Speaking of which (again)…

…someone’s playing tricks with my referers. I have an entry with no link, consisting of XXXX: followed by 160 plus characters (+). It pushed the right column of the table out past the page border and made me think there was something wrong with my site (which, in fact, there may be). Is something like this supposed to be able to appear on the referer page?

Update: Now this is interesting. There are a few discussions at places like DECAFBAD and philringnalda.com around this topic. There’s no consensus. The cause is either

  • someone faking the referers manually
  • a tool like Outpost is blocking the referral

It’s a little surprising that it hasn’t happened before now, I suppose.

Speaking of which….

…what are the Userland folks doing to ensure the security of root updates for Radio and Frontier? Seems to me it would be possible, as long as those updates aren’t signed, to masquerade as the update server and download some bogus stuff. I don’t know enough about the products or the scripting language to figure it out, though. Anyone?

Be careful: trojaned OpenSSH package found

Slashdot: OpenSSH Package Trojaned. OpenSSH, for the Windows audience out there, is a secure connection package that allows encrypted connections over which users can use a shell on a remote machine or transfer files. (Grossly simplified, but that’s what I use it for.) It’s pretty essential, to the point that it’s become the default remote login daemon on Mac OS X.

Apparently someone hacked the package available for download from ftp.openbsd.org (and its mirrors) and inserted a line in the makefile to call a script that attempts to contact a server during the build process. So the trojan doesn’t appear to be much more than a proof of concept.

It’s pretty damn scary all the same. But there is one simple thing that people can do to mitigate their risk: check the checksums. According to the mailing list message that announced the problem, the two packages have different checksums:

This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD ports system:
MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57
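What “check the checksums” looks like in practice, as an added example that is not part of the original post and is not OpenSSH’s or FreeBSD’s own tooling: a short Python script that parses the BSD-style `MD5 (file) = hex` lines quoted above (and, going a step beyond the post, SHA-256 lines in the same format), hashes a download in chunks, and only reports success when every digest published for that file matches. The tarball contents and the digest listing in the demo are constructed stand-ins, not the real archive.

```python
import hashlib
import hmac
import io
import re

# Regex for the BSD md5(1)/sha256(1) output format used in the announcement, e.g.
#   MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
BSD_DIGEST_LINE = re.compile(
    r"^(?P<algo>MD5|SHA1|SHA256|SHA512)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)$"
)


def parse_digest_lines(text):
    """Parse BSD-style digest lines into {(filename, algo): lowercase hex}.

    Lines that do not match the format raise, so a mangled or truncated
    announcement cannot silently produce an empty (and therefore useless) table.
    """
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BSD_DIGEST_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised digest line: {line!r}")
        algo = m.group("algo").lower()
        hexdigest = m.group("hex").lower()
        # A truncated hex string can never equal a real digest; reject it up front.
        if len(hexdigest) != hashlib.new(algo).digest_size * 2:
            raise ValueError(f"{algo} digest has wrong length on line: {line!r}")
        digests[(m.group("name"), algo)] = hexdigest
    return digests


def digest_stream(fileobj, algo, chunk_size=1 << 16):
    """Hash a file-like object in chunks so a large tarball is never read into memory at once."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(fileobj, name, digests):
    """Return True only if the download matches every digest published for `name`.

    Raises KeyError when nothing is published for the file: an absent entry
    must never be mistaken for a passed check.
    """
    expected_by_algo = {algo: hx for (n, algo), hx in digests.items() if n == name}
    if not expected_by_algo:
        raise KeyError(f"no published digest for {name!r}")
    ok = True
    for algo, expected in expected_by_algo.items():
        fileobj.seek(0)
        actual = digest_stream(fileobj, algo)
        # constant-time comparison; every listed digest is computed and checked
        if not hmac.compare_digest(actual, expected):
            ok = False
    return ok


def verify_bytes(data, name, digests):
    """Convenience wrapper for in-memory data (used by the demo and tests)."""
    return verify_download(io.BytesIO(data), name, digests)


def demo():
    """Constructed stand-in data (not the real tarball): a clean archive and a copy
    with an extra build step appended, in the spirit of the makefile change above."""
    name = "openssh-3.4p1.tar.gz"
    clean = b"constructed stand-in for openssh-3.4p1.tar.gz contents\n" * 100
    tampered = clean + b"# injected: extra step run at build time\n"
    # In real use the listing comes from the announcement or another channel that is
    # independent of the download mirror; here it is generated from the clean stand-in.
    published = "\n".join(
        f"{algo.upper()} ({name}) = {digest_stream(io.BytesIO(clean), algo)}"
        for algo in ("md5", "sha256")
    )
    digests = parse_digest_lines(published)
    return verify_bytes(clean, name, digests), verify_bytes(tampered, name, digests)


if __name__ == "__main__":
    clean_ok, tampered_ok = demo()
    print("clean tarball verifies:", clean_ok)
    print("tampered tarball verifies:", tampered_ok)
```

Two design points matter more than the hashing itself: the published digests have to come from somewhere other than the mirror that served the archive (an attacker who can replace the tarball can usually replace a checksum file sitting next to it), and a file with no published digest raises instead of quietly passing. Any digest published for a file is checked, so adding SHA-256 lines to the same listing strengthens the check without changing the code.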

This is why Apple started digitally signing its software update packages. Without an infrastructure to verify identity and validity of downloaded packages, people will continue to be at risk.

Now the OpenSSH project will have to look at its server and its processes to figure out how they got tainted.

Whither Massachusetts health care?

George Chang: Taxachusetts… legislating companies out of business. Mass governor Jane Swift just signed a bill that cuts the Medicare reimbursement rate to 2% less than the wholesale cost of drugs. George argues this is a pretty quick way to cause a meltdown:

Let’s think about this: First, regulate the reimbursement rate of a product below the wholesale cost. Second, sue/force businesses to continue to sell this product at a loss. Does this make any sense?

…large pharmacies such as CVS have the option to pull out of unprofitable markets and continue to operate in profitable ones. However, about 20% of the 1000 pharmacies in Massachusetts are independently owned. These neighborhood mom and pop shops that are already scraping along will most likely be forced out of business.

Not to mention that decreasing sales volumes can only raise the cost of drugs overall. Have we learned nothing?