Domain: itworld.com
Stories and comments across the archive that link to itworld.com.
Stories · 2,036
-
Study Finds Regulation Good For Telecom Customers
jfruhlinger writes "Customers are always better off when government bureaucrats get out of the way and let the market work, right? Well, maybe not in all cases. As described at ITworld.com, a recent study compared the regulatory regimes and telecom environments in various European countries. The study concluded that in countries where regulators had more power to levy fines and punish monopolistic behavior, customers paid less and got more services." From the article: "The report, conducted by Jones Day and Strategy and Policy Consultants Network Ltd., showed that investment in telecommunications, which leads to better services for end users, is lower in countries where there is little competition." -
AIM Bots: Useful or Spam?
An anonymous reader writes "Imagine my surprise this morning when AOL AIM popped up a window and introduced me to two bots that it automatically added to my buddy list." Two separate issues: one is simply auto-adding robots to your friends list, which is very uncool. The second is a corporation using bots in an official capacity. This is an interesting trend, although technically speaking, not that far from the eggdrop of old. -
MIT Unveils Prototype for $100 Linux Laptop
Examancer2 writes "MIT is showing off a prototype of a $100 laptop. It uses a 500MHz AMD processor, stores everything on flash memory, and runs Linux. The AC adapter acts as the carrying strap, and there is a hand crank so if you can't find a source of electricity you can charge it kinetically. The prototype laptop is also much more flexible and durable than your average notebook. In addition the unit has a screen that has a special daylight-friendly black & white mode that makes a great ebook." From the article: "Nicholas Negroponte, the co-founder of the Media Lab at the Massachusetts Institute of Technology, detailed specifications for a $100 windup-powered laptop targeted at children in developing nations. Negroponte, who laid out his original proposal at the World Economic Forum in Davos, Switzerland, in January, said MIT and his nonprofit group, called One Laptop Per Child, is in discussions with five countries--Brazil, China, Thailand, Egypt and South Africa--to distribute up to 15 million test systems to children." More coverage of this story available from ITWorld, InformationWeek, BBC, ZDNet, and the Associated Press. -
German Court Sets Copyright Tax on New PCs
graemee pastes: "The District Court of Munich has ordered Fujitsu Siemens Computers to pay a copyright levy on new PCs. The landmark decision, announced on Thursday, ends a nearly two-year dispute between the largely Germany-based computer maker and the country's VG Wort rights society, which has sought compensation for digital copying. VG Wort had filed a suit against Germany's largest PC maker, Fujitsu Siemens, seeking 30 euro (US$41) for each new computer sold in the country. The court agreed to a 12 euro copyright levy." -
IBM Prepares 100-Terabyte Tape Drives
Roland Piquepaille writes "It's a well-known fact that we're living in an era of data explosion, and that it's not about to stop. So it's not really surprising that IBM researchers are eyeing a 100-TB tape drive. Yes, you read correctly. They want to increase the storage capacity of their largest units by 250 times, from 400 GB to 100 TB. In order to achieve this goal, they're borrowing 'nanopatterning' techniques derived from the microprocessor division. Today, the size of a tape track is about 10 microns. They want to reduce it to 0.5 micron -- or 500 nanometers -- in about five years. IBM doesn't really say when a 100-terabyte tape drive will be available. But more importantly, the company doesn't say a word about future data transfer rates, which today reach 80 MB/s. Read this overview for more comments about this problem of data transfer rates." -
MS To Offer Windows Sans WMP, If EU So Orders
PSwim writes "Microsoft has said it will remove Media Player from Windows, if ordered by the EU this week. The 'Windows-Lite' version will only be available in Europe. Best quote from the article involves its refusal to release networking documentation: '"The Commission says Linux would disappear" if Microsoft did not grant access to its documentation, Smith claimed. "But Linux is alive and well and I don't know any person at Linux or any Linux programmers who share the Commission's view."'" -
Tech Employment Drops Sharply In 2004
Cryofan writes "According to Information Week, the latest Bureau of Labor Statistics report shows that the number of Americans calling themselves IT professionals has decreased by nearly 160,000 in the last 3 years, and the number of programmers, analysts, and support specialists has fallen 15% since the first six months of 2004. According to IT World, the number of employed Software Engineers fell by 15% from April to July of 2004 (from 856,000 to 725,000)." -
"Buffalo Spammer" Gets 3.5 to 7 Years
jfruhlinger writes "Howard Carmak, aka the 'Buffalo spammer,' has been sentenced to jail time for his spamming activities. Interestingly, the conviction was not for spamming per se, but rather stealing someone's identity, which he then used to launch his spam messages." -
EU To Counter Echelon With Quantum Cryptography?
jfruhlinger writes "An article on Security.ITWorld.com seems to outline a coming information arms race. The European Union has decided to respond to the Echelon project by funding research into supposedly unbreakable quantum cryptography that will keep EU data out of Echelon's maw. Leaving aside the question of whether such a thing is possible, the political implications are troubling, indicating a widening rift within the Western world. Interestingly, the UK is part of the EU, but its intelligence services are among Echelon's sponsors." -
Microsoft's New Core OS Team Learning from Linux
sokk writes "Seems like Microsoft is paying attention to the Linux way of doing things. According to itworld.com, a new central engineering division will work on the core of Windows: 'The Windows Core Operating System Division (COSD), within the company's Platforms Group, will be responsible for the core OS platform, including development, program management and testing, Microsoft said in a statement sent via e-mail.' A little further down the page, analyst Rob Enderle says: 'They have been studying Linux extensively. Part of their study has been on how Linux has been able to maintain a high level of consistency in the kernel while groups around it maintain maximum flexibility.'" -
Linus Corrects Darl on Copyright Law
cybermancer writes "ITWorld.com has a rebuttal by Linus Torvalds to Darl McBride's latest FUD on copyrights and Open Source. In a nutshell, Darl states 'SCO asserts that the GPL, under which Linux is distributed, violates the United States Constitution and the U.S. copyright and patent laws' and Linus points out that 'the notion that the GPL has, of "exchange of receipt of copyrighted works," is actually explicitly encoded in U.S. copyright law'. Linus, of course, provides a link allowing the reader to see the law for themselves." -
Does IT Matter?
geoff313 asks: "I'm sure many of you are aware of the uproar over Nicholas Carr's article 'IT Doesn't Matter' which was published in the Harvard Business Review, back in May. While many big names in the IT world have responded already to Carr's article (Ballmer has declared it 'Hogwash' and Fiorina has pronounced it 'Dead Wrong'), Carr debated vendor executives Monday at the Comdex trade show, proving that the issues he raised are still resonating through the industry. Do you feel that corporate IT budgets should be focusing on cutting-edge technology to best serve its customers' needs, or should they focus on shoring up what they have now in order to maximize its usefulness to the customer? Some background can be found from the Washington Post, InfoWorld, and ZDNet, as well as at Nicholas Carr's site."
"For those of you unfamiliar with his philosophy, it can be summed up pretty thoroughly by his statement 'Follow, don't lead,' arguing that the huge advances in the IT industry over the last two decades have erased the strategic advantage to be had by corporations for staying at the cutting edge of technology. In short, he advises 'executives need to shift their attention from IT opportunities to IT risks - from offense to defense.' Of course the head honchos at IBM and Microsoft disagreed with him, citing Wal-Mart's use of RFID tags to keep track of inventory and other forward-thinking IT decisions as a refutation of his thesis.
What I am interested in is the opinion of those in the trenches of the IT war." -
SGI Compares Linux & System V Source Code
mrgoatCEO writes "It seems SGI has finished up their test comparing SCO's Unix System V code and that of the Linux Kernel, according to ITWorld. SGI found that any similarities between the systems (amounting to only about 200 lines of code) have been removed in Linux Kernel 2.4.22, and added that the similarities were 'trivial in amount.'" This follows moves by SCO to terminate SGI's Unix license. -
More Linux Activity in German Government
__past__ writes "The decision of the Bavarian capital city Munich to switch their desktop systems to Linux has caused a lot of discussion, and has been widely regarded as an important step for Linux on the desktop. And even if Microsoft has tried hard to make their offerings more attractive since, including a special license contract that could save the public sector 'a lot of money' according to interior minister Otto Schily, it looks as if Munich was only the beginning."
"9 more cities in Rheinland-Pfalz, including the capital Mainz, are seriously considering replacing most, if not all, of their Microsoft software with Linux after their current contracts expire in early 2004, noting that there are many other cities in a similar situation, and with similar plans.
Meanwhile, the police in Niedersachsen (German) are busy rolling out Red Hat Linux on 11,620 desktops and 120 servers, running both standard Linux software and a custom information system called 'Nivadis' based on WebLogic and Oracle running on Itanium servers, citing savings of about EUR 20 million compared with a Windows-based solution.
In a less desktop-related project, the state of Mecklenburg-Vorpommern started a project with SuSE, IBM and others porting a mission-critical system called ProFiskal from Reliant Unix to Linux on zSeries, again citing cost as the primary reason, but also noting the benefits of using open standards for both software developers and users."
-
Embarrassing Dispatches From The SCO Front
An anonymous reader writes "Dennis Ritchie has acknowledged that he, with Ken Thompson, wrote the code cited as 'proof' by SCO. This seems to fit perfectly with Bruce Perens' Analysis of SCO's Las Vegas Slide Show, and undermine Blake Stowell's claim 'At this point it's going to be his word against ours.'" Andreas Spengler writes "In the ongoing battle between SCO and the Linux community, German publisher Heise has shown that not only was the Linux implementation of the Berkeley Packet Filter written outside of Caldera (now SCO), but that it was common practice there and at other companies to remove the BSD copyright notices from the internally used source code. In effect, SCO has proven publicly that they violated the BSD license." (Warning, article is in German.) Finally, a semi-anonymous reader writes "Learn all about how IBM's stomach will be roasted on a pyre of CDs at WeLovetheSCOInformationMinister." -
LWCE Wrapup
An anonymous reader writes "Extremetech.com reports that: 'Computer scientists from think tank SRI will present a novel take on distributed computing at LinuxWorld, all in a search for a little lost penguin.' For more information on Centibots, head over to the Centibots Project homepage." ReadthePaper writes "I just read a great interview with Jon 'Maddog' Hall of Linux International." And finally, Hawkxor writes "Sun Microsystems VP Jonathan Schwartz demoed Sun's new desktop-oriented Linux distro 'Mad Hatter' and 3-D Desktop Environment 'Looking Glass' at LinuxWorld. Sounds pretty cool." -
MMORPG Subscriptions Taxed In Europe
Thanks to GameSpot for posting an article noting that MMORPG subscriptions from players in many European countries now have 17.5 percent VAT added, implementing "a European Union directive on sales of electronically delivered goods and services" which became effective on the 1st of July, and was something we mentioned a few weeks back. The specific reminder came as a "..news item on Sony Online's official sites for EverQuest, PlanetSide, and Star Wars Galaxies", and it'll be interesting to see how forcefully other MMORPGs will enforce this rule. -
Cornucopia of Spam
Eric Savage writes "The IETF, through IRTF, has formed an Anti-Spam Research Group. If there is any hope for a technical solution to the problem, it appears the first significant step has been taken. More info here in itworld and here in ComputerWorld." Three more exciting spam-related posts inside, including news from the Nevada legislature regarding spam, Arkansas' dislike of the meaty email and "when students go bad".
torklugnutz writes "The NV state assembly just voted 41-0 in favor of a bill which allows spam recipients to collect up to $500 per piece of spam. The new law also requires ADV to be added to the subject line so that recipients can more easily identify unwanted ads. In addition, spoofing of the sender's email address or having an invalid return address is made illegal. The old law imposed a $10 fine on spammers, but required prosecutors to collect it. This law will, more than likely, increase my chances of reading the spam I get so that I can try to cash in. So, maybe I CAN make an incredible amount of money from this 'Amazing Offer'."
And in Arkansas: A.G. Russell writes "With House Bill 1008, subtitled 'Unsolicited Commercial and Sexually Explicit Electronic Mail Fair Practices Act,' Arkansas looks to join other states that have criminal and civil legislation in place to deal with spam. Can we help them craft this?"
And from academia: mansemat writes "Seems spammers are using a new tactic these days by paying students to send spam over university networks. This particular student will be disciplined by losing his computing privileges, and being educated on the policy he violated. One can only hope the education includes being subscribed to every pr0n, male enhancement, mortgage, etc. spam on the planet." Should have booted the miscreant.
-
Examining Microsoft Update
eggsovereasy writes "The Inquirer is reporting that a group in Germany has deciphered the information sent to Microsoft during an update using Windows Update and says that information on all software installed on your computer is sent, even that which is not Microsoft's own software." The original article is, unfortunately, pay-per-view. Update: 02/26 18:19 GMT by T : ionyka points to this "related article from ITWorld that deals with Microsoft's transferring of information through Windows Media Player. When you open up Media Player it sends information back to Microsoft like what movies you play, what songs you listen to and where they come from." -
Apple is Going Out of Business ... Again
gsfprez writes "It's been a while ... and strangely, the world almost seemed empty without the constant drumbeat of how Apple is on the verge of going out of business. If you're a fan like I am, then you're in luck, because this Canadian tech journalist didn't get the memo that Apple's been going out of business longer than most tech journalists have been in business. And besides, someone needs to let Robert Thomson know: when writing a story on how Apple is about to die, you have to call them 'beleaguered'. Come on, that's Tech Journalism 101, people. In any case, he brings up no new points to bolster his argument: he confuses his personal inability to use third-party software that works fine for most of us with legitimate bad third-party support, and uses this to draw his illogical conclusion. Illogical because it's the same reasons/unrealized conclusions that were the staple of tech journalism from 1985-1999." -
Xbox Losses Double, Xbox Shrinks
seldo writes "According to ITWorld, losses in the last quarter at Microsoft's Home and Entertainment segment have doubled. From the article: 'The segment, which also includes Microsoft's TV platform and PC games, posted a quarterly operating loss of US$348 million, compared with $180 million in the same period a year ago.'" An anonymous reader points to similar coverage at news.com, pointing out that the company also reports "profits for Office, and one small note about an undisclosed, presumably Japanese, company that Microsoft is propping up. So, the big question on my mind is, who is Microsoft secretly holding above water, and why? The fact that they are presumably Japanese seems to point towards an Xbox partner. Could this explain the sudden flood of Sega exclusive games?" Another anonymous reader writes "Microsoft will be showing a smaller-sized Xbox at E3 this May. In addition to the smaller size of the hardware, the Xbox Lite will also be integrated with Media2Go, allowing Xbox users to download digital content such as music and movies. Wonder what this means for all the current Xbox mod chips?" -
E.U. Commission Suggests Permissive Copyright Rule
An anonymous reader submits "ITworld.com is reporting: 'The European Commission on Thursday presented a draft directive that punishes copyright infringement for commercial purposes, but leaves the home music downloader untouched, infuriating the entertainment industry.'" -
Finland Drops EUCD For Now
replicant_deckard writes "Electronic Frontier Finland just got a huge legal victory. They report the local DMCA-copy (based on EU copyright directive) was dropped today at the parliament after heavy criticism. So far just two EU nations have accepted the innovation threatening law. Campaigns go on in different European states. They need your support!" cabra771 writes "The European Commission has put up a new proposal dealing with online music piracy that appears to have slightly upset a few people." -
UnitedLinux Pushes Into Telecom Market
An anonymous reader writes "It would seem that UnitedLinux is pushing into the telecoms market according to this article at ITWorld. Is this the first market they are trying to meander into? I particularly like this quote: 'Telecommunications grade servers must meet specific standards regarding electromagnetic interference, electrostatic discharge, corrosion, grounding and seismic durability.' Hmmmm." -
Wireless Internet Launched on Lufthansa FRA - IAD
JpMaxMan writes "On flight LH 418 from Frankfurt, Germany, to Washington, DC, Lufthansa AG began on Wednesday a three-month trial for a new onboard wireless broadband service that allows travelers to connect to the Internet some 10,000 meters in the sky." -
FireWire 2 Coming Soon?
Twirlip of the Mists writes "Looks like SmartDisk pulled a Time Canada. IT World reports, 'Several hours after announcing that it is introducing desktop hard drives that connect to Apple Computer Inc. computers using the new high-speed 800M bps (bits per second) FireWire standard, SmartDisk Corp. asked that the news be "killed due to premature release."'" Sweet. -
India's Bargain Supercomputer
MaximusTheGreat writes "India beat U.S. supercomputer sanctions by building a teraflop $5 million PARAM Padma supercomputer, which is half the price of similar computers being sold in the international market. It can be scaled up to 16 teraflops on a build-to-order basis. For comparison, the fastest supercomputer in the U.S. is about 10 teraflops. Some technical details and more info on CDAC, ITworld, Economic Times and Asia Times. Also, India has been exporting older model PARAM 10000s to other countries like Russia, Canada, Germany etc. for some time, and expects to increase exports significantly with the new model PARAM Padma." -
Xserve Competes With High-End Unix Servers
wayneh writes "There is a great article at ITworld.com about how Apple's Xserve is finding its way to high-end server vendors. The vendors who traditionally sold Sun and IBM servers are now looking into and stocking the Xserve as their clients become curious about the system. It'll be interesting to see how well the Xserve does among its more traditional competitors." -
Digital Video Capture and High Frame Rates?
Jeff asks: "So the folks at a place called Conniption Films (great name) developed a camera called the Millisecond Camera which can shoot 12,000 frames of film a second. I read the article and thought 'Hmm, that's neat' but then realized they were still using an analog process for shooting this high-speed film. Being a geek, not necessarily into the film side of things but curious nonetheless, I wonder, shouldn't a computer be able to do a better job of such a thing? They say the film runs around a spindle going 500 mph (!). Wouldn't that be prone to failure and use a lot of energy? Wouldn't it be more appropriate, easier, and overall cheaper to just hook up a high-res CCD to a beowulf </duck> cluster of 2 GHz+ machines and capture high-speed images that way? Why hasn't it been done yet? Or has it and I haven't seen it yet?" I did a double-take when I first read this question, and then got curious and did a little digging. Turns out, high frame rates are not exclusive to the analog photography world, and to illustrate my point, I provide this link. It's woefully short on details, and on the explanations as to why a camera that can record 1M frames per second is limited to a playback of only 103 frames, but the technology is out there. Has anyone seen any other digital cameras out there with high frame rates? What visual mischief could you aspiring photographers get into with such a camera? -
Toshiba Latest Casualty of DRAM Price Wars
Tsar writes: "ITWorld.com tells the story: Toshiba is getting out of the DRAM business. They had 6.2% of the world market last year, but soon their Manassas, VA facilities will belong to Micron, the Yokkaichi plant's DRAM production will be reduced to a trickle, and Toshiba will be out of the commodity memory market. Guess you can sell DRAM for a hundred bucks a gigabyte, but you can't make a living at it yet." -
Tokyo.Disney.Net
Steve Nakhla writes: "I came across this article detailing how the Walt Disney Company is using ONLY gigabit ethernet in its new Japanese park, Tokyo DisneySeas. Previously, a combination of ethernet, ATM, and others were utilized to create the network backbone in Walt Disney World and Disneyland. It's an interesting look at how the 'magic' is created. For example, using CobraNet's technology, they are able to stream audio out to speakers with no loss of sound quality, while keeping the control rooms in a centralized location remote to the area." -
LinuxWorld.com, UnixInsider To Close
A couple people noticed that NewsForge has a story running on the closure of LinuxWorld and UnixInsider, two of IDG's online efforts. Some of the efforts will live on in the parent ITWorld, but it's too bad to see them go. -
Interview with Phil Zimmermann
A reader writes "PGP's creator is participating in an online interview this week. Phil is mainly interested in clearing the air about the recently discovered ADK bug, but the larger topics of encryption and worldwide organized snoop rings (Echelon) have already come up. The interview is open to questions from anyone; runs through Friday 9/8." -
Default Behavior: Piranha vs. Microsoft SQL Server
Do you remember the Piranha debacle back in April? Welcome to Part II. Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's Piranha module. Unlike Piranha, SQL Server is very common software for large e-business websites. Unlike Piranha, the vulnerable software has been shipping for months. Unlike Red Hat, Microsoft refuses to take responsibility for their mistake, which, unlike Red Hat's, has resulted in actual documented break-ins, some at high-profile websites. So why haven't you read about it? Because unlike Red Hat, Microsoft is getting a pass by the media.
Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.
The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.
The media flipped, in a word, out.
Piranha: A Case Study
On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.
"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.
ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:
"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."
Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.
In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.
Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.
ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.
The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.
But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh, who had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."
If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.
(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")
Microsoft SQL Server 7.0
You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?
Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).
As the cracker Herbless describes it:
"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."
A default password vulnerability? Sounds familiar, doesn't it?
Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.
Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.
As he described it to me, unlike Piranha's vulnerability which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater than those of even the 'Administrator' user."
In other words, you have been 0wn3d.
You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."
Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).
All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:
"Hacked websites 'didn't read the manual'
"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."
Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.
All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.
Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.
Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-exploit program. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.
The proper fix would be to force the password to be changed before the software can be used, as piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.
The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)
The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.
So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.