Thushan Fernando Uncut

Well its been a heavy week on the security front, first up is a Linux root exploit for 64bit Machines.

A vulnerability in the 32-bit compatibility layer for 64-bit systems was reported. It is caused by insecure allocation of user space memory when translating system call inputs to 64-bit. A stack pointer underflow can occur when using the “compat_alloc_user_space” method with an arbitrary length input.

What does that mean? Essentially, some sanity checks in the compat_alloc_user_space function to check the length and ensure that the pointer to the block of memory is within the user-space of the process is valid was missing. The fix has already been committed but if you are running any x64 versions of Linux, make sure you update your Kernel – especially now that the exploit code is publicly available!

Read up on the exploit by Jeff Arnold from Ksplice and use this very useful CVE-2010-3081 high-profile exploit detection tool to determine if you’re boxens are already compromised.

Of particular note from his article is the breadth of exploitable distributions – see the references below for vendor specific information:

This vulnerability was introduced into the Linux kernel in April 2008, and so essentially every distribution is affected, including RHEL, CentOS, Debian, Ubuntu, Parallels Virtuozzo Containers, OpenVZ, CloudLinux, and SuSE, among others. A few vendors have released kernels that fix the vulnerability if you reboot, but other vendors, including Red Hat, are still working on releasing an updated kernel.

After downloading and running the tool under a non-sudo account, you should cheerfully get the following output.

thushan@dingo:~/tmp$ ./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)

$$$ Kernel release: 2.6.32-23-server
!!! Not a RHEL kernel, will skip LSM method
$$$ Backdoor in LSM (1/3): not available.
$$$ Backdoor in timer_list_fops (2/3): checking...not present.
$$$ Backdoor in IDT (3/3): checking...not present.

Your system is free from the backdoors that would be left in memory by the published exploit for CVE-2010-3081.
thushan@dingo:~/tmp$

If not, its time to put those security drills into action!

References

• Redhat – https://access.redhat.com/kb/docs/DOC-40265
• CentOS – http://lists.centos.org/pipermail/centos/2010-September/099268.html
• Ubuntu – http://www.ubuntu.com/usn/usn-988-1
• Debian – http://security-tracker.debian.org/tracker/CVE-2010-3081

The moment we’ve all been waiting for, the final release of the Windows Phone 7 SDK has been released! What are you waiting for, go download it and try out some cool things!

No Visual Studio installed? Not an issue, it comes with the Express edition of VS2010 and Expression Blend 4 for Windows Phone as well as XNA and Silverlight tools for Windows Phone and an emulator – all for free too!

For more information, see ScottGu’s great post about it!

Earlier today, we had the announcement for OpenIndiana. Aimed to be the de-facto OpenSolaris Distribution that tries to be binary and package compatible with Solaris 11 & Solaris 11 Express. Its apart Illumos Community with 20 core developers providing (eventually) a stable branch with 100% free & open source distribution.

Not only that, you can also download a ready baked OpenIndiana distribution (based on ou_147) or if you’re like me and still using OpenSolaris DEV snv_134, you can upgrade via the IPS management tools. Having said that though, I’m not going to rush and upgrade my zeus box anytime soon as it will take time to settle in, but you can take the baked ISO’s for a spin in a VM I have found a few references to OpenSolaris still there and there is currently no xVM Xen (dom0) support nor lx (Linux) branded zones. Not to worry, keep an eye out on the roadmap and release schedule for what they’re going to deliver.

You can get a copy of the OpenIndiana announcement presentation slides as well or follow @openIndiana on twitter. Otherwise, see the Getting Involved guide on the OpenIndiana Wiki and join in!

In a way, its good to know that the beloved OpenSolaris will still live – thanks to the community, but at the same time, how long that community will be turned on by developing and maintaining it will be interesting – though other forks of OpenSolaris are backing it (via Illumos) – like Nexenta and Schillix which has just released a version based on Ilumos. All in all, WATCH THIS PROJECT!

Free ebook compliments of Microsoft Press, you can download a PDF. or an XPS of the book and grab the book’s sample code.

The book is broken down into these parts  catering for the following audiences:

• Part I – for those moving from Visual Studio 2003 to Visual Studio 2010.
• Part II – for developers moving from Visual Studio 2005.
• Part III – for developers moving from Visual Studio 2008.

See the blog post about the target audience for this ebook too.

With the release of the final Windows Phone 7 SDK just days away, now’s the time to get into understanding the concepts, architecture & development side of Windows Phone 7. There’s an interesting series posted on Channel 9 to hep you get there.

This Windows Phone 7 Jump Start video training is for all developers interested in developing applications or games for the new Windows Phone 7 Platform.  The course is based on the Microsoft Windows Phone 7 Developer Training Kit and taught by Microsoft MVP’s and Microsoft Press Authors, Andy Wigley and Rob S. Miles.  Watch these entertaining sessions and complete the labs found on Channel 9 (http://channel9.msdn.com/learn/courses/WP7TrainingKit/) to gain development skills using both XNA and Silverlight. For copies of the student files and links to demo code, you can go to the Windows Phone 7 Born To Learn Forum (http://borntolearn.mslearn.net/wp7/m/classresources/default.aspx).

• Session 1: Introduction
• Session 2: Building a Silverlight Application, Part 1
• Session 3: Building a Silverlight Application, Part 2
• Session 4: Building Games for the Windows Phone 7 Platform
• Session 5: Building XNA Games for the Windows Phone 7 Platform, Part 1
• Session 6: Building XNA Games for the Windows Phone 7 Platform, Part 2
• Session 7: Advanced Application Development, Part 1
• Session 8: Advanced Application Development, Part 2
• Session 9: Advanced Application Development, Part 3
• Session 10: Marketing Your Windows Phone 7 Application
• Session 11: Working with Media
• Session 12: Final Silverlight Topics and Wrap-Up

Enjoy – the ! I’ll be posting about my own adventures soon!

An interesting article tracking The Death and Rebirth of Duke Nukem Forever was posted on ArsTechnica recently, well worth a read – or at least a watch of the trailer from 1998!

Here’s to hoping 2011 is the year of the Duke. Hail to the king baby!

As promised, here are some of the (Microsoft) developer events happening down under.

CodeCampOz (Wagga-Wagga)

When / Where:
20-21st of November 2001 / Charles Sturt University Wagga Wagga | Map | How to get there.

Cost: Free of charge | See the CodeCampOz FAQ

Accommodation: See Charles “Chuck” Sterling‘s list of accommodation places!

Registration: http://codecampoz2010.eventbrite.com/

Agenda:

• Saturday – 20th November
  
  • 0800: Welcome & Housekeeping
  • 0830: Domain Driven Design with Entity Framework 4.0 (Omar Besiso)
  • 0930: Developing with Microsoft Commerce Server 2009 R2 (Lewis Benge)
  • 1030: Morning Tea
  • 1100: Extending Office with VSTO (Jake Ginnivan)
  • 1200: Magellan – a navigation framework for WPF (Paul Stovell)
  • 1300: Lunch
  • 1400: HTML 5.0, the useful bits – what you can use now! (Alex Mackey)
  • 1500: Afternoon Tea
  • 1530: Real World Unit Testing & Future (Rajitha Aththanyake)
• Sunday – 21st November
  
  • 0800: Welcome & Housekeeping
  • 0830: Windows Azure Compute for Developers (Steven Nagy)
  • 0930: Windows Phone with Silverlight (Nick Randolph)
  • 1030: Morning Tea
  • 1100: Not a WIF of Federation (Rory Primrose)
  • 12:00: Behaviour Driven Development with StoryQ (Liam McLennan)
  • 13:00: Lunch
  • 1400: Battle of the Containers (TBA)
  • 1500: Afternoon Tea
  • 1530: Team Build Patterns & Practices (Mitch Denny)
  • 1630: Wrap-up

Windows Phone 7 Deep Dive (Melbourne/Sydney/Adelaide/Brisbane)

When / Where

• Melbourne: 20th-21st September | Register Now >
  • Exhibition Room| Level 5, 4 Freshwater Place, Southbank VIC 3006 | Map

• Sydney: 23rd-24th September | Register Now >
  • Exchange |  1 Epping Road North Ryde Sydney, NSW 2113 | Map

• Adelaide: 27th-28th September | Register Now >
  • Board Room | Level 26, Santos House, 91 King William Street Adelaide SA 5000 | Map

• Brisbane: 29th-30th September | Register Now >
  • Theatre 2 | Level 9, Waterfront Place 1 Eagle Street Brisbane QLD 4000 | Map

Cost: Free of charge

Registration: See Dave Glover’s blog post.

Please bring your laptop with you on the day.

Agenda:

Day 1
•    9.45am registration for a 10am start
•    Session 1: Introduction and Windows Phone User Experience Overview
•    Session 2: Animation, Orientation and Overlays
•    Session 3: Application Lifecycle, Navigation, Application Tiles and Notification
•    Session 4: Tasks and Touch
•    Session 5: Working with the Accelerometer, Sounds and Location
•    5.30pm close

Day 2
•    9.15am registration for a 9.30am start
•    Session 6: Connecting and Consuming the Web
•    Session 7: Retrieving, Storing and Synchronizing Data
•    Session 8: Silverlight Analytics, Unit Testing and other Frameworks
•    Session 9: Security, Authentication and Performance
•    5.30pm close

Workshop information

Are you interested in Windows Phone 7 Development? Are you keen to get ahead of the competition to create apps for the Windows Phone 7?
Windows Phone 7 is a fresh exciting mobility platform and potentially a land of opportunity for killer apps! These workshops are designed to take your skills to the next level beyond the online training kits and helps you explore some more complex scenarios.

Prerequisites

You need Silverlight/WPF, C# .NET Framework skills and you should have completed a subset of hands on labs from the following:
•    Windows Phone 7 Training Kit
•    Windows Phone 7 Jump Start Training
•    Windows Phone Design Day Recordings

Instructor

The workshop will be run by Nick Randolph from Built to Roam.

Well its been a while since I last posted, but I’m still here. Infact I’ve just realised that xkcd has stolen my plans for world domination.

I’m only kidding, what would I do with all that information? I have enough princes offering me the opportunity to help them move money out of West Africa! Alas, OpenSolaris is now dead (RIP dear friend), we’re eagerly awaiting word of OpenIndiana and The Illumos Project to see where things are going to go. The Android momentum has picked up and Windows Phone 7 is just around the corner!

I’ve also changed my jobs and now I’m working for Readify as a Senior Developer. A company full of talented bright people (the author of Autofac or Paul Stovel of Magellan fame for instance) & skills in so many different areas I’m ashamed to be even be seen in the office – which is a great thing because we’re a mobile office (some day!). You might even see me at a few local Australian developer events now and I’ll be sure to advertise them when I come across any.

Essentially, its back to the days of being more involved with the developer community, times have changed since Developerfusion (for one, we have StackOverflow) and getting into up and coming technology – which this time around is Windows Phone 7. So I’ll be starting a series of posts on Windows Phone 7 as well as Android soon.

From The IT Crowd Season 4 Episode 5 – Bad Boys.

Quick note that the official release of Froyo (Android 2.2) is finally trickling down to Google Nexus One users. You’ll get it by the end of the week if not already. You can also download the officially signed release and update via your SD card alternatively.

UPDATE (01/07): The link above is for updating from the Google-IO Froyo release to the final.

The full OTA release is here:
http://android.clients.google.com/packages/passion/signed-passion-ota-42745.dc39ca1f.zip

The update from Froyo Google-IO to Froyo-OTA:
http://android.clients.google.com/packages/passion/signed-passion-FRF83-from-FRF50.38d66b26.zip

1. Rename the signed ZIP file to “update.zip” and upload it to your SD Card.
2. Power off your Nexus device.
3. Turn it on with the “Volume Down” button pressed.
4. When the boot loader appears, select “Recovery” using the Volume Up/Down keys to navigate and the Power button to select.
5. Once the Nexus has rebooted, the screen will display an exclamation mark with Android. Press and hold down Power and Volume Up, it’ll take a bit of time to register.
6. Navigate to “Apply SDCard:update.zip” and wait for the verification to complete and flash your phone.
7. After a bit of time the phone will reboot and launch your cultured Froyo release.
8. Verify by going to Settings > About Phone. The build number should be FRF83.
9. Bon Appetit!

As mentioned in my previous post from a couple of months back, this release packs a bit of punch! Yum!