Domain: lwn.net
Stories and comments across the archive that link to lwn.net.
Stories · 291
-
Slashback: Grammy, Sirius, Levies
Slashback this evening with another round of clarifications and additional links regarding recent Slashdot stories. Steve Jobs' Grammy acceptance speech, details on the proposed higher levy on CD-Rs in Canada, more on the claimed clash between satellite radio and 802.11 devices, and more. After the bowling ball, the mouse. jonny writes: "Most people here know the story of the Mac and the growth of the GUI. Most of you probably don't know the whole story though, namely you probably don't know the story of the mouse, important as it is... Interesting too."
Additional reading material for the math-inclined. Bruce Schneier dropped a note with some good reading material for anyone interested in the recent Slashdot posts on factoring and SNMP. "I've written essays on the Bernstein factoring paper and the SNMP vulnerability."
Americans shouldn't be too smug about this stuff. An Anonymous Coward writes, in response to the proposed increase in levies on various recordable media in Canada: "An excellent FAQ including information on how manufacturers, importers, and consumers can avoid the levies on CDRs and CDRWs"
It's not all sweetness and light. Lord Omlette writes: "Ok, I know ya'll ran the story on Apple winning a grammy. But! The acceptance speech got cut for time reasons & stuff, so Dr. Dobb's Journal put a transcript of the speech online for posterity & stuff. I didn't see it in the previous Slashdot story or the Apple press release, so I thought you might be interested."
Uncle, uncle, make him give me his toy! Sabalon writes "NetStumbler is running an article about Intersil and Motorola's response to Sirius and XM's appeal to the FCC to restrict the 2.4 GHz band. Intersil points out some interesting points, such as why the frequencies directly surrounding those that Sirius uses are not an issue, and Motorola believes the source of the interference is not 2.4 GHz, but probably engine and ignition noise."
How to save some very expensive seconds. In case a 23-second kernel compile is too long to bear, perhaps you just need to upgrade a bit. An Anonymous Coward writes: "Linux Weekly News reports that a kernel was compiled in 7.5 seconds on a Power4 with 6 GB of RAM."
Finally, it has come to this. Another reader points out: "Be, Inc., the company that developed and marketed the loved Be operating system, has announced sale of the be.com domain.
This would be a great time for someone to sweep it up. ;) *cough*OpenBeOS*cough*"
-
Slashback: Playstation, CueCat, Games
This edition of Slashback has updates and clarifications on the official release of Sony's PS2 Linux, relative security among various operating systems, dirty output on power-boosted Linksys wireless access points, and more, flying hardware you might have figured was no more, and more. Maybe a bad day at the factory? An anonymous reader submits: "I'm not sure where the other fellow got his WAP11, but mine don't show the dirty output his does." See this diagram for a much more desirable outcome, if you care to play with (a little bit of) fire.
First application should be a GPL'd AIBO obedience school. gonz writes: "An update to the previously reported Linux on PS2 kit has been submitted by Sony Computer Entertainment Europe (SCEE) to the people previously registering interest on their technology sites. The update states that it will be released in May in both SCEA (US) and SCEE (PAL areas, including Europe and Australia) territories. A website has been set up at this place. On a side note, registering for notification when pre-ordering can apparently be done too: 'Finally, although sales haven't yet started, if you send an e-mail with the message "subscribe" to ps2linux-request@technology.scee.net we'll let you know when pre-ordering starts.'"
Lessons in obviousness. John Kozubik writes: "I have written an article describing, in a manner I have not yet seen, why the court decision by the U.S. appeals court in SF that claimed in-line linking was not fair use was inherently flawed. It is a short piece written for both the technical and the non-technical, and I think it raises a strong point concerning the arbitrary nature of browser behavior."
If they'd launch some pigs, perhaps global phones would be affordable. Guppy06 writes: "Many of you may be surprised to learn that Iridium (famous for trying to compete with cell phones and failing miserably) is still throwing up satellites (I sure was). The article on CNN tells of the technical woes of getting this particular Delta II off the pad in Vandenberg as Iridium tries to put five more spares into orbit."
Couldn't they have spayed or neutered them instead? Speaking of old hardware, Anonymous Radio Shack Employee writes: "RadioShack has sent a notice to all of its employees to destroy all CueCats (preferably with a hammer). Apparently the CueCat is among a couple of dozen items that RadioShack has given up on, and wants destroyed. The memo says that store employees cannot benefit from the items on the list. Which sucks because my store has over a hundred of these things just sitting in the back room." This week's Linux Weekly News has a great, detailed followup to the recent flap over relative OS security sparked by a post in Windows Informant.
-
Good News On Two Open-Codec Fronts
davidu writes: "The Fraunhofer Institute in Germany (makers of the mp3 codec) licensed the divx ;-) video codec for future use. This is good for users because the codec is open source and is now on its way to becoming a standard. For those who don't know, this is unrelated to the failed Circuit City program, hence the smiley. ;-)" On the audio side of things, Mike Hicks writes: "Saw this on LWN's Daily Updates. Kenwood has come up with a car audio playing system that understands the Ogg Vorbis compression format, the Music Keg. Me want.. Time to start digging for spare change in the couch ..." Update: 02/05 03:24 GMT by T : Two clarifications below put a slight damper on each of these, though the overall news is still good. Vince Busam from Phatnoise writes: "The author of the mp3newswire article goofed big time! Nowhere does it state that the Keg plays Ogg files, only the desktop software. Ogg will be supported when free ARM libraries are available. The author is further incorrect when he mentions the Kenwood X959 plays MPEG video files on the tiny OLE display. I have no idea where he got that idea." And reader Guspaz points out: "OpenDivX is indeed opensourced, but it is not the same as DivX 4, which was what was licensed (And is what people download to use)."
-
Tracking Down The AMD "Processor Bug"
tercero writes: "over at the Gentoo Linux website there is an update on the AMD processor bug mentioned here. The sum up is that AMD claims it's not a bug with the Athlon processor, but with the motherboard. More detailed information can be found on this LKML post." An Anonymous Coward points to a similar explanation at Linux Weekly News. Update: 01/25 01:25 GMT by T : Daniel Robbins from Gentoo clarifies: "AMD is not calling this a 'motherboard' issue, it is an interaction between a feature of the Athlon called 'speculative writes' and the design of the GART, which is not cache-coherent. It's a 'Athlon/cache coherency/GART' problem, not a 'motherboard' problem." -
Should Aunt Tillie Build Her Own Kernels?
DeadBugs writes: "Linux Weekly News is reporting on a new linux controversy. The inclusion of a Kernel Autoconfiguration program that would make it easy for almost anybody to build a custom Kernel on their computer. Eric Raymond supports this idea saying that this will bring Linux to a wider market. Those that oppose this idea mainly think that only those educated few should custom build their own Kernels. I for one hope this gets included if only to make standard installations and upgrades faster." -
Slashback: SmoothWall, Gopher, Be
Slashback tonight on the slipping of Be through the fingers of Palm, further squashing of ZeoSync, the age of gophers, the invention of everyone's favorite electric-powered pronoun, and more -- just read on. But can you backtrack through a google cache? pointym5 writes "Checked out the ZeoSync web site lately? Remember all those PhDs on the scientific staff? Well, like I'm sure others did, I sent e-mail to a few of them expressing interest in more technical details. All that I contacted responded with absolute disclaimers of any relationship whatsoever with ZeoSync. This morning I note that most names are gone from the 'org chart' and the scientific team list. There are only five left, including Dr. Piotr Blass, 'developer of one of the world's first web sites.' Wow!"
How smooth is smooth? juct writes: "I appreciate it, that Slashdot gave the SmoothWall Team an opportunity to answer to the concerns in my review of their firewall. But it is full of errors and might leave a wrong feeling of security. So I invite everybody to my Tour on SmoothWall where you can judge for yourself."
Whispered words of wisdom, 'Let it be.' Sander van Dragt writes: "Many BeOS news lately. Not all so good for the BeOS community though. BeUnited, the organization which tried to license BeOS from Palm, has received today a final answer from Palm: '...we have made a firm decision NOT to license any part of this technology other than that which we incorporate into the Palm OS.' It is already known that the new 32-bit PalmOS will feature some elements of the Be technology, but that OS is built for PDAs, not for the desktop."
You can read that letter and the rest of the article on OS news.
And take this as you will -- An Anonymous Coward writes: "osnews.com is reporting that there is a new version of BeOS on the way... A German company called 'yellowTab' is said to be ready to ship a new version of BeOS (Just when everyone thought it was dead, and the final shovel full of dirt laid on top), get the full article here ... Hrm, I sure liked BeOS, I hope this one works out."
Dig, my brethren -- the Gopher Palace is almost complete! SuperguyA1 writes "Lwn is reporting that the gopher team has done it again with a 3.0 release marking Gopher's 10th anniversary. Happy birthday gopher. Thanks for helping me find all the muds I wasted so much time in college on:)"
"Bad connection, say again, you invented WHAT?" mi writes: "Yahoo! reports a potential problem the Segway Scooter may have in Japan -- a Japanese robotics professor seems to have had a patent on something very very similar since 1996. On the other hand, the USPTO knew about it when granting the patent to Segway's Dean Kamen, but still found Mr. Kamen's invention worthy of a patent in 1999. My favorite is Kazuo Yamafuji's words: 'I would hand over my patent for one dollar if Mr. Kamen admitted that we were first.' Indeed, he just sat on the invention for 15 years."
-
Linux 2001 Timeline
The people at Eklektix Inc. (ok, everyone knows them simply as LWN or Linux Weekly News) have written the Linux 2001 Timeline (you can read it all at once with this link, though it's a 1 MB download). Lots of funny notes from Linus, Eric Raymond, RMS, some sad moments. Who would have remembered that Linux kernel 2.4.0 went out only a year ago (Jan. 4, 2001), Eric Raymond promising SourceForge mirrors, and other tidbits -- A definite must-read. -
One-Machine Linux Cluster
An AC wrote: "Forget Beowulf clusters, Jacques Gelinas has made available a kernel patch to enable many virtual servers running on the same machine, even the same kernel. Read his original message posted to the Linux kernel list." Imagine what this will mean for hosting companies... -
Halloween Document Revisited
GroundBounce writes: "The front page of LWN has an interesting three-year-after analysis of the predictions in the Halloween document, which was "leaked" from Microsoft around Halloween of 1998. It's interesting to see how their predictions have/have not panned out." -
LWN in Trouble
DanDan writes: "It seems that Linux Weekly News may be on the rocks. Tucows has cut support and they have lost their Senior Editor. It would be sad to see them go." Anybody who has bright ideas or cash burning a hole in your pocket should check out their discussion list. -
On The Costs of Full Security Disclosure
sasha328 writes "I found reference to this email on the LWN.NET site which was sent to the SecurityFocus mailing list. It asks a very valid question about how much you can disclose before malicious virii can be possible." -
PostgreSQL Plans From The Source
WeaselOne writes: "Interesting Q&A with Bruce Momjian (one of the core PostgreSQL developers) on LWN.net. They caught up with him at O'Reilly where he was speaking (great intro sessions on PostgreSQL BTW). He lays out some interesting stuff about the direction of the database." -
IBM's JFS & PTh-NG Reaches 1.0
jd writes "IBM's Journaled Filing System becomes the second commercial filing system for Linux to reach the exalted 1.0 status! It also follows close on the heels of another IBM offering, the PThreads Next Generation project, which also hit 1.0 today." Check out this LWN story on it as well. It's worth noting that this is a free as in open source version - GPLed. There will be another commercial version as well. -
Linux Descending into DLL Hell?
meldroc writes "Or should I call it "Shared Library Hell"? The top story of LWN.net this week states that the newest version of GnuCash requires sixty libraries(!), many of which are new versions that aren't available out of the box with most Linux distributions. Managing shared libraries, with all their interdependencies and compatibility problems, is a major hassle. How should we go about dealing with the multitudes of shared libraries without driving ourselves mad or descending into the DLL Hell that makes Windows machines so unreliable?" Well, GnuCash 1.4.1 works fine for me, and I feel no immediate need to update to 1.6, the version that needs 60 libraries. But still a good point here. -
GNUstep Keeps Marching
navindra writes: "While KDE and GNOME often grab the headlines, other projects are silently making progress. Dennis Leeuw tries to make sense of the situation in this interesting GNUstep article featured on LWN Daily." -
Slashback: Cables, Kernels, Crackers
Information (yes, in English;)) below about superconducting cables in Denmark, more information on how not to get your server broken into (process, not product, naturally), and another update for the Linux Kernel Summit. Under the sea, a strange force was brewing ... Dag Willén, Group Leader, Superconducting Technologies at Denmark's NKT Research, wrote in regards to the recent story about superconducting cables in Denmark, saying "Info in English about this project can be found at www.supercables.com. (sorry for our "one-size" web design for 600x800 px, it was limited budget and talent.)"
Thanks, Dag.
Moving pictures of moving words Recently, a kernel summit took place, and many of the top kernel developers gathered in San Jose to wear funny hats, drink, and decide (or at least debate) on further directions for development of the Linux kernel. Chris DiBona pointed out there are now videos and sound recordings available for download, and you no longer need Real (as originally announced) to enjoy seeing and hearing all these smart people at work. Hopefully, these will one day be joined by Ogg versions as well;)
Don't trust malicious scumbags is part of "trust." AltGrendel writes "SecurityPortal has an article on how Apache.com was compromised. As the Billy Joel song says 'It's a matter of trust'." As always, Kurt Seifried is lucid and informative -- and brings up good points on protecting sites no matter how careful the admins are.
-
IPF License Change: Redistribution Not Allowed
An Anonymous Coward writes: "I found this at SecurityPortal, here. I use IPF and I noticed last week in the snapshot the license changed: 'Yes, this means that derivative or modified works are not permitted without the author's prior consent.' which was kind of bad since it violated Open Source guidelines. Now the current snapshot of IPF says 'Redistribution is not permitted' which completely violates any Open Source style license. Does this mean IPF will have to fork an older version or someone needs to write a completely new version for all the BSDs/Solaris/etc?" The old license certainly doesn't read this way to me, but IPF author Darren Reed asserts this is only a clarification of the license, not an actual change. Another ssh vs. OpenSSH? More coverage at LWN, partway down the page. -
Changes In IPFilter License
tom writes "It seems that the BSD community will have to face, presently and in the future, some copyright problems. In fact, the IPFilter code is copyrighted by Darren Reed who recently added the following to his license : "...Yes, this means that derivative or modified works are not permitted without the author's prior consent. " This little addition radically changes the status of the software, which cannot be considered as open source anymore. Shall this modification influence the future of projects such as OpenBSD, which actually uses a modified version of IPFilter? This originally came from Linux Weekly News." It's down towards the bottom of the page, now. -
HP to Use Debian for Linux Development
wfrp01 writes: "Bruce Perens gives us the skinny on Linux Daily News. Notice his use of the term GNU/Linux in a business context." Of course, HP's printers are still shipping with Windows-only drivers... and Windows-only configuration tools... and described as "Linux-compatible" in their advertisements. -
Loki Offers 50%-off Discounts to LUGs
Robotech_Master writes "Looks like Loki is going to be offering substantial discounts to Linux User Groups wanting to make mass purchases of 10 or more copies of their titles. 50% off, and they cover shipping." Quite the deal for lugheads. Get your copy of Tribes 2. Loki continues to do really good things. I know things are tough, but hopefully they can make it. Good luck guys. -
New Security Module For Kernel 2.5
CelestialWizard writes: "After the Linux Kernel 2.5 summit, a new security model is to be created for the next kernel. You can see the post from Crispin Cowan on BUGTRAQ. " Interested folks should look at the mailing list; my guess is this is gonna be for the techies only. -
Webcasts From The Linux Kernel Summit
It's taken a bit of time, but the webcast from the Linux Kernel Summit is online at OSDN. There are some good talks in there, from some of the big wigs in kernel development - Real is required to view it, but instructions for download/installation are on the site. -
Preview Of Linux 2.5
mojo-raisin writes: "Linux Weekly News is providing a report of the 'Linux 2.5 Kernel Summit,' a gathering of 65 core kernel hackers. Notes are provided on the first day of session, which covers changes required to make Linux more capable on high-performance machines and more user-friendly with hot pluggable devices." 2.5 looks close on the horizon, especially now that Linus has donned a funny paper hat. Better get your feature requests in soon;) -
Debian Lays Out Freeze Plans For Woody
impaler writes: "Looks like Woody is frozen. LWN has a message from the Woody release manager, saying it is frozen. So, I guess it is finally frozen. Hopefully in less than a year Debian 2.3/3.0 will be out. Yay. Well, really lots of yay. Nice GUI installer (even though I'm fine with the text one) and automatic hardware detection (something I like... especially when installing Debian on a box you know almost nothing about its hardware, i.e. at an installfest)." And it looks like the Debian Release Manager has absolutely, positively staked his life on releasing Woody no later than July 8, 2001, so we can set our clocks now and hold him to his sworn word. -
IBM Releases GPLd WinModem Support For Linux
horst writes: "Subject says it all -- IBM has released first GPL winmodem driver. Link found at LWN" I'll be even more excited when they release the code that works with my T20 ... I've never even dialed my modem *sniff*, but if you've got an MWave (600, 600E, 770) then you should be golden. But props to IBM for making a cool move. Hopefully it's not an isolated one. -
SuSE Lays Off (Most) U.S. Staff (Updated)
assbarn writes: "The title pretty much says it all, but LWN daily is reporting that SuSE is laying off almost all of its US staff. What does this mean for their English distribution? The details are short (and sketchy), but the link is at LWN. " I've tried reaching both the U.S. and German branches: SuSE has yet to return a call placed to the U.S. office, and at the German branch it won't be business hours for a while. I've left that message at the SuSE American office, though, and will update with any confirmation/denial. Update: 02/08 12:03 AM by H : A couple people have sent in the LinuxToday piece. SuSE's PR agency has denied it, but LWN is standing by it, and several other readers have substantiated it to LinuxToday and LWN, including the original source on LWN. As well, SuSE did say that a number of positions were being relocated. We'll keep the story updated. Update: 02/08 04:38 AM by T : LinuxGram has some great information -- with real details! Skeleton crew of 12 to remain in the U.S. What's also interesting is that it confirms that the PR agency had "bad communication," which is an interesting statement to say the least. -
LinuxPPC Inc Becomes Non-Profit
LWN has an interview with Jason Haas where he talks about LinuxPPC and going non-profit. He raises some good points and says some interesting things. Good luck to ya Jason! Someday I shall acquire a titanium powerbook, I shall bask in the glory of your toil. I hope LinuxPPC stays around for a long time. -
French Hackers Break SDMI
jonathan_ingram writes: "Two French hackers have reportedly broken SDMI. Various other groups participating in the SDMI challenge have claimed to have accomplished this already. However, this group has decided to publish their results, available at their site. The site includes a detailed technical report, together with the history and background of SDMI, and the SDMI challenge." Ah, what a seemingly good idea SDMI was for the media companies - now I fully expect to see a story "Newborn infant cracks SDMI, burps up on RIAA". -
LWN Interviews Larry Wall
dlc writes: "Linux Weekly News interviews Larry Wall. 'Until now, the process of the design of Perl has been evolutionary. It's been done by prototype and modification over time. I talked about becoming stupid, but I've always been stupid. Fortunately I've been just smart enough to realize that I'm stupid.'" -
Interviews at Linux Conference Australia
Netsnipe writes "In a few days time, DebianPlanet will be covering Linux Conference Australia (LCA) being hosted at the University of New South Wales by Linux Australia from January 17-20 in Sydney. The timing of this year's LCA has been coincidentally close to the release of the 2.4 Linux kernel two weeks ago and it is the first major gathering of important Linux developers of the year. In the spirit of the Debian project, we at DebianPlanet want to make our interviewing process as open as the Debian distribution is with their own reporting and processes. To further this aim we are inviting everyone to submit their own questions to our interviewees and share a major opportunity to learn where the Linux community is heading towards. Our question submission system is now open to all at our website. " -
Buffer Overflow In All Shockwave Players
drinkypoo writes: "As per this article at lwn.net there is a buffer overflow which affects "All SWF plugins on all platforms" because bounds checking is not being done on the SWF data. You can use this problem to "execute arbitrary code stored in the SWF file"." -
A Year of Linux
rar7 writes "See the whole year of Linux -- in all its many dimensions -- on one interesting and informative page!" There's a ton of stuff on this page. Amazing how much happened in the last 12 months. Anything critical missing? -
ESR: Microsoft Could Collapse In 6 Months (updated)
mjh writes: "ESR gave an interview in which he says, 'I now think that Microsoft monopoly is going to collapse for other reasons in the near future.' He basically says that the drop in PC prices will cut into the margins that PC sellers can afford, and that they'll drop the M$ tax, and replace their bundled OS with something cheaper, like Linux. This was a very interesting interview." It's a good read, and ESR seems to be mellower in it than in some other venues (and to me, that makes him more persuasive than usual as well). However, the idea of Microsoft collapsing because of lost OEM-license dollars seems pretty stretchy -- they make money in a lot of other ways, and have a nice war chest to draw from if licensing losses should become anything like a crisis. Updated by timothy, 13 Dec, 5:52GMT: It's Microsoft's monopoly which ESR said could collapse, not the company per se. Apologies for the poor phrasing. -
GCC's Response To Red Hat
The GCC Steering Committee has issued a statement on the use of snapshots in distributions. This statement is clearly in response to Red Hat's use of gcc-2.96 in its Red Hat 7 release. They didn't like it very much, and there are compatibility problems. Worth a read. Credit for this news goes to Linux Weekly News. -
An Interesting Boot Log On Alpha
Here is an interesting Boot log on an Alpha. What is so interesting about this boot log? Nothing special, just that this Alpha's got 31 Processors, 256GB RAM -- looks VERY impressive. I wouldn't mind having one of those beasts at work *drooling all over*. Oh, and it compiles the kernel very fast :) -
Default Behavior: Piranha vs. Microsoft SQL Server
Do you remember the Piranha debacle back in April? Welcome to Part II. Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's Piranha module. Unlike Piranha, SQL Server is very common software for large e-business websites. Unlike Piranha, the vulnerable software has been shipping for months. Unlike Red Hat, Microsoft refuses to take responsibility for their mistake, which, unlike Red Hat's, has resulted in actual documented break-ins, some at high-profile websites. So why haven't you read about it? Because unlike Red Hat, Microsoft is getting a pass by the media.
Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.
The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.
The media flipped, in a word, out.
Piranha: A Case Study
On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.
"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.
ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:
"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."
Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.
In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.
Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.
ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.
The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.
But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh, who had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."
If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.
(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")
Microsoft SQL Server 7.0
You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?
Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).
As the cracker Herbless describes it:
"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."
A default password vulnerability? Sounds familiar, doesn't it?
Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.
Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.
As he described it to me, unlike Piranha's vulnerability, which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater than those of even the 'Administrator' user."
In other words, you have been 0wn3d.
You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."
Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as did some of Microsoft's other disclaimers, which only make sense once you realize you're reading non sequiturs about the newer version, SQL Server 2000 (the vulnerability only affects SQL Server 7.0).
All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:
"Hacked websites 'didn't read the manual'
"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."
Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.
All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.
Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.
Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-exploit program. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.
The proper fix would be to force the password to be changed before the software can be used, as Piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.
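To make the "proper fix" concrete, here is an added illustration of an install-time gate that refuses to bring a service up until its shipped default credential has been replaced, and that switches on the audit log the article says SQL Server 7.0 shipped with turned off. This is example code written for this page, not Red Hat's Piranha code and not anything from Microsoft SQL Server. The blank "sa" password and Piranha's "Q" come from the article; the "piranha" account name, the ServiceConfig class, the twelve-character minimum and the product keys are assumptions.

```python
"""First-run credential gate (illustrative; assumptions labelled inline).

A service that ships with a known default password should not accept
connections until that default has been replaced with something an
installer actually chose. The checks below encode that policy."""
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Defaults named in the article: blank 'sa' for SQL Server 7.0, "Q" for
# Piranha. The "piranha" account name is an assumption for illustration.
SHIPPED_DEFAULTS = {
    "sqlserver7": {"account": "sa", "password": ""},
    "piranha": {"account": "piranha", "password": "Q"},
}

MIN_LENGTH = 12  # assumed policy threshold, not from the article


@dataclass
class ServiceConfig:
    """Assumed on-disk state of one installed service."""
    product: str
    password: Optional[str] = None   # None: installer never set one
    must_change: bool = True         # shipped default still in force
    logging_enabled: bool = False    # article: SQL Server 7.0 shipped with logging off


def password_is_default(product: str, candidate: str) -> bool:
    """Constant-time comparison against the shipped default, so the
    check itself does not leak how close a guess came."""
    default = SHIPPED_DEFAULTS[product]["password"]
    return hmac.compare_digest(candidate.encode(), default.encode())


def validate_new_password(product: str, candidate: Optional[str]) -> List[str]:
    """Return every reason the candidate is unacceptable; empty list means OK."""
    problems: List[str] = []
    account = SHIPPED_DEFAULTS[product]["account"]
    if not candidate:
        # Blank covers both "never set" and the SQL Server 7.0 default.
        problems.append("password is blank")
        return problems
    if password_is_default(product, candidate):
        problems.append("password matches the shipped default")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    if candidate.lower() == account.lower():
        problems.append("password equals the account name")
    return problems


def first_run(cfg: ServiceConfig, supplied: Optional[str]) -> Tuple[bool, List[str]]:
    """Install-time gate: the service may start only once a valid, non-default
    password has been stored. Also enables logging so a later compromise
    leaves tracks."""
    problems = validate_new_password(cfg.product, supplied)
    if problems:
        return False, problems
    cfg.password = supplied
    cfg.must_change = False
    cfg.logging_enabled = True
    return True, []


def can_accept_connections(cfg: ServiceConfig) -> bool:
    """Runtime guard: refuse to listen while the default is still in force
    or the audit log is off. Works for both a fresh install and an existing
    instance being audited after the fact."""
    if cfg.must_change or cfg.password is None:
        return False
    if password_is_default(cfg.product, cfg.password):
        return False
    return cfg.logging_enabled


if __name__ == "__main__":
    svc = ServiceConfig("sqlserver7")
    print("fresh install may listen:", can_accept_connections(svc))
    print("blank sa accepted:", first_run(svc, ""))
    print("real password accepted:", first_run(svc, "correct-horse-battery-2000"))
    print("may listen now:", can_accept_connections(svc))
```

The two-layer design matters: the install-time check alone would not help the "hundreds" of sites already deployed, so the runtime guard re-evaluates the stored credential every time the service starts.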
The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)
The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.
So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.
-
Linux on a Wrist Watch?
OnlyNou writes "IBM Develops Prototype of Wrist Watch Running Linux only a prototype, but it shows big blue has a lot of time on its hands." The article is pretty vaporous: it's just a press release saying that they've done it. No pictures or linkage, so if anyone finds something informative, please post it. Update by HUNQ: Here is the picture of the watch, and it's DAMN CUTE! (credit goes to Linux Weekly News)
-
Miguel Says Unix Sucks!
alessio writes: "On the front page of Linux Weekly News there is a report from the Ottawa Linux Symposium where the adorable Miguel de Icaza supposedly states that Unix has been built wrong from the ground up." It's actually a pretty cool interview, and as always, Miguel makes his point without any candy coating! The major point is the lack of reusable code between major applications (a major problem that both KDE and GNOME have been striving to fix for some time now).
-
JavaOne report
Over at LWN, there is a report from JavaOne written by Nelson Minar - things look really promising with Linux and Java. Definitely worth a read for both Linux users and *BSD users.