Joe Auricchio

Apple just “fixed” CVE-2007-4703.

The “Set access for specific services and applications” setting for the Application Firewall allows any process running as user “root” (UID 0) to receive incoming connections, even if its executable is specifically added to the list of programs and its entry in the list is marked as “Block incoming connections”. This could result in the unexpected exposure of network services.

I am utterly speechless. Shouldn’t the firewall have been built by a security team? Not a bunch of monkeys smashing their keyboards with a femur then committing?

I’m not sorry if I’ve offended you. If you work for Apple, and the Firewall code passed through your hands, YOU DESERVE TO LOSE YOUR JOB.

Letting any root process listen no matter what is like a bank security guard letting nobody except ex-convicts in after hours. The history of Unix security from Robert Morris up to today is that a single chink in any root daemon’s armor means your entire system is laid bare to anyone who knows what Metasploit is. It is inconceivable to me that someone being paid to write security code in 2007 would turn off all firewalling for any root process—and make it impossible for users to specifically request it.

There are those who say firewalls and network security are solving the wrong problem. At DefCon 15, Bruce Potter made the compelling argument that the right way to improve security is to fix the buggy code, and that “defense in depth” is just a band-aid. That may be, but for today, we still have buggy daemons, and sometimes we want to hide them from the world.

Again: I hope someone at Apple lost his or her goddamned career for this.

This is Danny’s Ubuntu computer. Tonight he upgraded from 7.04 to 7.10. Now he has two Printing control panels.

Slowest infinite-regress ever: Java-on-Ruby on Ruby-on-Java on Java-on-Ruby on…

I work at The Dini Group, a small company in downtown La Jolla. We build FPGA boards (Xilinx and some Altera) to support logic emulation & ASIC prototyping.

Yesterday I was testing my third board design. It’s a revision of one of our older boards, generally cleaned up, and ready to go into a production environment for a contract client. The board has a security-related purpose, and it will store private keys. Consequently, one of the customer’s requirements was that to the extent possible there should be no unnecessary I/O paths, and still required paths should be disguised.

We use USB to bring up and configure the boards, but we couldn’t just put a USB plug. So instead we put in a four pin header like this one. V+, D-, D+, G, in a row.

Next challenge: We needed a cable to connect that to a computer. We could buy one for a few bucks… but Neal and I came up with a better idea.

1. Get a USB A-to-A cable, the kind that aren’t supposed to exist. Dave had one in his drawer.
2. Plug one side into the computer and the other side into one of the USB back-panel bracket that come with most motherboards these days. We have one in every dead computer in the Dungeon, and most folks didn’t bother installing them on our last batch of computer purchases.
3. And those header blocks on the end of the bracket’s cable plug directly into the board header pins.

Cost: zero. Results: excellent! (Pics: soon.)

Yesterday we found ourselves in need of a second cable. This time I just took a six-foot A-to-B cable, snipped it near the B end, snipped the header block off a second bracket, and soldered the connections up. I think for version 3.0, I’ll use heatshrink instead of masking tape.

This isn’t a particularly abnormal day.

A few more pictures of my desk:

• Picture the First - Phone, sharpie, multimeter probe, tea cup, board under test, PCI extender to power DUT, Nalgene, keyboard for Linux machine under desk, Subway sandwich for afternoon, paper plate that used to have bagel, mouse for Linux computer, power supply for test, SMA cable, edge of main machine
• Picture the Second - other side of main (WinXP) machine, solder sample boards, partly-assembled PSX board, post-it with a few part numbers scribbled on it, set of low-ohm resistors soldered in parallel from an old old power supply capacity test, ASUS motherboard box, some instrument that was on my desk the first day and I’ve never touched, Dave’s trashcan
• Picture the Third - behind me: schematics, schematics, and more schematics, box with new hard drive for backup server (oops I need to install that), Gigabyte motherboard box, headphones, ethernet hub under desk, miscellaneous cbles (power, ethernet, usb, serial) along back of desk

Amazing Epitaph.

Thanks Ryan!