Archive for August 2004

Mozilla default features that raise my eyebrows.

leave a comment »

There are some features that may look cool to others but are bad enough for me that I disable them. You can tweak any Mozilla/Firefox preference by going to about:config in the URL bar. [If this does not work then you may be using an old version of Mozilla.] If you are using other, fundamentally insecure browsers then you are out of luck and should consider moving to Mozilla or Firefox.

Referer URLs: The Referer field in HTTP request headers is typically for the server’s benefit. It lets the server know the page from which you clicked a link to the server. Most web servers might just ignore it, while some may use it to analyse users’ browsing path patterns. Why is it bad? It leaks information, like the Google keywords that you used to get to that page. It may also leak intranet URLs that are not accessible to outsiders. Solution: set

network.http.sendRefererHeader - 0

Clipboard paste auto-loads URL: This is one of the nasty features, I believe. If you accidentally hit the middle mouse button on a window while no input field has focus, Mozilla pastes the clipboard contents into the URL bar and also tries to load them as if they were a valid URL. If the clipboard happens to contain a valid domain name, that site will get everything that was in your clipboard. To disable, set

middlemouse.contentLoadURL - false

Domain guessing is a feature where Mozilla adds www. and .com to guess a domain name that could not be reached. Again, this can accidentally leak information if the guessed site is different from the one you intended. To disable, set

browser.fixup.alternate.enabled - false

[ See mozilla doc, bug 40082 ]

User agent details: I am paranoid about giving away details of my OS, browser version etc. Chances are that some malicious servers can make use of the browser version to exploit a vulnerability that exists in that particular version. This is more of an issue for web servers like Apache; I would consider it unsafe to give away the web server version number. Note that Sun’s Java Enterprise Webserver does not leak version numbers! So I would keep my browser information to a minimum:

general.useragent.override - Mozilla/5.0

Note that disabling these features may break some sites that depend on them. If they are absolutely needed, I would create a separate profile for those sites.
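Checking a profile for these four settings, as an added example that is not from the post: this Python script parses the user_pref lines of a prefs.js or user.js file and reports every preference that differs from the values recommended above (the sample profile text is constructed, not a real profile).

```python
import json
import re

# Values the post recommends for the four about:config preferences it discusses.
RECOMMENDED = {
    "network.http.sendRefererHeader": 0,
    "middlemouse.contentLoadURL": False,
    "browser.fixup.alternate.enabled": False,
    "general.useragent.override": "Mozilla/5.0",
}

# One user_pref("name", value); line as Mozilla writes it into prefs.js or user.js.
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Map preference name -> value for every user_pref line; other lines are ignored.
    The value is a JS literal (string, integer or boolean), which JSON syntax also covers."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = json.loads(m.group(2))
    return prefs

def audit(prefs):
    """Return {name: (current, recommended)} for each pref not at the recommended value.
    A pref absent from the profile keeps Mozilla's built-in default, so it is reported too."""
    findings = {}
    for name, want in RECOMMENDED.items():
        have = prefs.get(name, "<not set>")
        # Compare the type as well: in Python False == 0, but 0 and false are distinct pref values.
        if type(have) is not type(want) or have != want:
            findings[name] = (have, want)
    return findings

# Constructed sample profile, not a real one: referers still sent (2 is the permissive
# default), domain guessing never overridden, full user agent string exposed.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("network.http.sendRefererHeader", 2);
user_pref("middlemouse.contentLoadURL", false);
user_pref("general.useragent.override", "Mozilla/5.0 (X11; U; SunOS sun4u) Gecko/20040803");
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for name, (have, want) in audit(parse_prefs(SAMPLE_PREFS)).items():
        print(f"{name}: is {have!r}, recommended {want!r}")
```

Point it at the prefs.js of each profile you use; a profile that is meant to keep the defaults for a few sites that break will show up as expected.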


Written by chandanlog

31 Aug 2004 at 8:40 am

Posted in Security

Women Presidents in US?

with 2 comments

There is one thing that is common to the United States of America, Iraq and North Korea: none seems to have ever had a woman as its head of state!

Politics does not interest me much, but not a day passes without some news being forcefully fed into my ears about the American elections. It makes me wonder how free and fair these elections are.
In an equal opportunity country, the percentage of successful women leaders who become presidents should have been at least 50%. Not zero!

Written by chandanlog

30 Aug 2004 at 3:55 am

Posted in General

Architectures of Management Vs Science

leave a comment »

Yesterday we took one of our colleagues from the US to see the architecture of the Indian Institute of Management Bangalore (IIMB), south of Bangalore.
Whoa! It is not a building but a huge garden of concrete pillars and rough-cut granite bars and slabs. It was like being in the Quake computer game, but for real. The architecture is very confusing, complicated and unorganized. It is a labyrinth of raw cement pillars and granite rocks. The landscape around is all chaotic and looked more like the sad ruins of an unfinished building than a management school.

The library too was more of a huge realization of an Escher drawing. High floors and balconies looked very scary. Most stairs did not have hand rails on the sides. Sometimes the stairs themselves would take a strange turn to lead you to a deep precipice. If you are not watching your step you might easily fall from a dizzy height to splat blood on the rough concrete floor below. No walls were painted, no surfaces polished. With its leaking water patterns it looked like a dangerous site to be in. After a couple of steps in this maze I had totally lost my spatial senses. Probably the architecture of this management institute is meant to symbolize the cheap uncertainties, fear and confusion that the field of management is.

This is totally in contrast to the Indian Institute of Science (IISc) in the north of Bangalore. As you enter IISc you pass through a thick growth of trees and flowering plants. You walk on roads covered with a thick layer of dried bird droppings. It is dark. A faint smell of bird droppings fills your nostrils. The main building that you see in pictures is nowhere in sight. It is only after a couple of minutes of walking that you begin to sense the dark back side of a huge building still hidden behind trees.
And as the tree cover slides away, you see a vast clearing, with lots of beautiful flowering plants arranged at the periphery of the field. There, on your right, is the face of a huge bright granite building standing high, dwarfing you with long corridors, spacious arches and tall windows.

Here you will see neatly cut granite rock blocks, assembled with perfect symmetry. This main building of the institute is about a 100 years old but still looks brand new. Red carpet and white marble interiors welcome you when you enter the building through the main door. Solid teakwood side rails adorn a pair of palatial staircases that lead you to the first floor (that is the second floor in American English). In all, this symbolizes the beauty, symmetry and perfection of science, shedding light on the chaos and darkness of nature around. Precise and solid principles supporting a tower of knowledge!

Written by chandanlog

26 Aug 2004 at 10:50 am

Posted in Art

rpc.statd vulnerability, ISS scan and Security Bulletin #00135

leave a comment »

Many people email security-alert (@t) to enquire if Solaris 2.6, 7, 8 or 9 are vulnerable to the rpc.statd vulnerability described in a very old Security Bulletin and in Advisory CA-1996-09. [Also and BID 6831]. It is mostly because ISS (Internet Security Systems) or similar scanning tools check for the “RPC statd remote file creation and removal” issue (rpc-stat) and report it as a possibility. Reports might look like:

The Remote Procedure Call (RPC) stat deamon (statd) is running on UNIX hosts and may
allow unauthorized placement of files on the system.
Rating: High Risk
Vulnerable Systems:
An attacker can exploit the RPC statd vulnerability and create a file in any
directory on the host. The attacker can overwrite existing files or create new
Apply the appropriate vendor patch. For Sun Microsystems, refer to Security Bulletin
#00135. A file proving the RPC statd exploit can be found on the affected server at
/tmp/statd-vulnerable - remove the file after checking.

... OR ...

rpcstatd: RPC statd remote file creation and removal (CVE-1999-0019)
More Information
Remote Procedure Call (RPC) statd maintains state information in
cooperation with RPC lockd to provide crash and recovery functionality
for file locking across the Network File System (NFS). Statd does not
validate information received from a remote lockd. By sending to the
statd service an RCP or RDIST request including references to the parent
directory (".."), an attacker can provide false information to the
rpc.statd file, allowing the creation of a file in an arbitrary directory
on the host. This can be used to overwrite pre-existing files or create
new files on the host.

Internet Scanner users: Most systems presently running NFS can allow
remote removal of a file. Internet Scanner can only determine if statd is
possibly vulnerable to the attack. To conclusively determine a system's
vulnerability before patching it, check the system for the file
/tmp/statd-vulnerable. If this file exists after a scan, then the
computer is vulnerable to attack.

Apply the appropriate patch for your operating system.

For Hewlett-Packard:

For SunOS:
Apply the appropriate patch for your system, as listed in Sun
Microsystems, Inc. Security Bulletin #00135. See References.

This is no longer an issue for any higher Solaris versions (like 2.7, 2.8, 2.9 and Solaris 10 or greater). Most users do not check for the existence of the /tmp/statd-vulnerable file after the scan; they assume they are vulnerable and get worried. To confirm whether the listed systems are vulnerable, you must manually check if a “/tmp/statd-vulnerable” file exists. If it does not, then you are not vulnerable.
For the releases that are mentioned in the bulletin you must apply the latest patches listed in the Bulletin. Note that Solaris releases prior to 2.7 are no longer supported. It is always best to upgrade to the latest release of Solaris.

Written by chandanlog

23 Aug 2004 at 9:55 pm

Posted in Security

Popular Software

with 2 comments

Last Friday night Glen gave me a “People’s Choice Award” – mostly for writing about 100 lines of Perl script that became hugely popular amongst engineers. It was written as a simple alternative to something else. I thought I should write about what I think are the ingredients of popular software (or any product for that matter).

1. It has to be usable. If you are writing software that people use, then you must strictly follow basic usability principles. Usability and human-computer interaction (HCI) (some people wrongly abbreviate it as CHI) is typically an optional subject in computer engineering courses. The bulk of engineers simply do not get it. There is not much to learn – I learnt most of it just by paying attention to what Robin Jeffries says.

2. It should not require users to be trained. It should be easy for anyone with basic domain knowledge to be able to just start using it.

3. If there is any work that is algorithmic in nature, then computers can do it. Automate to the maximum extent possible and push the complexity behind computers.

4. It should efficiently do what it is supposed to do – no less and no more. Always develop with a “you aren’t gonna need it” attitude. Feature-rich need not necessarily mean great. Be efficient, use the best data structures and algorithms. Write small, fast code.

5. It should be easily accessible and available. Anyone who needs it should easily be able to get it and use it. This not only means being portable (think POSIX) or platform independent (think Java) or open-standards based (think ASCII or XML) but also coming without unnecessary prompts, restrictions or prerequisites.

Put all these together, then your software will sell like hot cakes. It will continue to sell like hot cakes for decades as long as there is a need for it. If it makes people’s life easy or saves a couple of seconds worth of effort, then they will like it and use it.

Take LaTeX for example, which is hugely popular with techies. It is readily available on most platforms (5); easy to get started with – you can look at an example LaTeX file and understand most of its syntax (2); it does a wonderful job of automatically typesetting documents (3).

Google is another example. Why did Google become so popular? It had a very simple usable interface (1); light web pages that were fast to load (4); it used some simple and solid ranking algorithms (4) unlike other search engines of that time, which had heavy pages, full of flashing graphics and ads which most users did not want.

There are dozens of other things which IMHO became popular for these reasons: less (vs more), gpg (vs pgp or S/MIME), graphviz (any competitors?), firefox (vs Mozilla) etc.

Written by chandanlog

22 Aug 2004 at 11:50 pm

Posted in General

Chief Executive Prankster

with one comment

blankbaby has posted a kind review of my blog and talks about my self-caricature and my title “Chief Executive Prankster”.
Every late March and early April, I assume the role of a Chief Executive Prankster, Sun Microsystems Inc. However, I’m not a Chief Executive, just like a “Cookie Cutter” is not a Cookie! There are scores of Chief Executive Pranksters at Sun.
We play pranks on almost anyone, not just CEOs and COOs with real pony tails.

Last April we played a prank on our Chief Executive Officer Scott McNealy with a working implementation of the Big F*ing Web Tone Switch. He often talks about it. It is a big switch – turn it on – you get all the services you need – non-stop – no virus outages.
We have done many things in the past like putting Bill Joy‘s car on water, or converting Scott’s office into a golf course, or playing a “Formula Sun ONE” race, or putting a director in a cardboard box office and even backing out all the cool new features we have added to Solaris 10. There is a prank history museum in the corridors of our Menlopark campus building 17 that houses the remains of the pranks we play at Sun. Check this page for a huge list of more pranks! (Do check the link, it’s great!)

At Sun we do two things: We make the net work and we kick butt and have fun!

Written by chandanlog

20 Aug 2004 at 4:00 am

Posted in General

Cool Solaris Screenshots

with 9 comments

Update: The desktop look and feel on Solaris has improved a lot since this entry.
Here is one of the latest screenshots:


Someone hit my page while searching for “Cool Solaris Screenshots”, though I had not put any screenshot of my desktop on my blog. (I do see the words “Cool”, “Screenshots” and “Solaris” on my blog.) I am sorry to disappoint you, dear visitor – so here I post a “Cool Solaris Screenshot” of the wonderful Java Desktop System that I use.

You can run many desktop environments like CDE, or Gnome or any of the other desktops available on our Solaris freeware site (like KDE and XFce)

You can see a picture of the new Sun Java Workstation, released recently. There is Nautilus, and a picture from Ladakh (courtesy Nagakiran) being edited in Gimp, which sports Sun’s brand colors (blue, yellow and red). The background image gives a realistic feeling that my monitor is a semitransparent glass with a hand at the back!

Update: For the past couple of days there have been a large number of hits to this entry from people searching for Solaris Screenshots (because my site tops the Google search results). That is good. Clearly more people want to see what it feels like to use Solaris, which can run on PCs and laptops and is more stable and secure than Windows. I have put up more screenshots illustrating how cool and customizable the GUI in Solaris is.

This is how CDE (Common Desktop Environment) looks on Solaris.
This is not the default configuration. I have changed the background to a rhino [if you live in India, guess where you may have seen it!].
Customization in CDE (or X11) is so fine-grained through its Xdefaults file that I could change the font and colors of the calendar application’s individual widgets without the calendar application having to do anything for it.

This is a screenshot of the default Solaris GNOME 2 desktop on Solaris 9.

Now this is totally different. It illustrates the power of theming that is built into GNOME 2.6 running on Solaris 10. The theme makes the computer screen look more like a radar screen. Everything is radar-like. I designed the icons myself for fun in SVG. (Read more about them here.) The original icons are colorful. Since they are SVG (the XML standard for scalable vector graphics) I could easily derive new sets of icons with different colors with a Perl one-liner. The GTK widget theme is also radar green where required. It is derived from a high-contrast GNOME theme.
In the background is the map of the world. It makes the screen look bigger and again more radar-like.

For official Java Desktop System screenshots see
For screenshots of the Sun’s new innovative 3D desktop Looking Glass see

Written by chandanlog

19 Aug 2004 at 7:55 am

Posted in Solaris