
Posts

Showing posts from January, 2012

Oracle Support portal: HTML 5 replaces Flash

Oracle Support is upgrading their web interface from Flash to HTML5. I’m happy. I no longer have to twiddle my thumbs waiting for Flash to load:



That was really annoying. The consolation prize was that the Flash UI was still two orders of magnitude faster than the callback from support on a Sev 1, so the Flash interface really didn’t affect MTTR.

My major complaints about the Flash interface were:

Managing Flash plugins on critical data center servers & management infrastructure. Adobe simply has not been able to keep Flash from being exploited, so having to rely on an exploitable plugin for daily operations never made me comfortable. It is really nice to be able to gather data on an incident and upload it directly to Oracle but that meant that the database management infrastructure had to have Flash plugins along with the associated risk/cost of an exploitable plugin.

Slow and unreliable. When I log into the Flash based support site, I typically need to reload the Flash app at l…

50 million Megaupload users…

… have data in danger of being erased. From Daniel Wagner’s AP story, it looks like:

The Feds are done cloning servers. They have what they need. They don’t care.

Megaupload assets are frozen. They might care, but are helpless.

The hosting companies for Megaupload [Cogent|Carpathia] [don’t have access|can’t comment].

Presumably there are legitimate customers of Megaupload who stored stuff that did not stomp all over other people’s copyrights. If so, it sounds like those customers are screwed.

Update Feb 02 2012: Maybe not. Carpathia Hosting and the EFF are stepping up to the plate.

Secret question fail

My credit union switched to a new service provider for online banking and bill paying. The good news is that they’ve chosen a service provider that has a fairly modern looking interface, unlike the 1990s interface of their old provider. Among other things, they no longer use a captcha as a security factor and they now require “the latest versions of Internet Explorer and Firefox […] SSL compliant with 128 bit encryption” instead of IE5 and Netscape 6.2. I keep thinking that old interface was screen scraping a TN3270 session in the background. The new interface at least gives the appearance of having been written this century. They did not set the world on fire with their state of the art authentication though. As far as I can tell, they still think that a secret question is a second authentication factor, and they regressed significantly by prohibiting me from creating my own questions. I used to have a secret question like ‘Who is Z's5.'vYCf!.v/Zu31wkJYjR’ with an answer somet…

“We keep logs as far back, as long as we have had software to keep logs.”

If I’m reading this right, Symantec had a breach in 2006 but didn’t think that the breach was significant. After learning that older versions of their source code were stolen, they re-analyzed the 2006 event from 6-year-old logs (!) and determined that the source was stolen during that incident. The interesting bits:

Nobody that was involved at the 2006 breach is still at the company, but the logs still existed and were sufficiently detailed to reconstruct the event. That’s really impressive.

Presumably whoever stole the source could have been busy writing bots that were undetected by Symantec AV. I don’t know that to be the case, but it certainly is possible. Owning the source code for an AV product would certainly be a competitive advantage for a bot-maker.

Symantec’s advice to shut off pcAnywhere is interesting. It’s not the usual advice you get from companies with exploitable software. Oracle has never asked us to shut off their unbreakable databases.

It’s broken, shut it off.