LWN.net Weekly Edition for August 14, 2008 [LWN.net]

Chandler finally reaches a 1.0 release

By Jake Edge
August 13, 2008

The Chandler project has been around since 2001, periodically releasing new versions of its personal information management (PIM) tool, but never quite reaching the 1.0 milestone—until now. Over that time, Chandler has undergone various major revisions of both code and philosophy, while the rest of software industry has hardly been standing still. Whether Chandler is relevant or important going forward is an open question, but it does have some interesting ideas as well as potentially useful code.

Chandler is the brainchild of Mitch Kapor, of Lotus 1-2-3 fame, who started the project as part of his Open Source Applications Foundation (OSAF). Kapor and others have funded OSAF to work on Chandler over the last seven years, but in January all that changed. Kapor announced that he was leaving the board and only continuing to finance Chandler until the end of 2008. The 1.0 release is to some extent a "last gasp" attempt to build a community of users and developers to continue Chandler development down the road.

Since the time when Chandler was originally envisioned as a shareable calendar and information manager, many other, similar tools have come about. Evolution is a free software example, while Google Calendar is popular, but proprietary and closed. Neither of those cover the full feature spectrum that Chandler aspires to, but they have been available for quite some time.

The idea behind Chandler will be familiar to those who know about the Getting Things Done system. Organizing and integrating to-do lists, calendar events, email, and notes into a single system—and single application—is the driving force. These items (known as "notes") can be tagged into various collections (like Home, Work, etc.), assigned as events in the calendar, or mailed to others.

The calendar works like one would expect. Events have the standard fields: start/end time, frequency for recurring events, various alarm options, etc. Events get color-coded based on their collection and the calendar itself can be viewed at various granularities: day, week, or month. Based on their proximity in time, as well as user choice, events get "triaged" into categories of "Done", "Now", or "Later".

There are multiple synchronization options available with Chandler. Keeping calendars in sync amongst multiple different systems, with different import/export formats is clearly something that the Chandler team focused on. Because Chandler is cross-platform—written in Python and available on Linux, OS X, and Windows—it can interface both with tools that run on those platforms as well as with internet services like Google Calendar. As yet there is no Outlook/Exchange synchronization available which leaves out a rather large portion of the potential audience one would guess.

The Chandler desktop is only one of two pieces of the Chandler project; the other is the Chandler server. It is the means to share Chandler information, either with other users or just with other computers. Data can be synchronized to the server, then retrieved on another Chandler desktop elsewhere. For those that do not want to run their own server, the project runs a version of the server as the Chandler hub, which offers free accounts.

The 1.0 release looks like a solid tool. It has some enthusiastic users, but will that translate to a larger development community? Chandler development has always been directed—and funded—by the OSAF, so it suffers from a smaller development community than it might have otherwise.

Projects that start as proprietary, but then open their code, sometimes have difficulties allowing a community to influence or control the direction of that code thereafter. We have seen that with OpenSolaris and other projects. Chandler seems to suffer from some of those same problems, even though it came about differently. By removing the funding, Kapor may well have jump started Chandler development.

Seven years is a long time by any standard, but for software, it is an eternity. By keeping a relatively tight grip on the direction of the project, the OSAF may well have kept interested folks who were not on their payroll from getting involved. If the project can move to a more open style, with frequent releases, it may be able to regain some of that lost time. It is an intriguing tool, but it is way behind schedule.

Comments (29 posted)

GeekPAC to fight for information rights

August 13, 2008

This article was contributed by Lisa Hoover

There's little question that plenty of people are annoyed at how difficult it is to rip movies from legally purchased DVDs into formats readable by handheld devices or media players. The lack of consistency in document formats is an ongoing headache for anyone who receives files that are only readable with certain software. Information rights management has become enough of a frustration that a group has formed specifically to deal with the problem head on. GeekPAC is a political action committee made up of volunteers who are taking their complaints straight to Capitol Hill.

Last year California Assemblyman Mark Leno authored AB 1668, a bill designed to encourage the state to adopt the Open Document Format as the standard format for government documents. Not surprisingly, Microsoft came out against the bill and it was eventually struck down in committee. CollabNet Community Manager and longtime FOSS supporter John Mark Walker was angry. Realizing that the open source community had no voice during the hearings and no way to fight back against the opposition's lobbyists, Walker decided to mobilize support from within the ranks of the FOSS community and let them do what they do best — rally behind a cause and prove once again that there's strength in numbers. So he founded GeekPAC.

GeekPAC's goal is to pull together enough funding — a mere $2,200 — to file the necessary paperwork to be formally recognized by the Federal Elections Committee as a Political Action Committee (PAC). Then the group will locate politicians or candidates in the House and Senate who support hot-button technology issues like copyright reform and net neutrality. Once identified, GeekPAC will help support their campaigns and lobby together for change.

"If all we do is fund some campaigns, create a few attack ads, and do the occasional lobbying, I'll be pretty disappointed," says Walker. "The real goal here is to educate people as to why they should care. Frankly, those of us who care about our rights in the information age have done a really poor job of communicating the importance or relevance."

Indeed, Walker suggests that ambiguous verbiage and a lack of communication with people outside the tech industry has been the biggest hindrance to effecting large-scale change. "One of the problems is that we insist on using terms like 'digital rights,' the usage of which basically leaves out a large percentage of the population. Most people don't know what that means, and they assume that digital doesn't include them, because they don't work in the tech industry and have little contact with people who do. So lots of digerati swing around their proverbial phalli and talk 'digital rights' this and 'DRM' that, and it becomes a kind of high-tech circle jerk that is constraining and ultimately self-limiting."

A better approach, he says, would be to frame these important issues as "information rights." Once people realize that the bills politicians are voting on aren't about obscure concepts but rather affect human rights at a basic level, Walker is confident GeekPAC will make great strides toward changing minds at the national level.

"It's really about the free flow of information and letting free markets do their job. Once you start there, it's a quick hop and a skip down the path of the founding principles of this great country," explains Walker. He goes on to note that these issues affect people at every socio-economic level, from patents that limit free market trade, to "information restrictions that affect our ability to adequately educate the public."

Walker asserts that without a total overhaul of the United States patent and copyright laws, the information divide will never narrow, and ultimately lead to larger problems down the road. "It's really about education, innovation, and reducing the bar to entry so that America can remain competitive in the 21st century."

One of the overriding reasons Walker chose to launch GeekPAC now is because this is an important election year and political issues are on the minds of many. Though he acknowledges people have been discussing these topics for years, talking just isn't enough.

"In the 10 years that have passed since the DMCA, we still haven't been able to mount a credible reform effort, and countless horrible things have taken place on our watch that co-opt our so-called inalienable rights. We must do more, and I can't think of a better time to do more than an election year," he says.

GeekPAC is taking a multi-faceted approach to locating politicians to support. The group's supporters and volunteers are encouraged to recommend candidates who they know believe in GeekPAC's goals and direction. Politicians can also contact the group directly and asked to be considered for backing from GeekPAC. Once chosen, candidates are asked to sign a simple pledge promising to "protect my constituents' fair use rights to information [and] support the use of open standards in government for the storage and archiving of public data."

Walker says GeekPAC is most interested in helping candidates who take a strong stance on open standards and open access, copyright reform, patent reform, and net neutrality. "Obviously, we'll be most enthusiastic about candidates who support all of those, but we will help campaign for candidates who support at least one of those items."

The name GeekPAC may ring a bell for those who have been around the FOSS community for a while. A similar group was formed more than five years ago but never quite got off the ground. Though the two organizations don't share any common members, they do have the same goals — and an affection for the domain name. Before GeekPAC morphed into its current state, it was known as BytesFree — a similar group, but without the political slant. Walker says he originally planned to stay with that name, until he learned that the geek-pac.org domain was available, and then everything fell into place.

Walker formally launched GeekPAC at last week's LinuxWorld Expo by hosting a Birds of a Feather get-together at the end of a long day of sessions. While current and would-be volunteers strategized and planned, Walker took a few minutes to share the group's vision with notable columnist and FOSS supporter Doc Searls.

Though GeekPAC's premise is strong, not everyone is convinced of its viability. LinuxWorld community blogger Don Marti says the idea is likely to fail, in part, because of a poor choice of names. He claims the inclusion of the term "geek" is insulting and suggests it doesn't relay the true goals of the group.

"Creative Commons is a great name. Electronic Frontier Foundation is pretty good," Marti suggests. "You have to get in some words that imply that the people in the organization actually make something useful and that the organization's goals are public goods. Network Growth and Productivity Council?"

Marti also notes that GeekPAC should include singers, podcasters, and other sub-groups affected by information rights. Though the underlying commonality among the members of GeekPAC is an understanding of how these issues impact the FOSS community, Marti says that's not enough of a reason to form a splinter group of nothing but techies.

"There's a community that already exists around these issues — why split off the subset of EFF supporters who happen to be into free software?" asks Marti. "Of course EFF itself can't be involved because they're tax-exempt, but the target is clearly the same people, and their friends and colleagues. A 'free software users for DMCA reform' group would be like 'cat owners for a balanced budget'."

At the end of the day, it won't be the group's name or membership demographic that decides GeekPAC's success. Walker says it will be "When politicians and candidates start referencing us by name because our influence is large enough to matter."

Comments (25 posted)

Moving the Data Center, a LinuxWorld Keynote from Kevin Clark

By Rebecca Sobol
August 13, 2008

LinuxWorld 2008

Last week your author was in San Francisco attending LinuxWorld 2008. One keynote was from Kevin Clark, Director of IT Operations at Lucasfilm. Lucasfilm is the production company that brought us Star Wars, Indiana Jones and many other movies and related merchandise. As the Director of IT Operations, Kevin is responsible for the IT needs of four separate divisions in five locations. In 2005 the main data center was moved to a new facility; Kevin talked about the challenges and lessons learned in the process of moving a high availability data center, while making three movies and maintaining high security.

The four divisions of Lucasfilm all have different needs; to meet those needs, the data center has machines running Linux, Unix, Windows and few Macs. Industrial Light and Magic (ILM) is the biggest user of Linux. This is the division that does the special effects for Lucasfilm and many other movies such as Disney's "Pirates of the Caribbean" series. Lucas Arts, Lucas Licensing and Lucas Animation are the other three. These three divisions handle the production of movie-based video games, action figures, official web sites, animated films and other related endeavors.

When Hollywood producers want special effects, they want something that hasn't been seen before, something amazing. With each new movie the producer strives to out-do other movies. ILM must be on the bleeding edge of special effects technology, while maintaining high availability and high security. ILM Linux clusters run around the clock, producing "some of the best special effects the industry has to offer." Downtime is not an option, even for a major move.

Kevin's talk was about moving the data center, and not particularly about Linux. He did have some nice, short films showing off some of ILM's work. Did you know that Pirates of the Caribbean was not filmed on a ship at sea? It's just rendered that way.

For the new data center, Kevin knew he wanted to consolidate systems such as email, databases, storage and backup/recovery. He knew he needed flexible power and cooling requirements and a flexible distribution design with lots of storage for the rendering clusters and the backups and also web hosting for movie sites and other related businesses. The center has high bandwidth requirements, both internally and externally. Also, there are always many people trying to get the scoop on the latest movies and games, so high security is paramount. He chose technologies from AMD, Foundry, NetApp, HP and Juniper to accomplish his goals.

The new data center has over 700 miles of fiber and over 2000 miles of copper with a global WAN for sites at the Telco depot, Letterman Digital Arts Center, Skywalker Ranch, Big Rock Ranch and Singapore Animation. There are 400 terabytes of storage. The AMD blades have 32 gigabytes of memory and they stack them 66 blades per rack. There are lots of racks and floor to ceiling airflow cools them. When filming, all shots are archived, so there is high volume at all times and complete disaster recovery is required.

Kevin had a few lessons that he learned from the data center move: DC power has limitations, equipment interoperability is key and should be built to scale following a network design. The center has needs outside of IT to consider. All the pieces must be fully redundant. You always think that it is fully redundant until it fails. Power and cooling requirements must be balanced. Run the computers hotter to save power, but not so hot that they fail. The data center is a continually moving target with constant pressure to be more energy efficient. More virtualization could help. Getting light to move faster would help.

We were left to wonder how one might overcome the limitations of DC power, or how to get light to move faster. Those points did get a laugh from the audience though. All in all, one might wish for something more Linux related at LinuxWorld, but it was an entertaining presentation.

Comments (4 posted)

Page editor: Jonathan Corbet

Security

Details of the DNS flaw revealed

By Jake Edge
August 13, 2008

Dan Kaminsky spoke to a packed house at Black Hat on 6 August to outline the fundamental flaw he found in the Domain Name System (DNS). Contrary to his hopes, though, the flaw was discovered and publicized before his presentation. The vulnerability is interesting in its own right, but the implications of what can be done with it are staggering. In addition, the "fix" has well understood shortcomings that can still potentially be exploited to poison DNS caches.

We reported on the vulnerability in early July, including Kaminsky's request that security folks not publicly speculate about the flaw. As one might guess, that request was largely ignored. When security researcher Halvar Flake published his speculation, another researcher, who was known to have the details of the flaw, publicly confirmed it, but just as quickly removed the confirmation. While it sounds a bit like a security community soap opera, it was fairly clearly caused by the attempt to contain the vulnerability information.

An important part of DNS is the ability to delegate to another nameserver. When looking up example.net, first one of the root nameservers is consulted; it does not know the answer so it delegates to one of the nameservers that handles .net addresses. The delegation response includes the names of the servers being delegated to, but also helpfully includes the IP address of those servers as well. It is this helpful addition, which is meant to reduce DNS traffic, that can be exploited.

The key to DNS cache poisoning is that the first good answer wins. If an attacker can send a packet with all of the proper information, but with his own IP address substituted for the correct one, and that packet reaches the querying server first, the attacker wins. In order for that to happen, the attacker needs to arrange or know that the victim will be making a particular query as well as be able to create a response that will be considered "good".

Each DNS query has a 16-bit transaction ID; early implementations just had an incrementing counter, but since that time random transaction IDs have been used. In order for a DNS response to be accepted, it must have the same transaction ID as the request. Just over a year ago, we wrote about a cache poisoning vulnerability in BIND that was caused by a predictable random number generator. When an attacker can narrow down the possible values for transaction IDs, it reduces the number of responses they must generate commensurately.

Absent any method to predict transaction IDs, an attacker must send 32K responses on average before the correct response arrives—which is difficult, at best, to do. If the attacker can cause the victim to make multiple requests, though, they can increase their chances. Because DNS servers cache the results of their queries, repeated requests for the same host information will not generate additional lookups.

Kaminsky observed that if you make the victim request information about multiple, probably non-existent names in a domain, it will have to make a request to the nameserver responsible for that domain multiple times. If the victim queries for foo1.example.net, foo2.example.net, etc., it will use a different, random transaction ID for each request. The attacker can flood the victim with packets purporting to delegate the request to another server, ns.example.net say, but include an IP address under its control as the IP for that server.

The net result is that if one of the attacker's responses gets accepted, because it finally guessed the right transaction ID, the victim's nameserver cache has been poisoned. The attacker can control all lookups in the entire example.net domain because it has substituted its own server as the nameserver for that domain. Because of the birthday paradox, the attacker does not need to generate anywhere near 32K responses to have a high probability of having one with a correct transaction ID. In his testing, Kaminsky found that he could poison a cache like this in less than 10 seconds.

This technique works all the way up the hierarchy of DNS servers, potentially allowing top-level-domain or root nameservers to be poisoned. It is clearly a very serious flaw that can be exploited in a huge number of ways. Kaminsky's Black Hat slides [Powerpoint format, but viewable in OpenOffice], detail many different implications and are well worth a read. Also, for an excellent description of how DNS works as well as more details on the flaw Kaminsky found, see Steve Friedl's illustrated guide.

The "fix" that was rolled out in a coordinated fashion by many different vendors is to randomize the source UDP port for each query. This is a technique that was implemented years ago in Daniel Bernstein's djbdns and has been recommended by various cache poisoning researchers (notably Amit Klein) for some time. By doing this, an attacker must also guess the proper UDP port to send the response to, which can provide up to an additional 16 bits of randomness to the query. In the best case, where all possible UDP source ports are used, that increases the number of possible responses from 64K to over 4 billion.

That seems like it would take the attack out of the realm of possibility, but that clearly isn't the case. Kaminsky and the vendors all knew that adding source port randomization only made it harder—not impossible. Linux kernel hacker Evgeniy Polyakov has done some experiments with the patched version of BIND on a gigabit ethernet LAN, finding that he could poison a cache in under ten hours. As he points out: "So, if you have a GigE lan, any trojaned machine can poison your DNS during one night."

Other solutions are actively being sought, but it is a difficult problem because backward compatibility with countless DNS installations needs to be maintained. As always when a DNS problem is publicized, DNSSEC is touted as the solution. There are numerous technical and political problems that have stood in the way of DNSSEC adoption; those seem unlikely to just disappear.

This DNS flaw is serious, but there are plenty of serious internet security issues as Kaminsky points out in his blog:

Even if we go from 32 bits of entropy to 128 bits — even if we deploy DNSSec — we're still going to deliver email insecurely. We're still going to have an almost entirely unauthenticated web. We're still going to ignore SSL certificate errors, and we're still going to have application after application that can't autoupdate securely.

That, at the end of the day, is a far larger problem than this particular DNS issue.

While there may be bigger problems in our internet infrastructure, there are few things that are as pervasive as DNS. Kaminsky points out a number of non-obvious places where it is used—and could be abused—such as mailer lookups of HELO strings to try and decide whether to accept email or web servers doing reverse lookups for logfile messages. It is a little surprising that something so integral had such an obvious, in retrospect, flaw in its design that went undetected for around 25 years. It makes one wonder what else is lurking out there.

Comments (27 posted)

Brief items

EFF: MIT Students Gagged by Federal Court Judge

Three MIT students have been ordered by a US Federal judge to cancel their presentation at DEFCON in Las Vegas. The Massachusetts Bay Transit Authority (MBTA) sued the students to stop the presentation of security problems with MBTA fare cards. In a special Saturday court session, they were ordered not to disclose their findings for ten days. The Electronic Frontier Foundation represented the students, click below for their press release. "The court relied on a federal law aimed at computer intrusions in issuing its order, holding that even discussing the flaws at a public conference constituted a 'transmission' of a computer program that could harm the fare collection system."

Full Story (comments: 15)

Keyczar - simple cryptography

The Keyczar project, initially developed at Google, has announced its existence. "Cryptography is easy to get wrong. Developers can choose improper cipher modes, use obsolete algorithms, compose primitives in an unsafe manner, or fail to anticipate the need for key rotation. Keyczar abstracts some of these details by choosing safe defaults, automatically tagging outputs with key version information, and providing a simple programming interface." It is distributed under the Apache 2 license.

LWN.net Weekly Edition for August 14, 2008

acroread: arbitrary code execution

clamav: denial of service

condor: unauthorized access

git: denial of service

hplip: multiple vulnerabilties

moodle: multiple vulnerabilities

opera: information leak

pdns: simpler spoofing attacks

uudeview: insecure temporary file creation

vim: arbitrary command execution

xine-lib: buffer overflow

Events: August 21, 2008 to October 20, 2008