Part of this is a lie.

The latter half of this message is true. Apple’s software update servers don’t have what this server needs. However in no way is the software on this server “up to date”!

I rarely talk about work here, as I consider this an escape from my work life… however I just have to rant a bit here. A major flaw in the Domain Name System protocol was discovered by a security researcher several months ago. It was revealed to a few key people who could do something about it. Further, it was revealed in early May to a select group of software vendors in order to give them time to fix their software to address the vulnerability. I won’t go into the details of what the flaw and vulnerability are, as they are covered very well elsewhere on the web. Suffice it to say that DNS is likely the most key portion of the Internet’s infrastructure with regards to how human beings use it. If exploited, this flaw would create havoc with a very basic thing that users take absolutely for granted.

Anyway Apple was one of those vendors notified back in May. Also in May a schedule for announcement and full disclosure was settled upon: Announcement in July, giving the vendors a two month head-start to fix their software, test it, and release a patch. Full disclosure in August, giving the world a full month to install the patches.

The announcement was about three weeks ago. I don’t recall the specific date, as the subsequent days and weeks have become a complete blur for me. Since we run an Internet Datacenter, a place where servers live and breathe, it was vital to make sure that our systems were patched, and our clients’ systems got patched. As it turned out our systems were secure already, since we had just completed a major upgrade and maintenance window on all of our DNS servers. We use ISC’s BIND software for DNS serving and they had fixed their software in early May, likely a week or two before we installed the latest version. We then focused our efforts on customers.

The first shock was finding out how many DNS servers are running in our facilities! I had expected a few dozen. DNS servers are usually not high in number… it only takes two or three to handle the DNS for a huge network. By scanning our internal network we found hundreds of them. Then we scanned them to see if they were listed as “vulnerable” to this flaw, and got another shock. All but one client-owned server were vulnerable. (I had dinner with that client on Monday and congratulated him on this accomplishment! He even reads this blog, so go ahead and take a bow Nick. 😉 )

So then we began the process of identifying the servers, their owners, and what DNS software they used so we could notify them of their vulnerability and instruct them if needed on what to do next. As you can imagine this was a serious task.
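What the scans in the passage above were really judging is whether a resolver randomizes the UDP source port (and the 16-bit transaction ID) of the queries it sends upstream; source-port randomization is the mitigation the CERT note linked later in this post describes, and a resolver that always queries from a fixed port shows up as “vulnerable”. Here is an added example of that check run over observations of a resolver’s own outbound queries. It is not the author’s or the datacenter’s tooling, and the line format, resolver addresses and port numbers are all constructed for illustration, not captured traffic or BIND log output.

```python
import re
from collections import defaultdict

# Constructed sample: outbound queries from three resolvers, in a made-up
# "resolver=<ip> sport=<udp source port> txid=<hex>" line format.
# These are not captured packets or BIND log lines.
SAMPLE_LOG = """\
resolver=10.0.0.11 sport=53211 txid=0x3f2a
resolver=10.0.0.11 sport=12874 txid=0x91c0
resolver=10.0.0.11 sport=60322 txid=0x07ee
resolver=10.0.0.11 sport=4097 txid=0xa513
resolver=10.0.0.11 sport=38501 txid=0x6b77
resolver=10.0.0.11 sport=22190 txid=0xd2c4
resolver=10.0.0.11 sport=50917 txid=0x1e08
resolver=10.0.0.11 sport=9433 txid=0xf49b
resolver=10.0.0.12 sport=53 txid=0x0001
resolver=10.0.0.12 sport=53 txid=0x0002
resolver=10.0.0.12 sport=53 txid=0x0003
resolver=10.0.0.12 sport=53 txid=0x0004
resolver=10.0.0.12 sport=53 txid=0x0005
resolver=10.0.0.12 sport=53 txid=0x0006
resolver=10.0.0.12 sport=53 txid=0x0007
resolver=10.0.0.12 sport=53 txid=0x0008
resolver=10.0.0.13 sport=32768 txid=0x4a10
resolver=10.0.0.13 sport=32769 txid=0xb3e7
resolver=10.0.0.13 sport=32770 txid=0x2c59
resolver=10.0.0.13 sport=32771 txid=0x9d02
resolver=10.0.0.13 sport=32772 txid=0x61f8
resolver=10.0.0.13 sport=32773 txid=0xe74b
resolver=10.0.0.13 sport=32774 txid=0x0f36
resolver=10.0.0.13 sport=32775 txid=0xc8a1
"""

LINE_RE = re.compile(r"resolver=(\S+) sport=(\d+) txid=0x([0-9a-fA-F]+)")


def parse_observations(text):
    """Group (source port, transaction id) pairs by resolver address."""
    obs = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            obs[m.group(1)].append((int(m.group(2)), int(m.group(3), 16)))
    return obs


def randomization_verdict(values, min_samples=8):
    """Classify a sequence of 16-bit values (ports or transaction ids).

    POOR  : one fixed value, or values allocated sequentially; an attacker
            only has to guess the remaining field.
    GOOD  : nearly all values distinct and spread across a wide range.
    FAIR  : anything in between.
    """
    if len(values) < min_samples:
        return "INSUFFICIENT"
    distinct = len(set(values))
    if distinct == 1:
        return "POOR"
    deltas = [abs(b - a) for a, b in zip(values, values[1:])]
    if all(d <= 2 for d in deltas):
        return "POOR"
    spread = max(values) - min(values)
    if distinct >= 0.9 * len(values) and spread > 20000:
        return "GOOD"
    return "FAIR"


def assess_resolvers(text):
    """Return {resolver: {"sport": verdict, "txid": verdict}} for the log."""
    report = {}
    for addr, pairs in parse_observations(text).items():
        report[addr] = {
            "sport": randomization_verdict([p for p, _ in pairs]),
            "txid": randomization_verdict([t for _, t in pairs]),
        }
    return report


if __name__ == "__main__":
    for addr, verdict in sorted(assess_resolvers(SAMPLE_LOG).items()):
        print(f"{addr}: source port {verdict['sport']}, txid {verdict['txid']}")
```

The third resolver in the sample is the typical pre-patch case: its transaction IDs look fine, but every query leaves from a predictable port, so it still fails the check. A fixed `sport=53` is the same failure with a different port. Run against real observations, this is a check you apply to resolvers you operate; the sample here only shows the verdicts the patched and unpatched shapes produce.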

Meanwhile, out there in the world… The “security community” starts questioning the guy who found this, and asking him why this flaw is any different from similar flaws that have been known for over 10 years in DNS. I’m not privy to details, but basically some select people were given full-disclosure and one of them leaked it on their website about a week and a half ago. The proverbial cat was out of the bag. The Internet being what it is, an exploit was “in the wild” within hours.

Most vendors shipped a patch for their systems either before the announcement, or within a day or two of the announcement. The date of the announcement coincided with Microsoft’s monthly “Patch Tuesday” so most systems administrators were already well-trained to expect announcements of this sort, at that particular time. Of course this announcement goes WELL BEYOND just Microsoft and its products but “Patch Tuesday” is now a well-known date for such news. Apple however did not have a patch available that day. Or even the day after. Apple is notoriously closed-mouthed about anything going on inside, so we all expected no acknowledgment or news from them, but we did expect a patch to be ready for installation within a reasonably short period of time. Apple’s track record with regards to security has been VERY good over the years and this was a serious issue that they had been made aware of back in May along with all their peers in the software and systems community.

A week goes by. Then another. And now a third. Every day, in fact several times a day I check the Software Update application on my test-bed MacOS X Server box and I keep seeing what you see above: “Your software is up to date.”

Bullshit.

About two weeks ago I started poking and prodding at anyone I knew inside Apple for news. At first I just got stonewalled, which honestly I expect from Apple. Then a couple of them, on private mailing lists, essentially stated that the issue wasn’t that big a deal, people don’t use Apple servers for DNS, and the systems were really not that vulnerable anyway. Needless to say I sort of exploded and unleashed a reasonable but toasty reply. I didn’t have time to correct every one of their claims (I don’t even know the full extent of the vulnerability, since that will not be revealed for another week) but basically said “This is an unacceptable stance from a vendor who wishes to be taken seriously.” The reply I got back via a private message was: “Tell that to Steve Jobs. Here is his email address.”

Sigh. Oh well. Meanwhile I kept flogging our customers to patch their servers and coordinating efforts to do so – all while carrying out all my other job functions too. Those of you who have IM’ed or called me at odd hours over the past few weeks now understand why it seems like I’m always at my desk!

Also the larger community began to realize that Apple was dropping the ball on this issue as well. Even if they didn’t run their DNS servers on OS X, they understood that Apple owed a patch to their customers, the sooner the better. My friend John Welch, in his usual frank style, took Apple to task on his blog. One of our clients, the great folks at TidBITS, published a series of articles about the issue as well.

I did what the Apple employee told me to do, and something I figured I’d never do in my lifetime… write an email to Steve Jobs. I tried to be rational and not whiny, and just stick to the facts. Here it is:

Mr. Jobs,

I would not write to you if this issue were not urgent. I am an operations exec at a managed colocation provider headquartered in Seattle, and one of our historical markets has always been support for Apple computers in our facilities. Our current crisis, why I am at work at eleven on a Thursday night, and why I am writing you right now is a major vulnerability that must be mitigated as soon as possible. We have been patching servers, and assisting our customers to patch their servers with security updates for the past week and a half. Of the many thousands of servers in our facility almost all have been patched, except those running MacOS X, or MacOS X Server. This is because no official patch has been released by Apple as of yet.

What is more worrisome is that no word has come out of Apple, officially or unofficially even acknowledging the existence of the vulnerability or a forthcoming patch – despite Apple having been notified of the issue in early May.

The vulnerable code is not Apple’s. In fact the protocol itself is vulnerable and the patch is merely an attempt to mitigate, not cure the vulnerability. The ISC BIND DNS server code that MacOS X’s implementation is based upon has been patched, well over a month ago, before the vulnerability was announced.

I recognize that implementation is complicated and requires testing, deployment, etc. But time is of CRITICAL importance in this case as exploits for this vulnerability are “in the wild” as of 24 hours ago. The Internet is actively being scanned for vulnerable hosts.

There are unofficial “hacks” out there which can be applied, but your customers are all waiting for an official security update, direct from Apple, to appear in their Software Update application. At last check we have several hundred Xserves, actively being used as DNS servers in our facilities, all reporting as “vulnerable” to scans. Our Linux servers are patched. Our FreeBSD servers are patched. Even our Windows servers are patched. Our Macintosh servers remain vulnerable and we honestly have no idea when to expect an official update from Apple.

Those of us in the Internet’s operational community can not go home and sleep until we have done our part to secure our networks, and our customers. All we really ask from you right now is the same commitment. Ship the patch.

If that can not be done within the next 24 hours, then let the world know, so we can take alternative measures.

Info regarding the issue: http://www.kb.cert.org/vuls/id/800113
Info regarding Apple & the issue: http://www.kb.cert.org/vuls/id/MIMG-7ECL5Z

Regards,

blah blah blah.

That was a week ago. I’ve gotten to the point of checking Software Update now several times an hour. Most in the community have reached the end of their rope waiting for Apple’s (theoretical) patch. The TidBITS guys and my friend Chuq von Rospach have posted “how-to” articles on patching it yourself. Chuq’s even does it in a fashion that should keep the (theoretical) Apple patch from breaking something. The fact that Chuq worked inside the belly of the beast that is Apple for almost 20 years gives him credibility in my view.

I posted an adapted “how-to” from the two versions on our customer support blog today, and I’ll be on the phone with the remaining “vulnerable” customers tomorrow encouraging them to patch. My goal was to have our network completely “clean” well over a week ago. At least now I can get it clean prior to the full disclosure of this vulnerability scheduled for next week.

Still it would have been so much easier if Apple had just done their share. Done the right thing. Done what should have been done about a month ago.

Being lied to is unacceptable, and the statement “Your software is up to date” is a lie.

Update on my Exhaust: Team CJ fumbles another one.

old and new

My new exhaust arrived this week! Above you can see the new parts laid out next to the old parts. I hope to put the new ones on the car later today.

If you recall the exhaust started making nasty noises last year on the GTTSR. We could see a crack on the driver’s side muffler, but the whole horror was revealed when I pulled the entire assembly off the car. This is a stainless steel exhaust system, and as such you would think it would last a lifetime. It was installed by Classic Jaguar 10 years ago. Being an exceedingly persistent guy, I sent an email to Dan Mooney to let him know the mufflers he sold my father had cracked…

Mr. Mooney,

The stainless steel exhaust system installed on my car by Classic Jaguar has failed in a catastrophic fashion. You can view the photos here:

http://etc.goolsbee.org/jag/Exhaust/

Last time I had an issue (the engine, specifically the cylinder head), you absolved yourself from any warranty as I had brought the car to somebody else first. In this case nobody other than you & I know the condition of the exhaust system – so you’re getting the first pass. As you can see the mufflers are cracked halfway through. Their interiors are seriously rusted and have disintegrated… perhaps these were on the car prior to being submerged and were never replaced?

So before I shop for a replacement system I wonder if Team CJ would stand behind their product & installation during restoration. Let me know.

–chuck goolsbee
65ots, 1E10715
arlington, wa, usa

Hey, I figured “what the hell”… I’ll keep offering the guy chances to redeem himself, after all… I’m an exceedingly persistent guy! Here is his reply:

Mr Goolsbee,

As a point of order, you are not now and have never been a customer of Classic Jaguar. To the best of my knowledge, you have never spent a single penny with Classic Jaguar. Furthermore, given your inaccurate, insulting and grossly misleading Internet rants about Classic Jaguar, I hardly feel inclined to assit [sic] you with any problems you may have with your car.

For the record, although I have no doubt you will misrepresent whatever I say on your website, your father only bought one exhaust system from Classic Jaguar and that was in the spring of 1997. It was not replaced when the car was rescued from the Houston flood in 2001. As to why it was not replaced at that time, I suggest you take that up with your father. Speaking of your father, please give him my sincere best regards.

On the positive side of things, at least the failed exhaust muffler will give you the opportunity of removing one more connection to myself or Classic Jaguar from your car – something which I understand is very important to you.

Best Regards,

Dan Mooney – Team CJ
danmooney@classicjaguar.com
www.classicjaguar.com

Really?

okay…. I don’t believe I’ve ever been “inaccurate, insulting and grossly misleading” in any of my statements about Classic Jaguar. If I have Dan, feel free to point them out and I’ll correct them gladly. Anyway, in terms of a vendor standing behind their products, which CJ claims to do, what I say in my little corner of the Internet should have nothing to do with any of this, right? So to try and get this conversation back on target I replied:

Dan,

In our last correspondence you indicated that what prevented you from considering upholding a warranty on your parts and workmanship was the fact that I had brought the car to another shop. Therefore, in this instance I figured I’d offer you first opportunity to stand behind your work and your product.

Let me know if you change your mind, as I’d like to have the car on the road again soon.

–chuck goolsbee
65ots, 1E10715
arlington, wa, usa

This conversation happened over a period of two days in early February. Want to venture a guess what I heard back?

Nada, Nuthin’, Zilch.

So whose statements are “inaccurate, insulting and grossly misleading”??

“Team CJ components are the highest quality, most thoroughly engineered performance upgrades available for your Jaguar. We have invested thousands of hours of research and real world testing to ensure that our components are safe, practical, durable and easy to install. Your satisfaction is 100% guaranteed. Such is the confidence that we have in our products, many Team CJ components are guaranteed for life!”

“Team CJ header systems are beautifully made, superbly engineered components that will enhance both performance and the appearance of any Jaguar engine bay. Constructed of the finest quality 304 stainless steel, mandrel bent and hand finished for perfect fit, our header systems will last the lifetime of your car.”

“These superb quality tuned headers have been developed entirely by Classic Jaguar. Any other stainless steel header system currently on the market is nothing more than expensive window dressing for your engine bay.”

“Please do not confuse our exclusive Team CJ header system with some of the inferior products currently being peddled around the US market. By now you know our credentials – at Classic Jaguar we are building some of the finest E Types in the world and we install the parts we sell on a daily basis. The Team CJ header system is the best E Type header system on the market – otherwise we wouldn’t offer it.”

Let’s take a close look at what Classic Jaguar defines as the highest quality, most thoroughly engineered, durable, 100% satisfaction guaranteed, beautifully made, superbly engineered components that will last the lifetime of your car shall we…

no flex joint

Above is the old “Team CJ” exhaust section between the headers and mufflers. Note the big sloppy weld. This was exactly how it was installed by Dan Mooney’s team. Not just purchased from them mind you… purchased and installed by crack Team CJ technicians. This is what that section is SUPPOSED to look like:

flex joint

There should be a flexible section between the headers and the mufflers. This allows the engine’s natural vibration to be absorbed without putting undue stress on the rest of the exhaust. I strongly believe that this ham-handed weld is what led my “superbly engineered” Team CJ mufflers to crack in half.

Really?

Down at the other end of the system, between the mufflers and the pipes that go under the rear suspension we find…

welded joint

… ANOTHER ham-handed big fugly TeamCJ botched welding job.

This is what it is supposed to look like:

slip joint

Oh well. It is obvious that this system was doomed to fail due to the way it was installed by the inept Team CJ Ninjas of Classic Jaguar in Austin, Texas.

I bought some extra clamps to deal with the places where the old exhaust was welded. The old dirty clamps are currently soaking in some BioDiesel to clean them up. Unfortunately at the moment it is snowing(!) so even if I get the exhaust on I doubt I’ll be able to get much of a test drive.

I’ll update you all on how the installation goes soon, and tell my tale of dealing with a reputable, reasonable vendor with regards to my new exhaust as well.

Of the people, by the people, for the people.

Great words, written and spoken by a great man, who happened also to be a Republican.

It seems that our current Vice President, also a Republican, has forgotten those words, and their meaning. This stupid, endless war is destroying our economy. Most of the people were against it from the start (myself included), and history has shown that the reasons and justifications for entering it were lies and falsehoods… or if you want to be generous and forgiving, incorrect assumptions and wishful thinking.

“We will be greeted as liberators”

“There is no doubt that Saddam Hussein possesses weapons of mass destruction.”

“The war will finance itself through the sale of oil.”

Of course this is also the man who after having been voted in on the promise of “bringing dignity back to the executive branch” told a colleague on the Senate floor to “Go fuck yourself.”