Asking for advice regarding lumbar #discal #herniation with strong #sciatic nerve impact

Ok, my lumbar disc herniation, which strongly affected the sciatic nerve roots that connect to my left leg, doesn’t seem to be getting noticeably better. After a few days of meds the huge pains now only happen when I’m sitting; other than that I feel an almost constant tingling under my left foot and a weird sensation along the whole leg.

Driving is horrible and dangerous (I suddenly need to stop the car so I can walk a few meters), and I can’t sit for work, meals or relaxing for more than a couple of minutes.

At the hospital I was given lots of different painkillers until they decided to use cortisone. The doctor says that’s the last med they can try to ease my life before deciding on surgery, so let’s see what these meds do in the space of a week.

What should I do?

I’m a bit scared of the surgery because if it goes wrong I could become crippled, but everywhere I read it’s a very safe procedure. The videos on YouTube make it seem simple enough.

OTOH, not doing surgery basically means I may get this from time to time. I’m not sure I can handle the thought of this pain again for a week or two, nor how easily it can be triggered (lifting something a tiny bit heavier, for instance, or having to jump or suddenly balance myself out of a fall).

What would you do? More interestingly, what *did* you do if you went through such a case?

#Infarmed has a rare opportunity with #SoftwareLivre

Good afternoon,

My name is Rui Seabra and I chair the board of the Associação Nacional para o Software Livre, so I would like to draw Infarmed’s attention to this matter.

I read on Tugaleaks that Infarmed paid for the creation of software that must run on iPhones and iPads and on Android devices (phones and tablets), but it is accused there of having some serious problems, perhaps even of being outside the law.

It is important to stress that, in the requirements specification I read, there is a legal obligation to comply with the Open Standards Law (Lei das Normas Abertas) and that «all code produced within the scope of this project is the property of Infarmed». A small aside: this is not a matter of industrial property law, since there is no invention here; what applies is copyright and related rights law.

Infarmed has here a rare opportunity to remedy the problems it is accused of on Tugaleaks by transferring all this code, under a licence such as the GNU GPL v3 or later, to SVN.GOV.PT, a project of the Agência para a Modernização Administrativa, and treating the money paid as an investment in the creation of a free program that did not yet exist.

These ten thousand euros could have been invested with the aim of publishing the source code of this suite of applications and letting civil society take part in future development, improving the application in future versions, perhaps even without much further investment from Infarmed (naturally someone would have to do some QA on the future versions Infarmed chooses to use).

The first version may not be adequate enough, but it can perfectly well be improved, especially if we could all help.

Will Infarmed accept such a challenge? Does it want our help?

Best regards,
Rui Seabra

Musings on #Heartbleed

Several thoughts have been on my mind about #heartbleed. You may have heard similar thoughts about it, but I’d like to add my own.

Ah… nothing like checking the news in the morning, feels like… ah… a bug in OpenSSL, let’s check it out… OMFG… By 10:00 I was already applying patches to vulnerable (and exposed) servers all around, processes be damned!

Is Free Software security tarnished?

Absolutely not!

Let me start with the first thing you should keep in mind: you’re better off than with proprietary software, and this bug proves it. Few could have said it as well as Sam Tuke of FSF Europe did; there are also a few words from Simon Phipps and Eric Raymond.

In short, there are several instances of just as serious bugs, and many much more serious ones, in proprietary software, even in the field of network security. And those are just the tip of the iceberg: the ones that became known, not the ones still hidden.

Patches for this bug were available to those affected within a few hours of its publication.

Several documented flaw-finding studies have been made; guess who turned out better, on average, in every single one of them? Yes, Free Software. Proprietary software has consistently been found to have, on average, more bugs, more security bugs, more delayed patch releases, etc.

Update (2014/04/13): Also, an event such as this one prompted an independent audit review from the OpenBSD people; here’s another bug in OpenSSL that has been fixed there, proving once again how Free Software works to make software more secure:

  1. you can do independent and public audit reviews
  2. you can push fixes for what you found publicly on the Internet
  3. anyone can take advantage of those changes thus maximizing the effect

Now imagine such a bug happened in Microsoft’s crypto…

  1. you can’t do independent audit reviews
  2. you can’t push fixes for what you found publicly on the Internet
  3. nobody but Microsoft can fix Microsoft’s crypto library

Replace Microsoft by whomever you prefer above, they’re just an easy target. 😉

Exposure

Here’s the most detailed timeline of public information on the bug that I found.

Yes, the code was there for about two years, but the exposure was not that big. It was big, about a fifth of the “secure” web, and unfortunately lots of very popular websites were exposed, so the general recommendation is: don’t assume they’re safe, change your passwords everywhere (once each site has actually patched; changing a password on a still-vulnerable server just exposes the new one).

Why wasn’t it bigger? Because not everyone runs the latest releases; lots of GNU/Linux distributions take a more conservative approach to running recent software. Case in point: Red Hat Enterprise Linux and its derivative distributions.

Only since the 6.5 release, in late November last year, did up-to-date Red Hat (and derivative) installations become exposed. CentOS followed about a couple of weeks later.

Ironically, this bug affected the most efficient system administrators who had kept their systems updated 🙂

But many run their services on, for instance, Red Hat Enterprise Linux 5 (and derivatives), whose OpenSSL predates the heartbeat extension and is therefore completely unaffected by this bug. Same for other software.

Even those who run the 6.5 release could be totally unaffected if, for instance, they used NSS instead of OpenSSL with Apache.

In short: it was big, but not catastrophically big.

Also affects proprietary software!

What? How could this be? Isn’t OpenSSL Free Software? Well, yes, yes it is, but it is licensed in such a way that permits proprietary derivative versions.

They should be safer, right? Hi Cisco and Juniper… I’m sure there are others. I wonder if they’ll at least be honest with us… I urge people to check their ultra-expensive and highly proprietary Web Application Firewalls, Load Balancers, Proxies, etc., which often embed OpenSSL.

All your keys are belong to US!

9 out of 10 SSL certificates are under the indirect control of the US Government. Think Patriot Act, NDAA, National Security Letters, secret courts with secret interpretations, people and companies coerced under threat of being formally accused of treason if they don’t cooperate or if they talk about it.

If #heartbleed really can make vulnerable software leak private keys, you will be renewing your certificates anyway; do it under a non-American CA.

Really, don’t make it easy for them, they don’t deserve that, your customers don’t deserve that, your friends and family don’t deserve that.

Change management be damned!

If you ever had an axe to grind about ISO 20000, ITIL or similar brain-dead efficiency killers, especially when implemented by complete and utter idiots, now you can have some revenge.

It is a bug of such seriousness that I recommend bypassing the change management process. Update now if you are affected, or change your career, because either you are managed by complete and utter idiots or you don’t take it seriously enough.

Places that have enough good sense will allow you to run the Emergency Change process by your ECAB after the fact for such serious situations.

Take advantage of that, this is such a case.

Conspiracy theories

Unlike some suggested, it appears to have been an honest mistake that neither the developer nor his reviewers spotted, and they were quite embarrassed:

The author of the bug, Robin Seggelmann, stated that he “missed validating a variable containing a length” and denied any intention to submit a flawed implementation.
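The mistake in that quote is a missing bounds check on an attacker-supplied length. What follows is an added example written for this page, not OpenSSL’s source: a stripped-down TLS heartbeat handler in its vulnerable form beside the fixed form, run against a constructed record that claims a 64-byte payload while carrying only 2 bytes. The bytes placed after the record in the `MEMORY` array stand in for whatever happened to sit next to the record in the real process memory; the record layout, field names and the `hb_*` functions are this example’s own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code.  Heartbeat record layout used here:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | 16 bytes padding */
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HEADER    (1 + 2)

/* Constructed "process memory": a 21-byte record that claims a 64-byte payload
 * but only carries 2 bytes, followed by bytes standing in for whatever was
 * adjacent on the real heap (key material, cookies, other users' requests). */
static const unsigned char MEMORY[] =
    "\x01"                              /* HeartbeatMessageType = request */
    "\x00\x40"                          /* payload_length = 64: a lie */
    "hi"                                /* the two payload bytes actually present */
    "\0\0\0\0\0\0\0\0" "\0\0\0\0\0\0\0\0" /* 16 bytes of padding */
    "SECRET-KEY-MATERIAL-NOBODY-SHOULD-SEE-0123456789abcdefghijklmno";
#define RECORD_LEN (HB_HEADER + 2 + HB_PADDING)   /* what actually arrived: 21 bytes */

static uint16_t hb_payload_length(const unsigned char *rec) {
    return (uint16_t)(((unsigned)rec[1] << 8) | rec[2]);
}

/* Shared response builder: echo the length field, copy `payload` bytes, add padding. */
static size_t hb_build(const unsigned char *rec, uint16_t payload,
                       unsigned char *out, size_t out_cap) {
    size_t resp_len = HB_HEADER + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);   /* the over-read happens here */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);    /* real code used random padding */
    return resp_len;
}

/* Vulnerable: the sender's payload_length is trusted; rec_len is never consulted. */
size_t hb_respond_vulnerable(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap) {
    (void)rec_len;                                   /* ignored: that is the whole bug */
    return hb_build(rec, hb_payload_length(rec), out, out_cap);
}

/* Fixed: the claimed payload must fit inside the bytes that actually arrived. */
size_t hb_respond_fixed(const unsigned char *rec, size_t rec_len,
                        unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;  /* too short to be a heartbeat at all */
    uint16_t payload = hb_payload_length(rec);
    if (HB_HEADER + (size_t)payload + HB_PADDING > rec_len) return 0;  /* the added check: drop it */
    return hb_build(rec, payload, out, out_cap);
}

static unsigned char RESPONSE[HB_HEADER + 0xFFFF + HB_PADDING];

/* Response length the vulnerable handler produces for the lying record (83 bytes). */
size_t demo_vulnerable_len(void) {
    return hb_respond_vulnerable(MEMORY, RECORD_LEN, RESPONSE, sizeof RESPONSE);
}

/* 1 if that response carries the bytes that sat beyond the end of the record. */
int demo_vulnerable_leaks(void) {
    size_t n = demo_vulnerable_len();
    size_t secret_at = HB_HEADER + 2 + HB_PADDING;   /* where "SECRET" lands in the echo */
    return n > secret_at + 6 && memcmp(RESPONSE + secret_at, "SECRET", 6) == 0;
}

/* The fixed handler drops the lying record: returns 0. */
size_t demo_fixed_len(void) {
    return hb_respond_fixed(MEMORY, RECORD_LEN, RESPONSE, sizeof RESPONSE);
}

/* ...but still answers an honest 2-byte heartbeat with a 21-byte response. */
size_t demo_fixed_honest_len(void) {
    unsigned char honest[RECORD_LEN];
    memcpy(honest, MEMORY, RECORD_LEN);
    honest[1] = 0x00;
    honest[2] = 0x02;                                /* payload_length = 2, matching reality */
    return hb_respond_fixed(honest, RECORD_LEN, RESPONSE, sizeof RESPONSE);
}

int main(void) {
    printf("vulnerable handler: %zu bytes back, leaked adjacent memory: %s\n",
           demo_vulnerable_len(), demo_vulnerable_leaks() ? "yes" : "no");
    printf("fixed handler, lying record: %zu bytes back (0 = dropped)\n", demo_fixed_len());
    printf("fixed handler, honest record: %zu bytes back\n", demo_fixed_honest_len());
    return 0;
}
```

The comparison in `hb_respond_fixed` is the shape of the check the real fix added: header plus claimed payload plus padding must fit inside the length of the record that was actually received, and a request that fails it is silently discarded. The honest-record case is there to show the check rejects only malformed requests, which is what a reviewer should verify before shipping a bounds fix of this kind.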

Theo de Raadt, OpenBSD’s founder, said «OpenSSL is not developed by a responsible team», but I doubt they’ll bother implementing a new SSL library. I wonder what they’ll do, though… they are likely making an independent review.

Prophecy come true!

Poul-Henning Kamp’s hilarious closing keynote at FOSDEM 2014, pretending to be an NSA agent speaking of Operation Orchestra, called OpenSSL a crown jewel:

  • Crown jewel: OpenSSL
  • Go-to library for crypto services
  • API is a nightmare
  • Documentation is deficient and misleading
  • Defaults are deceptive

We need to ask him where he found the spice… he certainly seemed to have blue eyes, and #Heartbleed was truly a Crown Jewel for…

…The NSA

No agency had as much of a duty as the National Security Agency to find a serious bug like this one and responsibly get it fixed ASAP, since it was affecting its own nation.

There are innuendos that the NSA knew about heartbleed for a long time. They certainly have the expertise and the budget to have found it, but they did deny having known about or exploited it for years; in fact, they claim they didn’t know about it before April.

Of course, no one can trust the NSA anymore, because they have been proven to be invested in breaking security for everyone, so they could be lying in order to cover themselves after such a monumental failure to protect their own country’s security.

Or they could have just been doing it for less than two years, like one year and 364 days, not yet years (plural), right?

One never can tell, and that’s symptomatic of a very botched organization.

Is Microsoft involved?

I don’t know. It’s certainly fishy that:

  • The publication date coincides with the death of Windows XP. It could be called a distraction manoeuvre, so that people get scared of moving away from Windows XP to GNU/Linux… it has certainly been effective at crying wolf in big media outlets
  • Codenomicon is run by a Microsoftie, well, an ex-Chief Security Officer of Microsoft, but those kinds of people tend to leave the company with strong lobbying and partnership relations between their next ventures and the big mothership
  • It is documented that Microsoft has been a faithful collaborator of the NSA for many years, even to the point of maybe having a dedicated backdoor

Maybe it’s just coincidence. Maybe.

OpenSSL is grossly unappreciated

The few OpenSSL developers are highly dedicated people who don’t exactly live well off of it. In fact, the importance of OpenSSL is disproportionately unappreciated, especially in any financially rewarding form.

Fortunately, the developers do it more for other rewarding factors, like responsibility and pride.

Conclusions

  • It’s one of the most serious security bugs in the history of the Internet
  • Use any of the available mitigations if you’re affected (upgrade, recompile with the heartbeat extension disabled via OpenSSL’s OPENSSL_NO_HEARTBEATS build flag, downgrade, change software), then renew keys and certificates, since anything the vulnerable process held in memory may have leaked
  • More people (especially corporations making money with OpenSSL) should donate money to the OpenSSL Software Foundation
  • I don’t remember writing such a long post, it’s probably very flawed, I accept patches, comment below 😉

Free Software and Security under the #NSA

Anyone claiming Free Software “does not magically make things more secure – never has, never will” without explaining how you’re so much better off securing yourself is using truths to lie to you.

Here’s an example:

Explicit truth: it doesn’t “magically make things more secure”.
Hidden truth: it technically and scientifically does, by exposure to peer review and the scientific method; the end results have definitely been proven more secure, on average, than the proprietary “alternatives”.
Hidden lie: “never has, never will”. It’s just piggybacking on the explicit truth in order to hide (using a true statement) that on average it does, and that you’re better off.

So, if someone is lying to you so straight-faced, how can you trust that person when he’s been claiming badBIOS is a myth?

The fact is it is possible: firmware is installed code running on chips, and it can be updated. Didn’t he himself just say that all software has security bugs when he said that being Free Software doesn’t “magically make things more secure”?

So why couldn’t these computers be compromised in such ways? In fact, the NSA backdoor catalogue explicitly details BIOS-level compromises and implants! Go read that list, especially the BIOS-level attacks, then think for yourself about badBIOS rather than trusting people who tell you “no, that’s not it” or “just conspiracy theories”.

Those people are lying to you, and they have hired a lot of security people under their wing, so of course they’d use these hired high-tech spooks to try to discredit you…

So go watch Jacob Appelbaum’s talk at 30C3, To Protect and Infect, part 2, rather than believing someone who calls him a conspiracy theorist.

He’s publishing these findings at a respectable newspaper (Der Spiegel), the other guy is just name calling.

Which one deserves more credit? You decide.

Me, I’ll be trusting Free Software security; if anything, these NSA scandals have proven my reasoning right. Sure, they could try to insert backdoors in Free Software, but tell me, how easily can you put a backdoor where anyone can see it?

Not. Easily. Not at all.

What about when everyone except the builders is kept blind?

Riiight…

Here’s an example from Jacob’s talk: Jake talks about those little USB dongles that randomly move your mouse in order to prevent the screensaver from launching… you know what systemd now does when it finds one? It automatically locks the screen. What do Windows or MacOS do?

Riiight… you guessed it, move the mouse and prevent the screensaver from launching.

I’ll be using Free Software and so should you, but you’re your own boss.

You can choose a greater likelihood of being infected.

Yes! I’ve got my 46.03 € of #Windows #Refund and so can you, at least with #Samsung

If you’ve been following me on this blog or other social networks you know I bought a Samsung NP900X3C. It’s a very nice laptop, but I was forced, for some obscure *cough* OEM *cough* reason, to buy a Microsoft Windows 7 Home Premium OEM licence along with it.

Receipt and refund in cash

When I bought it at Media Markt I immediately mentioned I wanted to get a refund on the Windows that was installed. Media Markt said I’d have to go to Samsung or Microsoft, that they wouldn’t do that. Please remember this part…

Since it was the exhibition model they had there, I had no chance to explicitly reject the Windows licence, so I went ahead and installed my favourite GNU/Linux distribution for personal use, Fedora, at release 20.

While it installed, I opened a case with Samsung by “email” and they replied to me soon enough by real email.

Samsung said that

  1. I wasn’t to turn the laptop on or accept the licence [check: Media Markt did, I didn’t]
  2. that I should take it to the store [Media Markt, which had preemptively rejected any process]
  3. the store would use the official Samsung Service Center [which in Lisboa is just a few doors up in my street] to erase the disk and then
  4. return it to the store in order to fulfill the refund

Well, since steps one and two were already broken and the store is a few doors up, why not just go there directly?

That’s what I did, but I was left hanging without any further details for up to three weeks and I was getting very pissed off. At least give me a piece of paper saying you won’t do it, damn it! 🙂

So I went there today and said I wasn’t going to leave the store without one of three things:

  1. my satisfaction, aka, the Windows Refund, or…
  2. a note explaining why they can’t do it yet, or…
  3. a note explaining why they won’t do it.

Boy, were the poor nice guys at the service center pissed: so there’s this crazy guy trying to get money back from a Windows refund, what a nutty guy, never heard of that before, and now I’m stuck here well past closing hours, right? 🙂

Well, after a short talk on the phone with the owner, who was a bit defensive then, and a bit more waiting, I had a second talk with him and he was much, much friendlier now and willing to secure my satisfaction. Nice! I don’t know exactly what happened, but they decided to fast-forward the process.

Apparently, Samsung Portugal sent the request to Samsung Korea and never had any reply, so they were going to refund my 46.03 € in advance.

Receipt

Yes!

I still had to explain to the guys that they had to take the licence sticker off the charger, because Samsung would need it to pay them back, but finally I could officially get rid of Windows and get back what I had paid for it.

Before: charger WITH Windows licence
After: charger WITHOUT Windows licence

Global warming and climate chaos for dummies

On the subject of global warming and the current freezing storm in the USA, some denialists are claiming that this storm proves the climate is not warming… that scientists flip-flop on their evidence of warming between “see, it’s hot” with the extreme summer temperatures and “see, it’s cold” with the extreme winter temperatures.

Actually, that’s a gross (almost criminally negligent, IMHO) misrepresentation of what scientists say.

As the average global surface temperature rises slightly, it breaks up and melts some ice.

What happens to the water in your glass when you drop a few ice cubes in it? It gets cooler.

What covers over two thirds of the Earth’s surface? Sea water.

Which currents bring colder waters? Those near the USA.

What does colder water surface do? Cools the air.

….

What happens sometime after the ice melts?

Water gets hotter…

You can see where this is going unless you’re covering your eyes and ears… And I’ll even let you use a thermometer to analyse it yourself in your home.

Room temperature gets temporarily cold, cold gets temporarily colder, the changes in between wreak havoc everywhere, and then… It. Will. Get. Hot.

I probably won’t live to see that part, but I’m almost sure my son will suffer it. I would love for him not to have to.

Gun propaganda pretending to be civil rights campaign

There is a certain image spreading on social networks that seems to be in defense of personal rights but isn’t: it’s nothing but gun propaganda disguised as a civil rights campaign.

It goes like this:

Don’t like gay marriage? Don’t get one.

Don’t like cigarettes? Don’t smoke one.

Don’t like abortions? Don’t have one.

Don’t like sex? Don’t do it.

Don’t like drugs? Don’t do them.

Don’t like porn? Don’t watch it.

Don’t like alcohol? Don’t drink it.

Don’t like guns? Don’t buy one.

Don’t like your rights taken away?

Then don’t take away someone else’s.

There’s a little problem with this logic. I’ll illustrate it with smoking.

If you don’t like smoking, not smoking yourself is not enough to avoid suffering from it.

Smoking affects the rights of others by intrusion, it’s the equivalent of stretching your arm up to my nose including contact. Your smelly cigarette is obnoxious and I don’t like the risk of disease by getting second hand smoke into my nose and lungs.

When I don’t want to get that smoke in my lungs, I’m not stretching my arm up to your nose with contact, I’m pushing your arm away.

You are the one intruding on my rights, not me.

Same goes for the effects of many drugs (including alcohol) when out of control (which happens with highly addictive drugs, or when people are too drunk to understand how badly they’re behaving), and let’s not delve into what a stray bullet can do to me, who had nothing to do with your argument with your also-gun-loving neighbour who’s at odds with you.

Sexual orientation, abortion, sex and watching porn have nothing to do with that. They’re not even in the same league. They’re personal things you do on your own time, usually in privacy.

I can’t agree with that poster, as it’s definitely not well thought out and only seems to have one goal: putting guns, unfettered, into people’s hands.

It’s disgusting. I beg you to not spread it.

Could security agencies be snuffing out inconvenient people? Why wouldn’t they, huh? #nsa #truepiracy

Like Jan Wildeboer says:

«Obviously suicide. Just two days before he would have presented how to hack pacemakers.

Too many hackers have accidentally run into such things in the past years. It’s a pattern that screams counterintelligence.»

A comment on his post on Google+ with which I agree wholeheartedly.

Counterintelligence has a history of snuffing out inconvenient people; that’s undeniable. There have been too many incidents (suicides, deaths, etc.) recently in our communities…