February 2003 Archives

Cool Site of the Year


I have discovered one of the coolest sites I've ever seen. It is an online encyclopedia called WikiPedia.

It is easy to spend hours reading its contents, drifting from one link to the next, as you explore its wealth of information.

WikiPedia has several unique features: the site is a Wiki, and is thus editable by anyone, enabling the widest possible collaborations. Second, the contents are licensed under the GNU FDL, to ensure it remains free (as in Freedom) to everyone in perpetuity.

All I can say is: go have a read! It is very addictive. I plan to start contributing some articles soon.

A wish for Peace


Reading the Dhammapada (verses of wisdom from Buddha), I came across this verse which feels appropriate, as the world prepares for a war:

"Hatred is never appeased by hatred in this world. By non-hatred alone is hatred appeased. This is a law eternal."

Sand and sun


Recently I went on a holiday. The first holiday in what seems like a very long time...

I spent an entire week at a friend's holiday house by the bay. It was so relaxing...

We awoke in the morning, had breakfast, then went to the beach. Swim, walk, relax, talk... then lunch, then usually a short drive to the surf beach a little further south. And then -

Wave jumping, more swimming, body surfing, sandcastles, and even more swimming.

And every night when we got back to the flat, we would cook a completely new recipe that we'd never tried before. And - fortunately - they were all good!

Aside from all the swimming and relaxing, I got in quite a bit of reading. And one of the best things about the trip was that for an entire week, I was so free...

I was free from email, telephones, mobiles, interruptions, seminars, support calls, dumb questions, bills and spam.

I was also free in that I walked around in bathers and a t-shirt, with no watch or phone or wallet - no possessions weighing me down. Well, apart from my hat and sunglasses, which were essential given the weather!

I resolved to make a few changes after that trip - it was more than just a quick getaway; I learned a few things, in the book and without...

Gotta love it...


For the first time in about a year, I have started writing some serious C++ code.

I was reminded why it had been so long...

I have been using Java, Python and C primarily, and for the past year Python is by far my preferred language.

I had actually forgotten how painful C++ can be to use, not to mention unproductive. The cryptic cascade of error messages any time you breathe on code that uses templates... The senseless duplication (and ensuing maintenance problem) of class declarations in headers and definitions in source files... The screwing around with Makefiles and paths... The extra verbosity...

With the number of problems I've had just writing some simple code, deciphering the errors, fighting with CMake (and its woeful documentation), and all the other problems of paths and so on, I've achieved very little.

I think I must have been spoiled by Python et al. I am definitely about 20 times more productive with it than in C++. But I have been doing a reasonable amount of C, and for some reason C doesn't seem to be quite as painful.

I think it's quite clear that the extra effort of writing wrappers for library code is definitely worth it, for all the benefits you get. Perhaps this needs to be expanded in an article...

Everyone is getting Slammed...


I don't think anyone could have missed the Slammer worm that recently dealt a devastating blow to the Internet.

It attacked Microsoft SQL Server installations, and apparently the embedded DBE in other office apps like Visio if you listen to some people. A patch for the vulnerability was released a good 6 months ago, which means the vulnerability was even older. There is some good coverage at ZDNet with more details.

But I have a burning question...

How on earth did it really happen?

We know that the worm propagated itself by sending UDP packets as fast as it could to random IP addresses.

Does anyone else think it is strange that there are thousands and thousands of database servers that are open and exposed to the outside internet???

Pick any decent network security book and they will describe how public-facing servers should be in a DMZ, while db servers and other important boxen should be behind an internal firewall.

If these servers were really firewalled off properly, they wouldn't be listening on a real public IP address. The firewalls wouldn't be allowing outgoing traffic on ports that should only be permitted internally.

This should never have happened!

Of course, that is terribly easy to say... but honestly, everyone has been yelling about keeping up with patches. What about security in depth? If we rely solely on keeping patches up to date, there will always be a window of vulnerability where Murphy can strike. If people followed some basic security guidelines (such as the principle of least privilege) then this outbreak would have been contained.

If people had firewalled incoming traffic, it should not have been able to propagate into someone's network - after all, it was a UDP packet on an unusual port. And if egress filtering was in place, it should not have propagated out. The damage should have been limited to within a network, and been much easier to contain.
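To make the containment argument concrete, here is an added example (not from the original post) of a toy policy evaluator for the two-tier layout the post describes: public web servers in a DMZ behind a border firewall, database servers on an internal segment behind a second firewall, and default-deny rules in both directions. The address ranges, host roles and rule set are constructed for the example; the ports are assumptions not stated in the post (UDP 1434 is the SQL Server Resolution Service port the worm targeted, TCP 1433 the default SQL Server port). Only flow-initiating packets are evaluated, so stateful return traffic is out of scope.

```python
"""Toy two-firewall policy evaluator: border (internet <-> DMZ) and
internal (DMZ <-> internal segment), both default-deny, with egress rules.
Added example; addresses, hosts and rules are constructed, not from the post."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan (documentation ranges, assumption not from the post).
DMZ = ip_network("192.0.2.0/24")        # public-facing web servers
INTERNAL = ip_network("10.10.0.0/16")   # database servers and other internal boxes

SQL_RESOLUTION_UDP = 1434   # assumed: UDP port the worm probed
SQL_TCP = 1433              # assumed: default SQL Server TCP port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: Optional[object]         # ip_network or None (any)
    dst: Optional[object]         # ip_network or None (any)
    proto: Optional[str]          # "tcp", "udp" or None (any)
    dport: Optional[int]          # port or None (any)

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or ip_address(p.src) in self.src)
                and (self.dst is None or ip_address(p.dst) in self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def first_match(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls to the default deny."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default


# Border firewall: only web ports inbound to the DMZ; nothing else in or out.
BORDER_RULES = [
    Rule("allow", None, DMZ, "tcp", 80),
    Rule("allow", None, DMZ, "tcp", 443),
]

# Internal firewall: only the web tier may reach the DB tier, and only on the
# SQL TCP port. No rule permits the internal segment to initiate outbound flows,
# so the default deny acts as egress filtering.
INTERNAL_RULES = [
    Rule("allow", DMZ, INTERNAL, "tcp", SQL_TCP),
]

FIREWALLS = {"border": BORDER_RULES, "internal": INTERNAL_RULES}

# Firewalls a new flow crosses, in order, for each (source zone, destination zone).
PATHS = {
    ("internet", "dmz"): ["border"],
    ("internet", "internal"): ["border", "internal"],
    ("dmz", "internal"): ["internal"],
    ("dmz", "internet"): ["border"],
    ("internal", "dmz"): ["internal"],
    ("internal", "internet"): ["internal", "border"],
}


def zone_of(addr: str) -> str:
    a = ip_address(addr)
    if a in DMZ:
        return "dmz"
    if a in INTERNAL:
        return "internal"
    return "internet"


def evaluate(pkt: Packet):
    """Return (verdict, firewall_that_blocked) for a flow-initiating packet.
    Same-zone traffic crosses no firewall and is therefore allowed."""
    for fw in PATHS.get((zone_of(pkt.src), zone_of(pkt.dst)), []):
        if first_match(FIREWALLS[fw], pkt) == "deny":
            return ("deny", fw)
    return ("allow", None)


# Constructed sample flows modelled on the post's description of the worm.
SAMPLES = {
    "worm probe from internet to internal db": Packet("203.0.113.5", "10.10.5.20", "udp", SQL_RESOLUTION_UDP),
    "worm probe from internet to dmz web host": Packet("203.0.113.5", "192.0.2.10", "udp", SQL_RESOLUTION_UDP),
    "infected internal db spraying the internet": Packet("10.10.5.20", "198.51.100.77", "udp", SQL_RESOLUTION_UDP),
    "infected internal db hitting a neighbour": Packet("10.10.5.20", "10.10.5.21", "udp", SQL_RESOLUTION_UDP),
    "legitimate public web request": Packet("203.0.113.5", "192.0.2.10", "tcp", 80),
    "web tier query to db tier": Packet("192.0.2.10", "10.10.5.20", "tcp", SQL_TCP),
}


def run_samples():
    """Evaluate every sample flow and return {label: (verdict, blocked_at)}."""
    return {label: evaluate(pkt) for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, (verdict, where) in run_samples().items():
        print(f"{verdict:5} {'at ' + where if where else '':12} {label}")
```

The fourth sample is the one the post concedes: a host already infected can still reach its neighbours on the same segment, because no firewall sits between them. That is exactly the "limited to within a network" outcome the post argues for, as opposed to an unfiltered server on a public address spraying the whole internet.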

So why were there so many MS SQL servers sitting, listening on public IP addresses? Some people never learn...