Interesting security bug

Similar Messages

• Ongoing fatal crash and security bug related to connecting external display

  The infrastructures in OS X to resume from sleep, to authenticate, and to change displays is fundamentally not working.
  The security bug I have encountered has to do with connecting a cinema display exclusively to a MacBook Pro. This is a specific situation, but please note that I have experienced the same problem on no fewer than three independent laptop. Plus, the Genius in the Apple Retail Store was convinced of the general instability of this infrastructure. The security problem is that hot corners no longer function if I transition between two states in the same reboot. The first state is where I have the laptop powered on and using its own internal display exclusively (when I'm on the road). The second state is when I have the laptop displaying its output exclusively on an external display (when I'm at home). What happens is that an attempt to use hot corners fails. There is no response. I even added configuration on all four corners (whereas I originally had settings only for the rightmost corners), and even then, the hot corner action (of sleeping the display or entering locked screen saver mode) does not commence. This prevents the user from being able to secure the display on demand using standard methods that are supposed to work.
  The instability level related to connecting the external display exclusively is high. Again, I've experienced this on no fewer than three independent laptops, and the Apple Genius at the Retail Store confirmed that this aspect of OS X did not work consistently. When I want to connect the cinema display to the laptop in such a way that the laptop's own display is not part of the active screen, the process I use succeeds about half the time. Supposing I have been on the road, where I am using the laptop display exclusively. I then put the laptop to sleep. When I return home with the lid open, I connect first the USB (power) from the cinema display to the laptop, and then I connect the Mini DisplayPort. When that step works, what happens is that the login screen shows on the cinema display despite the fact that my laptop lid is closed. This is good, and is what I want. At that point, I open the laptop lid and quickly log in.
  With Apple being a mobile device company, I rely on the laptop for tasks that one traditionally may use a desktop for. This simply points to the versatility of the laptop. But I'd like the bugs resolved, so that I do not have to hesitate to make use of the inherent flexibility possible with the MacBook Pro.
  Here's what happens when the process (of connecting the external display in a way that establishes itself as the only screen in use by OS X) fails. Firstly, when I connect the external display via Mini DisplayPort, the laptop doesn't even respond. Instead, it remains asleep. So to work around it I have to repeatedly disconnect and reconnect the Mini DisplayPort so that the asleep MacBook Pro will see that there is a display connected to it. Also, sometimes that isn't even enough and I have to open the laptop lid, and put it to sleep again so as to trigger whatever actions are necessary to recognise the external display (presumably by having the laptop recently awake). Around half the time, I have to play this game of disconnecting and reconnecting until it actually works. This high level of reproducibility (confirmed by the Apple Genius representative's confidence that this part of the system doesn't actually work) should make it easy for an engineer to look into the problem.
  Fatally, and recently, OS X has completely crashed when I have attempted to connect the external display. The external display has gone completely blue, and after a half a minute, it blanked out and my entire laptop became unresponsive. I called Apple Support and was given a case number. I also took the laptop into the retail store to see if I could recover my current session without rebooting. There was no process suggested to make that happen and I was told to reboot the machine. I've had this happen before on other laptops, and it is frustrating that the kernel reaches such a state that it cannot be used. As I see it, this problem is not too unrelated to the way that I need to play a game in order to get the external display connected exclusively. Here are some workarounds that could be added:
  Firstly, whenever I connect an external display, I'd like the laptop to see that this has happened, and to take action accordingly (such as resuming from sleep). Secondly, If I connect an external keyboard, and press a key on it, I'd like this to wake the laptop too (in the event that the first method fails for some unforeseen reason). I'd also like the connection of the cinema display's USB power not to cause the laptop to enter into a confused state between asleep and awake. Sometimes I need to disconnect and reconnect USB power in order to trigger the laptop into waking, but that's only because it's not doing it on its own properly. On the other hand, I also ensure that the laptop doesn't have the Mini DisplayPort connected without also having the cinema display USB power connected, because that also is an unsupported configuration.
  I've also gotten the laptop to become confused about whether it is asleep or awake. When I open the lid, it seems to enter into sleep mode, but closing it seems to bring it into an active state.
  Also, I've successfully logged on and authenticated with the screen showing exclusively on the external display. But just ten seconds after I start using the system, the laptop falls asleep--with the lid open! Whatever triggers that action doesn't seem to be on track. The laptop is open, there are incoming events such as mouse movements and key presses, and the external display is on and is in use. And then the laptop falls asleep! This has happened numerous times. Not only should this not happen; the instances where it does happen can cause further instability and put my system at risk of fatally crashing.
  Also, the authentication system itself is highly buggy--far more than it should be. At times I have opened the laptop lid and caught a glimpse of a window before I have begun the login process. Also, an external authentication application that asks for Kerberos/AFS login credentials has been able to overlay itself on top of the primary authentication (whereas I should only see a single login dialog when I need to authenticate to the system). Also, I've had several of these authentication screens overlay on top of one another, although it's been months since I've experienced that one (so it may have been fixed). Also, around a third of the time, the window that authenticates me (on the black background) somehow transfers itself into the background (even though there's only one window!). What that means is what I begin to type my password, and now the laptop starts beeping at me and I need to manually click on the password field and begin entering my password again. This really shouldn't happen, and indicates too much complexity in this authentication process (such as, more OS X code is involved than is strictly necessary, which is likely to make the authentication system more difficult to test). Also, at times, I have been using too much CPU, such that the authentication screen takes too long to emerge. That also means that I'm not able to logon until I uncleanly shutdown the laptop. If the laptop has been asleep, and is revived in preparation for login, then that login screen should be given highest priority, even if there are other heavy CPU or I/O intensive tasks running in the background. And maybe the login dialog shouldn't disappear when the user is legitimately attempting to log in. So even if there is a possibility that the system is under heavy resource use (or there is a stall or minor deadlock), it shouldn't prevent the user from logging in altogether.
  At the moment, the very fact that the system shut down uncleanly means that the full disk encryption suite that I used has entered into an undetermined state, suggesting I may lose access to all my data. It's my hope that I can rely on Apple's products to interoperate in a way that won't cause me to be fearful and restrictive in my use, so that I can freely connect an external display at times, and at other times carry the laptop on the road.

  Ive got the same problem with Samsung UE225010 monitor too, its full hd but it looks terrible, could it be Displayport adapter issue, because couple month ago Ive tryed with some IPS display, and it looked same bad.

• Is this a security bug in Windows 8.1?

  I think I have discovered a serious security bug in Windows 8.1.
  Today I was using my (non-Admin) user account and with Internet Explorer I saved a file in the default Downloads folder (under This PC). The file was saved, but when I went to that folder, the file was not there! Now, I was about to downloaded
  it again, using IE, same as before, when I noticed in the Save dialog box that the file had indeed been downloaded, and that it was there, in the Downloads folder under This PC. Frustrated, I went to that very folder, but the file was nowhere
  to be found. I was really puzzled.
  Then, by chance, while logged in another account (namely the Admin account), I happened to go to the Downloads folder, and there was the file that I had downloaded using the other account.
  Obviously, what I described above represents a security problem: firstly because my private files may get saved by mistake into another person's account without me even realizing it, and secondly because I was able to access another person account
  (i.e. the Admin account) via the IE's Save dialog box, seeing the list of the files there, and possibly even accessing them (I have not tried the latter, though).
  Has anyone experienced anything like the situation I described?
  I must also say that I later tried to replicate this abnormal behavior, but for some unknown reason I couldn't. Anyway, I am sure that what I described above is an accurate account of how things went.

  Hi,
  Since I cannot repro your issue on my own computer, it cannot be a bug.
  I suggest we try to use another user account to see if there is the same issue happened.
  Please make sure your location of download folder is right:
  Right click Downloads folder, and choose Properties.
  Make sure the location is right under your user profile.
  If not, please click Location and click Restore default.
  If we still fail to solve you issue, please run Process monitor at the end of the downloading process to capture the actions, and upload the save log here for further research.
  You can also check if there is any weird actions at the end of downloading process.
  Process Monitor v3.05
  http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
  How to use, please refer to this article:
  Using Process Monitor to capture system events
  http://www.sophos.com/en-us/support/knowledgebase/119038.aspx
  Keep post.
  Kate Li
  TechNet Community Support

• Interesting thread bug

  Hi,
  I'm developing a client/server whiteboard system for my term project. I've hit to an interesting threading bug. The very brief description of the goal is like this: A client has a method (getActiveUsers) to get the list of active(logged in) users from server. In order to accomplish this, it sends a command to server to receive the user list. In an undeterministic time frame, the server sends a message as a reply, which includes the user list. When the client gets the user list, it is expected to update its local user list. The code for these goes like this:
  // The method that returns the list of active users
  // in the system
  public Vector getActiveUsers()
  synchronized(activeUsers)
  channel.send(new ListActiveUsers(username));
  try
  activeUsers.wait();
  catch (InterruptedException e) {}
  return activeUsers;
  // The method that is fired when a new message
  // is received (Observer pattern)
  public void update(Message msg){
  if (msg instanceof ActiveUsersList)
  synchronized(activeUsers)
  activeUsers=((ActiveUsersList)msg).activeUserList;
  activeUsers.notifyAll();
  return;
  inform(msg);
  the Error message is this:
  java.lang.IllegalMonitorStateException: current thread not owner
       at java.lang.Object.notifyAll(Native Method)
       at domain.Whiteboard.update(Whiteboard.java:49)
       at services.messaging.Channel.inform(Channel.java:95)
  How can a thread be not owner of an object when it enters a synchronized block for that object?
  Thanks for any help.
  Regards...

  You synchronized on one object, referred to by your variable activeUsers, but then you reassigned activeUsers to refer to a different object and called notifyAll on that object. Remind yourself of the difference between variables and objects.

• Weblogic.developer.interest.security has moved!

  This newsgroup has been relocated. Going forward, please use the weblogic.developer.interest.security newsgroup, which will be located in the [url http://forums.bea.com/category.jspa?categoryID=2004]WebLogic Server/Java EE Newsgroups folder, located at:
  http://forums.bea.com/category.jspa?categoryID=2004

  Pls mention the WLS version & service pack level
            Kumar
            Kevin wrote:
            > Has anyone seen this nasty error before. It is killing my server and Idon't yet know why I get it.Tue Jun 26 19:10:52 CST 2001:<E> <ServletContext-General> Servlet failed with Exceptionjava.lang.ArrayIndexOutOfBoundsException: 7743536at weblogic.servlet.jsp.JspBase.service(Compiled Code)at weblogic.servlet.internal.ServletStubImpl.invokeServlet(Compiled Code)at weblogic.servlet.internal.ServletStubImpl.invokeServlet(Compiled Code)at weblogic.servlet.internal.ServletContextImpl.invokeServlet(Compiled Code)at weblogic.servlet.internal.ServletContextImpl.invokeServlet(Compiled Code)at weblogic.servlet.internal.ServletContextManager.invokeServlet(Compiled Code)at weblogic.socket.MuxableSocketHTTP.invokeServlet(Compiled Code)at weblogic.socket.MuxableSocketHTTP.execute(Compiled Code)at weblogic.kernel.ExecuteThread.run(Compiled Code)
            

• Another security bug??

  All,
  I am running Weblogic with SP3. In my web application configured to use
  form-based authentication. In the web.xml file I have:
  <servlet>
  <servlet-name>InfIIPSchedulerServlet</servlet-name>
  <servlet-class>examples.servlets.InfIIPSchedulerServlet</servlet-class>
  <load-on-startup>2</load-on-startup>
  </servlet>
  <servlet-mapping>
  <servlet-name>InfIIPSchedulerServlet</servlet-name>
  <url-pattern>InfIIPSchedulerServlet</url-pattern>
  </servlet-mapping>
  <servlet-name>InfIIPSchedulerServlet</servlet-name>
  <url-pattern>jsp/InfIIPSchedulerServlet</url-pattern>
  </servlet-mapping>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>iip</web-resource-name>
  <description>Informatica Information Platform (IIP)</description>
  <url-pattern>/jsp/*</url-pattern>
  </web-resource-collection>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  </login-config>
  public class InfIIPSchedulerServlet {
  public void service(HttpServletRequest req, HttpServletResponse res)
  throws ServletException, IOException
  HttpSession session = req.getSession(false);
  res.setContentType("text/plain");
  ServletOutputStream out = res.getOutputStream();
  try {
  if (session == null) {
  out.println("Session is null");
  } else {
  out.println("Session is " + session.toString());
  InfIIPSession ss =
  (InfIIPSession)session.getAttribute(com.informatica.viewer.util.InfHttpSessi
  onNames.USER_IIPSESSION );
  Context context = ss.getContext();
  out.println("<BR>Remote user is ");
  out.println(req.getRemoteUser());
  out.println("<BR>Principal is ");
  out.println(req.getUserPrincipal().getName());
  out.println("<BR>Principal in Context is ");
  out.println((String)context.getEnvironment().get(Context.SECURITY_PRINCIPAL)
  } catch (NamingException ne) {
  throw new ServletException(ne.getMessage());
  After loged in successfully, a welcome page came up. I got the following
  output when invoking the servlet with url
  http://localhost:7001/iip/InfIIPSchedulerServlet
  Session is weblogic.servlet.internal.session.MemorySession@69abf940
  <BR>Remote user is
  dtseng
  <BR>Principal is
  guest
  <BR>Principal in Context is
  dtseng
  With url http://localhost:7001/iip/jsp/InfIIPSchedulerServlet the output
  become
  Session is weblogic.servlet.internal.session.MemorySession@69abf940
  <BR>Remote user is
  dtseng
  <BR>Principal is
  dtseng
  <BR>Principal in Context is
  dtseng
  The difference is that the first url is not a protected resource, while
  the second is. Why req.getUserPrincipal().getName() returns different values
  depending on the context in which is is executed? Is this a security bug?

  I would like to see this feature of the phone given a significant overhaul. Instead of just displaying the dail pad, I'd like to have the choice of programming in certain numbers which could offered for dialing in place of the dial pad being shown for the Emergency call feature. Perhaps upto 10 numbers could be programmed in, so you could add the emergency numbers for your area and any other numbers you think would be useful. Of course, this should be optional so that the user has the choice of only allowing calls to the pre-registered numbers, the display of the numpad or both.
  That way, everyone would be happy, no?

• Security BUG in the web container!

  Hello,
  I have just accidently discovered a security BUG in the web container. The bug permits you to view the source of the JSP page (welcome page).
  To reproduce the bug, do the following:
  1. Create a web application. Create new page with name Index.jsp. Add "Index.jsp" into the web.xml as a welcome file.
  2. Deploy it under, let's say, "SecurityBugWebApp".
  3. Access http://host/SecurityBugWebApp/ or http://host/SecurityBugWebApp/Index.jsp - everything should be as usual - you should see a normal output of a JSP page.
  4. Access http://host/SecurityBugWebApp/Index.JSP (notice the case of the ".JSP" ). You should be able to see the source code of the web page. This bug even works if it is under security constraint! This doesn't seem to work, however, with JSPs not listed in the welcome file list.
  Sincerely,
  Sergei Batiuk.

  Peter,
  Thank you for your suggestion. This makes sense to
  try. I'm actually using a trial license of AS7 with
  no updates. I've found update 1 online with free
  trial, however, do you know if AS7 update 2 is
  available with a trial license and where it might be
  located for download?
  you can get AS7 update2 Platform edition from here.
  Platform ed. is FREE for both development and production deployment
  http://wwws.sun.com/software/download/products/3fb01655.html
  AS7 update2 Standard Edition can be downloaded from here.
  Standard Ed is free only for development, you need to buy a license to use it in production.
  http://wwws.sun.com/software/download/products/3f7df408.html
  Peter

• Security bug in 7.0.2 on 5s

  Hi
  I think ios 7.0.2 for iphone5s has a security bug! as you can see in this two videoes , my
  iphone has password but i can open my iphone with siri & use it with out asking my password!!
  of course it's not always true! sometimes it asks my password & sometimes not!
  I reset all settings from setting but it doesn't help me.
  please download this 2viedoes to understand me better.
  tnX!
  video 1(have problem)
  http://hipfile.com/vnadofjfemn6
  video 2(after few minuts,it's ok)
  http://hipfile.com/zk9fgs6ikbj0
  iphone 5s
  7.0.2

  Sorry, I don't watch video from a stranger.
  I tested it and it works.
  Note: Lockscreen is not Home screen,
  1. Switch Siri off as given in my previous post
  2. Press the top Sleep/Wake button to get you iPhone to sleep.
  3. Press the top Sleep/Wake button to wake iPhone up.
  4. Use a finger (not the finger that is registered in fingerprint) press the Home button and see if Siri comes up.
  You can try a reset before the test:
  Reset: Hold down the Sleep/Wake button and the Home button at the same time for at least ten seconds, until the Apple logo appears. Note: You will not lose any data

• How to report a security bug w/o ADC account?

  Hello! I did not find an approptiate forum, so i try here, i hope that's ok.
  There is a security bug in some browsers, and Safari 2 suffers from it, too. The other vendors are already notified, but a cannot find a way to inform apple.
  * It's an security issue, so i should notify Apple non-publicly before publishing
  * It's in Safaris certificate handlig, so it's not in WebKit
  * I do not have a MacOS system (with menu option +Report Bugs to Apple+ ) myself
  * I won't accept tons of legal code to sign up to an ADC acount
  * No, +Apple Care+ is not an option
  I don't mind publishing the issue without notifying apple, but maybe apple does. ZB.

  Well it looks like sending you here was a good thing.
  I appreciate your concerns about open posting of any specific information; I am sure Apple and the other browser makers do too.
  You might google on secunia and perhaps see if it's already known about. I did that for you.
  http://secunia.com/
  Good Luck, JP
  Message was edited by: Jpfresno 'I did that...'

• Serious security bug in weblogic 6.0

  when I use jaas authenticated to weblogic server 6.0. everything is beatiful. but
  I easily bypass the jaas authentication and could login to weblogic server 6.0
  as anybody with any credential. Think about it, if I login as system and with
  wrong password, and I get in , and the caller will be system.
  If anyone inside weblogic team is interested in talking about it, please give
  me a email. I don't want to post the way how I did it right now

  This potential vulnerability has been confirmed and has been fixed in BEA WebLogic
  Server 6.0 Service Pack 1 (SP1). SP1 is currently available for download from
  the BEA Download Center at
  http://commerce.bea.com/downloads/weblogic_server.jsp#wls.
  BEA advises every Service Pack be applied as they are released. Service Packs
  include a roll up of all bug fixes for each version of the product, as well as
  each of the previously released Service Packs.
  BEA treats security issues with the highest degree of urgency and does everything
  possible to ensure the security of all customer assets. As a policy, if there
  are any security-related issues with any BEA product, BEA will distribute an advisory
  and instructions with the appropriate course of action.
  Because the security of your site, data, and code is
  our highest priority, we are committed to communicating all
  security-related issues clearly and openly.
  BEA has established a permission-based emailing list specifically
  targeted for product security advisories. As a policy, if a user has opted in
  to our emailing list and there are any security issues with the BEA product(s)
  he/she is using, BEA will distribute an advisory and instructions via email with
  the appropriate course of action.
  REPORTING SECURITY ISSUES
  For immediate attention, BEA has established an email address to which you can
  send reports of any possible security issues in BEA products.
  These reports should be sent to: [email protected]
  All correspondence to this address will be promptly reviewed and all necessary
  actions taken to ensure the continued security of all customer assets.
  SUBSCRIBE TO EMAIL ALERT
  You may subscribe to the permission-based emailing list to receive alerts of security
  advisories by registering with BEA at:
  http://contact.beasys.com/bea/www/securityelogin.jsp.
  Sincerely,
  Marc Bishop
  Security Product Manager
  BEA WebLogic Server

• WWSBR_ALL_ITEMS and item level security - BUG?

  Hi,
  View WWSBR_ALL_ITEMS does not seems to work correctly when using item level security on a folder.
  If I add an item to a folder with item level security enabled and do NOT define any special access settings for this item, ie the item setting is "Inherit Parent Folder Access Privileges", then the view does not return the item.
  Has anyone else run into this? Is it a bug?
  Any help appreciated.
  Portal 3.0.9.8.0
  Oracle8i Enterprise Edition 8.1.7.0 - 64 bit
  IBM AIX 4.3.3

  I've been informed that patch 3.0.9.8.2 will solve the problem. Sorry about the double post.

• Security Bug in weblogic.httpd.enable

   

  Hi!
  When I set this "weblogic.httpd.enable=false". I will get UnmarshalException
  for WLStub at ejb client whenever I update my classes. Is this by design?
  When I comment out this, the error is gone.
  Regards
  Yew Yap
  "Vince" <[email protected]> wrote in message
  news:87f5ng$g7g$[email protected]..
  Hi all,
  I don't know whether you all know this or not, but I would feel guilty ifI
  didn't tell all of you. I found a bug in the properties file. WebLogic
  claimed that the httpd can be disabled for security purposes. However, I
  realized that no matter what boolean you assign to weblogic.httpd.enable,
  the httpd is still alive. The setting in the properties file has noeffect
  at all. For those of you who have to disable httpd for the security ofyour
  internal networks, this is really a problem. I have reported this to BEA
  and will see how they fix this. You can test this on your WebLogic server
  by setting the property to false and test to see if the clients canconnect
  to your server using http. I was be able to use a browser to connect tothe
  server and even more I could replace t3 with http in my java code toconnect
  to my EJBs after I disabled httpd.
  Vince

• DB links security bug?

  Hi,
  I have several DB links in my APEX environment. I use them for different applications to connect to different bases located on different servers.
  Everything works fine but few days ago we noticed that during login process, new session is created on each server, even if application uses only one DB link (so there shouldn’t be any references to another DBs). It looks like APEX logs in to all DB links it has defined.
  I use APEX 3.0 and internal Application Express Authentication Scheme.
  Is it some APEX bug? I don’t think it’s very secure.
  Regards,
  Przemek

  Hi Przemek,
  A database link session only gets created once an object in the remote database is accessed so unless this is happening when the login page is presented, then this should not be happening. I'm not sure if you are aware, but a database link session in a remote database is only associated with a database session in the local database, not an Apex logon. This is because Apex uses asynchronous connection pooling through the HTTP server (or any other type of server) and it may be that the DB session has already opened the DB link because of a separate Apex session.
  Regards
  Andre

• SECURITY BUG : You're sure your WPA is on ? You may be very wrong !

  Here is the problem.
  Some networks created on AirPort Extreme base station are wide open with no security on EVEN IF THE AIRPORT UTILITY SAYS SO !
  I hard rest my new AirPort Extreme, went throught the setup wizard to create a closed network with WPA2 Personal on. I checked the settings once the base was restarted but, to my surprise, I COULD CONNECT TO MY NETWORK WITHOUT PASSWORD, from my PDA and my neighbourg laptop. The network wasn't even closed !! I double checked the AirPort utility : it said that WPA was ON which is definitely NOT true.
  To confirm that, I choose to extend my network with my other base (Express). No problem except for the fact that, to access the Extreme base, the Express setting was : "open network, no security" (in preferred network, network preferences panel)
  MY ADVICE : don't trust what the AirPort utility says about security. It MAY be very wrong. You have to check if it is on or off using another device (Wifi PDA, a friend's laptop, whatever)
  Others users here found the same issue. I'm definitely not alone here. To me, this is a serious bug requiring a firmware update. Reply to this post if you have a similar problem.
  Thanks
  Gregory
  Toronto, Canada

  Hey, me again...
  I found the reason of my problem. This is indeed a problem with the AirPort utility. More an interface problem, let's say.
  The key is that the AirPort utility can be confusing when extending your network. And what can happens is that you end up with 2 NETWORKS with the SAME NAME, 1 with WPA and 1 with no security. And because of the default setting of the network preferences panel, you will automatically connect to the open one if anything happens on the WPA one. That is what happened to me. When extending the network of my main new Extreme, I somehow got an open network with the same name on my Express. And because this one was always plugged during my tests & hard resets of the Extreme, I always got connected to the open network, by default. So the AirPort was not completely wrong after all.
  KEY POINTS to avoid that and have a clean nice new WPA/WPA2 network :
  - Hard reset and configure the first base that will be your main one (WDS Main or simply the one connected to the Internet for a non-WDS network)
  - Be sure all the others bases are unplugged... Just to be sure
  - To set up your network on this first base, in the Airport Utility, don't use the wizard by clicking on "Continue". It is quite bad. Simply double-click on your base station with the weird name : it will open the settings page. Go to Wireless and create your new network with all appropriate options (WPA/WPA2 for example)
  - Don't use the "Closed Network" option so far. You'd better wait for your network to be completely extended, with all your bases. Or you will be in pain in the process of adding new bases !! For example, if you want to extend your WDS closed network, you cannot do it with the AirPort Utility Wizard because it will not show it in the list of available networks (and this list does NOT propose the "Other..." option where you can type the name of your network...)
  - Still before adding any other extensions base, if you want to set up a WDS network, enter ALL the AirPort IDs of your other "remote" bases now, in the WDS tab.
  - In general, don't use the Wizard when it is no necessary. You can do quite everything directly from the Settings page of your base. EXCEPT ONE ! To add a WDS Remote, USE THE WIZARD ! It looks like the complexe procedure to "register" a remote on a WDS main is not complete you enter the settings manually on your remote. And, be carefull, when adding a WDS remote, the AirPort utility will ask you several passwords. The first one is to connect to your (not closed) main network. But after, to complete the registration of your remote on the main, the utility asks for a password. IT IS THE MAIN Base Station password, NOT the network password (the prompt window is so confusing).
  - When you're done with all your stations one by one, check that every one has a different IP ! I know, weird, but in my previous problem with 2 networks with the same name, I noticed that both stations had 10.0.1.1 address. at the same time. A good indication that you have 2 networks right ?
  - Finally, go to your Network preferences panel, Airport section. Switch automatic to preferred networks and just clean up the mess here Just keep your network and check the level of security.
  So AT LAST, here is my situation, in my tiny appartment :
  - 1 Extreme connected on my cable modem, WDS Main, closed WPA2 network, 25% power transmition, wireless clients allowed.
  - 1 Express plugged in my bedroom (3 meters away...), WDS Remote, 25% power transmition and NO wireless client allowed (so my MacBook Pro connects ONLY on the Extreme base)
  - 1 HP Photosmart C5180 Ethernet printer connected on my Express with a ethernet cable.
  All lights green...

• JDk1.5.0beta3build58 security bug

  JWS isn't working with third party look and feel implementations wrt the FileOpenService.
  This seems to be a regression to 1.4.1 behaviour where I had to manually set the look and feel to the System LNF before trying to use the FileOpenService. I'm using JGoodies 1.2.2.
  I do not see this with JDk1.5.0 beta2.
  java.security.AccessControlException: access denied (java.io.FilePermission / read)
       at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
       at java.security.AccessController.checkPermission(AccessController.java:427)
       at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
       at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
       at java.io.File.exists(File.java:700)
       at javax.swing.filechooser.FileSystemView.getSystemDisplayName(FileSystemView.java:153)
       at javax.swing.plaf.basic.BasicFileChooserUI$BasicFileView.getName(BasicFileChooserUI.java:1157)
       at javax.swing.JFileChooser.getName(JFileChooser.java:1470)
       at javax.swing.plaf.metal.MetalFileChooserUI$DirectoryComboBoxRenderer.getListCellRendererComponent(MetalFileChooserUI.java:842)
       at javax.swing.plaf.basic.BasicComboBoxUI.getDisplaySize(BasicComboBoxUI.java:1182)
       at com.jgoodies.plaf.plastic.PlasticComboBoxUI.getMinimumSize(PlasticComboBoxUI.java:115)
       at javax.swing.plaf.basic.BasicComboBoxUI.getPreferredSize(BasicComboBoxUI.java:855)
       at javax.swing.JComponent.getPreferredSize(JComponent.java:1582)
       at javax.swing.plaf.metal.MetalFileChooserUI$1.getPreferredSize(MetalFileChooserUI.java:211)
       at java.awt.BorderLayout.preferredLayoutSize(BorderLayout.java:690)
       at java.awt.Container.preferredSize(Container.java:1558)
       at java.awt.Container.getPreferredSize(Container.java:1543)
       at javax.swing.JComponent.getPreferredSize(JComponent.java:1584)
       at java.awt.BorderLayout.preferredLayoutSize(BorderLayout.java:695)
       at javax.swing.plaf.metal.MetalFileChooserUI.getPreferredSize(MetalFileChooserUI.java:546)
       at javax.swing.JComponent.getPreferredSize(JComponent.java:1582)
       at java.awt.BorderLayout.preferredLayoutSize(BorderLayout.java:690)
       at java.awt.Container.preferredSize(Container.java:1558)
       at java.awt.Container.getPreferredSize(Container.java:1543)
       at javax.swing.JComponent.getPreferredSize(JComponent.java:1584)
       at javax.swing.JRootPane$RootLayout.preferredLayoutSize(JRootPane.java:824)
       at java.awt.Container.preferredSize(Container.java:1558)
       at java.awt.Container.getPreferredSize(Container.java:1543)
       at javax.swing.JComponent.getPreferredSize(JComponent.java:1584)
       at java.awt.BorderLayout.preferredLayoutSize(BorderLayout.java:690)
       at java.awt.Container.preferredSize(Container.java:1558)
       at java.awt.Container.getPreferredSize(Container.java:1543)
       at java.awt.Window.pack(Window.java:478)
       at javax.swing.JFileChooser.createDialog(JFileChooser.java:772)
       at javax.swing.JFileChooser.showDialog(JFileChooser.java:708)
       at javax.swing.JFileChooser.showOpenDialog(JFileChooser.java:620)
       at com.sun.jnlp.FileOpenServiceImpl$1.run(FileOpenServiceImpl.java:95)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sun.jnlp.FileOpenServiceImpl.openFileDialog(FileOpenServiceImpl.java:74)
       at com.wss.calendar.client.swing.ScheduleWorldFrame.jMenuItemFileImportFileCSV_actionPerformed(ScheduleWorldFrame.java:7402)
       at com.wss.calendar.client.swing.ScheduleWorldFrame$86.actionPerformed(ScheduleWorldFrame.java:4239)
       at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1849)
       at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2169)
       at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:420)
       at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:258)
       at javax.swing.AbstractButton.doClick(AbstractButton.java:302)
       at javax.swing.plaf.basic.BasicMenuItemUI.doClick(BasicMenuItemUI.java:1000)
       at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(BasicMenuItemUI.java:1041)
       at java.awt.Component.processMouseEvent(Component.java:5488)
       at javax.swing.JComponent.processMouseEvent(JComponent.java:3093)
       at java.awt.Component.processEvent(Component.java:5253)
       at java.awt.Container.processEvent(Container.java:1966)
       at java.awt.Component.dispatchEventImpl(Component.java:3955)
       at java.awt.Container.dispatchEventImpl(Container.java:2024)
       at java.awt.Component.dispatchEvent(Component.java:3803)
       at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4212)
       at java.awt.LightweightDispatcher.processMouseEvent(Container.java:3892)
       at java.awt.LightweightDispatcher.dispatchEvent(Container.java:3822)
       at java.awt.Container.dispatchEventImpl(Container.java:2010)
       at java.awt.Window.dispatchEventImpl(Window.java:1766)
       at java.awt.Component.dispatchEvent(Component.java:3803)
       at java.awt.EventQueue.dispatchEvent(EventQueue.java:463)
       at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:234)
       at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:163)
       at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:157)
       at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:149)
       at java.awt.EventDispatchThread.run(EventDispatchThread.java:110)

  Looks like the original bug (4772834), which was really in javax.swing.filechooser.FileSystemView.getSystemDisplayName, where it opened a file w/o wrapping call in a doPrivilige() block, was worked around in Java Web Start 1.5.0 beta 1, by putting the whole FileChooserDialog, along with the Security Dialog surronding it, in the Look and Feel of Java Web Start.
  This caused regressions (by running Dialogs with differant Look and Feels in the same AppCOntext) such as the one in the TCK test ( 5060636 ), which were fixed in b57 by partially removing the original fix, so now the original bug is back.
  I will re-open it.
  /Dietz