Category Archives: Security

Evolution VEVENT Errors with Google Read-Only Calendar

I’ve been submitting bugs far more often than usual since I moved to Ubuntu 12. Last week saw five or six in two days. At one point evolution gave me a segfault and on restart my Google sync’d calendar went into read-only mode. I also couldn’t delete the calendar. Every time I started evolution I was given the dreaded unable-to-read-a-vEvent error:

No backend factory for ‘google’ of ‘VEVENT’

It was probably related to the crash. I was unable to find answers online for how to remove or repair the calendar, so the fix for me was to manually remove the calendar source from gconf and then re-configure it in evolution.

WARNING: Since editing gconf is destructive be sure to have a backup of your evolution data before proceeding. You may lose everything if you do not back it up first.

To start, while not strictly necessary, I reset evolution to its defaults to get a clean slate (note that this unsets every evolution key under /apps/evolution, mail accounts included, which is why the backup above is not optional):

gconftool-2 --recursive-unset /apps/evolution

Next, run gconf-editor and navigate to “apps -> evolution -> calendar”. If you click on the “calendar” folder icon you should see “sources” in the right window under the name column.

Double-click on it and you will see the “Edit Key” window for /apps/evolution/calendar/sources.

Scroll through the values, find the list entry whose XML describes the Google calendar source, and click remove.

Then close down evolution.

evolution --force-shutdown

Now you should be able to start evolution, re-configure the Google calendar settings and continue using it.
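The same repair from the command line, as an added example that is not part of the original post and is not Evolution's or GNOME's own tooling, just a wrapper around gconftool-2's --dump and --load. It assumes the GConf-era Evolution shipped with Ubuntu 12.04 (3.2.x), where calendar sources are the string list /apps/evolution/calendar/sources and each entry is one XML group whose Google variant carries base_uri="google://"; the data directory names, the one-entry-per-line layout of the dump, the SAMPLE_DUMP text and all function names are my assumptions, not taken from a real machine.

```shell
#!/bin/sh
# Added example, not from the original post: the same repair done from the
# command line with gconftool-2 instead of clicking through gconf-editor.
# Assumptions: the GConf-era Evolution shipped with Ubuntu 12.04 (3.2.x), whose
# calendar sources are the string list /apps/evolution/calendar/sources, each
# entry one XML <group> element, the Google one carrying base_uri="google://";
# the data directories named below; and that `gconftool-2 --dump` prints each
# list entry on its own line (the SAMPLE_DUMP layout is reconstructed, not
# copied from a real machine).
set -eu

CAL_DIR=/apps/evolution/calendar

# Step 0 (the WARNING above): archive Evolution's data and the whole
# /apps/evolution gconf subtree before touching anything.
backup_evolution() {
    dest="$HOME/evolution-backup-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    for d in "$HOME/.local/share/evolution" "$HOME/.config/evolution"; do
        if [ -d "$d" ]; then
            tar -C "$(dirname "$d")" -czf "$dest/$(basename "$d").tar.gz" "$(basename "$d")"
        fi
    done
    gconftool-2 --dump /apps/evolution > "$dest/gconf-apps-evolution.xml"
    echo "$dest"
}

# Count source-list entries in a dump read from stdin (one <string> per entry).
count_sources() {
    grep -c '<string>' || true   # grep exits 1 when the count is 0; 0 is still an answer
}

# Step 1: filter a dump read from stdin, dropping every entry that names the
# google backend. Everything else in the dump passes through unchanged.
drop_google_sources() {
    grep -v 'google://' || true  # || true: grep -v exits 1 if nothing was kept
}

# Step 2: dump the calendar subtree, filter it, show what changed, load the
# filtered list back (assumed to overwrite the key), then force Evolution down
# so it re-reads gconf on the next start.
remove_google_calendar() {
    dump=$(mktemp)
    gconftool-2 --dump "$CAL_DIR" > "$dump"
    drop_google_sources < "$dump" > "$dump.filtered"
    echo "source entries before: $(count_sources < "$dump"), after: $(count_sources < "$dump.filtered")"
    gconftool-2 --load "$dump.filtered"
    evolution --force-shutdown
    rm -f "$dump" "$dump.filtered"
}

# Constructed sample dump, used only to exercise the filter offline.
SAMPLE_DUMP='<?xml version="1.0"?>
<gconfentryfile>
  <entrylist base="/apps/evolution/calendar">
    <entry>
      <key>sources</key>
      <value>
        <list type="string">
          <value><string>&lt;?xml version="1.0"?&gt;&lt;group uid="1" name="On This Computer" base_uri="local:"/&gt;</string></value>
          <value><string>&lt;?xml version="1.0"?&gt;&lt;group uid="2" name="Google" base_uri="google://"&gt;&lt;source uid="3" name="me@example.com"/&gt;&lt;/group&gt;</string></value>
        </list>
      </value>
    </entry>
  </entrylist>
</gconfentryfile>'

case "${1:-}" in
    backup) backup_evolution ;;
    repair) remove_google_calendar ;;
    demo)   printf '%s\n' "$SAMPLE_DUMP" | drop_google_sources ;;
esac
```

Run it with `backup` first, then `repair`; `demo` only runs the filter over the constructed sample. The before/after count is the sanity check: if it drops by more than the single Google group, stop and inspect the filtered file before loading it, because anything else in that list that happens to contain the string google:// would be removed too.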

Apple’s map “errors could prove deadly”

The Australian police have been rescuing people who become stranded after blindly following Apple devices into unfamiliar wilderness and getting lost or stuck. A public warning has been issued to try and help avoid catastrophe:

“If it was a 45-degree day, someone could actually die,” Mildura’s Local Area Commander Inspector Simon Clemence told state broadcaster ABC.

“It’s quite a dangerous situation, so we would be calling for people not to use the new Apple iPhone mapping system if they’re travelling from South Australia to Mildura.”

Police said at least five vehicles had become stranded in the park after drivers followed directions on their Apple iPhones, some of them after being stranded for up to 24 hours without food or water.

It seems a bit extreme to tell people not to use the system at all. I’d have said use it with extreme caution or use it as a secondary device to local knowledge or recently verified information.

What the Australian incident news I have read fails to mention is that this is a long-standing problem. Not only are map devices prone to error but local authorities have previously warned about people relying on them too much.

I have spoken about this many times when presenting on the security risks of Big Data. Integrity issues of the data that people rely upon are a major problem. Here’s the most recent version of a slide from my deck:

The tiny white URL at the bottom of the slide takes you to the story.

Three young women escaped the sinking Mercedes-Benz SUV after the vehicle’s GPS directed them down a boat launch and into the Mercer Slough in Bellevue, Washington.

The driver thought she was on a road while following her GPS unit just after midnight, but she was actually heading down the boat launch.

Just last year after a conference in Las Vegas I started driving through the vast desert to the south of Death Valley. I noticed warnings both from Garmin and from law enforcement about over-reliance on any electronic map. The most common problem, they explained at that time, was taking a turn onto a road that no longer (or never) existed and becoming stuck in the sand.

It was true. As I drove down roads narrowed by soft and dangerous shoulders I could see on my map several turns where there was nothing but drifting sand.

The real story is thus that Apple is not doing enough to warn users of the risks of trusting their maps, leaving it up to small and local community budgets to carry the weight of education as well as rescue of outsiders arriving with flawed technology.

And it’s not just Apple.

This point was driven home to me (pun not intended) when I watched a Google speaker last week present on the future of big data applications. The presentation painted an almost nauseatingly rosy picture of transportation entirely dependent on their service. It was one of those moments when I knew the security industry was not being integrated enough and there would be a lot of work ahead.

Is there a song called “Let’s go everywhere man, only if we can get out again?”

MySQL 0-Days: CVE-2012-5611 to 5615

A set of MySQL 0-Day vulnerabilities has been posted on the full-disclosure list with CVEs already assigned, as explained by Red Hat’s SRT:

So normally for MySQL issues Oracle would assign the CVE #. However in this case we have a bit of a time constraint (it’s a weekend and this is blowing up quickly) and the impacts are potentially quite severe. So I’ve spoken with some other Red Hat SRT members and we feel it is best to get CVE #’s assigned for these issues quickly so we can refer to them properly.

If Oracle security has already assigned CVE’s for these please let us and the public know so we can use the correct numbers. Also if Oracle can let the public know which versions of MySQL are affected (e.g. 5.0.x, 5.1.x, 5.5.x, etc.) that would be very helpful to everyone I am sure.

So far it appears from the MariaDB response and update notice (Oracle has yet to respond) that CVE-2012-5611 will be deprecated as a duplicate of CVE-2012-5579, while 5612 and 5614 require patches. 5615, a user enumeration issue (the server responds differently for valid and invalid user names), received this response from MariaDB:

hardly a ‘zeroday’ issue, it was known for, like, ten years

And, last but not least, 5613 is a point of configuration: it only applies where an account has been granted the FILE privilege it should never have had.

The MySQL 5.0 Reference Manual Security Guidelines clearly state “Do not grant the FILE privilege to nonadministrative users,” but someone may still make that mistake, as demonstrated in this video by Eric Romang.
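One way to find out whether that mistake has been made on a server you run, as an added example that is not from the post, Oracle or MariaDB: a shell wrapper that queries mysql.user for accounts holding File_priv and turns the result into REVOKE statements for review. The mysql client invocation, the allow-list convention, the function names and the sample audit rows are my own assumptions and constructions.

```shell
#!/bin/sh
# Added example, not from the original post, Oracle or MariaDB: audit which
# accounts hold the global FILE privilege (the misconfiguration that turns
# CVE-2012-5613 into a privilege escalation) and generate the REVOKE statements
# that take it away from everyone except a short allow-list.
# Assumptions: a mysql client that can read the mysql.user grant table, and
# account names without embedded quotes (they are interpolated as-is).
set -eu

AUDIT_SQL="SELECT user, host FROM mysql.user WHERE File_priv = 'Y'"

# Run the audit against the live server: -N drops the header row,
# -B prints tab-separated values, one "user<TAB>host" pair per line.
audit_file_priv() {
    mysql -N -B -e "$AUDIT_SQL"
}

# Turn audit rows on stdin into REVOKE statements on stdout. $1 is a
# space-separated allow-list of user@host pairs that legitimately need FILE
# (for LOAD DATA INFILE / SELECT ... INTO OUTFILE); those are skipped.
revoke_statements_from_tsv() {
    allow="${1:-}"
    tab="$(printf '\t')"
    while IFS="$tab" read -r user host; do
        [ -z "$user" ] && continue
        case " $allow " in
            *" $user@$host "*) continue ;;
        esac
        printf "REVOKE FILE ON *.* FROM '%s'@'%s';\n" "$user" "$host"
    done
}

# Constructed sample of what audit_file_priv prints on a badly configured
# server (not from a real machine): root plus two application accounts that
# should never have been granted FILE.
SAMPLE_AUDIT="$(printf 'root\tlocalhost\nwebapp\t%%\nreport\t10.0.0.%%\n')"

case "${1:-}" in
    # Print the statements for review; pipe them into `mysql` once checked.
    live) audit_file_priv | revoke_statements_from_tsv "root@localhost" ;;
    demo) printf '%s\n' "$SAMPLE_AUDIT" | revoke_statements_from_tsv "root@localhost" ;;
esac
```

`demo` prints two REVOKE statements for webapp and report and skips root; `live` does the same against the real grant table but still only prints, so the output can be read before it is fed to mysql. Revoking FILE breaks LOAD DATA INFILE and INTO OUTFILE for that account, which is exactly why the allow-list exists and why it should be as short as the security guideline implies.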

Still no word from Oracle…but MariaDB speculates on their behalf that their next releases shouldn’t be vulnerable to the CVEs they know about.

At a time when trust and transparency are more in demand than ever, security lists indicate a continuing trend in what some have described as this:

Oracle’s lack of communication regarding the future…

Algorithms, DVD CSS and Haiku

My mother dropped off a book for me to read called “Coding Freedom: The Ethics and Aesthetics of Hacking” by Gabriella Coleman.

The section on poetic protest within the chapter “Code is Speech” reminded me of the haiku called

How to decrypt a
DVD, in haiku form
Thanks, Prof. D. S. T.

A quick search for the original text of the poem brought me to an interesting backstory by its author, Seth Schoen:

A strange tradition current among programmers calls for the use of the 5-7-5 pattern — preferably cleverly — to express technology, or jokes about technology, or really anything at all, just for the fun or the challenge of writing within the constraint. I remember particularly that the UC Berkeley Computer Science Undergraduate Association has a mysterious tradition of writing haiku poems about the chemical element zinc. The tradition seemed to start with a 1995 transcript of a conversation in which CS students began to write poems about zinc, but it continued within and without the Berkeley CSUA, and I know that I personally helped spread the tradition to other forums and communities.

[…]

It’s clear that the practice of writing 5-7-5 verses and calling them “haiku” seizes on only one aspect of the haiku form and entirely removes it from its original cultural context. I freely admit that my poem has no cultural continuity with the ancient Japanese haiku artform, although I think it has its own sort of literary merit.

Well, maybe if the ancient Japanese had DVD CSS to deal with…but seriously, poetry often can be revealing and controversial through indirect methods. It can be a backdoor of communication on subjects where the front door is sealed. There is perhaps more continuity than Schoen realizes.