Domain: nwfusion.com
Stories and comments across the archive that link to nwfusion.com.
Stories · 76
-
IPv6 and Wireless Networks
bemis sent us an article that talks about IPv6 and Wireless, and how the two seem to fit together pretty well. (Especially since at the rate we're going your home stereo is gonna need its own class C) -
What To Do If Linux Sneaks Onto Your Network
BrentN writes: "Network World is running an article on how IT managers should deal with Linux "sneaking in" to their networks, or more precisely, being surreptitiously installed on workstations on their network. Opinions of the IT managers they interview range from 'Reformat the hard drive and fire the person who installed that renegade operating system' to 'Don't ask, don't tell.' The article's author (rightly) points out that this is probably an unstoppable phenomenon." -
Bind, Safer DNS, and IPv6
resistant writes: "This article at Network World Fusion (seen at Linux Today) says, "In addition to DNSSEC, BIND 9 features support for IPv6, the ability to run on multiprocessor systems and improved scalability for handling large domain name zones." The urgent need (by Nike anyway, heh-heh) to forestall easy domain hijacking could be the sleeper issue that finally ushers in universal implementation of IPv6." -
Distributed Computing Overview
Fruitiger writes: "Well, P2P / distributed computing is all the rage these days, so if you want a good breakdown of who's doing what when, check out this article at Network World Fusion. Focuses on Porivo Technologies and provides some glimpses of what's to come in the future. An interesting appetizer before Intel's P2P Working Group meeting later this week." -
Slashback: Toner, Zimmerman, Languages
A few words from HP on the Linux-based but Linux-unfriendly print server (read gently, and be thankful for small blessings); happy news from the "the NSA secretly controls PGP and its creator" front; more detail on the sordid, awful things that the MPAA used to say about VCRs, and an online Linux magazine for those who like to read in 5 languages at once. (phew!) Sheesh! All the guy ever promised was pretty good security! :) zenith744 writes: "Now available here is PGP v6.5.8, which apparently "...corrects a security-related bug with Additional Decryption Keys (ADKs) that may allow sophisticated attackers to add unauthorized ADK key IDs to the unhashed areas of PGP public keys...". This bug was previously brought to light about a week ago and reported on slashdot. A little more security, a little less stress. A happily balanced equation."
And an unnamed reader points to a story on Network Fusion about Zimmerman's response to the hubbub. Paraphrased: "It was a bug. We're embarrassed about it. Now it's fixed." In an imperfect world, you gotta admit that PGP is one of the bright spots.
It's always "wait a minute," isn't it? Tjisana M. Lewis, Product Manager, Emerging Products World-wide Business Management at Hewlett Packard (and who hopefully doesn't have many middle names to remember) wrote in response to the article on Slashdot recently about HP's new print server which runs Linux internally but does not support LPD client printing: "I've read some of the responses and (understandably) there is much speculation on WHY we did not support LPD client printing in the product's first release." She sent the following response, which strongly hints at better Linux support in the future for this product.
"The JetDirect 4000 Print Appliance can send print jobs to any LPD enabled destination whether such destination is a Linux box, JetDirect print server, or any other vendor's print server. Currently the JetDirect 4000 does not receive LPD print jobs, however in a few months, this [and other features] will be available in a free firmware upgrade.
As a vendor with a Linux based product, HP is extremely committed to supporting the Open Source community. We support developers in the Samba team including Jeremy Allison and Andrew Tridgell by contracting with both VA Linux and Linuxcare to develop features for the print appliance. These features are part of the Samba project and will be available to everyone under the GPL. An example is NT Printing functionality that will enable the use of native NT tools and features such as "point and print." Point and print enables automatic downloading of a print driver to a Windows client when the client adds a printer.
Furthermore, HP, in working with SAMBA, adds testing resources during the development process of the release thereby increasing the final quality of the release."
Care for some salt with your wound, Mr. Valenti? Master of Kode Fu writes: "The New York Times has an article quoting MPAA President Jack Valenti saying this: "[it] is to the American film producer and the American public as the Boston Strangler is to the woman alone." He wasn't talking about DeCSS, Napster, Scour, FreeNet or Gnutella -- he said it in 1982 and he was talking about VCRs. He didn't see that VCRs would eventually become as important an income stream for films as box-office sales. Will the MPAA (and similarly, the RIAA) learn from historical precedent, or is file sharing over the 'Net a completely different case with different circumstances?"
Isn't it funny how the fight to prevent consumer taping went away when the companies involved realized that what VCRs really represented was a whole new way to make money? Hmmm. Extend, project, extrapolate ... I smell money here, too. Don't they?
Contribute to the death of excuses! The excuses not to at least try Free software keep dwindling, and it's nicer than strangling dodo birds. Remember when "But there aren't any books!" was a valid complaint about Linux? How about "I can hire MCSEs and know they have at least some knowledge of the systems they purport to administrate -- but there aren't Linux equivalents!"? That one's gone too, for better or for worse. And now, if your boss (or spouse) grouses that there aren't any free, multilingual Linux journals online, not only do you know their excuse barrel is near empty, but you can point them to ... well, let Atif Ghaffar explain:
"LinuxFocus (LF) is a multilingual magazine about the operating system Linux.
LF is managed and produced by Linux volunteers, fans and developers. There is no subscription necessary to read LF, it is freely available on the web with mirrors all over the world.
LF is published almost every two months. The master website for LinuxFocus is at http://www.linuxfocus.org
Articles this month include pieces on Rebol, a presentation application for X Window, distro reviews, a book review and more. Get it while it's Free!
-
Default Behavior: Piranha vs. Microsoft SQL Server
Do you remember the Piranha debacle back in April? Welcome to Part II. Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's piranha module. Unlike Piranha, SQL Server is very common software for large e-business websites. Unlike Piranha, the vulnerable software has been shipping for months. Unlike Red Hat, Microsoft refuses to take responsibility for their mistake, which, unlike Red Hat's, has resulted in actual documented break-ins, some at high-profile websites. So why haven't you read about it? Because unlike Red Hat, Microsoft is getting a pass by the media.
Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.
The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.
The media flipped, in a word, out.
Piranha: A Case Study
On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.
"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.
ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:
"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."
Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.
In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.
Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.
ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.
The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.
But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh, who had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."
If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.
(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")
Microsoft SQL Server 7.0
You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?
Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).
As the cracker Herbless describes it:
"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."
A default password vulnerability? Sounds familiar, doesn't it?
Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.
Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.
As he described it to me, unlike Piranha's vulnerability which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater than those of even the 'Administrator' user."
In other words, you have been 0wn3d.
You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."
Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).
All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:
"Hacked websites 'didn't read the manual'
"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."
Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.
All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.
Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.
Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-exploit program. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.
The proper fix would be to force the password to be changed before the software can be used, as Piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.
The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)
The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.
So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.
-
IETF To Develop Anti-DoS ICMP
-
Will BXXP Replace HTTP?
Stilgar writes: "Seems like one of the Internet architects, Marshall Rose, is at it again. This time he invented a Blocks Extensible Exchange Protocol (BXXP) which seems a *much* nicer alternative to the aging HTTP (if the IETF will give it a chance). Check out the story at NetworkWorldFusion news." From the article: "One special feature of a BXXP connection is it can carry multiple simultaneous exchanges of data - called channels - between users. For example, users can chat and transfer files at the same time from one application that employs a network connection. BXXP uses XML to frame the information it carries, but the information can be in any form including images, data or text." -
SCO & Linux: If You Can't Beat 'Em
BugBBQ writes "The NetworkWorld Fusion News reports that SCO is going to jump on the bandwagon and produce its own Linux Distro. " The article also has some analysis of what the SCO folks could bring to the scene as well as what extras they have to add. -
Apache On NetWare
dlc writes, "Someone with too much free time and an insane streak has ported Apache to NetWare. It's still in the experimental stage, and only runs on NetWare 5.1, so don't ditch Linux yet, but still, it's pretty interesting. Only time will tell if the Apache team takes advantage of NetWare's strengths, such as NDS, in this port. The Apache site has an official page for the project. " -
Red Hat Takes Heat Over Certification
EdA wrote in to tell us about this piece, where Red Hat takes heat for its certification process. From the article - "I'm no more of a fan of Microsoft than the next person, but I can say that the support we get from Microsoft is superior, and less expensive," Daher said. "Microsoft always comes to our door, they bring demo units, keep us in touch with their engineers, and certification for our people costs only $2000 each, on-site. Red Hat wants $5,000 a person and we have to fly our people to Durham, [N.C.]." -
Red Hat Finishes Last
JTMatrix writes "RedHat takes last place [in an IDG Network Operating Systems showdown]." The information on how they benchmarked everything is readily available on the site. Go check it out. Update: 01/26 01:07 by H: Check out this link for more technical information. -
AM Frequency Hinders ADSL Capacity
hajmola writes "a recent study has shown that AM radio may be causing problems for ADSL. According to this story at Network World, interference from AM stations can slash high-speed bandwidth by 40% on approximately 15% of ADSL connections. While AM interferes with download speeds, it does not affect upload speeds. AM frequency only affects ADSL and its subsets (not SDSL), including rate adaptive DSL and G.lite. " -
Dynamically Mirroring Proxy
Akamai is introducing FreeFlow, a dynamic mirroring technology that mirrors pages to servers closer to the source of demand. Unlike similar proxies, like Janet's in the UK, the service does not improve access speed to all sites, only to those sites that pay a fee. Interestingly FreeFlow is Linux based. Link found on LWN. -
PC software so bad, BugNet refuses to post award
For the first time since 1994, BugNet will not be issuing an award this year. BugNet's awards go to those Windows-software companies that have debugged their software the best during the year. Apparently bug fix rates have declined with every new mass market version of Windows. The article also mentions that BugNet discovered a bug in FrontPage which allows users to delete their entire hard drives -- including Windows itself -- without a clear warning. Apparently they were told this was a feature, not a bug. In related news, NT 4.0 has failed FIPS 140-1 testing, meaning it cannot be sold to the US or Canadian governments. -
Oracle and the Commodity OS
An Anonymous reader wrote in to say "Network World reports that Oracle and partners are preparing a low cost entry level database server to compete directly with Microsoft's SQL Server. Linux is briefly mentioned as a potential 'hidden' OS for this appliance server. (site requires registration...) Sidebar - Nwfusion also includes a Linux v. NT thread at for all you zealots out there " -
Bob Young vs Ed Muth
David Gregory wrote in to send us a link to what will definitely be an interesting event. Starting on Nov 16, Bob Young (Red Hat) will debate Ed Muth (manager of MS's Enterprise Marketing Group) on the merits of their OSs. It'll happen on Network Fusion, and you'll need to create a free login to read it. -
Novell Directory Services for Linux
Fredrik Lindgren writes "Don't know if this is old news, but I haven't seen it before. Network World InFusion (E-mail newsletter) has the following to say: Linux gets NDS boost and other top news: Novell officials last week revealed the company is plotting to port its directory services technology to Linux, giving the suddenly hot Unix variant yet another surge of momentum." The full article is here Ed: For those that can't read, this is NDS, NOT Netware (an existing product) For those of you that don't know, this site can be entered with user id "cyberpunks" and password "cyberpunks". -
Linux in NetWorld
Rob writes "We have a great Linux story in Network World today. Lots of examples of Linux making inroads in corporate networks. Fairly well written, with a low FUD level, save for the "support" issue (which the author eventually does get right). The print edition had a box with a "how to pronounce Linux" blurb. Luckily the "we don't care what you call it as long as you use it" argument wins here. Remember: pronunciation flamage is reserved for the sub-13 year old demographic only!" -
Cool Linux Articles
John Bell wrote in this link where Peter Coffee talks about Unix in mission-critical roles. The other article is by Mark Gibbs and is titled "Lookin' into Linux". This link requires registration to read though. John noted several technical problems, but it is still a nice newbie article. -
Network World on Linux
Zach "Gimp News" Beane writes "Network World has a columnist who wrote an interesting column about creating an alternative to Microsoft by investing effort in Linux. The web version of the article is at this link." -
Static and Dynamic compilation
While HotSpot will be delayed until the summer, other vendors are testing alternative technologies. A favorite seems to be compilation to a native instruction set, which gives an insight into the speeds that could be obtained. New garbage collection algorithms and a better understanding of memory allocation issues should also help. And while current JITs deliver lower performance, there are reasons to believe that JIT compilers might eventually become more efficient than native code. However, this does not mean that Java need be the portability solution: Taos is selling a new portable OS, Elate, written in a virtual assembly code based upon a run-time translator.