Out of the blue, I decided to migrate to the latest Fedora Core 3. So I backed up all the database data and all custom scripts and rebuilt the server last night. One of its features is SELinux (Security Enhanced Linux, backed by the NSA), so I chose to turn it on. Soon I knew I had made a mistake, and it’s a nightmare to deal with the complications in its current state. It was déjà vu, like when I upgraded to Windows XP SP2. Suddenly, many applications just stopped working.
Apache didn’t work at all. After I inspected the error logs, I realized that it had been denied access to the web content folders. Finally I figured out how to use chcon to change the security context on the web content folders to httpd_content_t.
It got worse later when I restored the PostgreSQL database and found out that it was not working anymore. It turned out that Perl was being denied access to some important file for the socket connection to the database server. Since I don’t intend to become a SELinux expert, I decided to just turn off SELinux to have a working system back in my hands.
SELinux will be a great feature, but I won’t use it until all major applications have deployed working policies. Without a working system first, a security-enhanced system may just be a pile of hardware without the power turned on :-).
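The denials described above are recorded as `avc: denied` messages, and grouping them by source type, target type and object class shows which label or policy rule is missing before anyone reaches for the off switch. The following is an added example, not part of the original post: the log lines are constructed, and the parser goes slightly beyond the post by also accepting the later context format that carries a level field.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of kernel AVC messages; not the author's logs.
SAMPLE_LOG = [
    'Nov 20 22:14:03 web kernel: audit(1100988843.101:0): avc:  denied  { read } for  pid=2301 '
    'comm="httpd" name="index.html" dev=hda2 ino=40211 '
    'scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file',
    'Nov 20 22:14:04 web kernel: audit(1100988844.220:0): avc:  denied  { getattr } for  pid=2301 '
    'exe=/usr/sbin/httpd path=/var/www/html/index.html dev=hda2 ino=40211 '
    'scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file',
    # Later-style context with a trailing level field (":s0").
    'Nov 20 22:31:40 web kernel: audit(1100989900.007:0): avc:  denied  { write } for  pid=2410 '
    'comm="perl" name=".s.PGSQL.5432" dev=hda2 ino=51877 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file',
    'Nov 20 22:32:01 web kernel: EXT3-fs: mounted filesystem with ordered data mode.',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'\b(comm|exe|name|path)=("[^"]*"|\S+)')

def context_type(ctx):
    """Return the type field of user:role:type[:level]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def summarize_denials(lines):
    """Group denials by (source type, target type, class); skip non-AVC lines."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "count": 0})
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        group = groups[(context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])]
        group["perms"].update(m["perms"].split())
        obj = fields.get("path") or fields.get("name")  # full path when logged
        if obj:
            group["objects"].add(obj)
        group["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize_denials(SAMPLE_LOG).items():
        print(f"{src} -> {tgt} [{cls}] {sorted(g['perms'])} x{g['count']} {sorted(g['objects'])}")
```

A group such as `httpd_t -> user_home_t [file]` points at mislabeled content, the kind of problem a relabel with `chcon` addresses, while a denial on a socket file points at policy rather than labels.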
With the $4.99 Unlimited T-Zones plan, I’m able to set up email access to corporate email and personal email via POP3 and SMTP. However, RoadRunner’s SMTP does not work, so I can only read emails from RR.
I have managed to log in to IB’s Mobile Trader, which requires SSL, with T-Zones GPRS security ON, but none of the links work after login.
Interestingly, according to T-Mobile, we can only access corporate email with its $9.99 Unlimited T-Zones plan.
I’m spending the weekends researching options on WAP security with my Sony Ericsson T610. I signed up for a plan with T-Mobile with its T-Zones, which supports GPRS for web browsing, email, SMS and MMS. The T610 also supports Bluetooth and IR connectivity. Using Bluetooth is really easy; there’s nothing to configure other than turning on Bluetooth. Setting up IR with a PC is more challenging since it involves PC and modem driver issues. I’m gonna get a Bluetooth USB adapter instead.
While playing with the phone, I found that the four trusted CA certificates were gone for reasons unknown. I did do a master reset after changing many settings. Figuring out how to install trusted CA certificates looks impossible. I found no useful information on Google or on the Sony Ericsson and T-Mobile sites. Calls to T-Mobile tech support were not helpful either.
I cannot connect to T-Zones with security turned on. With security turned off, browsing the web works, but I cannot log in to the Passport site, nor to any other MSN mobile sites such as Hotmail and MSN Messenger.
I start to think that maybe T-Mobile does not support secured T-Zones on its unlimited T-Zones plan. It does have another unlimited T-Zones Pro plan, which supports additional WAP gateway other than T-Mobile’s.
The TabletPC project is over. I spent three weeks at Samsung’s Austin facility prototyping a solution to replace their current paper-based auditing process in the fab.
We had to start the prototyping on XP without a TabletPC on hand. Within a week, we finally settled on the GUI design options that best fit our users’ tastes and preferences. We spent a lot of time exploring the new features offered by the digital ink and pen. We chose the two most promising designs, built simple prototypes, and presented them to the users. It turned out that they liked both :-) So we ended up with a new design incorporating the features from both prototypes.
Soon we found out that the TabletPC SDK had some undocumented limitations on how many Windows handles could be used. Our design called for a journal-like interface where a user could just write down some shorthand codes, counts of violations and comments. The codes and counts are recognized and validated against a known list. Due to limited time, we had originally laid out as many rows of ink controls as we would need on the form, but it turned out that the SDK could not support it. We ended up using a template of controls and reusing them.
Using factoids and well defined wordlists, the recognition accuracy is very high, but a traditional combobox still works very well.
The whole solution consists of a GUI frontend implemented in Windows Forms and deployed via No Touch web deployment, a web site for reporting implemented in ASP.NET and OWC, a server component implemented and deployed as .NET Remoting objects, and SQL Server 2000 as the backend.
The security model is integrated Windows security all the way from the user’s computer through the web server to the database server. It has an offline feature to handle Wi-Fi connectivity issues when roaming in a fab lab. It’s written in C#.
This is an illustration of how poorly security can be designed and implemented, even at a strong and technologically advanced company in web-related technology. Here’s the screen captured while using TerraServer (a nice service, by the way) on MSN. As you can see, the password is revealed to the public when a connectivity error occurred.