TriNetre - The Third Eye

(no longer updated)




October 26, 2005
Over and out
 [Personal] @ 12:54 AM

For the last couple of days you may have noticed a marked increase in the frequency of posts on TriNetre. That was me trying to reach the 1000 post milestone before I ran out of steam. Then, a couple of minutes ago something dawned on me - If it has come to a state where I have to struggle, maybe it was not worth it!

So, here I am, going to do something that I have (strangely) been longing to do for some time now - bid adieu. Rest assured, unlike last time there will be no resurrection :)

A big "Thanks" to all of you for all the comments, trackbacks and lively discussion. It was fun!



October 25, 2005
Most Americans think God created humans
 [Society] @ 11:45 PM

Most Americans do not accept the theory of evolution. Instead, 51 percent of Americans say God created humans in their present form, and another three in 10 say that while humans evolved, God guided the process. Just 15 percent say humans evolved, and that God was not involved. (CBS News)

Why do I not find this surprising?



TV vs Book
 [Musings] @ 03:38 PM

Via kottke.org remaindered links weblog I came across this beauty - Lone Star Statements, select one-star reviews from Amazon of books on Time magazine's list of the 100 best English language novels since 1923.

Reading through the 'reviews' I was chuckling along until I read the review of 'Lord of the Flies' by William Golding that went:

I am obsessed with Survivor, so I thought it would be fun. WRONG!!! It is incredibly boring and disgusting. I was very much disturbed when I found young children killing each other. I think that anyone with a conscience would agree with me.

We had to study this book for our +12 ISC English course, and hence this comparison between Golding's great work and Survivor dealt a harder blow than the rest of the reviews. I cannot even begin to express why comparing the two is wrong, at so many levels.

That brings me to the point of this post: are crap TV shows and movies spoiling the appreciation of literature? Living a busy life, do we no longer seem to have the time to read books and ponder the finer points the author is trying to guide us to, especially when capsulized, easily digestible visual substitutes (or so they seem) are available?

If you want to compare Lord of the Flies, compare it to Battle Royale. At the least, the movie does show that all visual medium products are not crap :)



'Watermark' word in dictionary
 [Security] @ 02:44 PM

You must have heard of videos being watermarked and fingerprinted to trace the source of leaks. Now, it turns out that New Oxford American Dictionary had inserted a non-existent word to trace copying of materials from the dictionary.

A call was placed to Erin McKean, the editor-in-chief of the second edition of NOAD. Upon being presented with the majority opinion, McKean confirmed that "esquivalience" was a fabricated word. She said that Oxford had included it in NOAD’s first edition, in 2001, to protect the copyright of the electronic version of the text that accompanied most copies of the book. (The New Yorker)


Privacy policy
 [Website] @ 11:49 AM

A couple of days ago, someone emailed me asking whether Srijith.Net had a privacy policy statement! I had always thought of my site as being small enough to escape without having a privacy policy.

But then I thought, why not? So now I have a slightly somber privacy policy of Srijith.Net



Karl Auerbach
 [Technology] @ 11:14 AM

Anyone who has even a passing interest in issues of Internet governance should follow Karl Auerbach's blog. His recent post "Forgotten Principles of Internet Governance" is a must-read.



Andy announces Minix 3
 [Software] @ 12:50 AM

My supervisor Andy Tanenbaum has announced the release of Minix 3 along with a cute little mascot!

While loosely based on MINIX 2, in many ways it is fundamentally different from its predecessors. It is extremely compact, modular, and designed for very high reliability. The total amount of code running in kernel mode is under 3800 lines (vs. 2.5 million for Linux). Each device driver runs as a separate user-mode process under the supervision of a reincarnation server. If a driver crashes or gets into an infinite loop, the reincarnation server kills it and starts a fresh copy, without rebooting the operating system and without affecting running processes. MINIX 3 has a small memory footprint (it runs in 8 MB with tweaking) and may be suitable for embedded systems as well as PCs. Yet it is quite powerful and comes with over 300 popular UNIX utilities, including two C compilers, emacs, vi, and much more.

It is available as LiveCD and even as VMware image!

Just to clarify, I am not working on Minix 3, though I gave input on the 'qualities' of a raccoon, some of which made it to the short list - 'small, agile, cute, clever, and eat bugs' :)



October 24, 2005
Deleted post on MT mail flaw
 [Software] @ 09:15 AM

More than a year ago, I had reported a small flaw in the way MovableType uses Sendmail to send emails. At that time, I had taken down the post at the request of Six Apart. Recently I was going through my list of draft posts, saw this post and decided to publish it. So, here is the post that was briefly online on March 26, 2004.

MovableType (MT) does not use the '-oi' parameter when calling Sendmail, thus making it possible for a malicious user to prematurely terminate the body of the email notifications sent by the system.

Affected software description

From the software website:

Movable Type is Six Apart's powerful, customizable publishing system which installs on web servers to enable individuals or organizations to manage and update weblogs, journals, and frequently-updated website contents.

Affected software version

Any version up to 2.661 that uses the Sendmail code path in the Mail.pm Perl module to send emails from the MT system. The author has tested it on the latest (at that time) version of Movable Type, 2.661.

Am I vulnerable?

If you are using Movable Type 2.661 or an older version and have configured the weblog to use Sendmail for sending notifications, you are. To check whether you are using Sendmail, open up the configuration file 'mt.cfg' and search for the line 'MailTransfer smtp'. If this line is commented out, or if instead the line reads 'MailTransfer sendmail', you are using Sendmail and you are vulnerable.

Details of Vulnerability

The vulnerable code exists in the file "base_dir/lib/MT/Mail.pm", which provides support for sending email notifications. Among other things, Mail.pm is used to notify the blog owner when a new comment or trackback is received, and by a normal user to send reading recommendations. If the weblog is configured to use Sendmail as the backend for sending the emails, a vulnerability exists in the Mail.pm code which allows a malicious user to prematurely terminate the message after the content he dictates has been sent.

Sendmail treats a line consisting of a single dot as the end of the email's body. Thus, if a comment posted on the weblog by a user (malicious or otherwise) contains a dot on a line by itself, the content above that line will be sent as the email content, while the content below it will not be sent, but will still be stored in the MT database as part of the comment. A similar issue exists with the text of trackbacks received from other weblogs.

How can the vulnerability be exploited?

A lot of weblog owners using MT rely on comment notifications to keep track of the content of the comments posted. This in turn helps them decide whether a new comment is unwanted (spam or in bad taste) and should be deleted. A spammer or a malicious user could exploit this dependence on email notification by placing the offending part of the comment after a dot-on-its-own-line sequence, while keeping the part before the sequence civil. This advisory does not give an example of such a comment (even though it is trivial to make one), so as to prevent curious users from testing it on other blogs.

A side effect of the exploit mentioned above is that MT-Blacklist's "Search & De-spam mode" capability is nullified. MT-Blacklist provides this feature by including a link in the comment notification email. From the MT-Blacklist website:

If you have comment notifications turned on, you will see a link on the bottom of the email. On the resulting page, you can delete the submission, rebuild the entry and related pages and add all or any of the extracted URL strings to your blacklist. After execution, you can also search for other submissions matching your newly updated blacklist or the last submitter's IP address. This feature makes cleaning spam out of your blog a quick and painless task.

However, since this URL is placed in the email after the comment body, using the previously mentioned exploit, the malicious user can prevent the URL from being printed in the email. Even if the author of MT-Blacklist changes his code to place the URL above the comment body, since the blog owner will not see the offending comment in his email, he might not use the "Search & De-spam" provided by the URL.

Similar exploits are possible through malicious use of MT Trackback and mt-send-entry.cgi.

Possible Solution

Call Sendmail with the '-oi' parameter in addition to the existing '-t'. Edit base_dir/lib/MT/Mail.pm (MT v2.661) and change line number 88 from the present:

exec $sm_loc, "-t" or

to

exec $sm_loc, "-oi", "-t" or

After editing, save the file. That is it.
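The truncation described above and the effect of the '-oi' fix, as an added example that is not part of this advisory or of Movable Type's own code: a Python model of how sendmail reads a message from standard input with and without '-oi' (a model of the documented behaviour, not a call into sendmail), a defender's check over stored comments for ones whose notification would have been cut short by an unpatched Mail.pm, and a check of the Mail.pm exec line for the fix. The sample comment, the notification layout, the addresses and the de-spam URL are constructed for the example.

```python
import re

def sendmail_stdin_model(message: str, oi: bool) -> str:
    """Return the part of `message` that sendmail would accept from stdin.

    Without -i/-oi, a line consisting of a single dot ends the input and
    everything after it is dropped.  With -oi the dot is ordinary text and
    the whole message is read.  This models the documented behaviour; it
    does not invoke sendmail.
    """
    if oi:
        return message
    kept = []
    for line in message.split("\n"):
        if line == ".":
            break
        kept.append(line)
    return "\n".join(kept)

def build_notification(comment_text: str, despam_url: str) -> str:
    """Constructed notification layout: comment body first, MT-Blacklist
    'Search & De-spam' link at the bottom, as the advisory describes."""
    return ("To: owner@example.invalid\n"
            "Subject: New comment\n"
            "\n"
            "A new comment was posted:\n"
            "\n"
            + comment_text + "\n"
            "\n"
            "Search & De-spam: " + despam_url + "\n")

def delivered_notification(comment_text: str, despam_url: str, oi: bool) -> str:
    """What the blog owner actually receives for a given comment."""
    return sendmail_stdin_model(build_notification(comment_text, despam_url), oi)

# A dot alone on a line (optionally with a CR before the LF).
LONE_DOT = re.compile(r"(?m)^\.\r?$")

def comments_with_truncated_notifications(comments):
    """comments: iterable of (comment_id, text).  Returns the ids whose
    notification email would have been cut short by an unpatched Mail.pm,
    so the owner can review them in the MT admin interface instead."""
    return [cid for cid, text in comments if LONE_DOT.search(text)]

# Matches the exec line quoted in the advisory: exec $sm_loc, "-t" or ...
EXEC_LINE = re.compile(r'exec\s+\$sm_loc\s*,\s*(.+?)\s+or\b')

def mailpm_exec_is_patched(mailpm_source: str):
    """True if the sendmail exec line passes -oi (or -i), False if not,
    None if no such exec line is found in the given source text."""
    m = EXEC_LINE.search(mailpm_source)
    if not m:
        return None
    args = re.findall(r'"([^"]*)"', m.group(1))
    return "-oi" in args or "-i" in args

# Constructed sample comment: a civil first line, a lone dot, then text that
# an unpatched notification would never show the owner.
SAMPLE_COMMENT = "Thanks for the write-up!\n.\n[text hidden from the notification]"
SAMPLE_URL = "http://blog.example.invalid/mt-blacklist.cgi?id=1"

if __name__ == "__main__":
    for oi in (False, True):
        print(f"--- sendmail {'-oi ' if oi else ''}-t ---")
        print(delivered_notification(SAMPLE_COMMENT, SAMPLE_URL, oi))
    print(comments_with_truncated_notifications([("c1", "Great!"), ("c2", SAMPLE_COMMENT)]))
    print(mailpm_exec_is_patched('exec $sm_loc, "-t" or'))
    print(mailpm_exec_is_patched('exec $sm_loc, "-oi", "-t" or'))
```

Run as a script it prints the notification as delivered before and after the fix; without '-oi' both the hidden part of the comment and the de-spam link are missing, with '-oi' the whole message arrives. The comment scan is the check a blog owner would run over the MT database after patching, to find comments whose notification was silently cut short.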

Full Disclosure Policy

This vulnerability is being reported following the Full Disclosure Policy (RFPolicy) 2.0.

[Update] I forgot to mention that I have already patched my code and disabled the mt-send-entry.cgi file (a long time ago). So, please refrain from testing the bug on my installation.



October 23, 2005
Investigative bloggers, quick question
 [Misc.] @ 10:07 PM

Recently, I have been seeing bloggers investigating the IIPM 'incident' post stories containing email exchanges between them and faculty members and other individuals related to IIPM via seminars etc. The latest among these is the email exchange between a blogger and Dr. J.F. Collier. The question I want to raise is the ethics of quoting personal communication like email in one's posts/articles without obtaining prior permission from the other party.

While I have no authority to say it is wrong to do this, from a personal ethical point of view I find the practice a bit unsettling, especially since the original email intentionally hid the fact that it was part of digging up mud about IIPM.

I like everything under the sun about IT ethics and corporate responsibility..

says the author, but was he ethical in quoting a personal email in his website without permission?



October 21, 2005
Flocking and Pressing
 [Software] @ 01:39 AM

So, here I am running this new super sekreet Flock (nope not that way, I really got an email 'invite') and scratching my head, trying to decide whether to admit that some 'developer releases' are just not for me.

Mind you, I am not someone who shies away from alpha products, having used Firefox from its 0.1 days. Flock sure does have some extra features over a default install of Firefox, but for someone who does not use del.icio.us and Flickr, what extra juice can it give? It plainly refused to recognise TriNetre's XMLRPC interface by default (they say they know about the bug), but even if it did, I really don't see myself using another popup window to compose my posts. I have no problem opening my MT admin interface and posting in a normal browser window.

While clicking around, I noticed that using Flock referral, I can get a Wordpress.com account. Cool! At least this should be worthwhile, or so I thought. For someone used to the power of a locally installed WordPress, Wordpress.com just does not cut it (I know, I know, it was never meant to). I spent 15 minutes trying to decide on a simple no-nonsense template and just could not find one. You can't install a new theme nor can you edit the existing ones to suit your needs. Oh well, one account wasted. Sorry WordPress.com

By the way, if I ever lay my hands on the person who enabled SVG support in the Firefox 1.5 series, I'll make him stand next to my laptop while Firefox is rendering SVG. At 76C CPU temperature, I have a feeling he/she will feel the heat!



October 20, 2005
PublicGyan on GigaOm
 [PublicGyan] @ 10:44 PM

Om Malik links to TIME's mention of PublicGyan in his GigaLink section. He had talked about us a couple of days earlier too. Thanks Om!



Show me the breathalyser code
 [Humour] @ 08:51 PM

Next time you get caught for drunk driving and fail a breathalyser test, challenge the working of the breathalyser and tell the judge that you want to see the source code of the system! That is what 150 defendants are asking for in Florida, reports Vunet (via digg.com).

Can this logic be used by defeated candidates to open up voting machines too? Tempting thought eh?



Flock
 [Security] @ 07:47 PM

Interesting, Flock is available on a couple of torrent networks. The question that anyone who plans to download and use Flock from there should ask themselves is: "How much malware is the exe contaminated with?"



x.0
 [Musings] @ 05:34 PM

In dealing with software I usually follow a very simple rule: don't install an x.0 release if you really, really rely on the software to work all the time, be it the kernel, gcc, Gnome, KDE, whatever. A lot of others I know, who have been bitten quite badly by the instabilities of an x.0 release, subscribe to that view.

Imagine my surprise when people started calling all these 'new' technologies floating around collectively as Web 2.0.

Maybe I should wait for the first bug release?



Hilarious IIPM 'photo essay'
 [Humour] @ 03:11 PM

I have not used the expression 'ROFL' for a long time, but this photo essay on IIPM deserves it! (via DesiPundit)