Saturday, November 12, 2011

Fedora 16 impressions

I installed Fedora 16 this week, onto my "test" USB flash drive. My first impressions: I really like what I see.

As promised, the login screen has received an overhaul to more closely match the Gnome desktop theme. Looks great.

Once you get into the desktop, things look about the same as Fedora 15. A few differences: you aren't available for chat by default (a welcome change for me.) And as always, a new default wallpaper specific to this version of Fedora:

In general, there aren't a lot of big changes from the previous Fedora. But we knew that. Applications are moved up to the latest releases (at the time Fedora 16 was assembled.) Firefox 7, Gnome 3.2, and so on.

Per my previous post, I was really excited to experiment with the integration with social contacts, and the support for online accounts. So once I was on the new version of Fedora, I played with that right away.

If you click on your name, in the upper-right corner, you now have access to online accounts:

It took only a few clicks to add my Google account:

As you can see, there's support for email, calendar, contacts, chat, and documents.

This means that you can now use Google as your default chat client. Clicking on my name again, I could go online with chat - with Gnome using Google Talk. In Evolution (Gnome's default email and calendar program) I could send and receive messages via my Gmail account, and update my Google Calendar. All through the native Evolution program. I haven't tried the "documents" integration yet.

This would be great if I actually used Evolution. But I don't. I prefer to stay in Google's web client for everything. So this desktop interaction, while cool, probably won't do much for me.

But if you're a desktop user who prefers Evolution to do your email and such, this will be a huge win. You can now do everything with one click. If you use Thunderbird for your Gmail, you may consider switching to Evolution, for this feature alone.

For those who wonder "what updates are already pushed out", there aren't that many updates for Fedora 16, which I suppose is a good indicator of its stability at release. My update was 55MB, and took only a few minutes while I did other things.

Monday, November 7, 2011

Fonts in kernel mode?

I try not to comment on Microsoft's fumbles unless I've directly experienced it, like some functionality that seems totally broken to me, or behavior that seems inconsistent. However, I couldn't ignore this one.

You may have heard recently about the Duqu malware, making the rounds. It appeared in the guise of a specially crafted Word document that, when opened, would compromise your Windows PC. It was all over the news last week.

This morning, I received one of those "you're not really on our mailing list, but it's not really spam" emails from Redmond Magazine, "the independent voice of the Microsoft IT community". It linked to their full article, but the email summary said:
The Duqu zero-day exploit has had Microsoft twisting, turning and churning for a solution. Duqu exploits a hole in the Windows kernel and lets hackers remotely access and control your unfixed computer. 
That's until Microsoft came out with a workaround last week. The stopgap solution can protect the kernel with just a few lines of code and a one click-install. That's some pretty efficient code.
(Emphasis mine)

Yes, that's some pretty efficient code, wrapping a fix into a one-click install.

I guess I'd be more impressed if I didn't know what allowed the Duqu exploit in the first place: Windows parses fonts in kernel mode. That's maybe not the best practice. Kind of blows your whole "pretty efficient code" out of the water with "spectacularly stupid security."

This, from the company who claimed in 2005 to be "investing heavily in security", focusing on the security pillars of:
  • Fundamentals: provide a built-in level of safety and security, improvements to the security of software code through the Engineering Excellence initiative, and investments in technologies.
  • Threat and vulnerability mitigation: industry-leading integrated security technologies, defense-in-depth protection.
  • Identity and access control: technologies that verify user identity, control what resources users are allowed to access based on policy, allow management of users, and protect access to data.
I'd say this Duqu exploit demonstrates a failure on all three levels.