Domain: crn.com
Stories and comments across the archive that link to crn.com.
Stories · 161
-
Slashback: Imagination, Evasion, Watermarks
Whaddya wanna hear? a) Microsoft's licensing practices, while never to everyone's taste, perhaps, seem to have mellowed at least a bit from the projected future of pay-per-reinstall. 2) The SDMI boycott you read about here lately has lost a key proponent; the reasons are unclear and so is the eventual outcome. iii) If Linux is too cool, BSD too smug, Windows too ridiculous, perhaps you need ... a truly infernal OS. N) Yet more proof that Carnivore and its ilk may be annoying and a threat to the average user, but hardly a sting to a wired criminal worth his salt. All below. Frankly, this would have been just too silly. steveha writes: "Microsoft just changed their 're-imaging' payment policy. Companies buying computers that come with Windows installed can once again re-image the system hard disk without Microsoft demanding an extra license payment. Here is the official Microsoft document. Computer Reseller News had the story."
Burn baby burn. rpeppe writes: "briefly, you can download Inferno here, for free.
you might remember from a month or so back that the UK firm Vita Nuova obtained rights to Inferno, a next-generation virtual/embedded OS created by the likes of Rob Pike, Ken Thompson and Dennis Ritchie. Inferno uses many of the ideas from Plan 9 but, unlike Plan 9, there are no restrictive hardware requirements - it runs as a "virtual OS" under Linux, Windows, Plan 9 and others, mapping the resources provided by the host OS into a standard form for programs running within Inferno, which will run without change on any platform running it (including on bare hardware, such as SA1100 or MIPS).
we've just made free downloads available (for any use) for Linux, Windows and Plan 9. the actual kernel is not open source, but the download includes open source for all the user-level code in the system (applications, libraries, etc), plus unix-style documentation so there's plenty to tinker with.
this is a system that is genuinely trying to address the problems that are "too deep for unix to fix" and includes all sorts of interesting takes on some of the original unix philosophy (after all, it represents 30 years of evolution from the unix original). plus it's a really nice environment in which to write genuinely (and elegantly) portable programs."
Taking the meat from the jaws of Carnivore. An unnamed correspondent writes "Found a nice article on the circumvention of Carnivore which details steps one can take to avoid big brother. Article is nicely written which has a strange reference to the NSA's Verona project of World War II."
Nothing here may be all that new or surprising to those already interested in online privacy or cryptography in general, but if you ever need ammunition in an argument about the nice government versus slithering heroin-dealing kiddie-porn terrorists, it'd be nice to point out how accessible these methods are to all involved.
OK, who has what up their sleeves, and why? Fervent writes "Interesting twist in the SDMI boycott -- Don Marti's backing down a bit. Apparently he and Leonardo Chiariglione, executive director of the SDMI, talked and found ways to get along about secure music. The article is here."
I'll be impressed if the music industry or anyone else can come up with a high-quality music format which can't be effectively copied with a modicum of hassle. "Anything that can be read," etc. That's not about to stop them from trying on both technological and legal fronts. Of the two, I'll take technological any day.
-
Default Behavior: Piranha vs. Microsoft SQL Server
Do you remember the Piranha debacle back in April? Welcome to Part II. Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's Piranha module. Unlike Piranha, SQL Server is very common software for large e-business websites. Unlike Piranha, the vulnerable software has been shipping for months. Unlike Red Hat, Microsoft refuses to take responsibility for their mistake, which, unlike Red Hat's, has resulted in actual documented break-ins, some at high-profile websites. So why haven't you read about it? Because unlike Red Hat, Microsoft is getting a pass by the media.
Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.
The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.
The media flipped, in a word, out.
Piranha: A Case Study
On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.
"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.
ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:
"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."
Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.
In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.
Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.
ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.
The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.
But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh, who had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."
If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.
(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")
Microsoft SQL Server 7.0
You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?
Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).
As the cracker Herbless describes it:
"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."
A default password vulnerability? Sounds familiar, doesn't it?
Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.
Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.
As he described it to me, unlike Piranha's vulnerability which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater than those of even the 'Administrator' user."
In other words, you have been 0wn3d.
You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."
Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).
All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:
"Hacked websites 'didn't read the manual'
"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."
Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.
All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.
Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.
Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-exploit program. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.
The proper fix would be to force the password to be changed before the software can be used, as piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.
The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)
The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.
So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.
-
Compaq Hints At "Opening" Parts of Tru64
There've been more rumblings from Compaq concerning the potential to "open" parts of the Tru64 source code. Spokesfolks for Compaq talk a bit about Linux, and working with the Community. However, no word about a license, what will be opened, or anything substantial. -
No Pre-Installed Windows/Linux Machines on CRN
Rene Pawlitzek writes " This is great news for all Linux and OS/2 lovers. Finally, after many years of pre-installed (and useless) Windows we will be able to buy laptops without any Microsoft operating system. Did the Windows refund day pay off? " -
SGI Linux Servers Coming
Found in the files of LinuxToday: Computer Reseller News has an article about SGI being in talks with Linux vendors, hoping to reach an agreement with one, presumably so they can ship it on their upcoming server line. The new servers will be for the telco and ISP markets. As was previously suspected, the company says it will "contribute components" of its technology to the open source community, including OpenGL. Maybe XFS will be in there, too. I've heard it's quite nice... -
IBM Reconsiders making DB2/Linux Free
WonderClown writes "IBM is getting requests from corporate customers for the Linux version of their DB2 database, and so they are reconsidering their decision to make it free. Of course, it never was free in the GNU sense anyway, since they weren't going to release the sources AFAICT. The story is here. " H: The reconsideration comes because of the huge amount of corporate interest - which I suppose is a good sign, in its own way. -
Sun to Support Linux
shanelenagh wrote in with good news at Yahoo: Sun will be supporting Linux on their machines soon. I hope this means more Linux ports! On a similar note, the JDK 1.2 was recently released. Update: Chris Gori sent us a link to the actual article. Seems as though it won't be too end-usery. A funny quote at the end, as well. -
AOL to renew Microsoft IE contract
AOL will renew its contract to use IE because its CEO believes "It is critical to be on the Microsoft desktop", the condition upon which Windows is shipped with AOL on the desktop. If AOL won't be using Mozilla, will it be interested in funding its development? Perhaps Sun will be the one to fund Mozilla development to increase the number of pure Java platforms.. update! According to this TechWeb article, Netscape's Mike Homer, director of Netscape's Netcenter division, is stating that Netscape will continue to administer Mozilla.org. Further confirmation comes in this Wired article. -
Microsoft divesting from RealNetworks
Microsoft is divesting from RealNetworks. One reason is that Real did not include the interoperability features Microsoft wanted. A more interesting reason was that Real and Microsoft did not see eye-to-eye on the future of streaming, and have been feuding over future standards. Chris le Tocq, an analyst at Dataquest in San Jose, Calif., said the rare move by Microsoft is Microsoft "saying that you are not one of us". Interestingly this move came after Microsoft offered to work with RealNetworks on an underwritten secondary offering of stock, but the two companies could not agree on terms... Although normally this would reduce investor confidence in RealNetworks, its stock bounced up while Microsoft's fell. In related news, Gartner reiterated its warning not to move to Windows 2000 until 2001 at the earliest. -
Marc Andreessen souring on Java?
Rogers Cadenhead writes "Marc Andreessen is evidently souring a bit on Java after the cancellation of Netscape's all-Java version of Navigator. "My joke is that a Java Navigator will have a lot of good attributes," Andreessen told Computer Reseller News. "It's slower. It will crash more and have fewer features. So you can do fewer things. It will simplify your life." Compare this to the March 23, 1995, quote from Marc Andreessen in the San Jose Mercury News that gave a huge boost to then-unknown Java: "What these guys are doing is undeniably, absolutely new. It's great stuff. There's so much stuff people want to do over the network that they haven't had the software to do. These guys are really pushing the envelope."
If anyone wants the "Javagator" source code after Andreessen's less-than-glowing endorsement, Computer Reseller News reports that Netscape has not ruled out an open-source release. "
-
Imminent war of attrition?
As AMD and Intel report disappointing earnings, the price of computers continues its downwards spiral. Intel certainly did not anticipate the success of the sub-$1000 category, but AMD and Cyrix have failed to capitalize on the opportunity. The problem is that a bitter war of attrition will hurt the smaller players just entering the field. But then, perhaps they will address the lack of new features to excite one enough to buy a new PC. Or perhaps, they will find a solution to the root cause of high computer cost: bloatware.