Domain: cert.org
Stories and comments across the archive that link to cert.org.
Comments · 757
-
The Security Concerns
Well, I don't think that a short note covered much at all on why they removed it so I did some investigative work. Disclaimer: I use sendmail although I am by no means an expert at it. I'm ignoring pre-2k security issues as that is older than five years ago.
- A security alert from March of 2003 in which Sendmail has been determined to contain a buffer overflow vulnerability.
- Another security alert from later that year.
- A security alert also from 2003 regarding a remote buffer overflow.
- A security alert from 2002 regarding a trojan horse sendmail distro.
- Some FreeBSD-specific Sendmail alerts.
- A security alert from March of 2006 (this year) regarding a race condition that may allow remote code execution by an arbitrary user.
- A plethora of similar or smaller security concerns can easily be found.
- The most recent release of Sendmail involves things like fixing possible integer overflows & unsafe use of setjmp(3)/longjmp(3) or adding timeouts.
As you can see with the above security concerns, Sendmail has had significant historical problems but they have been active in rectifying these problems. If you have the time to patch often, Sendmail most probably will provide you with one of the safest mail transfer agents out there.
The largest concern seems to be the possibility of being compromised via a remote connection. If you're not using it, simply turn off the Sendmail daemon. And I think that's why they removed it from NetBSD. Some idiot like myself might install NetBSD and leave that sucker listening on port 25. Now, there are no problems immediately because I'll have the latest version but I'm lazy and I don't patch NetBSD regularly so a few security alerts come out and then ... well, you know the rest.
Funny thing is, I've never heard of anyone losing data or being hacked due to Sendmail. Perhaps it's because the last place I saw it used widely was college? -
1998 CERT advisory
Seems to be pretty old. Here's a 1998 CERT advisory with the original SSH 1 exploitable under the exact same conditions: http://www.cert.org/advisories/CA-1998-03.html
-
IM safety?
Or is IM safety a lost cause?
It's very hard to stop people executing something that's sent to them by someone they know - but for other vector methods, perhaps people should consider an IM client that doesn't include ActiveX.
Anyway, mildly interesting, the worm makes no attempt to hide itself with a "You are beaten, it is useless to resist" desktop paper (!) and music on startup (from TFA): Worse still, music starts to blare out of your PC. Not just any old music - bad music. Bad looped music, with screeching guitars and awful drum n' bass beats.
But not to worry XP SP2 users, you're protected.... again from TFA: Some "good" news, however - SP2 seems to prevent this music from playing in the background.
snigger.... :-) -
Famous little wars
From what I've read, I think that might be because some developers on the Linux camp have been a factor of irritation when they produce Linuxisms in C code, forsaking portability. You see this phenomenon mentioned in what regards GNOME in the article. It almost sounds as if GNOME developers are a clique that don't give a shit about other projects.
Another famous little war was Linuxers' (glibc maintainers', to be exact) resistance against the safer strlcpy and strlcat functions from OpenBSD's libc:
See these amazing threads that illustrate prejudice against the OpenBSD developers. After 2 or smth years, they finally gave in and the OpenBSD functions are part of glibc. But here's my sample:
Here's a Debian developer calling on GNOME developers' biased and prejudiced views against OpenBSD's innovation for safer C programming:
http://lists.debian.org/debian-devel/2002/03/msg00305.html
Here's the guy that sends the patch for glibc: http://sources.redhat.com/ml/libc-alpha/2000-08/msg00052.html
Here's the amazing answer from glibc's maintainer Ulrich Drepper, a real insight into strong software engineering principles. No wonder Linux boxes got so rootkitted:
This is horribly inefficient BSD crap. Using these functions only
leads to other errors. Correct string handling means that you always
know how long your strings are and therefore you can use memcpy
(instead of strcpy). http://sources.redhat.com/ml/libc-alpha/2002-01/msg00002.html
Theo's take:
TdR: They're still not in glibc. They're everywhere else. They're in Solaris. We invented them two years ago. They're showing up in vendor operating systems. We made a convincing argument why these things are necessary. http://www.ddj.com/184404914
Look at CERT's list for "glibc" vulnerabilities here. Please draw comparisons with BSDs. Answer honestly: who's got bragging rights? -
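The comment above argues about strlcpy/strlcat without showing what they buy you. Here is an added example, written for this page rather than taken from the thread, OpenBSD or glibc: a portable implementation in the OpenBSD style (useful because not every libc ships these functions), plus a small checked-copy wrapper that turns truncation into an error the caller can act on. All `demo_` names are this example's own, and the buffers and strings are constructed for it.

```c
/* Added example: OpenBSD-style strlcpy/strlcat, written for this page.
 * The point: both functions take the destination size, always terminate
 * the result, and return the length they *tried* to produce, so a caller
 * can detect truncation instead of silently overrunning a buffer. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst (size bytes), always NUL-terminating when size > 0.
 * Returns strlen(src); a result >= size means the copy was truncated. */
size_t demo_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Append src to dst (size bytes total). Returns the length it tried to
 * create, strlen(dst) + strlen(src); a result >= size means truncation. */
size_t demo_strlcat(char *dst, const char *src, size_t size)
{
    size_t dstlen = 0;
    while (dstlen < size && dst[dstlen] != '\0')
        dstlen++;
    if (dstlen == size)      /* dst not terminated within size: append nothing */
        return size + strlen(src);
    return dstlen + demo_strlcpy(dst + dstlen, src, size - dstlen);
}

/* Defensive wrapper: copy only if the whole string fits.
 * Returns 0 on success, -1 if src would have been truncated.
 * This is what strcpy cannot offer: the overlong input is reported,
 * not written past the end of the buffer. */
int demo_copy_checked(char *dst, const char *src, size_t size)
{
    return demo_strlcpy(dst, src, size) < size ? 0 : -1;
}

/* Exercises the functions on constructed inputs; returns 1 if every
 * expectation holds, 0 otherwise. */
int demo_self_check(void)
{
    char buf[8];                                  /* constructed 8-byte field */
    int ok = 1;
    ok &= demo_strlcpy(buf, "hello world", sizeof buf) == 11;   /* truncated */
    ok &= strcmp(buf, "hello w") == 0;
    ok &= demo_copy_checked(buf, "alice", sizeof buf) == 0;     /* fits */
    ok &= strcmp(buf, "alice") == 0;
    ok &= demo_copy_checked(buf, "alice_long_name", sizeof buf) == -1;
    ok &= demo_strlcpy(buf, "ab", sizeof buf) == 2;
    ok &= demo_strlcat(buf, "cd", sizeof buf) == 4;             /* "abcd" */
    ok &= strcmp(buf, "abcd") == 0;
    ok &= demo_strlcat(buf, "efghij", sizeof buf) == 10;        /* truncated */
    ok &= strcmp(buf, "abcdefg") == 0;
    return ok;
}

int main(void)
{
    char user[8];
    const char *input = "alice_extremely_long_name";   /* constructed input */
    if (demo_copy_checked(user, input, sizeof user) != 0)
        printf("rejected: input of %zu bytes does not fit in %zu\n",
               strlen(input), sizeof user);
    printf("self check: %s\n", demo_self_check() ? "ok" : "FAILED");
    return 0;
}
```

The return value is the whole argument: `strncpy` may leave the buffer unterminated and gives no signal, `strcpy` gives no bound at all, while the `>= size` test above makes truncation a visible, checkable condition at every call site.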
Return the pre-installed software as defective
Before you make the purchase, make it clear that you do not want the pre-installed software, and that you will consider any un-patched security flaws in it at the time of purchase to be defects. Since you are sure that it has such defects, you will be returning the defective software for a refund.
-
CyLab
-
Who Watches The Watchers?
If there's an issue over whether Vista will put the big antivirus companies out of business, I don't see it as consequential. IMO, the software companies themselves will be responsible for their own demise, regardless of whether Microsoft enters the market. Programs like Norton Utilities used to be valuable, but now these once-critical utilities have morphed into bloated virus-like software incarnations that are best not installed in the first place.
Furthermore, both McAfee and Symantec products have been hosts to numerous flaws, security holes and vulnerabilities themselves.
If Microsoft wanted to do it right, they could merely have Vista identify both programs as "malware" right off the bat, remove them from the system, and most users would be better off. -
Sun Solaris 8 sendmail update ...
http://www.kb.cert.org/vuls/id/834865
http://www.kb.cert.org/vuls/id/MIMG-6MPUH2
Solaris 8 will be patched to update sendmail to version 8.13.6+Sun following the 8.11.7p2+Sun patches. -
Re:Disable Recursion in old versions of BIND
Note: Bind9 doesn't fetch glue, ever, but won't error on the fetch-glue statement according to this document.
-
Re:Old NEws
Correct. Here is the CERT writeup from 2000.
-
Re:A Different Test
But how often do you allow someone into your machine? For a desktop, not often, perhaps never.
While this is a fair point, many root compromises happen in two parts. First someone gets shell access as a non-privileged user through a hole in some service, or through a compromised account. Then they use some local privilege escalation attack to become root.
The fact that OS X doesn't run ssh by default is good for desktop users, who aren't going to be running a lot of services which can be compromised. Nonetheless, local exploits are still a problem.
For instance, apparently there was a recent OS X vulnerability where a malicious web site could execute arbitrary code when you visited it (with Safari). I don't know how easy this would be to exploit, but it could probably be used in conjunction with a local exploit to compromise a desktop.
-
Re:INIT floods
Hrm, I wonder how well SCTP would fare under a Naptha (http://www.cert.org/advisories/CA-2000-21.html) type attack. Perhaps I should test it and find out. A good way to kill an afternoon...
-
Re:Yet another ill informed opinion about PDF
... ability to use javascript is for simple things like form validation and contacting websites. It can be used to authenticate a user trying to read a document with a security server, for example.
Because what the world really needs is yet another document and/or image format that lets you include code or download code when the document is opened.
One day they'll learn. Apparently it isn't today. -
Remote holes in Linux distros
RedHat
Mandrake
Slackware (IIRC) ... and any other distro which enabled OpenSSH versions 2.3.1p1 through 3.3 by default.
So, is that $10,000 per instance...? ;) -
Re:So use encryption!
Those nifty "TO" and "FROM" fields let them know who you're contacting
and, of course, those can be spoofed. So, using e-mail header information to identify criminals and/or terrorists seems like it could produce a lot of false positives. -
Re:From TFA
verisign could easily fuck people's certs up
They already do. So you should be prepared.
-
Hurricane names?
Don't they already have a naming convention in place for hurricanes? The World Meteorological Organization has been doing this for years. Given the backing of CERT for vulnerability incident descriptions, details, and classifications, why can't they organize a unique naming convention already used for hurricanes?
Sure, they may run out of names, but they can reuse names as they do for hurricane names, with the exception of widespread popular hurricanes/worms/virii, which can be retired, just like some hurricane names.
-
Re:first PC virus
And... I believe the first network aware self propagating worm was the Morris worm (1998/11/02) meant to gauge the size of the internet.
I believe the third worm and the first on-purpose malicious network worm was Wank from October 1989. It attacked VAX machines running on DECNet, changing passwords and lol phoning all the people who had accounts to annoy them ;). Cert Wank Advisory CA-1989-04 ;)
Earlier in 1988 there was the hi.com worm, but that was just a zombie. It was meant to send a Merry Christmas message to all infected users on 25 December 1988 ;)
W O R M A G A I N S T N U C L E A R K I L L E R S
Your System Has Been Officially WANKed
You talk of times of peace for all, and then prepare for war.
Someone might know of an earlier malicious network aware worm, but this is the first one I know of. -
Re:You can already do this with Javascript
Are you also recommending that Firefox be distributed with Javascript disabled?
Yes. It's a bloody hazard.
Here's an exercise which may convince you that browser scripting is indeed a problem: Go look at the CERT Advisories for the last couple years, and figure out what percentage of browser vulnerabilities have "disable active scripting" or the like listed as a work-around.
Personally, I find it incredible that web developers expect to be able to run their code on my machine. Did we learn nothing from Word Macro viruses?
-
Re:So where are the Apache worms?
-
Re:Downright Disingenuous
"I honestly expected better from the CERT [us-cert.gov] folks. I don't know why, but I really did."
Maybe you were thinking of the original CERT http://www.cert.org/ at Carnegie Mellon.
-
Re:Yes, indeed.
Linux (Red Hat to be specific) reported AND HAD ALREADY fixed similar JPG/GIF/PNG flaws more than 2 years before microsoft ACKNOWLEDGED that they had similar flaws.
Like, oh, the libpng vulnerability fixed in August less than two years ago?
"On 4 August 2004 a new jumbo security patch was released to address several potential vulnerabilities in libpng, at least one of which is quite serious." link
And by "quite serious," they mean "remotely exploitable vulnerability, which could lead to arbitrary code execution on an affected system." link
Remind me how many *nix distros use libpng?
-
Re:READ!
From TFA:
Lindner said the real problem -- a vulnerability in the way Blackberry servers handle portable network graphics (PNG) images, was not disclosed by either RIM or the US-CERT advisory.
From the top of the CERT advisory:
By causing the service to render a specially crafted TIFF file, an attacker could execute arbitrary code or cause a denial of service.
Should an exploit be developed, this arbitrary code would run inside the corporate firewall on a windows system, possibly with administrator privileges, and possibly with access to the SQL server containing the encryption keys.
From the advisory:
To disable the image attachment distiller
1. On the desktop, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Enterprise Server Configuration.
2. On the Attachment Server tab, select Attachment Server from the Configuration Option drop-down list.
3. In the Distiller Settings section of the window, clear the Enabled check box for Image Attachments.
4. Click Apply, then click OK.
5. In Microsoft Windows® Administrative Tools, double-click Services.
6. Right-click BlackBerry Attachment Service, then click Stop.
7. Right-click BlackBerry Attachment Service, then click Start.
8. Close the Services window.
Note that they disable all image attachments, not just all TIFF attachments, although they do claim they only need to disable TIFF.
In summary, the CERT advisory says it might be possible to execute arbitrary code on the server. The Blackberry advisory recommends disabling all image attachment processing on the server. No one has proved that an exploit exists to take advantage of this, but how can you know there isn't an exploit. In cases like this, the burden of proof lies with the one who claims it's safe to continue processing image attachments. Maybe there isn't a serious problem. Would you leave the attachment service running without disabling the image attachments?
-
Re:Over/Under
* Is it better to use Firefox or Internet Explorer? Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.
I take the liberty to read this passage differently from the grandfather.
* Should I just block all .WMF images? This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents.
http://www.kb.cert.org/vuls/id/181038: Please note that Windows Metafile data may be saved with an extension other than WMF. A file with any extension that is associated with Windows Picture and Fax Viewer can be used to exploit this vulnerability. By default, Windows Picture and Fax Viewer is associated with the following file extensions: BMP DIB GIF EMF JFIF JPE JPEG JPG PNG TIF TIFF WMF
I have yet to read the definite statement that Opera and Firefox do not fall back to gdi.dll, ever.
However, disabling the Windows Picture and Fax Viewer will not eliminate this vulnerability as it is currently thought to exist in the Windows Graphical Device Interface library (GDI32.DLL).
I know, speculation. But not more uncertainty than in the grandfather's post.
-
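The preceding comment quotes the point that Windows Metafile data is recognized by its header, not its extension, so an extension filter on its own is not sufficient. Here is an added example of the defensive counterpart, written for this page and not part of any comment or of CERT's advisory: a content sniffer that classifies an attachment by its leading bytes and flags files whose content is WMF or disagrees with their name. The magic values are the published ones (placeable WMF key 0x9AC6CDD7 stored little-endian, the standard METAHEADER fields, and the PNG/JPEG/GIF signatures); the `demo_` names and the sample buffers are constructed for this example.

```c
/* Added example: classify image attachments by content, not by extension.
 * Written for this page; demo_ names and sample buffers are constructed.
 * Return codes of demo_should_block: 0 allow, 1 WMF content (whatever the
 * name says), 2 content/extension mismatch, 3 unrecognized content. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { KIND_UNKNOWN, KIND_WMF, KIND_PNG, KIND_JPEG, KIND_GIF } demo_kind;

static uint16_t demo_le16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Identify the format from the first bytes of the file. */
demo_kind demo_sniff(const unsigned char *buf, size_t len)
{
    static const unsigned char png[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    if (len >= 8 && memcmp(buf, png, 8) == 0)
        return KIND_PNG;
    if (len >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF)
        return KIND_JPEG;
    if (len >= 6 && (memcmp(buf, "GIF87a", 6) == 0 || memcmp(buf, "GIF89a", 6) == 0))
        return KIND_GIF;
    /* Placeable (Aldus) WMF: key 0x9AC6CDD7, little-endian on disk. */
    if (len >= 4 && buf[0] == 0xD7 && buf[1] == 0xCD && buf[2] == 0xC6 && buf[3] == 0x9A)
        return KIND_WMF;
    /* Standard WMF METAHEADER (18 bytes): Type 1 or 2, HeaderSize 9 words,
     * Version 0x0100 or 0x0300. */
    if (len >= 18) {
        uint16_t type = demo_le16(buf), hdr = demo_le16(buf + 2), ver = demo_le16(buf + 4);
        if ((type == 1 || type == 2) && hdr == 9 && (ver == 0x0100 || ver == 0x0300))
            return KIND_WMF;
    }
    return KIND_UNKNOWN;
}

static int demo_ieq(const char *a, const char *b)       /* case-insensitive equality */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* What a name-based filter would assume from the extension alone. */
demo_kind demo_kind_from_name(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (!dot) return KIND_UNKNOWN;
    if (demo_ieq(dot, ".png")) return KIND_PNG;
    if (demo_ieq(dot, ".jpg") || demo_ieq(dot, ".jpeg") || demo_ieq(dot, ".jpe") || demo_ieq(dot, ".jfif"))
        return KIND_JPEG;
    if (demo_ieq(dot, ".gif")) return KIND_GIF;
    if (demo_ieq(dot, ".wmf")) return KIND_WMF;
    return KIND_UNKNOWN;
}

/* Gateway policy: block WMF by content, block unrecognized content (fail
 * closed), and block anything whose bytes disagree with its extension. */
int demo_should_block(const char *name, const unsigned char *buf, size_t len)
{
    demo_kind content = demo_sniff(buf, len);
    if (content == KIND_WMF) return 1;
    if (content == KIND_UNKNOWN) return 3;
    return content == demo_kind_from_name(name) ? 0 : 2;
}

/* Constructed samples: only headers, padded with zeros. */
const unsigned char demo_sample_placeable_wmf[22] = {0xD7, 0xCD, 0xC6, 0x9A};
const unsigned char demo_sample_std_wmf[18] = {0x01, 0x00, 0x09, 0x00, 0x00, 0x03};
const unsigned char demo_sample_png[16] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

int main(void)
{
    printf("holiday.jpg (WMF bytes): %d\n", demo_should_block("holiday.jpg", demo_sample_placeable_wmf, 22));
    printf("photo.png  (PNG bytes):  %d\n", demo_should_block("photo.png", demo_sample_png, 16));
    printf("photo.JPG  (PNG bytes):  %d\n", demo_should_block("photo.JPG", demo_sample_png, 16));
    return 0;
}
```

The renamed-WMF case is the one the quoted advisory text describes: the file named `holiday.jpg` is blocked because its bytes, not its name, say Windows Metafile. Treating an unrecognized header as a block rather than a pass is a deliberate fail-closed choice; a gateway that must accept many formats would extend `demo_sniff` rather than relax that rule.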
Re:can't remove the callback feature
CERT was apparently wrong, so for reference (I forgot to add the link earlier) that quote was grabbed from http://www.kb.cert.org/vuls/id/181038
Sure, it very well could break something important, but SP2 broke things for a number of people as well. Testing is the best thing to do.
Do I expect anyone to roll it out in a corporate environment? No.
Do I tell my friends to install it? Definitely.
After all, uninstalling the patch is much easier and faster than dealing with an infected system. -
Re:How do I avoid it? Fixes?
Because it's true. Shitty programmers with little or no Q/A, and a huge festering code base which is continually patched together with duck tape to keep it going
Why isn't this drivel modded as flamebait? If you have even a shallow knowledge of Microsoft's engineering practices you would know that their Q/A is probably the most intensive that any software company has on the planet, and it's getting more intensive every day. Want an example? The ASP.NET team had 505,000 test scenarios for ASP.NET 2.0 that it had to pass 100% before they would lock it down as RTM.
We're not talking about one bleeding-edge product from one particular team, but rather the tens (hundreds?) of millions of lines of code haphazardly thrown together over the past few decades. It is claimed that the present flaw is in an obsolete interface (the SETABORTPROC GDI escape) provided for compatibility with ancient programs designed for DOS/Win16. This problem is an extremely difficult one to solve, and a lot of it has to do with Microsoft's failure to produce specs and guidelines from the start that let ISVs know what they needed to do to make sure software ran as non-admin.
No. The sole and exclusive cause is that the IDE (compiler and friends) has to be run as Administrator, because Microsoft is too lazy to fix even a single application. This is despite having solid gold opportunities when it was rewritten from scratch three times*, and substantially redesigned several more times. This is the cause for a simple reason: Imagine you're a programmer making an app that runs properly as a less-privileged user. You do a little developing. You log out. You log back in as a less-privileged user. You test the app, using printf as the main debugging tool. You log out. You log back in. You restart the IDE and get everything back like it was. You do a little developing. And so forth. It's a waking nightmare of the type formerly encountered only in H.P. Lovecraft stories.
Microsoft's tools punish you for trying to do the right thing, because they want bad software so the customers expect to be on an upgrade treadmill.
*The original total rewrite of the C-language tools, the Java toolset, and the CLR toolset.
The security model in Windows is actually more extensive than the security model in most flavors of Unix, including Linux.
Indeed. If only Bill Gates had put sane people like Dave Cutler (NT kernel chief architect) in charge of every major project, instead of whoring out the codebase in a mad dash to squash Netscape and Sun. It's one thing for a tiny company barely staying afloat to cut standards, and entirely another for a rich company with billion dollar piles of cash lying about. The former is understandable, the latter is recklessness bordering on malice. -
Re:MOD PARENT UP
Here's text from the CERT advisory which was updated today:
disabling the Windows Picture and Fax Viewer will not eliminate this vulnerability as it is currently thought to exist in the Windows Graphical Device Interface library (GDI32.DLL).
http://www.kb.cert.org/vuls/id/181038/
That sure sounds like more than a flaw in User Space applications. -
Re:What about Microsoft's Nov 8 patch?
No. It's another exploit in the same system:
http://www.kb.cert.org/vuls/id/181038 -
Re:Firefox opens wma and wmv files...
CERT probably has the best write up on this. But, as they say, "We are currently unaware of a practical solution to this problem."
".wma" and ".wmv" file extensions seem closer to the ".wmf" extension than ".jpg" or ".tif" extensions
It only seems that way - image formats (wmf, jpeg, tiff, gif ...) would be opened by the routines that are vulnerable. Animations would have a different handler. Though as you say, if the handler is working correctly, it should detect WMF and use the appropriate routines. If you are using FireFox, and don't open images with external viewers or plug-ins, you should be reasonably safe. FF doesn't appear to have WMF capability. (Someone should submit an enhancement request.) The same goes for Opera. (No enhancement requested there.)
If you use an MS IE based browser, they will render wmf files "natively", even with the extension changed to mask the contents. This will likely trigger the vulnerability, given what CERT says.
The question now is - does this affect embedded images in, say, Word documents?
-
Re:Not Previously Unknown
Shut the fuck up and stop lying.
Yes, Microsoft, who very much agree this is a new vulnerability has fixed a wmf hole before, and no this is not the same hole. Guess what? Same piece of software can have several entirely unrelated buffer overflows.
CERT:
This new vulnerability may be similar to one Microsoft released patches for in Microsoft Security Bulletin MS05-053 (VU#433341). However, publicly available exploit code has been discovered that reportedly affects systems updated with MS05-053. -
Re:Fully Modular
So much to explain, except that you seem to find your own mind so amusing already that I see no point in interrupting your amazement. Forgot to run your spellchecker, eh?
Here's a starting point for you. http://www.kb.cert.org/vuls/id/118892 Don't try to monitor keystrokes, Don. There aren't any. Is there even sensitive data where the menu app is running? Doh!
You're thinking "X application" and you haven't yet imagined that you should be thinking "GUI". Why should anyone do anything with an application that can do better with a GUI? The answer is, of course, they shouldn't, but it was asking the right question that was the hard part, if there was a hard part. It didn't seem hard to me. I keep running into people like you who savor the orgastic delight of imparting "You can't do that" to others. What is it with you people, anyway? I don't mind if you think you're very clever. The part I'm having trouble with is the part where you think that when you enter a complex system all you need is an ego and a closed mind. Well, my grandchildren did enjoy those little Sims 'characters' for a while but they're back to playing Diddy Kong Racing. They prefer multi-user software and 3D GUIs.
I'm not even a programmer except I do a little with the graphical programming environments that I build for various application-specific vertical markets, but I spend my days inventing software paradigms for people who need software tools. Right now I'm real busy separating the software from the hardware and dissolving applications into GUIs. I simply don't respect the limits that you and others accept.
I guess we all feel bad about the way Dan Turner expressed the frustrations of many with your work in the QuickTime4 GUI but hey, don't take it out on me. I feel your pain, man. I have my own frustrations. Many of my GUI innovation are used everywhere you look but I don't make a dime for 'contributing' them since I didn't patent them and chase people with lawyers. Maybe that was a key dynamic in their universal adoption, though. Funny, that. -
Re:Would you like that article in English?
You say:
Or it may just be that it's the most widely-used browser and absolutely 100% guaranteed to be available (if not used) on a (half-way modern)
and then:
I'm not convinced that the embedding is necessarily a bad thing,
So. Hackers can rely on IE being present (as it's embedded), and you don't see why embedding is a bad thing? KHTML is as embedded in KDE as MSHTML is in the Windows shell; it remains to be seen how that pans out if and when the use of KDE-based distros becomes widespread.
I disagree.
From Cert
Notice the number of technologies integrated? Much more then just the render engine.
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.
It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML). -
Survivability
The field of research you are talking about is called survivability or 'time to live'.
The Internet Storm Center has a frequently updated page on it here. Currently they have survival time for an unpatched machine is at:
Category % Adjusted Survival Time
Windows 24.50 133 min
Unix 1.00 3159 min
App 4.50 720 min
P2P 2.50 1295 min
Backdoor 0.00 6307 min
This varies a lot and at some points it has been as low as 15-20 minutes for an unpatched windows machine. Red Hat did a similar study and said they managed to run a locked-down machine since 2003 without compromise, which is a little dubious. CERT has a list of papers related to survivability here.
My personal favourite paper on the subject is published by Avantgarde security (co-authored by Kevin Mitnick) which tested six different systems:
* Windows Small Business Server 2003
* Windows XP Service Pack 1
* Windows XP Service Pack 1 with ZoneAlarm
* Windows XP Service Pack 2
* Macintosh OS X 10.3.5
* Linspire (Linux)
Here is a snip on which fared poorly: "Results showed that all of the computers faced some form of Internet attack during the experiment, with a combined total of 305,955 attacks recorded; the largest number of those attacks targeted the regular Windows SP1 machine. The computers were successfully compromised a total of ten times over the fourteen-day experiment period with the very first compromise occurring on the regular Windows XP SP1 machine in less than 4 minutes immediately after placing the computer live on the Internet."
Then the winners were: "Four out of the six computers used in this experiment were not successfully compromised by an Internet attack: Linspire (Linux), Macintosh OS X 10.3.5, Windows XP SP1 with ZoneAlarm, and Windows XP SP2. The Linspire (Linux), Windows XP SP1 with ZoneAlarm and Windows XP SP2 systems placed first, second and third respectively, when measuring systems with the fewest number of Internet attacks. These systems provided the best protection against attempts to compromise the computer during the two week period with each receiving less than 0.50% of the total 305,955 attacks." -
Re:You do not run your code on my computer
I'm not uploading files to the bank, I'm sending HTTP requests over SSL to its web server. If I can somehow infect its servers from my computer, the bank has a HUGE problem (there is no reason why this should be possible.)
Unless they're running an unpatched IIS. -
More info
According to McAfee, it's: It is a modified derivative of the Linux/Slapper
...
And according to a 2002 CERT advisory the Slapper worm appears to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architect..
Surprisingly there seems to be no mention of it at apache.org, which leads me to think it's pretty benign and not widespread. I could be wrong. -
Re:Well...
Consequently, I don't think it will be a question of whether or not we will be using Vista but merely how Microsoft will have managed to improve upon the mostly unimprovable experience of Windows XP. If they compete with anything, it will be their own success.
Uh, you're kidding, right?
Right?
I spent 4 hours yesterday helping a techno-neophyte (but good friend from high school) get his wireless card to work with my wifi hotspot. A frustrating afternoon, where we discovered that
1) Windows Update, run manually, didn't work because of some ActiveX error that repeated attempts to fix did nothing about; it never could be made to work.
2) Windows Update, run "automatically" in the background, resulted in updates that wouldn't install, and there was no indication as to why.
3) The wireless card, when connected, with all the settings for DHCP and so on set correctly, still wouldn't update the routing table when "connected".
4) Windows Antispyware, AdAware, and McAfee Virus scanner all came up clean.
5) He'd used the system very little, and spent $1,500 on it about a year ago, and was pretty upset when *nothing* seemed to work. (as I would be, if we were talking about a TV, stereo system, or similar appliance in the same price range)
There were many more - this is just what I remember.
1) How about making sure that Windows Vista ... works?
2) How about making the "Administrator" account - an actual administrator account? I've *never* gotten a "permission denied" error, when doing something as root on a Linux system. WTF??!?
3) How about making Windows Update work without stupid, insecure, bug-prone ActiveX hacks (which you are supposed to disable?!?) ???
4) How about (re?)designing Windows so that the entire "Documents and Settings" folder can be copied, thus retaining all Outlook/Outlook express settings and data without having to do stupid import stuff? It's way retarded that you can't just copy over the "Documents and Settings" folder and have *any* confidence of having effectively grabbed all the users' data..
I'm sure you'll see plenty more in the replies to this post... -
Re:Ask the UNIX folk...
" They've been dealing with rootkits seemingly forever. How did they manage?"
tripwire - there's a commercial version available, and I've used the free version. Creates checksums to compare your system against...
A brief description here... (with download and install instructions)
http://www.cert.org/security-improvement/implement ations/i002.02.html
Sam
http:/// www . iamsam . com -
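The checksum-and-compare approach the post above credits to tripwire, as an added example that is not part of the original comment and not tripwire's own code: build a baseline of per-file digests, sizes and modes, store it, then re-walk the tree and report what was added, removed or changed. The directory layout and the "trojaned ls" in the demo are constructed inline for illustration; the file names are assumptions, not taken from any real rootkit.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256"):
    """Stream the file through a digest so large binaries don't load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits for every regular file under root.
    Symlinks are skipped on purpose: hashing their target would let an attacker
    point a link at an unmodified file and hide the replacement."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": hash_file(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON. In practice this belongs on read-only media or
    a remote host: a baseline the intruder can rewrite detects nothing."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Diff two snapshots. A file counts as changed if any recorded attribute
    differs, so a same-size binary swap is still caught by the digest."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: snapshot a fake system tree, tamper with it the way a
    user-land rootkit would, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b'#!/bin/sh\nexec /real/ls "$@"\n')
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        db = root.parent / "baseline.json"  # pretend this lives off-box
        save_baseline(build_baseline(root), db)

        # Tampering (constructed): trojaned ls with the SAME byte length as the
        # original, a new hidden file, and a deleted config file.
        (root / "bin" / "ls").write_bytes(b'#!/bin/sh\nexec /tmp/.ls "$@"\n')
        (root / "etc" / ".rk").write_text("hidden\n")
        (root / "etc" / "hosts").unlink()

        report = compare(load_baseline(db), build_baseline(root))
        db.unlink()
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The usual caveat applies: this runs in user space through the same read() the rest of the system uses, so a kernel-level rootkit that lies to every process about file contents will make the tree hash clean. The check is only as trustworthy as the kernel and the storage of the baseline, which is why tripwire signs its database and why a boot from known-good media is the stronger form of the same idea.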
Re:[OT]Secunia
there are other sources, SANS, cert, securityfocus, etc... but I like how secunia organizes the data they collect. they have nice easy-to-edit urls, too. cert's url is insanely long, with numerous 'obscure' variables http://search.cert.org/query.html?rq=0&ht=0&qp=&qs=&qc=&pw=100%25&ws=1&la=&qm=0&st=1&nh=25&lk=1&rf=2&oq=&rq=0&si=1&qt=activex&col=certadv&x=0&y=0
Sans's is just a google interface...
security focus comes up with a lot more stuff including multiple pages of commentary on the same bug etc..
http://securityfocus.com/swsearch?query=activex&sbm=archive%2F1%2F&submit=Search!&metaname=alldoc&sort=swishrank
so, secunia comes up with a nice clean layout of the data that was relevant... I don't see what the AC's gripe over using secunia is other than the fact that it's a company that makes its living off selling a 'solution' for security problems. -
Re:Does ActiveX support limited capabilities?
Do you want examples of RFCs? Other Slashdot users could fill you in on this better than I could. But if a Content-type: header is present, why should the browser ignore it?
Or do you want examples of exploits? The Concept Virus (commonly called Nimda) and the Klez worm both use the vulnerability described in MS01-020: Incorrect MIME Header Can Cause IE to Execute E-mail Attachment and CERT® Advisory CA-2001-06 Automatic Execution of Embedded MIME Types.
-
Re:Secure Web Browser
All software contains bugs. Firefox isn't mature enough to be adequately assessed for its long-term security. Internet Explorer is obviously not secure enough. Perhaps Mozilla is suitable.
Like others have pointed out, general security policies should already be in place to mitigate risk; web browsing is only one of several ways in which malicious code can get into an organisation.
However there are some things you can do specifically to reduce the risk of web browsing. CERT have published an advisory that contains information for both web publishers and web surfers.
-
New FEMA Acronym
Federal Extreme Mismanagement Agency
Isn't FEMA part of the Department of Homer Sim...er, Homeland Security? Don't they read their memos?
-
Re:that is not what you said
ALL CAPS is yelling. Bolding is to make a statement stand out without yelling, so you can read it first if you choose.
The problem is that every advantage that you've stated about Linux on the desktop can not be proven. Even the cost advantage can be negated if Apple or Microsoft decide to lower their prices.
My point is strictly about marketing, not technical merits. I suspect that you're unfamiliar with how companies market technology, and thus would you please explain your experience in and knowledge about how companies get consumers to choose their product?
Besides, I've never been trying to prove that Linux on the desktop is better or worse than another operating system, which is what you seem to be trying to do. I'm trying to explain that all of the advantages that you've stated are either temporary, irrelevant, unproven, or blatantly wrong; and that in order for Linux on the desktop to be more than a cheap knock-off, it has to have features that will be attractive to people who will pay a few more dollars to stick with a brand (Windows or Mac) that they are comfortable with.
And now back to the technical debate.
With regard to security, everything you've said about Windows is also true about Linux. http://www.cert.org/advisories/CA-2002-27.html http://informationweek.com/story/showArticle.jhtml?articleID=51200210 Yes, Linux historically has fewer issues, but it is not immune, and given Microsoft's recent attention to security, I find this argument moot for now. (BTW, Wine is not the only Windows compatibility layer.)
Linux becoming popular doesn't mean that it's making a sizable dent in Windows' market share. Commercial Unixes like SCO and Solaris were the biggest victims of Linux.
Prove the argument on Linux attracting developers for desktop applications. I don't believe it. Every developer who I know, including people who are die-hard Linux users, loves working with Microsoft Visual Studio
.Net. With regard to developing desktop applications, give me an example of a popular development environment on Linux? Remember, GCC is just a compiler, personal versions of VS.Net are free, and the Mono project provides some support for applications written in VS.Net on Linux.
The open standards argument doesn't apply here. You can run software that adheres to open standards on Windows. You can run other browsers and other office suites on Windows. (There was an alternate word processor bundled with my laptop.) Open Office runs on Windows and Mac. There is no guarantee that Microsoft will not support open office standards in the future.
With regard to content protection on Vista, it is primarily implemented in hardware and exists to appease the movie industry and to help keep documents secret. Given that restricted content will only exist if people create it and consume it, I've decided to take a wait-and-see attitude on this subject. Besides, what guarantee exists that a desktop Linux distro will not support content protection someday?
I don't think that it's a good strategy to sell a Linux-based desktop computer by calling Microsoft evil. Do you? Is "moral right" a good selling point?
Please put your comments on Vista on hold. We're talking about how to sell a desktop computer with Linux, not how to sell a desktop computer with Vista.
You can not walk into Walmart and buy a desktop computer with Linspire. They are only available off of Walmart's web site.
Again, before continuing a technical debate, I'd like to know how much experience you have in marketing. My original "knock-off" statement only had to do with marketing, and not Linux's technical merits, which I really prefer to avoid because its merits do make it desirable in markets other than the desktop.
-
Re:Yes, I sign everything
-
Sample letter
Here's roughly the letter I'm sending, please adapt it and use it as you see fit. Note that you need to send a total of six copies.
This is on a personal home server over broadband, please be nice.
http://www.mynamehere.com/dave/Copyright%20Office% 20MSIE%20Requirement%20-%20Generic.sxw
Text follows in case the server chokes...
August 15, 2005
Full Name
Street Address
City, State, ZIP
Copyright GC/ I&R
P.O. Box 70400
Southwest Station, Washington, DC 20024-0400
Subject: Proposed MSIE requirement for online filing of copyright preregistrations
RE: The open letter published at http://www.copyright.gov/fedreg/2005/70fr44878.html
To whom it may concern;
As a governmental body, I feel the copyright office should give accessibility to citizens a very high priority. This accessibility is best met with the use of tools that function on a broad range of browsers and operating systems by adhering to open and well-documented standards, such as those of the World Wide Web consortium (W3C).
Introducing a requirement for a proprietary browser supplied by a single party goes against this ideal, especially when that party has a history of illegal behaviors that include anti-competitive practices.
Support for open standards is clearly possible, as the open letter states that support for various open and non-Microsoft browsers is planned. It seems a waste of effort to develop a MSIE-only version followed by an open standards version when the open standards version can work with MSIE to begin with.
There is certainly an argument to be made to ensure that the browser used by the majority of Internet users is well-supported, but it is a fallacy to believe that this support must come at the expense of support for browsers unable to support proprietary features.
It will be further troubling if the reason for the lack of support for open browsers is an ActiveX requirement. ActiveX technology has been dogged by security problems for years, and its use cannot be justified given the availability of secure, open alternatives. The suitability of alternatives is demonstrated by the planned support of non-MSIE browsers.
While any complex web browser is subject to security problems, the fact that the US-CERT has repeatedly recommended using a non-Microsoft web browser (http://search.cert.org/query.html?col=vulnotes&qt=%22using+a+different+web+browser%22) is a strong argument against another government office requiring its use.
A requirement for businesses and individuals to use MSIE to make submissions to the copyright office is an onerous burden in terms of time, money, and security for those relying on non-Microsoft solutions in their affairs.
Sincerely,
Full Name -
use written evidence
CERT says to use a different web browser
German Federal Office for Information Security (BSI), has told the Berliner Zeitung that internet users should switch from Internet Explorer to Mozilla or Opera. Dickopf says Internet Explorer is hazard-prone, attracting too many viruses and worms.
Finnish Gov't says "avoid use of Internet Explorer"
MS's IE blog says "we do not plan on releasing IE7 for Windows 2000", which means no more security fixes for people without Windows XP or greater... which would lock out over 20% of the world's population
man do i hate ie
-
Re:Self-Destruct? Not likely?
> what about when hackers can start sending these
> self destruct packets themselves
Been there, done that:
http://www.cert.org/incident_notes/IN-99-03.html