Tuesday, February 14, 2006

Oracle official blogs

Oracle included a new section listing weblogs of employees/executives and other non-Oracle employees who blog about Oracle technologies.

It's interesting to note who's there and who's not. For example, no links to Burleson Consulting (e.g. Mike Ault, Don Burleson, Robert Freeman) but other notables are Jeff Moss of Oramoss. Technically, Jonathan Lewis's site is not a blog so that's not included. Another thing to note is that Tom Kyte, even though he's a Vice President, is not considered to be part of the Oracle Executives.

I think it's a great start for folks wanting to connect with all the various personalities that make up the Oracle community, and hopefully the list of blogs will grow as more and more Oracle professionals take the plunge and start blogging.

Monday, February 13, 2006

Security/Privacy on the Net

I promised to write about one of the sessions that I attended at the Security & Privacy conference last week. This particular one was put on by a lady by the name of Linda from Microsoft. She's in charge of product safety and her topic was on how products are not designed to provide the user community with safe usage. For example, lots and lots of folks are blogging on the Net but yet privacy/security does not seem to be integrated with the various tools.

As an example, she showed how quickly she can identify and pinpoint the identity and location of a specific blogger just from information posted on that person's blog. In just about 9 minutes, she was able to identify the full name, address, telephone number, high school and close friends of this female teenager who had posted a couple of pictures on her blog. Of course Linda did not publish the information but rather had blacked out the sensitive information. This is of course quite scary as someone else who has other intents could also track down the teenager. The teenager and family were contacted and shown how she still can blog and yet still remain anonymous. This is in no way restricted to kids and teenagers. Linda went on to another case of a 47-year-old woman who wrote too much personal information and this time, it only took 2 minutes to track her down.

Bottom line: If you are blogging or know people who are blogging, please do a review before publishing to see whether there is a risk of unknowingly providing more information than you intend, which could come back and haunt you. There is also the possibility that people you know would publish information about you, for example by posting photos.

If you are interested in seeing the presentation as well as others from the Security & Privacy conference, check out the following site. NB: Presentations will be available March 1/2006.

Thursday, February 09, 2006

Recently I blogged about the fact that George W Bush has signed into law a bill that has implications for anonymous posters/bloggers (see New US law slipped through under unrelated bill). Today ZD News has an article on a service provider filing a lawsuit to challenge this particular legislation, Lawsuit challenges new 'e-annoyance' law.

Anyhow, I'm at a Security and Privacy conference this week and one of the more interesting presentations was Microsoft's on "Safety on the Internet" as it pertains to kids. I will try and post more details on this as I get time but it sure opens up your eyes to the "innocent" blogging and revelation of details where information about ourselves, family, and friends.

Ciao.

Friday, February 03, 2006

Who got egg on their faces now?

In his rush to publish an unfixed vulnerability in Oracle E-biz suite, David Litchfield cobbled together a quick workaround/fix that he claimed is easy to apply and works. Oracle, predictably, said that the "fix" will break the E-biz suite and should not be applied. Oh boy, who do you believe? Along came Stephen Kost with a detailed analysis of the vulnerability and Litchfield's "fix", and Stephen showed why the "fix" would not work and will indeed break the Oracle E-biz suite. Stephen has three recommendations, with one being to disable mod_plsql and to follow Oracle Metalink Note 287176.1 for configuring your E-Biz suite in a DMZ. By disabling mod_plsql, you are of course disabling certain functionalities and it's up to each organization to determine the impact of loss of functionality vs vulnerability. The second recommendation was to modify the mod_plsql configuration, but you will take a performance hit and possibly a loss of functionality as some valid calls to path aliases might be blocked. The last recommendation is status quo and wait for Oracle to release a patch (either emergency or in the next scheduled release). Stephen Kost's analysis can be found at his Integrigy site. If you have not read it, please do.