Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Stories · 365
-
Don't Forget That Worms Happen Everywhere
friday2k writes "Securityfocus has a nice column on Worms and their origin in 1988. It explains what everybody should never forget. We have dealt with *NIX worms (Sadmind, li0n, ...) and they will come back again. Maybe then the MS fanatics will laugh and say: didn't we always tell you Open Source is insecure (too?) ..." -
HDCP Encryption Cracked, Details Unreleased Due To DMCA
Lord_Pall writes: "There's a very good article on SecurityFocus about a Dutch cryptographer. He apparently has cracked the HDCP video encryption standard, but won't release the research for fear of reprisals under the DMCA." Update: 08/15 06:10 PM by J : Meanwhile, see Keith Irwin's paper which has been released despite the DMCA. Update: 08/15 07:00 PM by J : And someone else points out this old thing. Everyone who hasn't written a paper on cracking HDCP raise your hand. -
SSH Secure Shell 3.0.0 Remote Hole
SSH Communications Security Corp (ssh.com/ssh.fi) announced on bugtraq last night that their commercial product SSH Secure Shell 3.0.0 is a gaping remote hole on various unixes. Technically it's not a root hole, but remote access to users like "adm," "bin," "daemon," and "sys" is not good. Strangely, I don't see an announcement on their homepage. If you're running the $99 workstation version or the $475 server version, go upgrade to 3.0.1 now because it's an amazingly trivial exploit (especially on Solaris, but also on other unixes, excluding NetBSD and OpenBSD which are not affected at all). If you're using OpenSSH, or some other program you didn't pay for, no worries. -
Predict Worm Headlines, Win a T-shirt
At this moment, there's an office somewhere in Waggener Edstrom with its lights on and a fresh pot of coffee. Microsoft's PR firm is racking its brains working on strategy and tactics for their phone calls tomorrow. As of right now, hundreds of thousands of wormy Microsoft machines are throwing packets at the Bush White House (and missing -- see below). Bill Gates really, really doesn't want Sunday papers editorializing about how shoddy and dangerous his security flaws are. Will billg be the hero or the goat? Slashdot, in its fine tradition of laughing in the face of overworked netadmins, is running a contest. Walk a mile in Waggener Edstrom's shoes, predict the Times's headlines, and win yourself a T-shirt.
Waggener's goal is to minimize the PR damage that the worm will cause. This is potentially a very damaging story for them. Not so much because it underscores the dangers of an insecure, monocultural environment monopolizing our vital networks. Not even because of the embarrassing and ironic nature of the worm. More because it involves a hot button political topic -- Bush and, allegedly, China -- which the average reader will be interested in and might even almost understand.
So what's their battle plan?
Well, first Waggener will try to predict the yield. Our guesstimates as of right now, 11:36 PM EDT Thursday evening, are that it's a dud -- whitehouse.gov is still accessible and my IRC server hasn't gone down. This is probably because whitehouse.gov simply sidestepped its IP address (the stupid worm author hardcoded it instead of using DNS): White House dodges Web worm.
But at least 196,000 machines were infected. You'd think something would happen. Maybe a router will crash and Delaware will fall off the map. Who knows?
Second, Waggener will have an overall strategy. This might range from overhyping the potential danger ("turn off your computers! prepare for Armageddon! oh it didn't happen -- we saved you") to distraction with trivia ("we are pleased with the judges' verdict last week. look over there!"). How will the firm modify our reality?
Third, Waggener will use different approaches on different audiences. Reporters from different tech publications will talk to different handlers, and hear different things. Keep in mind which way these publications lean when you predict what their reactions will be.
Here's the contest. OSDN will be giving away four Slashdot T-shirts (or some other ThinkGeek shirt) to the four readers who most accurately predict newspaper headlines about the "Red Code" worm.
The newspapers of record we're using are the Washington Times and the New York Times. The categories are:
Headline on the Washington Times news story, Saturday morning (label it: "WT News")
Headline on the New York Times news story, Saturday morning (label it: "NYT News")
Title of the Washington Times editorial, Sunday morning (label it: "WT Ed")
Title of the New York Times editorial, Sunday morning (label it: "NYT Ed")
Type up four guesses and submit them in a comment below. If your guess for any of the four is the closest in its category, you win a T-shirt!
For example, if our contest had been to predict headlines about global warming on July 19, and you'd said:
"WT News: Bush Visits Europe, Says Many Words Correctly
NYT News: Bush Promises Called Into Question
WT Ed: Good News on Global Warming
NYT Ed: Clueless on Global Warming"...then you'd win, because you guessed the NYT editorial title correctly.
So put on your corporate-PR "spinning" caps, get out there and make us proud!
The Small Print:
- Top headline only, you don't have to predict subheads or whatever.
- In case of two stories/headlines, we pick the biggest one, our discretion.
- Up to four guesses to a post, one for each headline (post early, post often, but slow down cowboy!).
- One T-shirt to a person.
- Ties go to the f1rst p0st.
- No posts after the paper's out, of course (print or electronic, whichever's first) - first edition print is the goal.
- No OSDN/VA Linux employees or relatives eligible.
- You must either be logged in when you post or include one email address in your comment; email is how we'll contact you for your snail-mail address. Spamarmor it if you like, as long as we can read it.
- If for some crazy, absurd reason one of the papers doesn't run a story/editorial about this at all, we'll go looking for a "similar" paper's story/editorial and pick its headline. We're thinking L.A. Times, Wall Street Journal, that kind of thing. If the papers actually run stories today (Friday), well, darnit that wasn't much of a contest was it? We'll still look for editorials on Sunday.
- All judges' judgments are final.
-
Code Red Worm Spreading, Set To Flood Whitehouse
altek writes: "CNET has an article describing a worm that has taken down over 12,000 MS IIS webservers." Bill Kendrick points to another CNET story, which reports that the worm will "cause every infected computer to flood the Whitehouse.gov address with data starting at 5 p.m. PDT," writing "Time to shut down all those IIS servers before the Internet gets flooded."
Slow Internet service due to all those extra packets of malice may not be the worst effect: As sp1n writes: "It appears that due to the way the worm formats its HTTP request and the semi-random way it seeks out vulnerable systems, it is also causing Cisco 67x DSL routers, widely deployed by Qwest, using firmware prior to 2.4.1, as well as some others, such as 3Com LanModems, to crash -- recoverable only by a power cycle. I have yet to see any news outlet cover the effect this is having on DSL service. Qwest's Interprise networking department confirmed they are receiving reports from all 14 states in their territory. Some routers running pre-2.4.1 firmware are crashing even though the web admin is disabled. This has become a huge support nightmare for every ISP in the region."
-
OpenBSD Local Root Hole Patched
unFKNreal writes "A fellow by the name of Georgi Guninski has discovered a local root compromise in OpenBSD 2.8 & 2.9. He says it's due to a race in the kernel, similar to the Linux kernel race a few months back." The patch is out as of a few hours ago. Even a BSD newbie like me got his firewall patched and rebooted with no problem, after taking a moment to reread the patching instructions and kernel rebuild FAQ. The bad news: the hole was posted to bugtraq Thursday morning, with exploit code, so the black hats had a jump on you (sadly, note the date Guninski says OpenBSD was informed). If your system has any users you don't fully trust, check it over carefully after you patch! Update 3h later by J : Apparently NetBSD is affected too, and a fix is in-tree. -
MacOS X Circumvents Apache Security
cloudscout writes: "This Report at SecurityFocus.com warns of a problem with the Apache webserver running under Apple's new MacOS X operating system with the case-insensitive HFS+ filesystem. HFS+ is the default (and recommended) filesystem for MacOS X, yet its case-insensitive nature circumvents directory-based security in the Apache webserver that comes with the operating system. The Server version of MacOS X ships with a module that fixes this problem, but this module isn't available unless you purchase MacOS X Server. So much for Apple's boast about 'giving back to the open-source community.'"
From looking through SecurityFocus, this doesn't appear to be the only problem. -
Las Vegas's Seedy Technical Underbelly
An unsigned submission notes: "Kevin Poulsen's new article on cybercrime in Vegas features tons of cool stuff from pimps, prostitutes, and Gambino family mob hits to an explanation of Sprint's telephone infrastructure. Check it out at SecurityFocus ..." This stuff is worthy of a book. -
Attacks Against Initial TCP Sequences
If you are interested in reading an informative article on attacks against TCP connection sequences, CERT has posted a nice alert about it. The article does a nice job of going into the history of such attacks. Normally I find CERT's pretty worthless and outdated compared to what you find on Bugtraq, but this one is pretty good. -
SMB Security Hole
Thangorodrim writes "First saw this at SecurityFocus, but it seems as if someone at COTDC finally got around to coding a nice SMB session hijacker for NT/2000. I've tested this on some machines... it's pretty brutal. And just in time to coincide with the release of l0phtcrack 3.0... The story linked doesn't have a link to the actual utility, but you can grab it here." *cough* For testing purposes only, of course. -
New Security Module For Kernel 2.5
CelestialWizard writes: "After the Linux Kernel 2.5 summit, a new security model is to be created for the next kernel. You can see the post from Crispin Cowan on BUGTRAQ." Interested folks should look at the mailing list; my guess is this is gonna be for the techies only. -
Attack Registry And Intelligence Service
thelaw writes: "SecurityFocus just announced the start of their new service, ARIS (Attack Registry and Intelligence Service) Analyzer. The service allows you to submit logs from several different intrusion detection systems automatically and quasi-anonymously. Looking at the front page, they seem to have over 700,000 incidents already reported since starting." -
Slashback: 2600, X-Many Bytes, Results
Tonight: Reactions and reductions of previous Slashdot appearances, including but not limited to: in-dash video gaming for the less upwardly mobile; a CSS descrambler you could scratch as a crib onto the side of your #2 pencil; and more on the engineers vs. scientists brouhaha. Enjoy!
I like the driving game in front of the windshield. Not everyone has the cash or the gumption to outfit his Macintosh with a Pathfinder; for the computationally experimental on a more modest budget, there is an easier way. wing_king writes: "A fellow named Troy Kellogg managed to hack an actual Atari 2600 console into the dashboard of his 1978 Volkswagen. The "AtariMobile" even has controller ports and a screen built right into the dash! The AtariMobile site has some pictures of the unit and some details on its construction. What a way to kill all that time sitting at stoplights."
Please tell me this is only for passengers and while parked, ok? I own one of these micro televisions, and it seems like playing on a screen that size while hunched over the stickshift might constitute more work than this labor-intensive project took in the first place. Wow.
Stir, reduce and simmer, stir in indignation: Aimster has removed the Pig Latin Encoder software from its site. And if that wasn't enough trivial encoding for you ...
If just over 500 bytes still wasn't small enough for your new MPAA-mocking tattoo, note that the famous Content Scramble System most famously De-flated with DeCSS has fallen anew.
PotatoNO writes: "Charles H. Hannum has created an even smaller DeCSS decoder than the perl script posted a few days ago. This one is written in C and takes 442 bytes, beating the perl script by 30 bytes. It's small and in C, so of course it's speedy. Hannum's program can decode in excess of 21.5MBps which is faster than the DVD spec allows for. That means it can actually be used for realtime playback."
Now hold on a goldarned minute there! William Evans, of Clark University's Dept. of Computer Science, took issue with the report Tuesday night in which drhpbaldy wrote: "At the latest ACM meeting, scientists and engineers threw mud at computer scientists for not contributing anything useful."
Wrote Evans in response:
"There seems to be some confusion as to what computer science is, and who computer scientists are. Programmers and other IT workers are not, for the most part, computer scientists--they're programmers and other IT workers. This is by no means disparaging, but simply a delineation based on definition.
Computer scientists study the branch of mathematics dealing with computation.
In the terms of your story, it was perhaps 'computer scientists' throwing mud at 'programmers and other IT professionals.' In actuality, though, it was mud thrown at business executives, and the ages-old indictment of the larger culture of western corporate management."
What medal do you get for 11th? ;) Rathnor writes: "I've spent the last week or so in Vancouver, Canada in the lead up to the ACM International Collegiate Programming Contest World finals. I'm a reserve in the University of NSW Team from Australia. Its been a great week with lots of cool things done for us from IBM and UPE.
The results are officially out and presented: The winners were: St Petersberg State University Second place: Virginia Tech the rest of the standings can be found here. (We made 11th)"
-
Peer-To-Victim File Sharing
ShareSniffer is profiled in a SecurityFocus article today. The company has come up with a new and guiltless way to trade MP3s: just use someone else's hard drive. They have a "bevy of lawyers" (bevy, n., a group, esp. of girls or women) who say taking advantage of public Windows shares is perfectly legal. And why not? Clicking "I Agree" without reading a license agreement is legally binding, right? So when you click "Share This Folder," whether you understand its implications or not, you've authorized the world to play with your drive, and have no right to complain.</devilsadvocate>
-
BIND Security Info For "Members Only"?
achurch writes: "Paul Vixie has posted a message to bind-announce suggesting the formation of a "members-only" security information list for BIND, the DNS server used on most Internet systems. Membership would be limited to root/TLD nameserver operators, software vendors using BIND, and 'other qualified parties,' and members would have to sign 'strong nondisclosure agreements.'" I'm not sure how I feel about this, but I'm sure a lot of readers do. -
Running BIND 4 or 8? Upgrade!
The Dev was the first of several zillion to point out that security holes were found in BIND. The detailed table of known vulnerabilities will help clarify (and it has tarball links too), but the short version is, if you're running BIND 4 or BIND 8, set aside some time today to upgrade to 4.9.8 or 8.2.3 (not beta, betas of 8.2.3 are vulnerable). And now's a good time to reconsider version 9, too. SecurityFocus warns that the last time a BIND hole of this magnitude was found, it was followed by a "cyber-crime wave." Exploits for these holes were successfully created by COVERT Labs, but nobody seems to know whether they're in the wild yet. Obviously, they soon will be. Post your questions and answers about upgrading below. -
Cracking All The Live Long Day & RH6/7 Worms
BoomMike writes "While the popular media drools over eWEEK magazine's contrived Open Hack Challenge, which offers modest cash prizes for cracking a carefully arranged network, real geeks can compete in the Honeynet Project's new Forensic Challenge, and pick up the trail of a hacker who cracked one of the project's Linux-based honeypots last November. Mount the file system images and pore through the IDS logs to figure out the who, what, where, when, why and how of the attack, and you can win a book. SecurityFocus has the story." In a much related vein to the Honeynet crack RH6.2/7 there's a story on C|Net concerning the "worm" that's a new popular exploit set with the script kiddies on RH 6/7 servers. -
Slashback: Aptitude, Consolation, Security
A handful of updates and new nuggets await you below, on everything from Iraqi PlayStation purchases to package manager news of the week, in tonight's release of Slashback.
apt-get install common.sense According to this message from Pixel in the apt-rpm mailing list, Linux-Mandrake is the second RPM-based distro to use APT, after Conectiva's own distro. So, despite the existence of non-free similar products recently covered in /., APT is gaining acceptance to be the unified package manager front-end for Linux.
Can your parents install Debian?
Now there's some smidgeon of Justice for ya Foggy Tristan writes "
According to Wired news story, Uzi Nissan has won a battle, but not the war, against Nissan in a domain name dispute over nissan.com.
For now, however, Uzi Nissan must display a prominent banner on his site that tells people he has nothing to do with the car company and where people can find Nissan.
" You knew this was going to happen ... RobM9999 writes: "The BugTraq mailing list over at SecurityFocus is reporting what appears to be the first vulnerability in the NSA's Security-Enhanced Linux that was originally written about here. The original post to the BugTraq mailing list is here." What would have been more surprising is if no security bugs were found when a project like this has its source opened to the world. Best to get that laundry clean, eh?
Could be they're just serious gamers tech81 writes "Here's an article on MSNBC that has an update to this story previously posted on Slashdot concerning Iraq possibly buying and stockpiling PS2's for military purposes. Looks like they weren't able to get any PS2's, so they grabbed the originals. . ."
So that's why the bidding on eBay went so high, eh?
Read 'em and weep The next part of our continuing reprint of Jon Katz' Hellmouth series is up.
-
Copy Protection Galore
Kirk writes: "SecurityFocus is reporting that the cable industry submitted an FCC filing last week indicating that digital cable systems will use a patented, Hollywood-approved copy protection scheme called Dynamic Feedback Arrangement Scrambling Technique (DFAST). Under the scheme, HDTV-compatible recorders will refuse to tape movies, shows and sports events that have a 'don't copy' bit set. Consumer electronics makers fear an end to fair use rights, but cable companies will force compliance with DVD-style licensing agreement and the DMCA." And the Register notes that all hard drives will include copy protection by next year, under a plan put forth by the manufacturers to please the entertainment industry. Alan Cox doesn't like it, but Alan Cox doesn't call the shots here. T13.org has more information, including the specifications and some presentations explaining the system. -
Judge Says Port Scanning Is Legal
cvbear0 writes: "SecurityFocus has an article explaining a ruling from a U.S. district court ruling in Georgia about port scanning. The judge ruled that that port scanning tools neither "impair the integrity nor availability of the network." Both parties agreed not to appeal the judge's ruling." -
Slashback: Virginity, Tininess, Kiosks
A computer that Madonna might approve of, ubiquitous boxes delivering Internet access all over paradise (and why not everywhere?), and some more insight about Moore's Law and Intel's tiny new transistors, from the horse's mouth. Read more below, in this edition of Slashback.
Insatiable demand and a limited supply mean ... slashdoter writes " Remember the Virgin webplayer? The co-op has got a deal to buy the unsold units at $100 each, add on $10 for shipping and some extra for the Beer fund for our fearless leader and you too can have a hackable webplayer (without a TOS). You only have 2 or 3 days to get in so come on over and read the small print."
It may be officially too late to join, but this still would be a smart site to inquire at if you're looking to find one of these cute little machines, and just like waiting outside a ("sold out") Elvis Costello show, you might find a reasonable re-seller.
"Oooh! It's so cute and little!" rm-r writes "The New Scientist has an interview here with Gerald Marcyk, the head scientist behind the world's smallest transistor announced by Intel last week. The article also has some interesting pieces about the problems chip makers have as they get smaller and smaller."
Now if these were everywhere, where would we put the AOL CDs? The mysterious unnamed correspondent writes: "This article was published on Securityfocus.com today about Linux Kiosks. It seems that with the Costa Rican Government providing free internet access to all citizens, this is a timely followup about how a country could use a RedHat Linux system to offer Free Internet Access much like we see present day telephones... on every corner, in every restaurant, and at every gas station. It was written by Anton Chuvakin, a Ph.D student in Europe, and maintainer of the Pocket Linux Distribution HOWTO."
This certainly is an interesting vision, and not far-fetched. Can't we all pitch in and lay some fiber like Hands Across America?
[Update]-- until someone pokes an eye out. Here is part six of the continuing reprint of Jon Katz' Hellmouth Saga. Parts five, four, three, two and one are also available to digest if you've not before. -
L0pht Joins MS As BUGTRAQ Outcasts
SmellyBrain writes: "As a follow up to the recent story of BUGTRAQ no longer publishing Microsoft advisories, it seems they are no longer publishing advisories by @stake (the company that brought the L0pht). ZDNet has an article about this here. It seems that, just like Microsoft, @stake changed their advisories to include minimal information and a link to their Web site. You can find the message by the moderator, Elias Levy, asking for the subscribers' feedback here. This is a very dangerous new trend in the security industry." -
BugTraq No Longer Able To Publish MS Security UPDATED
krow writes: "According to a BugTraq administrative note, they are no longer able to publish Microsoft Bulletins. They are copyrighting their bug reports so that others cannot publish them." Bugtraq will continue to publish the vulnerabilities/bugs, but only the URLs; readers will have to click to read them. Says a SecurityFocus employee: "As the copyright holders of the work they have told me in no uncertain terms that I do not have their permission to redistribute a text version of their web page bulletins...doing so would be considered an act of copyright violation." -
Quova Inc. Completes Trace of 4 billion IP Addresses
RatzMilk writes: "Quova Inc. claim they have completed a global scanning system [Note: first mentioned on Slashdot in July -- timothy] that pinpoints the geographic location of Internet users in real time. The information gathered is then sold as a tool called 'GeoPoint' that can be used by advertisers to better target their advertisements to people based on their location. It doesn't rely on cookies or voluntary submissions from users, instead, using a database built by scanning every host on the Internet. In gathering this information, they set off alarms all over the world, and yet, it seems that this is an acceptable practice in the eyes of the law. Individual people are having their computers impounded and in some cases are being incarcerated for doing the same. ... Further details on this story can be found at Security Focus." (Sorry, but Security Focus is not designed for direct linking; click on the link that says "Scanning Mystery Solved.") [Updated 5:58 GMT by timothy] Scratch the comment about deep linking; I've restored the link RatzMilk provided, which originally brought me only "page not found" errors. Hope it works for everyone ... -
CERT And Vulnerability Disclosure
Carnage4Life writes "In a radical departure from its previous stance of security through obscurity, the Computer Emergency Response Team, CERT, has stated that it will fully disclose all vulnerabilities in software that come to its notice 45 days after the fact whether or not companies have provided a fix. The change of policy can be found at the CERT site and there is also a story on C|net. The change is not a complete embrace of full disclosure because CERT will not release exploits as some other software security watchdogs do." -
First Look Inside Carnivore
EPIC requested almost 600 pages of data on the FBI's Carnivore through the Freedom Of Information Act. Yesterday, about 200 were "redacted in full" (withheld) and the rest were sent with varying amounts of black marks. EPIC is scanning them and putting them online as quickly as it can; SecurityFocus has an interesting overview. It turns out the supposed email scanning tool also stores copies of webpages you read, and, at least in an earlier version, looked into tracking voice-over-IP. Just for reference:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
-
Cybercitizenship Definition Of Crime
pbf writes: "This article from securityfocus.com has an interesting view on what RIAA-funded site Cybercitizenship.org believes is legal or not on the Internet, as well as how you should educate your kids for that matter. This is quite interesting and the conclusion indicates fairly accurately the tone of the article: "When did federal prosecutors and hi-tech industry moguls became regarded as authorities on cyber ethics or effective parenting?" Indeed... So are you surfing like a hero or are you surfing like a zero?" -
"Cloudy Future" For CueCat
Edgester writes "There is an article at Security Focus about Digital Convergence and the CueCat Barcode Scanner. DC thinks that those Cease and Desist letters completely stopped the hacker community from hacking the CueCat scanners." Oh - and we should just point out that, in the continuing example of Digital Convergence's wonderful security, their site was cracked and all user info was captured. -
Is Netscape's Code Falling Apart At The Seams?
bobby writes: "There's a commentary on SecurityFocus that has me thinking: they argue that the infamous Brown Orifice holes in Navigator are examples of a new type of security hole that results, not from bad coding practices, but from coders haphazardly interconnecting disparate components without considering how they'll work together. 'The most dangerous, well-concealed, complex, and noteworthy security flaws in the future will be of this sort,' they write, adding that only the Mozilla project can save Netscape." -
Convicted Hackers Snubbed by Security Firms?
Esqueleto sent us an interesting story from Security Focus on convicted hackers and employment in the security field. When you get past the zillions of obnoxious frames, you'll read an article about a weird problem: the guys who have a criminal record are tougher to hire... in this case they're talking about Mark Abene (Phiber Optik) being snubbed by @Stake, the guys who merged with L0pht. Of course this makes total sense from a corporate perspective, but considering many of the folks in the industry will admit freely to doing the same things, the conviction on your record makes all the difference. -
Default Behavior: Piranha vs. Microsoft SQL Server
Do you remember the Piranha debacle back in April? Welcome to Part II. Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's Piranha module. Unlike Piranha, SQL Server is very common software for large e-business websites. Unlike Piranha, the vulnerable software has been shipping for months. Unlike Red Hat, Microsoft refuses to take responsibility for their mistake, which, unlike Red Hat's, has resulted in actual documented break-ins, some at high-profile websites. So why haven't you read about it? Because unlike Red Hat, Microsoft is getting a pass from the media.
Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.
The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's note for the record what that buys an attacker: only what the web user can already do. It can read whatever the web server can read, and it can alter the site's content only if the web server was misconfigured with write access to its own files.
The media flipped, in a word, out.
Piranha: A Case Study
On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.
"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.
ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:
"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."
Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.
In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.
Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.
ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.
The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.
But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh, who had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."
If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.
(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")
Microsoft SQL Server 7.0
You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?
Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).
As the cracker Herbless describes it:
"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."
A default password vulnerability? Sounds familiar, doesn't it?
Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.
Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, your firewall doesn't block its listener (TCP port 1433 by default), and you haven't set the 'sa' password, you're vulnerable: anyone on the Internet can log in as the database's built-in system administrator.
As he described it to me, unlike Piranha's vulnerability which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater than those of even the 'Administrator' user." In NT terms, anything the database server is told to run on the host runs under the account the MSSQLServer service was installed with; when that is the LocalSystem account, it runs with full rights on the machine, including privileges the local Administrator does not hold by default.
In other words, you have been 0wn3d.
You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."
Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).
All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:
"Hacked websites 'didn't read the manual'
"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."
Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.
All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.
Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.
Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-control backdoor. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.
The proper fix would be to force the password to be changed before the software can be used, as Piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.
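Until the installer forces the issue, the check and the fix have to be done by hand. The following T-SQL is an added example, not code from this article, from Herbless's BugTraq post or from Microsoft: run it as a sysadmin with osql or isql against a SQL Server 7.0 or 2000 instance. It lists SQL-authenticated logins whose password is blank or equal to their own name, sets a password on 'sa', reads the current login audit level, and turns auditing on. The registry path assumes a default (unnamed) instance, and the password is a placeholder to replace before running.

```sql
-- Added example for SQL Server 7.0 / 2000: find the blank-'sa' condition,
-- fix it, and stop running with login auditing off.
-- Run as a member of sysadmin, e.g.:  osql -E -S myserver -i audit_sa.sql
-- The password below is a placeholder; the registry path assumes a default instance.
USE master
GO

-- 1. SQL-authenticated logins with no password at all.
--    In 7.0/2000 the hash lives in master..syslogins.password; NULL means blank.
--    Any row here, 'sa' above all, is exactly what the break-ins relied on.
SELECT name, sysadmin
FROM   master..syslogins
WHERE  isntname = 0
  AND  password IS NULL
GO

-- 2. The next-worst habit: password identical to the login name.
--    pwdcompare() is undocumented in this era but present in 7.0 and 2000.
SELECT name
FROM   master..syslogins
WHERE  isntname = 0
  AND  password IS NOT NULL
  AND  pwdcompare(name, password) = 1
GO

-- 3. Give 'sa' a real password. @old is NULL because the current one is blank;
--    a sysadmin may change another login's password without knowing the old one.
EXEC sp_password @old = NULL, @new = 'Replace-This-Placeholder-42!', @loginame = 'sa'
GO

-- 4. What is the login audit level right now? 'none' is the shipped default
--    that leaves a successful attack with no tracks.
EXEC master..xp_loginconfig 'audit level'
GO

-- 5. Turn it on. AuditLevel: 0 = none, 1 = successful logins, 2 = failed, 3 = both.
--    Takes effect after the MSSQLServer service restarts.
EXEC master..xp_regwrite
     @rootkey    = 'HKEY_LOCAL_MACHINE',
     @key        = 'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
     @value_name = 'AuditLevel',
     @type       = 'REG_DWORD',
     @value      = 3
GO
```

Step 1 is the only one that matters for the attack described here; steps 2 and 4 are the checks a practitioner would want at the same time, since a password of 'sa' is found as fast as a blank one and an audit level of 'none' means the break-in never reaches the event log. None of this substitutes for blocking TCP 1433 at the firewall: a database listener has no business being reachable from the Internet whatever its password.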
The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)
The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.
So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.
-
Default Behavior: Piranha vs. Microsoft SQL Server
Do you remember the Piranha debacle back in April? Welcome to Part II. Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's piranha module. Unlike Piranha, SQL Server is very common software for large e-business websites. Unlike Piranha, the vulnerable software has been shipping for months. Unlike Red Hat, Microsoft refuses to take responsibility for their mistake, which, unlike Red Hat's, has resulted in actual documented break-ins, some at high-profile websites. So why haven't you read about it?Because unlike Red Hat, Microsoft is getting a pass by the media.
Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.
The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.
The media flipped, in a word, out.
Piranha: A Case StudyOn April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.
"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.
ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:
"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."
Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.
In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.
Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.
ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.
The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.
But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh, who had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."
If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.
(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")
Microsoft SQL Server 7.0You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?
Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).
As the cracker Herbless describes it:
"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."
A default password vulnerability? Sounds familiar, doesn't it?
Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.
Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.
As he described it to me, unlike Piranha's vulnerability, which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater than those of even the 'Administrator' user."
In other words, you have been 0wn3d.
You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."
Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).
All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:
"Hacked websites 'didn't read the manual'
"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."
Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.
All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.
Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.
Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-exploit program. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.
The proper fix would be to force the password to be changed before the software can be used, as Piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.
The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)
The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.
So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.
-
Linux Sux Redux: A Rebuttal
SmooC writes "This is SecurityFocus's reaction to Fred Moody's article, claiming that NT is more secure than Linux. Ran on slashdot last wednesday. Ben Greenbaum who manages the Microsoft Focus Area, sees it from a different perspective." -
Secretive Company Scanning the Net
Zarf writes: "A start-up called Quova is pinging and tracerouting the entire Internet, causing firewalls and Intrusion Detection Systems to go crazy, and some security-types to get mad, according to this story at Security Focus. What's interesting is that the company won't say what they're doing with the information they're gathering, but records with the Patent and Trademark Office suggest it has something to do with selling "psychographic" information, i.e., matching advertisements to particular lifestyles and beliefs." -
Could This Be The End Of The Internet?
ll0yD asks: "There is an article at Security Focus blowing the horn on network security companies working to stop file sharing over the Internet and private networks. The main reason they are working on this is to combat Napster and other related "evil" network programs. I understand the need to protect copyrighted material, but this looks like it is going a little too far. If someone can stop MP3s from moving around the net, what stops someone from stopping your electronically filed taxes or the bills you pay online? Besides, isn't file sharing what the Internet is about? What are your views?" This disturbs me. The Internet is all about sharing, not just files but ideas, be it via Napster or a browser. Now I'm worried that some fool will start making noises about banning FTP. -
Iranian Coup Plotters Exposed By PDF File
Renfield writes: "Security Focus has the details on how the New York Times released a SECRET CIA report on the Agency-sponsored 1953 Iranian coup on their Web site as a PDF file, with the names of foreign agents covered up with black lines and boxes. It turns out the Times didn't merge layers, and John Young of Cryptome discovered that by freezing the rendering at the right time, he could view the edited text before the black boxes covered it. He's putting up the full, unedited document on his site now. The Times says he's endangering lives, but why, oh why, didn't they use the eraser tool, and how many other PDF files, Word documents, etc., contain more than meets the eye?" I wonder if there are any "aggressive" PDF viewers built to scan for just such information, too.