Chichaplanet, Planeta Debian Perú, Planeta Linux Perú, Planeta Ubuntu Perú
Less than a week ago someone was telling me about this image, which we obviously made a lot of jokes about:

And by coincidence, yesterday I found out about Fedora 12's new killer feature: any user on the system, without administrator privileges or the root password, can install packages without needing a password, which is a tremendous problem. Now many will tell me that there is no problem because you need packages signed by the repositories, which have a high degree of trustworthiness, but here are some of the worst attack vectors for this new "feature":
DoS (Denial of Service)
A user can be tricked into running a command equivalent to "install everything". The direct result would be that the system's hard disk is filled completely, leaving no room for more data and even preventing the execution of certain processes that need disk space or need to write to disk. This can also be done with the administrator password, but there is a reason why some people do NOT have that password; it went from being something possible to being something completely trivial.
Privilege escalation
Another problem with this new default configuration is that it throws overboard all the effort of the Fedora security team. With this it becomes trivial for a user with restricted privileges to download a package that contains a privilege escalation vulnerability (even from earlier versions of Fedora), install it on the system, and then exploit it to escalate privileges (more information and detailed commands). It is true that a package with vulnerabilities being in the archive is already a problem in itself, but this is completely common; that is why security teams exist to prepare updates for the system.
As you can see, this was a terrible idea on the part of the Fedora team, although according to what I read in the latest comments on the bug that was reported about this, it will possibly be very little time before they revert it.
Update (20/11/09):
Finally someone with some common sense: https://admin.fedoraproject.org/updates/PackageKit-0.5.4-0.4.20091029git.fc12
nxvl @ November 19, 2009
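A defender-side check for the default described in the Fedora 12 post above, added here as an example and not code from the post or from Fedora: it parses a polkit-style policy file and lists the actions a user can trigger without the administrator password. It assumes the behaviour is governed by PackageKit's polkit defaults; the policy text, `audit_policy` and the sample values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in polkit ".policy" format; not copied from Fedora's package.
SAMPLE_POLICY = """\
<policyconfig>
  <action id="org.freedesktop.packagekit.package-install">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.packagekit.package-remove">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.packagekit.system-update">
    <defaults>
      <allow_active>auth_self</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

SESSION_KINDS = ("allow_any", "allow_inactive", "allow_active")
# Implicit authorizations that never require the administrator's password.
NO_ADMIN_AUTH = {"yes", "auth_self", "auth_self_keep"}


def audit_policy(xml_text):
    """Return (action_id, session_kind, value) for defaults that skip admin auth."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        for kind in SESSION_KINDS:
            # A missing element is treated as "no" here (assumption of this example).
            value = "no"
            if defaults is not None:
                value = (defaults.findtext(kind) or "no").strip()
            if value in NO_ADMIN_AUTH:
                findings.append((action.get("id"), kind, value))
    return findings


if __name__ == "__main__":
    for action_id, kind, value in audit_policy(SAMPLE_POLICY):
        print(f"{action_id}: {kind}={value} (no administrator password required)")
```

Any finding on a package-install action is the condition the post objects to; setting that default to `auth_admin` restores the password prompt.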
Planet Ubuntu
Here we go:
01:35 PM [~]
nxvl@buster $ vrms
Non-free packages installed on buster
fglrx-modaliases Identifiers supported by the ATI graphics driver
ion3 tiling tabbed window manager designed for keyboard use
linux-restricted-modules- Non-free Linux 2.6.28 modules helper script
linux-restricted-modules- Restricted Linux modules for generic kernels
nikto web server security scanner
nvidia-173-modaliases Modaliases for the NVIDIA binary X.Org driver
nvidia-180-modaliases Transitional package for nvidia-185-modaliases
nvidia-185-modaliases Modaliases for the NVIDIA binary X.Org driver
nvidia-71-modaliases Modaliases for the NVIDIA binary X.Org driver
nvidia-96-modaliases Modaliases for the NVIDIA binary X.Org driver
tangerine-icon-theme Tangerine Icon theme
unrar Unarchiver for .rar files (non-free version)
Contrib packages installed on buster
flashplugin-installer Adobe Flash Player plugin installer
flashplugin-nonfree Adobe Flash Player plugin installer
ion3-scripts user-contributed add-ons to the Ion 3 window manager
nvidia-common Find obsolete NVIDIA drivers
12 non-free packages, 0.7% of 1798 installed packages.
4 contrib packages, 0.2% of 1798 installed packages.
nxvl @ September 10, 2009
Canonical, Planet Debian, Planet Ubuntu
It has been a whole year since I joined Canonical on 1st September 2008. It's unbelievable that a year went that fast; I'm still getting used to the company and suddenly a whole year just went away, but as some people say, time flies when you are having so much fun.
I can describe this whole year's experience in just one word: AMAZING! I'm having so much fun, even if I'm running out of time for other things I wanted to do. Everything has its price and working for Canonical isn't an easy task; a lot is expected from you all the time, but the company policy is to be friends more than co-workers, even if we don't see each other too much.
In this year I've had the pleasure of visiting some friends all over the world while traveling for work or escaping a little before or after a work trip. I've also had the chance to meet some people I wouldn't have otherwise, like a guy I met in Germany who develops these horrible scripts that learn from my shopping habits and offer me stuff I want to buy (I told that guy that I hate him, between jokes; c'mon, you hate him as well), and learned things I wouldn't have in a normal locally based company. I learned almost the hard way that when you say "Asian people" you are talking about Indians as well (isn't it, Polly?) and also noticed how different cultures can be: some things that are completely natural and normal for me can be really disturbing and offensive for others, and vice versa.
I've also had the joy of seeing some friends join the company and of growing our friendship, and I've seen some good friends leave the company, but the sadness was compensated by the happiness that they are going for something better and that the friendship will continue.
It's also always fun how, when we meet in person, it is like we have worked in the same office forever; people are always keen to have some beers, chat and taste Pisco (no, I will never get bored of seeing your faces when you try it!). In summary, Canonical is like a big family. You know how people say that there is competition even inside the same company? Well, this is not the case: people are always happy to help you and give you a hand when you need it, and even though I thought it wasn't possible to have a weekly meeting with your boss to talk about your personal lives before you start talking about work, it's always nice to know that they care about you, not only about numbers and results!
That said, I wanted to thank everyone at Canonical, and the ones that already left, for making this company such an amazing place to work! And special thanks to the two guys that helped me have this incredible opportunity (you know who you are!)
nxvl @ September 1, 2009
Planet Debian, Planet Ubuntu
I know I'm late with the news, but I've been busy with travels, conferences and catching up with what happened at work while I was away. It is amazing how fast the open source world can move in a couple of weeks, but as they say, better late than never:
Launchpad is now open source. The announcement was made almost a month ago, and there have already been some community contributions. Big congratulations to all the people involved in this! I hope that now that it's not a closed technology, more people will feel comfortable using it and contributing!
nxvl @ August 17, 2009
Planet Debian, Planet Ubuntu

No, they are not producing Married with Children again, and again no, it isn't that Christina Applegate is involved in a weird scandal or something. It is just that I have the Kelly Bundy syndrome again. What's that? Remember the chapter where Kelly went to a knowledge contest and Al taught her to be prepared for the contest? Remember what Bud told his father when he started to teach her? "Every time you teach her something she will forget something else". Well, being bleeding edge with the technology, working in free software that changes every single day, where you need to learn new things again every day, produces this kind of situation where your brain gets overloaded with information and you start forgetting things. For example, I've just been told that I ask the same single question to my boss every day; I just keep forgetting that I asked. It is frustrating! Again I need to calm down, take a deep breath and rest; my workaholism is playing on me again (I posted about the same issue in the past, in Spanish). I need to avoid this; at least this time it has been a year and a half without it!
nxvl @ June 10, 2009