CSS a Mail Security Issue?

Reading some e-mail with the Horde Project’s [horde.org] webmail reader, I was surprised to see all of the CSS style statements from the header of an HTML e-mail message visible, instead of interpreted. A quick look at the source showed the following interesting header statement.

<cleaned_tag type="text/css">

What, you may ask, is a “cleaned_tag”? It appears that there is, to my eyes, an undocumented feature of the Horde webmail interface. Any heading tags that are related to “blatant security holes” [google.com] are cleaned by renaming them. Thus, <style> becomes <cleaned_tag>.

I was not able to find a post explaining why the <style> tag is considered a security hole, but I am still looking. The only thing I can find that appears to be related is a discussion of a Hotmail CSS issue, Hotmail Security Hole: False Alarm? [tnl.net], published back in February of 2001. In it, they state, “by using cascading style sheets (CSS), hackers could easily replicate the look and feel of Web-based mail packages, leaving the user unaware of the fact that they have a problem.”

All I know is that I would expect such a “blatant security hole” to be more widely discussed.
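As an added example (not Horde’s code), here is a small Python sanitizer that does what the post describes: blocked tags are renamed to <cleaned_tag> rather than deleted, so the browser ignores the tag and its CSS is displayed as plain text. The set of blocked tags and the sample message are assumptions; the post only confirms that <style> is renamed.

```python
import html
from html.parser import HTMLParser

# Assumed list: the post only confirms that <style> is renamed.
BLOCKED_TAGS = {"style", "script"}
CLEANED_NAME = "cleaned_tag"


class TagRenamer(HTMLParser):
    """Re-serializes markup, renaming blocked tags instead of deleting them."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit entities verbatim
        self.out = []

    @staticmethod
    def _name(tag):
        return CLEANED_NAME if tag.lower() in BLOCKED_TAGS else tag

    def handle_starttag(self, tag, attrs):
        # <style ...> becomes <cleaned_tag ...>; a browser ignores the unknown
        # tag and shows its CSS as plain text, which is what the post observed.
        rendered = "".join(f' {k}="{html.escape(v, quote=True)}"' if v is not None
                           else f" {k}" for k, v in attrs)
        self.out.append(f"<{self._name(tag)}{rendered}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{self._name(tag)}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):  # keep &lt; as &lt;, never decode it
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def clean_html_mail(markup):
    """Return the message with blocked tags renamed to <cleaned_tag>."""
    parser = TagRenamer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed sample, shaped like the header the post quotes.
SAMPLE_MAIL = ('<html><head><style type="text/css">body { background: white; }'
               '</style></head><body><p>Hello</p></body></html>')
```

Running clean_html_mail(SAMPLE_MAIL) leaves the CSS text in place between <cleaned_tag> and </cleaned_tag>, which is exactly why the style rules showed up as visible text in the reader.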

U.S. Government led ICANN to redelegate top level domains

The Register has an article about U.S. Government backed policy changes that have led ICANN to redelegate top level domains in such a way as to provide “greater state-controlled censorship on the internet, reduce people’s ability to use the internet to communicate freely, and leave expansion of the internet in the hands of the people least capable of doing the job”.

More from the article: “At that meeting, consciously and for the first time, ICANN used a US government-provided reason to turn over Kazakhstan’s internet ownership to a government owned and run association without requiring consent from the existing owners. The previous owners, KazNIC, had been created from the country’s Internet community. ICANN then immediately used that ‘precedent’ to hand ownership of Iraq’s internet over to another government-run body, without accounting for any objections that the existing owners might have.”

Linux SCSI tape drive device files

Have you ever gotten bitten by the Linux kernel renaming your SCSI devices after one of them got removed or a new one was added? This drove me crazy until I came across the following scripts.

Check out:
Linux SCSI Scripts

Check into SpamAssassin

I’ve been testing the program SpamAssassin and must state that it works quite effectively to filter out 60-80% of the spam that I am receiving. Check it out:

http://www.spamassassin.org/

The experience chicken and egg problem

Someone asked on a mailing list for system administrators about how they could gain the experience they needed in order to get a job where they could gain more experience.

Given the cost of computer systems these days and the availability of all of the open source software packages, the one thing that anyone can do to expand their skills and gain job-related experience as a system administrator is to build their own network at home, using cheap, off-the-shelf, computers. [My resume always contained a section describing the six or seven computer systems I have at home at any one time.]

Use those home systems to try different things. Experiment with new software packages. Join one of the many open source software projects. Put up your own web site about something you are interested in and experiment with new web publication technologies.

I try installing the latest/greatest versions of applications we use at work, such as sendmail and bind, on my home systems first. That way breaking things is not a big issue AND when it comes time to upgrade the work systems, I’ve already learned [been burned] by the problems that came with that upgrade.

Finally, if you want to learn – teach. It is amazing how much knowledge you gain about a subject when you attempt to explain it to someone else.

Check out The Poldek

http://freshmeat.net/projects/poldek/

The poldek is an interactive RPM package management tool like dselect from Debian. It helps resolve some of those circular dependencies that RPM likes to get stuck on...