Posts by Jeremy Allison

82 posts • joined 19 Oct 2008


Linux kernel community tries to castrate GPL copyright troll

Jeremy Allison

Re: WTF? How is this bad??

Remember, the Linux Foundation is a USA 501(c)(6) non-profit, organizing on behalf of its members, *NOT* the Open Source or (heaven forbid) the Free Software community.

Anyone who is surprised at this simply hasn't been paying attention.

Other notable 501(c)(6) non-profits include the MPAA and the RIAA.

Now are you getting it ?

6
1

Rejecting Sonos' private data slurp basically bricks bloke's boombox

Jeremy Allison

Re: Contempt for users

> lack of SMB2+ support. They're STILL insisting on SMB1 for network shares
> despite all the security concerns and the fact their support line is going to get
> hammered when MS drop it shortly and everyone updates their NAS boxes.

Not only that, I've contacted their support line and email and personally offered support and help to move them onto SMB2+ (they're using Steve French's Linux kernel client and Steve and I can certainly fix this for them). I got a "thanks" back, but no follow up.

This tells me they're probably trying to figure out how to orphan people who are running their own NAS boxes and force everyone onto shitty-quality streaming cloud music, for whatever reasons (probably trying to get a cut of that sweet rental revenue). If that happens I'm ditching my SONOS stuff on eBay - which will hurt, I've spent a *LOT* of money on them over the years and previously was a very happy customer until the abomination of their latest Android app update.

The latest app update makes the system virtually unusable from a UI/usability point of view (my wife has already given up on it).

4
0

Ghost of NTLM still haunts Microsoft: Aged protocol hole patched

Jeremy Allison

Samba not vulnerable

We fixed this with the "badlock" patchset already. We also notified Microsoft about this issue at the same time, but it looks like the fix took a while to filter through the system.

0
0

Google ships WannaCrypt for Android, disguised as Samba app

Jeremy Allison

Silly alarmist headline

I expected better from you Richard.

The facts:

This code is based on Samba 4.6.x, which still has SMB1 as default for the *client* code only. The server code supports SMB2 of course and has since 3.6.x. The client code also supports SMB2 but the default was left at SMB1 for 4.6.x (which was released *before* WANNACRY) to keep all the regression tests working (which are run on every check-in to ensure code quality and protect against regressions).

For 4.7.x (now in rc1) - being released *post* WANNACRY there has been a large effort put in to fix this and ensure everything works out of the box with SMB2+ by default in the client libraries.

Samba has never been vulnerable to WANNACRY, this was a Microsoft-only implementation problem. Now we've had our fair share of our own horrible vulnerabilities of course (some of which I'm ashamed to say I caused), but associating WANNA-*anything* merely with SMB1 support is sloppy, amateurish journalism. Please check facts next time. It's not like my email address or contact details are a secret, is it.

http://samba.org/~jra

11
0

Fat-thumbed dev slashes Samba security

Jeremy Allison

Re: an old commit connected the two subsystems together,

Yes I am fully aware of these restrictions and the reasons for them, and Samba follows these in all of our internal library code. Plugins are only loaded from $SAMBA_INSTALL_BASE_DIR/lib/<subsystem_name>/plugin_name.so where <subsystem_name> is hard coded at compile time.

The bug occurred because this was connected to the RPC subsystem, which originally had a hard-coded list of acceptable plugin names (that's why the pre-3.5.0 code is not vulnerable), but this was relaxed for 3.5.0 and above - which was a big mistake. We will be correcting that in future releases, but due to the severity of the problem and immediacy of the threat we decided we had to go with the minimal secure patch for the CVE release.

2
0
Jeremy Allison

Re: Not a bug, that's a feature!

> On the face of it, it looks like there might be deeper problems that are being fixed in the short term with a quick simple patch?

No, that's not the case. I did the forensics on this.

There are 2 subsystems involved here.

(1). Load a shared library module and execute it.

This has many uses inside Samba, plugin VFS libraries etc.

(2). Allow a client request on an RPC pipe to be routed to an external process or library.

This allows Samba to be built without embedding all the named pipe services inside it, which makes it a smaller binary for embedded vendors.

Unfortunately an old commit connected the two subsystems together, re-using the shared library module existing code to find and load the service the client was asking for. There was insufficient sanitization of the requesting name which caused the problem. That's what the fix now does.

In the future more restrictions are planned (along with cmocka regression tests) to improve the code quality here.

2
0

Script kiddies pwn 1000s of Windows boxes using leaked NSA hack tools

Jeremy Allison

Re: Tut tut tut

Ahem. Samba4 implements an Active Directory Domain Controller quite nicely thanks. Amazon use it in their cloud provisioning for customers who don't want to pay Microsoft licensing fees.

3
0

Blue sky basic income thinking is b****cks

Jeremy Allison

The Future :-(

http://www.syfy.com/incorporated/timelines/history-of-the-future-2016-2074

1
0

Microsoft, IBM, Intel refuse to hand over family jewels to China

Jeremy Allison

Re: How about domestic software?

As I like to say the Chinese don't understand open source/free software because it's communism and they just don't get it :-).

10
0

UK's new Snoopers' Charter just passed an encryption backdoor law by the backdoor

Jeremy Allison

There is something everybody can do.

https://www.torproject.org/projects/torbrowser.html.en

Please install and use this on all systems. Use it instead of "private browsing" mode.

I'm installing new computers for my family in the UK over Christmas. I'll be putting the link to the new browser prominently in the "programs" bar.

2
0

Google makes it to third base with Home digital assistant

Jeremy Allison

Re: Intangibles

SONOS reads and indexes the music on my NAS. They've announced Amazon Echo integration for next year, so I'm eagerly waiting for that.

Being able to stagger, barely conscious, into the kitchen in the morning and croak "Alexa, play KQED" is *very* useful :-).

The problem with most of these music playing devices (mentioning no names) is that they really, *really* want you to stream your music from the cloud. Bugger that - I have a 24TB NAS with everything I want on it. Don't need to waste bandwidth on cloud streaming thanks very much.

0
0
Jeremy Allison

Re: These devices are botnet

Nope - free as in FSF (GPL etc. etc.). I'm not keen on *any* products using closed, proprietary protocols.

0
0
Jeremy Allison

Re: These devices are game changers

The echo has a 'stop listening' button you can press, after which it stops listening for the wake-word. I guess you either trust Amazon on that or not. Personally I do trust that (but I also know how to run Wireshark to make sure it's not shipping anything off to the cloud when I've pressed it :-).

1
2
Jeremy Allison

Re: These devices are botnet

People are screwed, control-wise, as soon as they use closed proprietary products and protocols IMHO. That's why I use Thunderbird with enigmail (gpg plugin) and set it to complain every time I have to send unencrypted mail.

As you can imagine, it complains a lot.

Free software products are the only way for people to regain control from corporations. Use and report bugs in them whenever you can !

0
1
Jeremy Allison

Re: These devices are game changers

Blimey ! You are Charlie Brooker and I claim my five pounds..

2
0
Jeremy Allison

These devices are game changers

Disclosure - I'm a Google employee, but I have no experience with Google Home (haven't even seen a demo :-). I do have an Amazon Echo and bought one for my brother in the UK (which required some shenanigans to get the time zone right :-).

Always-on voice interfaces are game changers. I absolutely *love* the Echo, and will be interested to compare it with Google Home. For a geek like myself, it's like having the Star Trek computer in your house. For the cynics, it's like living in an episode of "Black Mirror" :-). Now the voice interfaces are getting good enough to converse you find that it is a completely natural way of making requests - something that the voice assistants on the phone never managed to do for me.

Personally I think the most successful device will be the one that makes an open platform for third-party developers to interface with easily. Watching how the other people in my house use the Echo is very illuminating. Make no mistake - these things are the PC / phone / tablet replacement for the non-geek person.

Now, where's my jetpack, hoverboard and flying car ? :-).

11
10

Twitter trolls are destroying democracy, warn eggheads

Jeremy Allison

I know how to fix Twitter and Facebook.

Add a spelling and grammar filter. Any posts that have bad Grammer or incorrect spelling are automatically rejected - *without telling the poster exactly what the error was* !

That way only people who know how to write coherently can comment. Maybe El Reg can do the same to this comment section.

There, problem solved ! Plus it would eliminate 99% of my posts, so that's a bonus..

5
0

British jobs for British people: UK tech rejects PM May’s nativist hiring agenda

Jeremy Allison

Reap what you have sown

Best comment on Brexit:

https://www.theguardian.com/politics/commentisfree/2016/jun/24/divided-britain-brexit-money-class-inequality-westminster

“If you’ve got money, you vote in,” she said, with a bracing certainty. “If you haven’t got money, you vote out.”

The people who voted Brexit don't care about you and your IT jobs. They voted to *punish* you for not sharing the wealth. I can't blame them. Doesn't really matter if it's your fault or not.

Trading Places quote from Eddie Murphy:

"the best way to hurt rich people is by turning them into poor people."

Looks like that's happening. To everyone.

8
1

Linus Torvalds says ARM just doesn't look like beating Intel

Jeremy Allison

My interview with Linus about our Sinclair QL days !

At Sao Paulo Zoo:

https://www.youtube.com/watch?v=05pgVwzAZ6k

It's rare I get a chance to bring this interview (from 2010) up, but this seems the perfect article :-).

4
0

A USB stick as a file server? We've done it!

Jeremy Allison

WebDAV or SMB ?

Hi Simon,

When you connect from Mac finder/Windows \\IP-addr\name do you know if it's connecting using WebDAV or SMB ? Enquiring minds want to know...

(and if it is SMB, I might have to ping my friend at SanDisk to see if we can help make it work better and go faster :-). Sounds like a great product !

1
0

Queen’s Speech: Digital Bill to tackle radicalisation, pirates

Jeremy Allison

Re: nobody goes after the small fry

> Want to do a raid on that well known felon Mr Winston Kadogo?

Ah, someone else who remembers "Not the Nine o'clock news" :-).

Few of us left these days...

3
0

Bug hype haters gonna hate hate hate: Badlock flaw more like Sadlock

Jeremy Allison

How Badlock Was Discovered and Fixed

Fantastic article from Alexander Bokovoy on how this thing was found and fixed !

http://rhelblog.redhat.com/2016/04/15/how-badlock-was-discovered-and-fixed/

0
0
Jeremy Allison

Register article is pretty good all in all !

Best comment I've seen on Infosec "reporting". From Alexander Bokovoy:

https://lwn.net/Articles/683721/

"Overall reaction is exactly by throwing content out and concentrating on the messenger. To give you a level of incredible misunderstanding what the content is, here is a quote from 'threatpost.com', a site that is associated with Kaspersky Lab:

"As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it’s a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services."

The end of the second sentence is all you need to know about infosec news reporting."

0
0
Jeremy Allison

Re: Not quite right

The "sniffing the traffic" bit isn't required. Just get the client to connect to you and bobs-yer-uncle ! :-).

1
0
Jeremy Allison

Not quite right.

You must be on the same network as the client connecting to the AD-DC, but you don't need to be able to sniff any traffic, just be able to spoof the client to connect to you instead of the correct DC.

It's the first protocol-level bug in DCE RPC I'm aware of, and Metze did an amazing job both finding it, working out the implications and creating the required fixes for this. Also many other engineers put in long

Not gonna comment on the "badlock" website, only that it wasn't a Samba Team activity.

4
0

Yahoo! kills! search! APIs!, games! and! Astrology! site!

Jeremy Allison

That is *so* true...

> > "Sure no company would ever let her near the levers of power again?"
>
> You'd be surprised.
> Really, you would.

Yep. Once you reach the CXX level there are never any consequences for your actions. Google the ex-CEO of SGI who became a VP at Microsoft, then back to CEO here in the valley for a good example.

What people don't realize about the HBO "Silicon Valley" TV show is that they have to *tone down* the antics of the VC's and company management. No one would believe the truth here..

1
0

SQL Server for Linux: A sign of Microsoft's weakness. Sort of

Jeremy Allison

Re: Active Directory on linux

Nope - I have a lot of users who haven't forgotten that Samba4 == AD-DC. I fix bugs for them every day :-).

1
0

Canonical accused of violating GPL with ZFS-in-Ubuntu 16.04 plan

Jeremy Allison

Re: Details matter.

Nothing of what you posted addressed what I said in any way. I am pointing to direct copying of Linux kernel source code under GPLv2 into zfs-on-linux because the code inside the kernel was restricted to GPL-only modules and the ZFS developers wanted to use it. I know little about the NVidia drivers but I very much doubt their developers have been careless enough to do the same sort of thing.

Don't conflate the two issues. The zfs on Linux code is clearly not clean, and I'm amazed Canonical have tried to ignore these problems to sell to commercial customers. If I were a Canonical cloud customer I'd be calling them right now asking them what the hell they thought they were doing putting my business and my customers at legal risk.

3
1
Jeremy Allison

Details matter.

Disclosure, I'm on the Board of Directors of Software Freedom Conservancy (SFC).

This link:

https://lwn.net/Articles/676946/

shows that the ZFS-on-Linux developers copied GPLv2 code from the Linux kernel into their zfs on linux source tree in order to avoid having to use an EXPORT_SYMBOL_GPL function that they needed.

They haven't been careful, or clean in developing this. Details like this *matter*.

Everyone wants ZFS inside Linux. Doing a dirty, careless hack-job that plays fast and loose with the licenses isn't the right way to do this.

Conservancy is doing Canonical a favour by pointing out the folly in what they are doing here (IMHO of course).

13
1

The Nano-NAS market is now a femto-flop being eaten by the cloud

Jeremy Allison

Bollocks

> especially because Samba implementation of SMB is not so performant

Utter bollocks. Prove it you anonymous troll. Samba can saturate 10GigE for both read and write, plus we're currently testing multi-channel SMB3 TCP for multiple NIC concurrent performance goodness. I hate 'nony-coward drive-by slagging off like this.

0
0

Windows' authentication 'flaw' exposed in detail

Jeremy Allison

Re: Never say never

"Edit: wow Samba is an even bigger POS than I realized."

Easy to say - hard to write secure code. If you want to do the things that Samba needs to do on a computer system, you have to have the privileges needed to do so. That means root.

You do realize we continuously test with Coverity static analysis, Codenomicon protocol fuzzers, and work with Linux vendor security Teams to issue CERT alerts when vulnerabilities are found ? I'd hold up Samba security practices as best-in-class against any vendor, Open Source or proprietary.

5
1
Jeremy Allison

Doesn't look like a bug to me.

(From a post I made to samba-technical@lists.samba.org):

Hmmm. Doesn't look real as far as I can see (the article is full of hyperbole).

It's got lots of phrases like:

"So, if we have an access to the key.."

"if we’re able to steal those tickets and somehow insert them into our own system"

"It’s just an account in domain controller database, so your obviously need access to DC or it’s data."

So looks like a "if we can break the security then we've broken the security" article :-).

3
0

Samba man 'Tridge' accidentally helps to sink request for Oz voteware source code

Jeremy Allison

Scaling

Forgot to address the comment about "Maybe they should have spent their efforts in making it scale better.."

I don't think you have any idea about how much effort we put into making Samba scale, to the point of counting instructions using cachegrind and modifying core algorithms to improve scalability. We have one Samba Team member (Volker) who does this to the point of obsessiveness. I love him for it :-).

Haven't you heard, the pendulum has swung back again, and being in user-space is the new, new hotness - again (see the other recent article on IP-in-userspace performance improvements :-).

2
0
Jeremy Allison

GPLv3 is more business friendly

See here:

https://www.fsf.org/blogs/licensing/jeremy-allison-on-why-samba-switched-to-gplv3

for details. Apple are religious zealots about patenting software. Nothing we can do about that. All other vendors had no problems with it.

0
0

VMware lawsuit fallout causes funding issues for GPL lobby group

Jeremy Allison

Re: Please help Conservancy !

Here is the link for donations. Thanks !

https://sfconservancy.org/supporter/

0
0
Jeremy Allison

Re: Please help Conservancy !

No I haven't forgotten about the FSF. The FSF hasn't enforced the GPL on their copyrighted material for many years. Last time they did that was when Bradley Kuhn (who now works at Conservancy) worked there. Since he left they haven't done enforcement (are you seeing a pattern here ?).

3
0
Jeremy Allison

Please help Conservancy !

Thanks for highlighting this (disclosure, I'm on the Conservancy Board of Directors).

Conservancy is the only organization doing GPL compliance work in the USA. Not only that, they do it in a reasonable and non-confrontational way:

https://sfconservancy.org/linux-compliance/principles.html

But lots of corporations really don't like GPL compliance, to the extent of putting financial and political pressure on Conservancy for doing it at all. If we developers want the license enforced, we'll have to donate and fund it ourselves. Please help !

23
1

Linus Torvalds fires off angry 'compiler-masturbation' rant

Jeremy Allison

Re: Maybe not goto's fault, but...

Use talloc:

talloc.samba.org

It takes care of all this for you.. Seriously, it's very nice for C code. Makes something as complex as Samba even possible.

0
0

Scotland Yard pulls eyeballs off WikiLeaker-in-Chief Assange

Jeremy Allison

We're a funny old lot the English.

You can be a murderous paedophile and the police and security services will move heaven and earth to protect you and keep you in parliament (especially if you have royal friends).

But publish "secret" information that embarrasses them and their rage and vindictiveness knows no bounds, as poor Julian will eventually find out.

9
6

Hacking Team: Oh great, good job, guys ... now the TERRORISTS have our zero-day exploits

Jeremy Allison

An apt description of "Hacking Team"

As "terrorists and extortionists."

Utter shits, who find zero day exploits and refuse to disclose them to the creators of the software but sell them to others instead.

I can't be bothered to download their crap, can anyone tell me if they have contracts that explicitly prohibit licensees from disclosing the vulnerabilities to the actual authors of the software ? Other similar companies (let's hope you get hacked too, you disgraceful bastards) have such clauses. I remember knowing about a vulnerability because of one of these companies, but being unable to fix it for a while because of these contracts. We eventually figured it out.

As a Free Software author myself, this makes my blood boil.

21
1

150,000 angry Redditors demand Chairman Pao's head on a spike

Jeremy Allison

Re: that vocal minority

AC wrote: "once that happens you will be stacking shelves..."

Hahahahaha ! Consequences for their actions ? Clearly you must live in a different silicon valley than I do.

Look up "Rick Belluzzo" for the perfect example of a Silicon Valley CEO. They make the banksters look honest :-).

0
0

Top Eurocop: People are OK with us snooping on their phone calls

Jeremy Allison

From "A Very British Coup"

Sir Percy Browne: "Sometimes Mr. Fiennes, I think you'll only be content when you have the population of Great Britain under permanent, twenty-four hour surveillance. Would you be happy then ?"

Fiennes: "Happy, sir ? Satisfied."

5
0

Don't listen to me, I don't know what I'm talking about – a pundit speaks

Jeremy Allison

Re: That's...

I *loved* those guys... Sig11 I think it was.

"Information wants to be wiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiide" :-).

0
0

Amazon cloud threatens to SMASH the fundamental laws of PHYSICS

Jeremy Allison

Re: Interesting ToS

Haha. I know why they want to have 'the right to modify your files' :-).

Given a 'jpg' backend with 'infinite' storage, it is relatively trivial for an experienced storage engineer (i.e. I've thought of it :-) to write code (Samba VFS or FUSE maybe) to split any incoming file into a set of JPG formatted backend files, and re-combine them on read. Layered filesystems - they're a wonderful thing ! :-).

Offering 'infinite' picture storage means simply 'infinite' storage of any kind.

If they transform the incoming data, then it's harder to build a generic storage backend out of the thing (although probably not impossible with clever enough error-correction code :-).

2
0

VMware sued, accused of ripping off Linux kernel source code

Jeremy Allison

Re: How to help !

No, that's tridge :-). Andrew Tridgell wrote both rsync and Samba. I just wrote Samba (we're co-authors on that).

It's an easy mistake to make, him being Australian and me being from Sheffield and all. Most people think we sound and look *exactly* alike (except for the old accent thing and the fact I'm probably 100lbs heavier :-).

4
0
Jeremy Allison

Re: How to help !

Err. Yeah, that's me. Not sure what your comment is trying to say though :-).

In the words of Popeye the sailor, "I Yam What I Yam".

12
0
Jeremy Allison

How to help !

If you want to donate to help Conservancy:

http://sfconservancy.org/linux-compliance/vmware-lawsuit-appeal.html

There's a $50k challenge match at the moment, plus donations are tax deductible (in the USA at least). Full disclosure - I'm on the Board of Directors of the Conservancy.

22
2

Your hard drives were RIDDLED with NSA SPYWARE for YEARS

Jeremy Allison

Re: Let us not forget....

Unfortunately the NSA/GCHQ *ARE* the real bad guys.

If by "there ARE real bad guys out there" you're referring to people like the Islamists and the IRA, as Steve Bell famously pointed out, they're bad guys wearing clown shoes. Getting hurt by them is like a car accident, you're just unlucky.

No, NSA/GCHQ are *much* *much* worse. As good ol' King Henry VIII says in "A Man For All Seasons" : they are "a deadly canker in the body politic". They are an infection in the very ideals of our Democracy, and there's no way back from that.

15
1


Biting the hand that feeds IT © 1998–2017