Domain: neohapsis.com
Stories and comments across the archive that link to neohapsis.com.
Comments · 160
-
Re:wtf? This wasn't automatic?
It's only in recent years that it has started becoming common for standards documents to be available free. Still, even now most ANSI and ISO standards, for instance, still cost money.
Indeed, and this makes it harder to write man pages to be distributed with a free OS. Note that only the Linux project has a license, not everyone else's. Like Theo de Raadt of OpenBSD says: POSIX license
> Having POSIX in man page form might be a good thing.
Let us stay realistic. They did not make their documentation free. They gave someone a free license. That is not the same.
-
Re:Apache is damned good.
-
Re:Question to Poster: Has it really changed?
And my favourite, dropping advertising icons onto the desktop. Despite opting out of everything.
I used to work for a media company in the UK. I didn't have much choice over not installing real, but I was careful to opt out of everything, remove the startup options (hidden in the registry), and lo, the player puts the registry entries back in.
2 months later there's an icon on the desktop, advertising Tiscali, a crappy UK ISP. And it then started appearing all over the place, on machines that had real installed. It never appeared anywhere else.
Then there's the hiding of real processes, by calling them "evntsvc", so you don't know it's a real player ad dropper.
I ended up documenting it on bugtraq and getting lots of replies saying other UK users had the same "problem"
-
More information
You can get more information on the (German) site heise:
http://www.heise.de/newsticker/data/pab-27.11.03-000/
The full advisory from Werner Koch can be found here:
http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/2998.html
It seems that about 800 people are using the compromised keys.
To check if your key is in danger you have to check the type of the key. All type 20 keys can be compromised. Here is a small shell script to check your key:
gpg --list-keys --with-colons | awk -F: '($4 == "20") {print $0;}'
If your key is in danger you should create a new one and revoke the old one immediately.
-
Re:Common sense snippets
Hi
Being labelled arrogant is maybe the worst thing someone can say to me. You hit a loaded point here. Whatever. But I maintain my point : Linux is more secure than Windows.
For viruses : go there
For vulnerabilities : go there, or there.
Again, crude attack figures do not mean anything. And vulnerabilities, in my opinion, do not mean much, for they cater to local overcomes. Maybe a more interesting comparison would be to know how much money the OSS and proprietary software worlds lost following viruses and vulnerabilities.
Regards,
Jdif
-
Re:Guest account
Neither of the above makes any difference. Any sane *nix installation doesn't allow root logins over the network, and as many have pointed out, all you really need to know is that you're after UID 0.
Somewhat less widely known is that the exact same is true on the Windows platform. The builtin Administrator account (which can't be disabled, is exempt from password lockout, and almost always CAN be used over the network) always has a RID of 500. The SID for the computer can be determined easily enough, so any anonymous user can find out exactly what you renamed your administrator account to.
See NT Bugtraq or JSI for more details.
-
Re:Now that's a Linux server!
It was UNC. Check the bottom of this page:
http://archives.neohapsis.com/archives/novell/2001-q2/0001.html
-
Re:Hope they change a few things first...
This article on the recent vulnerability refers to "make replace" as "experimental". Have you successfully used it in situations like this?
(I've never seen it mentioned anywhere before -- if it can actually replace stuff in-line like it sounds like, that would be heaven.)
--saint
-
liar. (other Full-Disclosure archive links)
Can't see anything at the full disclosure mailing list pointing to anything serious. Only a priv mail from theo stating the bug doesn't look exploitable for now.
Do you trust anybody posting something they've heard? The guy that started the "new ssh exploit?" thread stated first he knew of an ISP *blocking* sshd traffic (this is far from an exploit). And afterwards he says "The systems in question are FreeBSD, RedHat, Gentoo, and Debian all running the latest versions of OpenSSH.". Note he is losing it, the exploit FUD without base... and all ppl there start to talk about the bug as a fix against an exploit, though *nobody*, not even Theo's nemesis Darren Reed, mentions there is an exploit on the loose.
So FU** YOU. You scare ppl, you hide that and to do so spread more fud by making wrong paraphrasing of the mailing list, hiding behind the slashdotted main archive.
-
Mirror for mailing lists
... can be found here http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/
-
Re:Some info about the vulnerability
No, apple didn't use wu-ftpd, give them some credit, they used lukemftpd. Originally from netbsd I believe.
The realpath() function from BSD calculates the length of a resolved directory path. The problem is an off by one error. It actually affects more than just an ftp daemon since it's a library function, just like the gzip vulnerability a while ago. See the SANS report for more info.
3 days from disclosure to security update is pretty good though.
-
Re:Just wondering..
I haven't seen a Windows kernel advisory, either.
Here is one.
Alan Cox won't reveal anything about kernel security out of fear of the DMCA.
He can use an anonymous remailer if he wants to publish verifiable information about security vulnerabilities. But Alan is neither the Linux Security Czar, nor does he maintain 2.4.x.
However, it's true that publishing detailed vendor security advisories results in significant legal risks for the vendor. For software, it appears to be easy to exclude any warranties, but not for documents describing its behavior. But guess what? Microsoft is now willing to take such risks to protect customers. Why shouldn't Red Hat do the same?
Most of the published insecurities with either system are in the libraries or applications, not the kernel.
This certainly doesn't exempt developers from handling security issues if they arise anyway. There are still enough security issues in the kernel, and the maintainers should have gained some experience in dealing with it.
But the kernel is just symptomatic for the whole system. Many subprojects aren't much better. Some do not bother to issue any advisories at all, some prefer very cryptic ones (BIND, Apache, OpenSSH). Sometimes, there are shining exceptions, such as the recent Postfix advisory (however regrettable its necessity might be). Everything's there, especially how to tell if you are vulnerable, and how to apply countermeasures without changing the software itself. Compare it with the advisory from Red Hat.
-
Re:Honest Portability Question
I don't see anything in the GPL that would prevent including ReiserFS with a BSD kernel.
OpenBSD has issues with including GPL'ed code. Theo de Raadt gave a very short initial answer.
OpenBSD are very keen on keeping their code untainted.
-
Re:The next widespread compression
The replacement for pkzip should be gzip.
OpenBSD is working on removing GNU software from their OS. By porting BSD userland to Linux, perhaps we can talk about BSD/Linux
;-)
-
Re:Same as this exploit?
I think you meant http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0008.html (ie without the extraneous space) but yeah, given that they're 100% identical to each other, including the name of the author, i'm guessing that they just _might_ be the same exploit.
-
New XBOX vulnerability
This vulnerability was posted a couple hours ago on VulnWatch. Here's the summary:
Advisory: XBOX Dashboard local vulnerability
Release Date: 2003/07/04
Last Modified: 2003/07/04
Author: Stefan Esser [se@nopiracy.de]
Application: Microsoft XBOX Dashboard (up to today)
Severity: A vulnerability within the XBOX Dashboard allows to totally compromise the security features of the XBOX.
Risk: Critical
Vendor Status: Vendor is not willing to talk about XBOX vulnerabilities.
-
Re:Not again..
I guess it's my turn to be the guy who points out the obvious by saying: checksums are completely useless against these attacks.
Well, not completely useless, although certainly much weaker than a signature. While having a checksum only on mozilla.org would be useless against this type of attack, checksums tend to get mirrored in various places--an attacker would potentially have to modify the checksum on tens/hundreds/thousands of machines. For example, that's how the OpenSSH trojan was noticed (within a few hours of the files being tampered with); the FreeBSD ports system keeps a checksum of the distribution file for this exact reason, as does NetBSD's pkgsrc.
But yes, a real digital signature would be so much better...
-
A shame the ideas were stolen (NOT a troll)
W^X and stack gap randomisation in OpenBSD were inspired by PaX, and yet Theo refuses to give credit where it is due. Even if we assume the pitiful excuse that drunkenness during HAL2001 caused OpenBSD developers to forget the PaX presentation (seriously! try that one on a lawyer), we're still left with the PaX presentation in 2002 which was attended by several OpenBSD developers.
Disclaimer: I'm not associated with either the PaX or OpenBSD team in any way, and speak for neither organisation.
-
Re:I think I've seen something like this...
Sorry, express search link here:
http://archives.neohapsis.com/archives/bugtraq/1999-q4/0317.html
And I meant to mention that the first incident was at the beginning of March this year, and the second at the beginning of April.
-
ACLU
Theo de Raadt wrote:
I have also forwarded [the DARPA statement] to the ACLU people who've contacted me.
Nice to know the ACLU is there to defend de Raadt's Constitutional right to taxpayer money.
-
Amazing
This isn't meant as flamebait, I'm simply overawed at the way that Theo is behaving and managing to make a sizeable mountain out of a molehill.
Between crying the sky is falling because DARPA is cutting back and didn't want to pay for a little junket and refusing to give credit for work the team built on top of, Theo de Raadt is starting to look more like an immature, whining little brat every day.
I'd be unsurprised if DARPA did go ahead and actually cancel all funding after the tinfoil hat and black helicopter comments that have been made by the OpenBSD community.
-
Linux support...
Before anyone else says it, there are Linux drivers available, although they are in their early stages.
The wlan-ng project has early stage support for the wusb12 card.
More details available @ the Linux-USB device site.
Luckily they don't use the hideous Broadcom chipset, which still does not have Linux support, even though it's sold in Dell, Linksys, Belkin and Apple (new Powerbooks, anyone?) wireless products, to name but a few. *grr*
-
Re:A VM is only as secure as the OS it's running
What you are asking for cannot be done. Worse, it is a dangerous route to go down, because it gives an illusion of safety.
From a VM level you cannot know what a program is up to unless that program obeys certain rules. When dealing with x86 architecture (specifically), those rules are not sufficiently verbose to allow for the sort of checking you are after.
While a VM could intercept all stack access and prevent modification to the return address (preventing stack smashing attacks), it cannot tell if a malicious attack has caused values within a valid range in the stack or heap to be altered in a way that is not supposed to happen. Thus a VM approach would suffer all of the deficiencies of StackGuard.
So while you may be able to protect against a classic buffer overflow attack (overwrite the return address on the stack and jump to your own code), there is no guarantee against arbitrary modification of the behaviour of the software by adjusting variables.
The dangerous part is that you are trying to partition security and look at one aspect of it in isolation. This is shortsighted.
Using permissions, a binary running in a user account is less of a threat to overall system security than a binary running as root -- irrespective of whether there are exploitable vulnerabilities in that binary or not.
Tools like the ptrace-derived sandbox further improve this situation -- an arbitrary binary could be denied access to the file and IO functions in the kernel, preventing a malicious intruder from reading or modifying the hard drive. Or those open functions could be filtered by directory. Network access could be restricted, denying the opportunity of using the vulnerability as a springboard to probe behind a firewall.
There is an interesting Usenix paper relating to these issues. There is a list of sandbox possibilities plus another one here, and you should also check out Medusa. This article also points to several resources on ACLs.
-
Re:A really poor track record - to nobody's surpri
I'm pretty sure this is a troll due to the lack of support to the claims, but I'll respond anyway because the points are still valid:
Unix is a complete joke as far as security.
I don't know what you mean by "Unix", but I'm assuming it includes all POSIX-compatible operating systems (including GNU/Linux, *BSD, etc). In that case, maybe you should look at OpenBSD. It's about as Unix as they come, being BSD-derived and all. Yet it is also one of the most secure general-purpose operating systems out there. In the past 7+ years, OpenBSD has had one remote root hole in the default install (the OpenSSH off-by-one hole, I believe) and a handful of privilege escalation holes and the like. Compare this to Solaris or Red Hat Linux, and you'll see that not all Unixes are the same.
a.) It's ancient so most of the flaws are finally worked out.
I agree here, but I think that the point deserves more elaboration. Many of the flaws in Windows and Windows-related products like IIS stem from fundamental design problems, the kind that only massive time and energy spent reworking can fix. For example, the fact that any NetBIOS-enabled Windows machine will send you its password hashes upon request (by getting the machine to retrieve a remote file:// url) has been acknowledged by Microsoft as a pretty much unfixable design flaw. Similarly, the IIS URL parsing mechanism is overly complex, leading to holes like the Unicode ../../ problems. With Unix, most of the fundamental design issues have been worked out or worked around. True, there are still a few fundamental problems; the inflexible permissions system and the fact that many things run as root just to get one specific privilege (ping, daemons, etc) come to mind. But most of the flaws in Unix programs come from buffer overflows, format string vulnerabilities, unchecked perl open() calls, and the like: little, isolated errors that are easy to make and almost as easy to fix.
b.) Nobody _gives a shit_ about Unix so there aren't a lot of hackers out there targetting it.
This point blatantly contradicts the others. If Unix is so unimportant, why (according to point a) have there been so many flaws found and fixed? Besides that, have you looked at how many companies are into Linux these days? I think that Red Hat, IBM, and HP (just to name a few) would disagree with your statement that "Nobody _gives a shit_ about Unix". With the release of Mac OS X, Unix is now also a popular desktop OS with a significant market share. As for "hackers" (I'll assume you meant crackers) targeting Unix, take a look at any security-related mailing list and you'll see that many Unix-related flaws are researched and found, and often exploited. Crackers and script kiddies do care about Unix (it accounts for over half of all webservers*, for example), and this is why so much effort has gone into and will continue to go into securing Unix.
*Netcraft says that 64.19% of sites run Apache, but does not mention the OS distribution. Since most Apache installs are on Unix systems, and since there are also some non-Apache Unix webservers, I figured that saying 50% was more than reasonable.
-
Re:Prevention BEFORE patching!
corvi42 wrote:
I'm not sure about the details of the current case
Then that's easy to fix: (all links to the neohapsis archive, since it's just nicer to look at than securityfocus)
- The original advisory about the IE bug (note that it includes sample code to execute "winmine") [Nov. 6]
- The post pointing to zdnet forums. Note that it is on the ZDNet forums that this format code first appeared - I find it most odd that Wired chose not to mention that. [Nov. 11]
- The post that got everyone's panties bunched up. Someone took the code that was on that ZDNet forums thread and posted it to Bugtraq. [Nov. 14]
One especially noteworthy point: Microsoft was informed of the bug on October 4th.
So:
- The original discoverer (that we know of), Sandblad, acted responsibly.
- Bugtraq was being perfectly responsible in posting Sandblad's advisory
- The format exploit code was free for the taking on public forums
- Bugtraq published the format exploit, creating a PR issue for Microsoft, after said code had been public for three days
My opinion? A wired writer needed a story.
-
Re:Funny? He's serious (I think)!
"While ogle can ignore the mandatory advertisements (the no-fast-forward sections), the region code is often enforced in the hardware not the software, so using ogle doesn't help circumvent that. (You can change region codes, but the limit of 5 (I think) switches before you are locked out is not under ogle's control.)"
No. Even if you are playing a DVD that has a different region than your hardware, libdvdcss will do a cryptographic analysis which is usually successful and will still be able to play the DVD.
-
30 wireless security tools
-
Re:Project homepage at sourceforge
Did anyone read the info page?
BRiX, unlike other modern operating systems, does not use hardware to isolate and protect applications from each other. Instead, it uses a single address space and relies on a safe-language to generate code that will not access memory for which it does not own. This language also handles many checks at compile-time that would be performed at run-time in other operating systems.
While I congratulate Mr. Huntsman on his attempted elevation of computer security now that Dijkstra is long gone, I must take the above claims with extreme skepticism. Such double-talk as "untrusted user code" reminds one of none other than Microsoft Palladium Trusted Computing Platform Alliance. The truth is, designating certain combinations of codes trusted will only provide to dilute computer security further moving us back to the stone age. Trusting kernel code to be flawless and lacking buffer overflows so common on all stack-based architectures will only open the Internet up to larger magnitudes of terrorism. GOBBLES, anyone?
... bounds checks can be disabled for stable critical system components. Only untrusted user code is slowed down by the bounds checks.
-
Re:full disclosure is all about timing
My apologies for not citing my source, Slashdot apparently slashed my citation. Is that why they call Linux a Unix work-a-like?
The previous letter, post #3996524, was written by Florin Andrei on Bugtraq at Wed Jul 31 2002 - 16:26:30 CDT. For more quality Bugtraq'ing material, search the SecurityFocus Bugtraq Archives. Hope this helps.
-
Re:All I care to know is
Pieces? "Aye, now there's the rub"
Looking at the server page, it's hardly ready to go. Note the open server page mentions nothing about streaming Windows media, QuickTime, MPEG2 or 4, simply Real. All it seems to support is RTSP/RTP/RTCP/SDP. No MMS support? Well that's kind of useless then, as is the lack of HTTP streaming support.
Believe me I'd love to have a central streaming system, my business is all based on streaming, but forgive me for not expecting much from a company that releases what has to be the worst media player, which drops advertising icons on your desktop and hides its advertising engine by calling it evntsvc.exe, and which drops the start-up code back into the registry each time you remove it.
-
Re:DOS-box backspace of death
The program may be boxed, but the box has an exploit... In Unix terms: Apparently, it's about the csrss.exe process which I gather is the DOS box. The backspace characters reset the 'cursor' to before the beginning of the text buffer, and the subsequent space causes a segv, crashing csrss. Unfortunately, csrss is considered a system vital process, so NT has a kernel panic over this.
The bug is even easier to cause by having a sequence of tabs before the backspaces. Each tab counts as one character in the buffer, but when removing them the pointer goes back 8 positions... You should be able to cause this bug by simply using 'type' on a text file with a bunch of tabs, followed by the same amounts of backspaces, followed by a space. You have to have enough tabs to backspace past all previous output in the dos window (that's what your second program does, except it doesn't use the tab shortcut and so has to loop many times more. Change that string to "\t\b ").
This bug was first reported a couple of years ago. It affects every version of NT ever. Since NT4 won't get any more service packs it's permanently flawed. The bug pops up in many unexpected places. For instance you can make IIS crash the server by doing something like this.
Hmm... This machine is w2k. I'll post, then make a little experiment... I'll report back.
-
Only a couple of others
I'm only aware of a couple of other worms from last year:
From a few years ago:
You'd be better off not looking at an Anti-Virus company's description of any of these worms. Because of the AV community's deep-seated belief that if they give away even the tiniest shred of information about how a virus works, they end up writing the least informative descriptions possible.
-
Re:Your BS for the day...
I initially laughed too, but then I remembered something.
Keyloggers are not new, and are mentioned here. Besides simply logging cleartext traffic (telnet), encrypted traffic can be logged on the host side before it is sent back over the wire (ssh) using a replacement shell (forwarding traffic to syslogd), ttywatchers or the *trace tools.
I believe this is the technique used to log outgoing ssh traffic from a compromised machine, particularly but not limited to the case of common rootkits which drop replacement sshd[s].
The zdnet text is sensationalist, but that doesn't mean it isn't technically possible.
Gmanske.
-
Re:How about from a frame?
I tried this and in IE6 I got 'Access is denied' if the other frame had a page from any other site loaded. I was also denied access when I tried popping up a zero sized remote control window that paused long enough to for me to browse elsewhere and then took me back. I used objAttachWindow = window.parent.window.opener; to connect to the parent window and then objAttachWindow.history.go(-1); to take the parent window back a page in history.
There may be ways to get around the security. Also, there are known cross-frame vulnerabilities.
-
Re:Autoplay
There are two mistakes in your comment.
- Go to your software update panel and get current -- 9.2.2 and 10.1.3 for os 9/X, respectively
- Get Stuffit Expander/Deluxe 6.5 from Aladdin [aladdinsys.com]
- Under your Quicktime control panel (OS 9) or prefpane (OS X), turn Autostart off
- Get yourself a copy of Norton Antivirus for Classic or X. It's wonderful about letting you know if something is virused or if a disk image has a payload when it's being expanded.
- "QuickTime setting" control panel >>> "Autostart CD-ROMs" >>> turn off. (you mentioned too. :-) )
- Stuffit Expander >>> preferences >>> Disk images >>> "Mount Disk Images" >>> turn off.
- Change the initial volume name (ex. Macintosh HD) to other. (for Macintosh IE file execution vulnerability)
- Change the initial "Download Folder" (ex. Desktop Folder) of browsers to other. (for Macintosh IE file execution vulnerability)
vm_converter
(if you're concerned, read the more detailed English document)
-
Bad for reputation
I believe it is impossible to write a completely safe OS or other application: there will always be some way to break into a system. People can only make it harder to do so. Security is only a feeling...
My real question is whether it will not terribly hurt Microsoft's reputation when, after declaring their software "safe", somebody manages to break in. Look at Oracle, they declared their 9i suite "unbreakable" but in the meanwhile they have had their share of vulnerability discoveries (like here).
-
Re:not as easy as you might think
Whatever. Excel used to have a flight simulator embedded in it, for crying out loud! IIS had a back door password of "Netscape Engineers are Weenies" spelled backwards.
They've their excuse.
But it's very startling to hear "The cipher is symmetric..." Hey! Can't they do a better cipher?! :)
-
The differences are minor...
Hi,
The reality is that the differences are really minor, and, now that RSA is legal, openssh can be setup to act almost exactly the same as closedssh.
The only significant difference between them for most people is the price.
There used to be a fair bit of difference, but at least for unix, this is no longer true. Since 2.5 openssh has supported sftp. Since 3.0 it supports rekeying a session. With external PAM modules you can support smart cards and securid logins.
The one advantage that ssh has over openssh is that this is all integrated into one package. The smartcard support is built in, you don't have to go looking for support.
If you are not planning on using smartcards or tokens, then openssh wins based on price alone. You can get it pre-compiled for most platforms, so the compilation is not so much the issue. Otherwise you have to weigh the choices a little more carefully. Check to see if your required token/card is supported by both. If not, then it is likely to be easier to add support into openssh, having the source and all.
In terms of windows clients...that is one big differentiator. Again, mostly money! We use tera-term and that works quite well, but does not do ssh V2 protocols.
In either case, you are buying a big whack of security, but don't forget, passwords can be extremely weak! Don't let up on the other security policies just because you now have SSH. (And yes, I know that the poster is not responsible for this, this is just a general admonition :-)
Whatever you get, I wish you the best of luck.
Now for the gratuitous links:
:-)
-
Nimda is a tough worm to keep out of a network!
Nimda is a complicated beast.
Unlike 'Code Red', Nimda does not spread by pushing the worm binary in the HTTP request. The worm uses HTTP to find a vulnerable IIS server, then causes the IIS server to make a TFTP request out to the attacking host to retrieve the ~64K binary.
Most normal 'secure firewall' products aren't tuned to block outbound requests from the protected servers to internet hosts. Mine are, but that only gave me about 72 hours of lead time before it came in another way...
Even when firewalls block the IIS scanning, Nimda spreads by email, file shares, and by putting a copy of 'README.EXE' in the root of the IIS server and adding Javascript to all web pages on the server, pushing the worm at users of the infected web site server.
My firewalls block _all_ UDP packets, but my network still got hit hard, and probably incurred more like $60K in 'paper losses' -- lost productivity, bandwidth, overtime, etc.
We haven't found 'patient zero', but we have two good suspects, in both cases a user with a laptop that did not have updated anti-virus software and that got infected from one of these routes:
- User took the laptop home and connected to an infected network/file shares.
- User accessed 'hotmail' or a similar site and downloaded an attachment.
- User visited an infected web site (probably at home) and ran README.EXE when prompted.
The common thread here is user error.
The best firewall is no protection against malicious, or just plain ignorant, users. Blame also falls on local admins for failing to push virus signature updates and keep up with system patches.
I've only ever seen around a dozen inside hosts from which the worm was actively scanning HTTP, but the worm traffic from those dozen machines alone was enough to severely degrade WAN and firewall performance.
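Detecting the retrieval step the post describes, as an added example that is not part of the original comment: a small Python scan over constructed firewall log lines that flags hosts in the web-server segment initiating TFTP (UDP/69) toward outside addresses, which is the connect-back a freshly hit IIS box makes. The log format, the addresses and the 192.0.2.0/24 segment are assumptions.

```python
# Added example (not from the original post): flag the outbound TFTP
# fetch the comment describes. After the HTTP probe, the compromised
# IIS host connects back to the attacking host over TFTP (UDP/69) to
# pull the worm binary, so a web server *initiating* UDP/69 to the
# Internet is a high-signal indicator. Format and lines are constructed.
import ipaddress
from collections import defaultdict

# Constructed firewall log: time action proto src:sport -> dst:dport
SAMPLE_LOG = """\
2001-09-18T10:01:02 accept tcp 203.0.113.7:3911 -> 192.0.2.10:80
2001-09-18T10:01:03 accept udp 192.0.2.10:1034 -> 203.0.113.7:69
2001-09-18T10:01:09 accept udp 192.0.2.10:1035 -> 203.0.113.7:69
2001-09-18T10:02:15 accept udp 192.0.2.10:1036 -> 192.0.2.53:53
2001-09-18T10:03:40 drop udp 192.0.2.11:1777 -> 198.51.100.9:69
2001-09-18T10:04:01 accept tcp 192.0.2.12:4000 -> 198.51.100.9:80
"""

INTERNAL = ipaddress.ip_network("192.0.2.0/24")  # assumed DMZ web segment


def parse(line):
    """Split one constructed log line into its fields."""
    ts, action, proto, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, action, proto, sip, int(sport), dip, int(dport)


def outbound_tftp(log_text, internal=INTERNAL):
    """Return {internal_host: {external_host: count}} for UDP/69 packets
    an internal host sent toward an outside address. Dropped packets
    count too: a blocked attempt still means the host tried to fetch
    the payload and should be looked at."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, _, proto, sip, _, dip, dport = parse(line)
        if proto != "udp" or dport != 69:
            continue
        src_in = ipaddress.ip_address(sip) in internal
        dst_in = ipaddress.ip_address(dip) in internal
        if src_in and not dst_in:
            hits[sip][dip] += 1
    return {h: dict(t) for h, t in hits.items()}


if __name__ == "__main__":
    for host, targets in outbound_tftp(SAMPLE_LOG).items():
        print(f"{host}: outbound TFTP to {targets}")  # probable victim
```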
-
Re:Dumb question
-
Windows NT servers
I submitted this as an article this morning, but as it is still pending, and both my home and work servers are still under constant annoyance, I figured I'd pass it on here as well. If you are running a Windows NT server, kindly do us all a favor and just turn it off for a few months.
According to yesterday's Handler's Diary on www.incidents.org, "Microsoft has confirmed that if an IIS 4.0 webserver is using URL redirection, it is still vulnerable to Code Red even if the Microsoft patch is installed". The only known solution is to remove all URL redirections from NT servers running IIS 4.0.
-Tommy
-
Clarification? No free version?
> Well the license was not redefined but "clarified" in its meaning, the license never changed, there are no free versions.
So Darren has said recently. But, in all fairness, that just doesn't fit the evidence. See for instance this post from a year ago, where Darren refers to his work as "public domain." Contrast that with his more recent statement in Computerworld that he has "never considered IPFilter to be open-source."
The license hasn't changed, no, but Darren's publicly stated interpretation of the license sure as hell has.
Having followed this story closely, the best I can tell what happened is this. Darren initially intended his license to be BSD compatible, wrote it to be BSD compatible, and everyone using and contributing thought it was indeed BSD compatible. Darren didn't correct them because so far as he was concerned they were correct. Recently he got upset at the possibility or actuality (not sure which) of people distributing modified versions of his own betas, and added the "clarification" to a beta, intending only to prohibit modified versions of that particular version, not of regular releases. At this point Theo and others realised that the original license was indeed less than perfectly clear, and fearing that he would try to extend the prohibition further, and concerned that the license wasn't clear enough about modifications, they began to ask him to change the license. Apparently Theo managed to really rub him the wrong way in the process, and he got angry, and decided based on the vagueness in the licensing terms he could get away with closing it all retroactively, just to spite Theo. Begin the flamefests and the inevitable removal of ipfilter from OBSD.
"That old saw about the early bird just goes to show that the worm should have stayed in bed." -
Re:The new license *is* different
1. He did not in the past correct people who were under the impression that it was BSD-licensed. Now, copyright law doesn't require this - but common courtesy does. See e.g. this thread:
Or how about his message on the FreeBSD security list, where he describes it as public domain
> ipfilter is generally considered to be the "leading" public domain packet filtering package and I try to ensure it stays that way
:-) -
Re:XP not an issue
The nmap-hackers list featured a thread last year on building an nmap port for Windows. Reading the posts, it seems there are ways around the pre-Windows 2000 Microsoft TCP/IP stack to spoof packets. The Windows NT rootkit at www.rootkit.com (including the RogueX scanner) is mentioned as having the necessary code to generate spoofed packets.
Helevius