Domain: informationweek.com
Stories and comments across the archive that link to informationweek.com.
Stories · 589
-
Legacy-Free PCs
JeffM2001 writes "InformationWeek is running a story by Fred Langa which gives an overview of the ways to create a true-Legacy-free computer. Finally we can have a PC not based on twenty year old technology." Update: 04/07 17:34 GMT by T : Pages past the first one of this article seem just to loop; here's the printable version, which has the whole article in one go. -
Software Tariffs and US IT Outsourcing?
HeelToe asks: "A while back I worked with someone who thought the US should simply impose tariffs on imported products to adjust their price to equalize foreign labor rates to the US minimum wage. I was laid off and my position moved to Canada last year. Since then, I've thought a lot about his ideas, as well as one of our topics of conversation a while back: Why doesn't the US tax the import of software? It seems to me like they should. It's not a "tangible" product (same reason used to deny my co-workers and me NAFTA and Trade Act benefits), but when someone outsources to another country with cheap labor for any other industry, there are usually import tariffs. Why is software different, and how would this change the climate of US IT jobs leaving for other parts of the world if we did tax software imports? I've done some looking on the web, but can find nothing in the Harmonized Tariff Schedule of the United States. I did find this thread from a few months back on informationweek.com's Career Development Forum, but not much else. What does Slashdot think?" -
Apple Reports Q1 Loss
Amsterdam Vallon writes "Apple recently reported an $8 million loss, its second straight loss, compared with a $38 million profit a year ago. It seems that upbeat laptop sales weren't enough to get this company out of the Wall Street basement. Hopefully, with increasing Mac OS X and wireless-related sales, we'll see a nice increase come next quarter and after that, perhaps a jaunt toward profitability!" The back was apparently tipped into the red with one-time restructuring losses, else there would have been a modest profit; Apple expects stagnant revenues for the near future. -
Sun ONE Identity Server 6.0
scubacuda points to this article at The Register, about "what is believed to be the industry's first identity server based on Liberty Alliance Project specifications for federated network identity (data sheet here). Other reports of Sun's release: eWeek, Information Week, Computer World, & Y!" -
802.11g Hardware Arrives
DBordello writes "There's been quite a scramble as networking companies the world over rush to be the first to bring their 802.11g wireless gear to market. Linksys missed their early December launch date, and a company named Buffalo Technology has risen to steal their thunder. The company today issued a press release announcing their AirStation G54 broadband router access point and wireless CardBus adapter, the first 802.11g draft standard hardware to hit the market. More information can be found at the company's website." Update: 12/31 21:35 GMT by M : The story submitter apparently found this blurb on broadbandreports.com. Hey people, give credit where it's due. Update: 12/31 22:50 GMT by T : Karen Sohl of Linksys writes to say that despite the slip in dates, "Linksys is shipping our line of Wireless-G products. We have been shipping since last week. Honestly not large volume by any means-- but by the end of this week we'll have shipped over 10,000 units to distribution -- Ingram Micro and Tech Data." That's where even large retailers (think Amazon) buy their stock. -
Bridging Unix and Windows At NASA
slashdotess writes "Information Week reports: "About a year ago, Patrick McCartney, a Johnson Center project manager, created a Linux desktop environment that could also run government-mandated Microsoft apps. This let his team of 30 engineers continue to program in a Unixlike environment and create Word documents and Outlook E-mail all on the same PC. This mixed-use scenario is slowly taking hold, encouraged by a growing number of applications for running Linux on PC desktops." Score another one for Linux on the Desktop." -
IBM Buys Rational Software
An anonymous reader writes "Rational Software is going to be taken over by IBM. More info on Rational's website. RIP Rational. This is what Rational is sending its customers: To our valued customers: We are delighted to tell you that IBM and Rational Software have announced a definitive agreement for IBM to purchase Rational. This is a very exciting time for both companies and builds on the extensive business relationship IBM and Rational have had for over 20 years. Most importantly, it will provide significant benefits to you." Other readers submit links to the story in InformationWeek and the Mercury News. -
Slashback: BitKeeper, Maine, Novell
Slashback is back, with a largish handful of updates and new information about previously run stories. Topics this go-round include Xbox sales in Australia, the Novell / MySQL connection, Adam Smith (no, not that Adam Smith)'s bizarre anti-GPL statement mentioned yesterday, and more. Read on for the details.
I thought Adam Smith was in favor of free markets and the exchange of ideas. mrjive writes "The plot thickens. In response to yesterday's story, it turns out that the attack on the free software movement was attached to the end of the letter in question by Rep. Adam Smith, D-Wash, who happens to have Microsoft as his biggest beneficiary. The original authors of the letter have sent an angry response for essentially twisting its original purpose. Read the full scoop here."
For the even-fuller scoop, see Roblimo's article on NewsForge.
Not bottling it up inside of himself. An anonymous reader writes "Richard M. Stallman has responded to comments made a week ago in response to his own Linux kernel mailing list post about the BitKeeper controversy. 'A technical issue or project sometimes raises ethical issues,' Stallman began. He did not stop there. More on the (newly cached and therefore a little bit Slashdot-immune) Linux and Main . Be gentle."
Free knowledge for sale for free, etc. OverCode@work writes "The complete LaTeX source to Loki Software's game programming book, Programming Linux Games, is now available on the author's site. This book was reviewed here a while back. Mad props to the publisher for letting this happen."
Everybody's SQL. haggar writes "MySQL (commercial license) will be shipped as standard with NetWare according to this announcement. I consider it a follow-up to the Slashdot story about the PostgreSQL port for NetWare. Apparently, the options for NetWare users are widening, thanks to open-source products!"
An iBook in every (lobster)pot! Call Me Black Cloud writes "Some time ago Maine awarded a contract to Apple for laptops for school kids. MacCentral has an interview with Maine governor Angus King where he discusses the success of the program. Despite the Maine state legislature's attempts to kill the program, it continues on. Why? Well, a $1M grant from the Gates Foundation certainly helped. Over the summer Apple delivered 18,000 iBooks and installed 239 wireless networks in 239 schools."
So long as they're not mandatory. Polo writes "I noticed that the Garmin Rino 110 and 120 are shipping. If you don't remember, these are FRS/GMRS Radios with integrated GPS. You can transmit your position to other units so they can hear you and see where you are. Pretty cool. This is a follow-up to an older story."
What the market will bear. His Nastiness writes "Just a follow-up that I ran across that indicates that Steve Ballmer may have just been blowing hot air on not selling the XBox in Australia anymore. See the previous thread here."
-
San Diego Company Owns E-Commerce
Kernel Panic writes "Looks like you can now be sued for using graphical and textual content on your e-commerce site. As everyone who has an e-commerce site does. A company in San Diego was granted one patent for using graphics and text to sell things on the web and another for accepting information to conduct automatic financial transactions via a telephone line & video screen. They have started their crusade with smaller companies that do not have the financial resources to fight back so as to build a "war chest" to take on larger companies like Ebay and Amazon. One site has taken the offense after becoming one of the first defendants of 50 companies so far. Curiously it appears the company was formed in March of 2002, less than a month before filing for the first lawsuit." -
Patent Cases Hurting Small Businesses
smudge writes "An Information Week article states that multiple small businesses with Web presence are being sued by PanIP LLC. The claims in these patents being asserted in the lawsuits refer to 'a computerized system for selecting and ordering a variety of information, goods and services' and 'an automatic data-processing system for processing business and financial transactions between entities from remote sites.'" -
Microsoft PPTP Buffer Overflow; VPNs Vulnerable
An anonymous reader writes "According to this InfoWorld article, a buffer overflow exploit has been discovered for Microsoft's PPTP implementation, which leaves Microsoft VPN solutions vulnerable to exploit. This overflow was discovered by the German security firm Phion; they have posted more info on this page." We might as well throw in yet another remote exploit for FrontPage, too. No, not last week's remote exploits - these are new. Coincidentally, the front group Microsoft organized for the purpose of quashing bug disclosure (that is, reducing Microsoft's bad press) is just now getting underway. -
IBM Dropping Laptop Linux Support
Bjarne Bula writes "In a message to the linux-thinkpad mailing list, Keith Frechette, former (as of Monday, June 24th) lead developer of Linux support on ThinkPads, reported that IBM has decided to no longer fund that project." I've been using Linux on a ThinkPad for some time now. If it stops being compatible, my next laptop won't be a ThinkPad. Too bad, because the machines are solid. Update: In an interesting counter-point, Information Week tells us that IBM will be opening a Manhattan-based "Linux Center of Competence" to show off Linux. Go figure. -
Discovered: High-Temperature Non-Metal Magnet
Wonko42 writes: "Russian scientists who were trying to produce high-temperature superconductors accidentally created the first non-metallic magnet that is magnetic at room temperature (and up to 200 degrees Celsius). Previously, non-metallic magnets tended to lose their magnetism at -255 degrees Celsius. The magnet was created by superheating and pressurizing buckyballs to join them together as a sheet. The technology is ideal for use in magnetic storage devices, and could also be used in chips. The material is also photo-sensitive, which means it could be used as an optical storage medium as well. Yay for buckyballs!" -
A New Approach To Linux Clusters
rkischuk writes: "InformationWeek has an article about a group of ex-Cray engineers working on a new architecture for clustering Linux systems. 'It's not easy trying to build scalable systems from commodity hardware designed for assembling desktop computers and small servers.' Per the article, 'As the number of CPUs in a Beowulf-style cluster-a group of PCs linked via Ethernet-increases and memory is distributed instead of shared, the efficiency of each processor drops as more are added,' but 'Unlimited's solution involves tailoring Linux running on each node in a cluster, rather than treating all the nodes as peers.'" Looks like Cray engineers think about clustering even when they're not at Cray. -
IBM Research Enables Flat-Panel CRTs
joescrooge writes: "IBM's got something new to give those LCDs a run for their money." That something new is CRT technology which removes the unsightly humps that take up most of the space of traditional monitors, and directs the electron beams through a magnetic panel about the size of the displayed image. Considering that 15" LCDs are now under $400 at Walmart, even cheaper ones sound like a pleasant fantasy for dual- and triple-headed flat-panel systems. -
Linux PDAs in the Field
BorrisYeltsin writes "A story here at InformationWeek about a guy who has equipped his 3500 field engineers using the new Agenda VR3 palmtops. It brings up an interesting issue about the Sharp Linux PDA and how the different libraries and APIs will cause problems for developers." Having now seen the iPaq running Linux, KDE, and even Konqueror, I now believe it's possible. -
Thomson's Vision: Smart Cards For Everything
ideaspin writes: "Thomson Multimedia is pushing the adoption of its smart card technology (SmartRight) in all kinds of devices ranging from TVs to PCs and set-top boxes -- basically, anything that might play digital media. Information Week has an article about it as does Webnoize(subscription only). This doesn't smell like something that would survive on the PC and consumers aren't going to be thrilled about the restrictions that such technology will bring -- no recording, limited archivability, no sharing and additional hardware for every viewing device. Interesting thing is that they are trying to convince the government to require the computer industry to adopt such a standard. Along with the copy protection schemes built into portable media and hard drives, this is one of the many ways that they are trying to lock down 'rogue' PC devices." -
Apache and XML
PerlStalker writes: "Information Week has an interesting article about the Apache XML project's role in E-commerce. From the article: 'An important open-source tool for XML parsing and generation is called Xerces, which is being written by the Apache Group, creators of the Apache open-source Web server with input from IBM and other vendors. "Xerces could be very important, because it would provide a readily available set of XML tools that could spread throughout the industry very quickly," [John] Rymer says.'" -
How Much Do Computer Virus Attacks Really Cost?
An Anonymous Coward asks: "I'm presently doing a research project on the actual cost of computer viruses to companies within the U.S. Computer Economics, a research firm out of Carlsbad, California, has released statistics suggesting that virus attacks have cost U.S. businesses $17.1 Billion in 2000. That figure has gone on to be quoted in a number of other publications such as an article in Information Week magazine, but beyond a simple explanation, statistics aren't presented to back up this claim. How much have virus attacks cost you or your company?" To be honest with you, I too would like to see the mathematics behind this claim. -
Corel Looking To Sell Linux Operations?
PySloth wrote to us with a link to InformationWeek that speculates about what Corel might be doing differently soon. One of the possibilities is the sale of their Linux operations, which would be odd concerning the .NET portion of their deal with Microsoft. -
IT Stress In The Workplace
peec writes: "Found this story in Information Week. It talks a great deal about IT stress. How to prevent it and what causes it in the workplace. Great for everyone in IT and their bosses." -
Default Behavior: Piranha vs. Microsoft SQL Server
Do you remember the Piranha debacle back in April? Welcome to Part II. Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's Piranha module. Unlike Piranha, SQL Server is very common software for large e-business websites. Unlike Piranha, the vulnerable software has been shipping for months. Unlike Red Hat, Microsoft refuses to take responsibility for their mistake, which, unlike Red Hat's, has resulted in actual documented break-ins, some at high-profile websites. So why haven't you read about it? Because unlike Red Hat, Microsoft is getting a pass by the media.
Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.
The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.
The media flipped, in a word, out.
Piranha: A Case Study
On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.
"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.
ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:
"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."
Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.
In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.
Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.
ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.
The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.
But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh, who had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."
If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.
(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")
Microsoft SQL Server 7.0
You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?
Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).
As the cracker Herbless describes it:
"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."
A default password vulnerability? Sounds familiar, doesn't it?
Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.
Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.
As he described it to me, unlike Piranha's vulnerability which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater than those of even the 'Administrator' user."
In other words, you have been 0wn3d.
You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."
Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).
All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:
"Hacked websites 'didn't read the manual'
"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."
Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.
All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.
Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.
Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-exploit program. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.
The proper fix would be to force the password to be changed before the software can be used, as Piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.
The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)
The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.
So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.
-
If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.
(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")
Microsoft SQL Server 7.0
You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?
Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).
As the cracker Herbless describes it:
"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."
A default password vulnerability? Sounds familiar, doesn't it?
Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.
Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.
As he described it to me, unlike Piranha's vulnerability, which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater than those of even the 'Administrator' user." (In NT terms this is the LocalSystem account, which the SQL Server service runs under by default; a command launched through SQL Server inherits that account's rights.)
In other words, you have been 0wn3d.
You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."
Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).
All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:
"Hacked websites 'didn't read the manual'
"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."
Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.
All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.
Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.
Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-control backdoor. Those sites can set an SQL Server password now, but it won't help them: they're still 0wn3d until the machine is rebuilt.
The proper fix would be to force the password to be changed before the software can be used, as Piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.
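The two weak defaults described above, a blank sa password and login auditing left off, can be found and corrected from the server itself. The T-SQL below is an added example; it is not part of the original story and is not Herbless's code. It assumes a SQL Server 7.0 instance, a connection made as a member of the sysadmin role (from Query Analyzer or osql), and it uses a placeholder password that must be replaced with a generated secret.

```sql
-- Added hardening script for SQL Server 7.0 (not from the original story).
-- Assumes you are connected as a member of the sysadmin role.

-- 1. Audit: list SQL-authenticated logins that currently have no password.
--    master..syslogins exposes the stored password; NULL means blank.
--    isntname = 0 excludes Windows logins, which never carry a SQL password.
SELECT name
FROM master..syslogins
WHERE password IS NULL
  AND isntname = 0;

-- 2. Fix the first default: give sa a real password.
--    sp_password arguments: old password (NULL = blank), new password, login.
--    'ChangeMe-Long-Random-Value' is a placeholder; use a generated secret.
EXEC sp_password NULL, 'ChangeMe-Long-Random-Value', 'sa';

-- 3. Fix the second default: record successful and failed logins in the SQL
--    Server error log and the NT application log. Takes effect after the
--    MSSQLServer service is restarted.
EXEC master..xp_loginconfig 'auditlevel', 'all';

-- 4. Verify both changes. The first query should return no rows; the second
--    should report auditlevel = all.
SELECT name FROM master..syslogins WHERE password IS NULL AND isntname = 0;
EXEC master..xp_loginconfig 'auditlevel';
```

Run it against every instance you own, not only the ones you remember installing, and pair it with a firewall rule that blocks SQL Server's TCP port 1433 from the Internet: the script closes the default, not the exposure. If the audit query returns sa on a machine that has been reachable from outside, treat the box as already compromised rather than merely fixed, since with auditing off there is no log to prove otherwise.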
The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)
The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.
So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.
-
Apache and Open Source Move To Mainstream
I was just made aware of the somewhat old, but interesting article from Information Week entitled Open Source Moves To The Mainstream. In addition to Apache, the article also refers to Perl, PHP, MySQL and Linux as Open Source products that are "luring" developers away from commercial solutions. -
Analyzing the Analysts
Very cool, very deep story at Information Week about the IT "analysis and research" firms you often see quoted as authoritative sources in assorted media, and how accurate their predictions are - or aren't. A quote from the story: "The leading analyst firms have become so influential that their opinions can help IT chiefs gain senior-management approval for technology investments." Obviously, these firms carry plenty of weight. Should we be scared of their growing power? Or have they become an essential part of the computer and Internet business scene? -
Checkpoint Porting Firewall-1 to Linux
booboo writes "Stuck with a firewall on NT? InformationWeek has the news that Checkpoint has announced plans to port their Firewall-1 and VPN-1 code to Linux (2.2 kernel)" -
Tivoli Thinks About Linux
An anonymous reader wrote in to say "In this story Tivoli refers to the enterprise management software and a business unit of IBM. Tivoli is not only considering porting the gateway portion of the Tivoli Framework (the gateway allows management of workstations, windows, netware, os/2, as/400, etc.), but making it the only gateway platform supported!!! Thus every Tivoli implementation would require Linux. It would be important to note that currently many flavors of Unix and WinNT are the supported gateway platforms for Tivoli Framework 3.6 and there is no support for Linux at all right now. " -
Hidden Costs of Code Reuse?
Information Week has an article debating the hidden costs of code reuse. Although Code Reuse is obviously not a magic bullet, three flaws appeared to me in their argument: First, companies only need to scramble to reuse their components because they keep their software proprietary: with a wider market (eg OpenSource) they could benefit from others' work by using others' components, while contributing themselves. Second, fewer lines of code and more uses of the same code stress it out better, so it should contain fewer bugs. Third, while it is very hard to come up with really good reusable objects or a good library API, this mental training results in employees with sharper minds able to see a problem from many angles rather than just employees that churn out Klocs of simple code... which might even improve employee productivity in the long run. What do you think? Link courtesy of Linux Today. -
A CIO perspective
cio.com has an article we missed about the transition from Unix to NT from a CIO's perspective. Since an average of 48 percent of departmental server purchases are made by executives outside central IS-departments, NT cannot be ignored. On the other hand, NT is not scalable beyond 30 users and 4 processors, as a large European company found out. Although other companies have had similar experiences, it would appear that Aberdeen's report concludes that NT is cheaper than Unix, only because NT runs on PCs and Linux/*BSD are ignored. Given the $100 price-tag, I have not read the article. Does anyone know whether Linux is mentioned?