Domain: vmware.com
Stories and comments across the archive that link to vmware.com.
Stories · 49
-
VMware Touts Dismissal of Linux GPL Lawsuit (zdnet.com)
"For over a decade, VMware has been accused of illegally using Linux code in its VMware ESX bare-metal virtual machine hypervisor," reports ZDNet, adding that "A German court has dismissed the case, but the struggle may not be over." VMware stood accused of illegally using Linux code in its flagship VMware ESX bare-metal virtual machine (VM) hypervisor... In 2011, the Software Freedom Conservancy, a non-profit organization that promotes open-source software, discovered that VMware had failed to properly license any Linux or BusyBox, a popular embedded Linux toolkit, source code... In 2015, having exhausted all other means, [Linux kernel developer Christoph] Hellwig and the Software Freedom Conservancy sued VMware in the district court of Hamburg in Germany. Besides the general violation of the GPLv2, "Conservancy and Hellwig specifically assert that VMware has combined copyrighted Linux code, licensed under GPLv2, with their own proprietary code called 'vmkernel' and distributed the entire combined work without providing nor offering complete, corresponding source code for that combined work under terms of the GPLv2."
The German court disagreed in November 2018. Hellwig appealed and continued the fight, saying "The lower court dismissed the case as a result of evidentiary rules and likely an incomplete understanding of the documentation of the code in question...." [Monday] VMware rather mysteriously announced: "VMware is pleased with the Feb. 28, 2019 decision of the German appellate court in Hamburg to dismiss Mr. Hellwig's appeal and let stand the regional court's decision to dismiss Mr. Hellwig's lawsuit."
Karen Sandler, attorney and the Conservancy's executive director, told ZDNet that "We strongly believe that litigation is necessary against willful GPL violators, particularly in cases like VMware where there is strong community consensus that their behavior is wrong. Litigation moves slowly. We will continue to discuss this with Christoph and his lawyers and hope to say more about it in the coming weeks -- after the courts provide their rationale for their decision to the parties (which has not yet occurred)."
Meanwhile, VMware stated that it "continues to be a strong supporter of open source software development," adding that it's been "actively" working on removing vmklinux from vSphere in an upcoming release as part of a multi-year project -- "for reasons unrelated to the litigation." -
Ask Slashdot: What's the Best Working Environment For a Developer?
New submitter Dorgendubal writes: I work for a company with more than a thousand developers and I'm participating in activities aimed at improving the work experience of developers. Our developers receive an ultrabook that is rather powerful but not really adapted for development (no admin rights, small storage capacity, restrictive security rules, etc.). They also have access to VDIs (more flexibility) but often complain of performance issues during certain hours of the day. Overall, developers want to have maximum autonomy, free choice of their tools (OS, IDE, etc.) and access to internal development environments (PaaS, GIT repositories, continuous delivery tools, etc.). We recently had a presentation of VMWare on desktop and application virtualization (Workstation & Horizon), which is supposedly the future of the desktops. It sounds interesting on paper but I remain skeptical.
What is the best working environment for a developer, offering flexibility, performance and some level of free choice, without compromising security, compliance, licensing (etc.) requirements? I would like you to share your experiences on BYOD, desktop virtualization, etc. and the level of satisfaction of the developers. -
Red Hat CEO: Bring On the Clones
An anonymous reader writes "Best Buy and Barnes and Noble have a problem with showrooming — shoppers checking out the merchandise in their stores and then proceeding to order the goods at discounted prices online. And Red Hat might have a similar problem with people (not just college kids and software professionals boning up on their skills at home, either) using the free-as-in-beer CentOS rather than licensing Red Hat Enterprise Linux and paying support fees. But according to CEO Jim Whitehurst, Red Hat's competitive position may actually be helped by CentOS in the same way that counterfeit Windows products sold on the streets in the Far East may have helped Microsoft — by cementing their position as the technology standard, in a marketplace that also includes entrants from SuSE, Debian, Oracle, and Ubuntu, just among Linux-based entrants. Who does Whitehurst consider to be Red Hat's most direct threat? VMWare." -
Scientists Built the 'Hubble Telescope For the Ocean' Using the Cloud
New submitter stacey7165 writes "VMware shared the application architecture story of how they worked with the Ocean Observatory Initiative to build a 'Hubble Telescope' of the ocean. It's comprised of a massive network of global, regional, and coastal sensors that send information to a common framework called the Common Operating Infrastructure (COI). The COI resides in a hybrid cloud powered by VMware and Amazon. To cope with a total of 49 classes and over 700 instruments deployed off of 6 coastlines, and a variety of consumption use cases, the Ocean Observatory Initiative built out the system using a variety of sub-systems loosely coupled through a messaging system powered by RabbitMQ called an 'Exchange.' Organized into a system where message clients pubsub from 'Exchange Points' and 'Exchange Spaces', the system is easier to maintain, extend, and scale. According to the OOI's documentation on release 1, the Integrated Observatory Network uses AMQP 0.9.1 and RabbitMQ-Server v. 2.3.1 on CentOS 5.5." -
VMware Back-Pedals On vRAM Scheme, Back To Per-Socket Pricing
Last year VMware introduced a complex pricing scheme based on the size of the memory associated with each virtual machine instance. New CEO Pat Gelsinger announced this week that this system (which he described as "a four letter word") has been deprecated, and VMware is back to more straightforwardly charging per physical processor. Adds reader hypnosec: "Pricing hasn't been announced yet but a file [PDF] present on VMware's site does give an indication about the new pricing."
Update: 08/28 17:18 GMT by S : Updated the headline and summary to reflect that the price is per processor, not per core. -
VMware Confirms Source Code Leak
Gunkerty Jeb writes "Purloined data and documents, including source code belonging to the U.S. software firm VMWare, continue to bubble up from the networks of a variety of compromised Chinese firms, according to 'Hardcore Charlie,' an anonymous hacker who has claimed responsibility for the hacks. In a statement on the VMWare Web site, Ian Mulholland, Director of VMWare's Security Response Center, said the company acknowledged that a source code file for its ESX product had been leaked online. In a phone interview, Mulholland told Threatpost the company was monitoring the situation and conducting an investigation into the incident." -
After Complaints, VMware Revises VSphere 5 Licensing
msmoriarty writes "Three weeks after IT shops began complaining loudly that the licensing changes with vSphere 5 would cost them significantly more, VMware has revised the requirements (although not as much as some users would like)." -
VMware ESXi Available For Free Starting Today
Mierdaan writes "VMware's bare-metal hypervisor is available for free starting today. ESXi, which can either be installed or run from an embedded device available in certain servers, has a 32MB footprint and gives small businesses an easy way to get into the virtualization world, with easy upgrade paths to enterprise-level features such as High Availability (HA) and Distributed Resource Scheduler (DRS). ESXi runs on most any hardware with a server-class disk controller, and previously retailed for $495. VMware is obviously shooting to prevent Microsoft's Hyper-V technology from gaining a foothold in the marketplace." -
VMware-Microsoft Battle Looming
An anonymous reader writes "VMWare released a white paper detailing its concerns with license changes on Microsoft software that may limit the ability to move virtual-machine software around data centers to automate the management of computing work. Two choice quotes: '"Microsoft is looking for any way it can to gain the upper hand," said Diane Greene, the president of VMware.' And, '"This seems to be a far more subtle, informed and polished form of competitive aggression than we've seen from Microsoft in the past," said Andrew I. Gavil, a law professor at Howard University. "And Microsoft has no obligation to facilitate a competitor."'" -
VMware Fusion goes Beta
Rahul writes "Fusion is a new VMware product that enables Intel-based Macs to run Windows and Linux in virtual machines on Mac OS X. The Mac virtualization market is presently dominated by Parallels and it will be worth watching if VMware can gain the mindshare despite its late entry. Ars Technica reports: 'The nice thing about VMWare Fusion is that it already supports some of the stuff that the Parallels Beta2 released yesterday just added, such as USB 2.0 and most USB devices, CD/DVD drive support, and drag-and-drop between environments (unless the guest environment is Linux, that is). You can also run multiple Fusion environments at once or assign multiple processors to your virtual machine(s), if you're into that sort of thing.'" -
VMware Announces UVAC Winners
muff1253 writes to tell us VMware yesterday announced the winners of the Ultimate Virtual Appliance Challenge (UVAC). The contest, which started at the end of February, was designed to test teams on their ability to create a "pre-built, pre-configured, and ready-to-run" application that could be packaged with operating systems in virtual machines. -
Hardware Virtualization Slower Than Software?
Jim Buzbee writes "Those of you keeping up with the latest virtualization techniques being offered by both Intel and AMD will be interested in a new white paper by VMWare that comes to the surprising conclusion that hardware-assisted x86 virtualization oftentimes fails to outperform software-assisted virtualization. My reading of the paper says that this counterintuitive result is often due to the fact that hardware-assisted virtualization relies on expensive traps to catch privileged instructions while software-assisted virtualization uses inexpensive software substitutions. One example given is compilation of a Linux kernel under a virtualized Linux OS. Native wall-clock time: 265 seconds. Software-assisted virtualization: 393 seconds. Hardware-assisted virtualization: 484 seconds. Ouch. It sounds to me like a hybrid approach may be the best answer to the virtualization problem." -
VMWare Announces Version for OS X In Development
pdscomp writes "VMware has just announced at today's Apple WWDC 2006 Conference that they are developing a port of VMware to Mac OS X. People interested in beta testing the product later this year can visit this link to sign up for the public test. It will be interesting to see how things play out between VMware and Parallels. Will Microsoft bother porting Virtual PC now that there will be two other Intel OS X virtualization solutions available? Now all we need is to get Mac OS X running under Xen." -
VMware Releases Server 1.0
epit writes "VMware has released v1.0 of their VMware Server product for free (as in beer) as planned. Up until now, it had been a beta download. You can download your copy via the VMware website. Release notes are also available." -
Microsoft Providing Virtual Server Free
liliafan writes "In an effort to gain a market majority over VMware, Microsoft announced it is giving Virtual Server away for free; additionally they will provide customer support for Linux. In a related move VMware have opened their partition file format to the community, aggressive and surprising moves in the virtualisation market." -
Slashback: Vista Rewrite, Tuttle Travesty, Mac Botnets
Slashback tonight brings some corrections, clarifications, and updates to previous Slashdot stories including Microsoft denies Vista rewrite, Tuttle Oklahoma city manager still doesn't get it, MS Virtual Server slips and VMWare fills the gap, Samsung execs plead guilty to price fixing charges, Tux in retail part 2, a renewed bid to register the Linux trademark in Australia, OpenSPARC.net shades of the past, and a follow up on Mac botnets -- Read on for details.
Microsoft denies Vista rewrite. moochfish writes "Contrary to a heavily doubted feature earlier this week, Business 2.0 magazine reports that Microsoft will not be rewriting large portions of its operating system. From the article, 'Microsoft's own blogger Robert Scoble checked into the story and got a denial from an executive at Microsoft's PR firm, who says he's not aware of any Xbox programmers working on Windows.'"
Tuttle Oklahoma city manager still doesn't get it. gEvil (beta) writes "The Register has posted a followup to this past week's wonderfully humorous story about Tuttle, Oklahoma's technically inept city manager, Jerry Taylor. It appears that Mr. Taylor is not pleased with the publicity he has received due to the incident, despite his prior statement of, 'I have no fear of the media, in fact I welcome this publicity.' He sent an email to the Register's marketing team asking that people stop emailing him and making fun of him."
MS Virtual Server Slips and VMWare fills in the gap. nizo writes "On the heels of the announcement that Microsoft Virtual Server is slipping to 2007, VMware has announced the beta release of the VMware Virtual Machine Importer, which has the capability to convert system images stored in 3rd party formats (including Microsoft Virtual Server images) to VMware virtual machines. The good news is VMware released the importer as a free download."
Samsung execs plead guilty to price fixing charges. bdotcdot writes "Electronics News is running a story on Samsung executives who have pleaded guilty to the price fixing of DRAM. From the story 'According to the one-count felony charge filed in federal court in San Francisco, at various times during the period from April 1, 1999, to June 15, 2002, these three Samsung employees conspired with unnamed employees from other memory makers to fix the prices of DRAM sold to certain computer and server manufacturers in the U.S., in violation of the Sherman Act. The conspiracy directly affected sales to U.S. computer makers Dell Inc., Hewlett-Packard Company, Compaq Computer Corp., International Business Machines Corp., Apple Computer Inc. and Gateway Inc., the charge said.'"
Tux in retail part 2. silentbob4 writes "Mad Penguin brings us the second and final installment in their 'Tux in Retail' series, in which they interview Linspire CEO Kevin Carmony; Xandros CEO Andreas Typaldos; Mepis Linux founder Warren Woodford; and Kevin Jones, Micro Center Vice President of Merchandising, to get their take on Tux's jump into big box retail. The first installment was run as an earlier Slashdot article."
Renewed bid to register Linux trademark in Australia? daria42 writes "A renewed bid to register the word 'Linux' as an Australian trademark must meet an early April deadline or face defeat." From the article: "'The deadline to file a response to the Examiner's rejection has not yet passed, and LMI and its attorneys are still determining if they will respond,' a spokesperson for the body told ZDNet Australia in an emailed statement."
OpenSPARC.net, shades of the past. Andy Updegrove writes "In what must have seemed to many as a bold move, Sun Microsystems recently announced that it would release the source code for its UltraSparc T1 processor under the GPL, supported by a new organization that it calls OpenSPARC.net. But to those that have been around for a while, the announcement had an eerily familiar sound to it, and that sound was the echo of an organization called SPARC International. Formed 18 years ago to license the SPARC chip design to multiple vendors to ensure second sourcing for the hardware vendors that Sun hoped would adopt it, SPARC International seemed to be every bit as revolutionary for its time as Sun's new initiative does today. Motorola launched a somewhat similar group called 88open to support its own RISC chip design, and later IBM, Motorola and Apple launched the PowerOpen Association to promote the PowerPC. The Websites of the PowerOpen Association and 88open are long gone, and seem to have escaped even the WayBack Machine's reach. But SPARC International's site, looking very retro and neglected, can still be seen - at least for now."
Follow up on Mac botnets. An anonymous reader writes "Washingtonpost.com has an interesting follow up to skeptical claims as a result of a previous Slashdot story. Mac OS X systems have indeed been spotted in botnets, thanks largely to several worms going around that take advantage of Web-based applications running vulnerable PHP software. From the article: 'By leveraging this PHP flaw, the attackers were able to seed the Mac systems with several tools designed to turn them into drones for use in waging destructive distributed denial of service attacks.'"
-
VMware's Ultimate Virtual Appliance Challenge
Natales writes "VMware has announced that they will be supplying $200,000 in prizes for what they call The Ultimate Virtual Appliance Challenge. Big industry names such as Tim O'Reilly and Mark Shuttleworth are among the judges." From the article: "Using open source or freely distributable components and/or your own code, create the most inventive and useful virtual appliance and win the $100,000 first prize! The Challenge is open to anyone worldwide and will be judged by a panel of industry experts with input from the community." -
VMWare Inc. Releases Free Virtual Machine Runtime
rfinnvik writes "VMWare Inc. has released a new free (as in beer) virtual machine runtime called VMware Player. According to VMWare, this free VM runtime makes it possible for anyone to run virtual machines created in their Workstation, GSX or ESX products. It also runs virtual machines created in Microsoft's virtualization products. The runtime is available for both Windows and Linux." -
Day in the Life of the Internet Storm Center
An anonymous reader writes "Network World Fusion has an article about the Internet Storm Center's inner workings. The writer follows the ISC during the day of the MyDoom-O outbreak (the one that hit Google et al.). The article talks about running W2K in vmware on top of SuSe Linux, a practice very common in malware analysis to isolate yourself from various ill effects of the malware. Other open source software receiving a mention in the article is everybody's favorite packet analyzer Ethereal." -
Pointers for Developing x86 Virtualization?
josh asks: "For my next project, I've decided I want to do something related to x86 virtualization (the way VMware does it or Plex86 not Xen/Bochs/etc.) but I really don't know where to start. Googling hasn't been helpful (just look at the results if you don't believe me). Are there any resources for learning about this kind of x86 virtualization? I know virtual 8086 mode wouldn't work, but without that what advantage does something like VMware have over something like Bochs? Are there any F/OSS projects aimed at something along the lines of my thinking? Please enlighten me with any references and resources you might have. Thanks!" -
Moving from Linux to Windows Desktop?
slyall asks: "I work in the Network/System Admin team for an ISP. Our firm was recently bought by another company that has mandated that my team's desktops be switched over from Linux to Windows XP in the next few weeks. Some of us have used Linux almost exclusively and going to Windows is a big change. Can people suggest any tips, books or websites to help Linux people shoved into the Windows world (especially those running lots of Linux and Cisco boxes)? We've all got years of experience on Linux but running Windows day to day is a big challenge. We don't yet know if the company will provide us with tools such as Cygwin or Windows Services for UNIX but we won't be allowed to install random programs and may not have admin access. We're not happy with the change but we're unable to stop it. What we are hoping to do is reduce the performance hit that the changeover is going to cause." This is probably one of those situations where a LiveCD-based distribution, for use in an emergency, might help. -
Silicon Valley - The Geeks Are Back In Charge?
securitas writes "The New York Times' Steve Lohr reports on a fundamental shift taking place in Silicon Valley in the post-dotcom era: the geeks are back in charge. New start-ups and companies that survived the bubble 'are based on innovation and are run by people with deep technical skills.' These companies have real technology and a solid technical base that have historically been the bedrock of Silicon Valley - something that was temporarily forgotten during the dotcom bubble. Profiled companies include Tellme Networks (speech recognition), InterTrust (DRM - digital rights management), VMware (virtual machines) and Scalix (Linux e-mail servers)." -
Designing a Security Lab?
RanmaPlex asks: "I've been asked by a university professor to design a network security lab for use by about 15 students. Designing a course was asked earlier, but little info was discussed on equipment. It needs to be vendor independent if possible. I've got ideas on using virtual machines, patches, IDS, firewalls/vpn and sniffers but would like to know what the Slashdot community can come up with." -
VMware ESX 2 vs. MS Virtual Server?
Saqib Ali asks: "I'm sure most of you have heard that Connectix, the makers of Virtual PC/Server, have been acquired by Microsoft. Based on the technology acquired, MS has developed a new product called Microsoft Virtual Server, using which a Windows Server 2003 based server can run multiple operating systems concurrently. I am doing a preliminary analysis of using MS Virtual Server vs. running VMware ESX Server 2.0 on Clustered Linux Environment. Both solutions offer a way of running multiple OSes in a virtual environment using the same underlying OS (Windows 2003 or Linux). Of course, running VMware on Linux, offers the stability, scalability, and reliability of Linux, and also prevents a business from being locked into one single vendor. However running Microsoft Virtual Server does have some merits from a business perspective (vendor viability, reduced licensing costs etc). Any thoughts on merits/benefits/downside of using either of the technology stacks?" -
Fyodor Answers Your Network Security Questions
You asked nmap creator Fyodor many excellent questions, and his answers (below) are just as excellent. You'll want to set aside significant time to read and digest this interview, because Fyodor didn't just toss off a few words, but put some real time and energy into his answers.
1) Interesting stories involving nmap?
by Neologic
Nmap has obviously become a huge success in the *nix world. I would wager that practically all sysadmins and security folk use nmap. With this sort of use by such creative and lazy people, there must have been some interesting stories involving nmap, perhaps unusual uses of it, or funny anecdotes. Are there any you would like to share?
Fyodor
The coolest use ever was undoubtedly when Trinity used it to try and save the human race :). But the use I find most gratifying are the Chinese students and residents who have written me about how they use Nmap to locate open proxies. These proxies allow for surfing the uncensored Internet, including the news, educational, pornographic, religious, open source software, government, political, search engine, and human rights sites that are blocked by the Great Firewall of China.
Many of the best features in Nmap came from the user community in ideas if not implementation. For example, the protocol scan (-sO) determines what IP protocols (TCP, UDP, GRE, etc.) a host is listening for. I had not thought of this, but the idea and patch came out of the blue one day in an email from Gerhard Rieger. On another day, a guy named Saurik sent a patch called Nmap+V that allows Nmap to do basic service/version fingerprinting against open ports. It has attracted a cult following, and I plan to add similar functionality to Nmap this year. The initial Windows port by eEye arrived similarly. Despite all these great suggestions, certain other user-contributed ideas are not on the agenda.
Then there are a small handful of users who detect problems nobody else would ever notice, like 4 byte/host memory leaks. They send me error messages with notes saying the bug happens "about once per 700,000 IPs". I have no idea what these guys are up to, but some have been sending me this kind of mail for years. They can't be spammers, as they are intelligent and also use more sophisticated scan techniques than you would need to just find SMTP servers.
2) Recent increases in anal-retentiveness...?
by Zeriel
There's been a marked increase in system administrators thinking that anything even remotely resembling a network scan is eeeeevil (case in point, last year I almost got kicked out of college for scanning port 80 on my dorm subnet looking for interesting websites to read)...
What do you think can be done to make scanning IP addresses/ports have less of a negative stigma? This is in the same sort of category as legit vs. illegit uses of anything else (P2P, whatever)--what's the rationale for punishing something that could maybe lead to criminal activity, and how can we make network scanning tools have practical uses again?
Fyodor
That is an excellent question, and one that concerns me as well. But first, I think your final statement is too extreme. I would guess 90% of network scanning is non-controversial. You will rarely be badgered for scanning your own machine or the networks you administer. The controversy comes when scanning other networks. There are a lot of (good and bad) reasons for doing this sort of network exploration. Perhaps you are scanning the other systems in your {dorm, department, cable LAN, conference LAN} to look for publicly shared files (FTP, SMB, WWW, etc.). Or perhaps you're just trying to find the IP of a certain printer. Maybe you scanned your favorite web site to see if they are offering any other services, or because you are curious what OS they run. Perhaps you are just trying to test connectivity, or maybe you wanted to do a quick security sanity-check before handing off your credit card details to that ecommerce company. You might be conducting Internet research, or be bored on a rainy afternoon. Or are you conducting reconnaissance in preparation for a breakin attempt?
The remote administrators rarely know your true intentions, and do sometimes get suspicious. The best approach is to get permission first. I've seen a few people with non-administrative roles land in hot water after deciding to "prove" network insecurity by launching an intrusive scan of the entire company or campus. Admins tend to be more cooperative when asked in advance than when woken up at 3AM by an IDS alarm claiming they are under massive attack.
You compared Nmap to P2P tools in having a "negative stigma". In both cases, one effective way to fight the stigma is to limit your own use to "legitimate" purposes. Use BitTorrent to download RedHat ISOs, but not Matrix Reloaded. Use Nmap to secure and monitor your computers, but not to attack other networks. And if you decide to attack other networks anyway, please be courteous and set the evil bit.
Now I'll admit that I don't always obtain explicit permission before scanning other networks. I don't believe (but IANAL) that a simple port/OS scan of a remote system is or should be illegal. Any machine connected to the Internet will be scanned so often that most admins ignore such "white noise" anyhow. But scan other networks often enough, and someone will eventually complain. So my advice would be:
- Don't do anything controversial from your work or school connections. Even though your intentions may be good, you have too much to lose if someone in power (boss, dean) decides you are a malicious cracker. Do you really want to explain your actions to someone who may not even understand the terms "port scanner" or "packet"? Spend $10 bucks a month for a dialup or shell account. You didn't really violate this rule, as scanning your dorm subnet for just port 80 should not even be remotely controversial!
- Target your scan as tightly as possible. If you are only looking for web servers, specify -p80 rather than scanning all 65,535 TCP ports on each machine. If you are only trying to find available hosts, do an Nmap ping scan. Don't scan a /16 when a /24 will suffice. The random scan mode now takes an argument specifying the number of hosts, rather than running forever. So consider -iR 1000 rather than -iR 10000 if the former is sufficient. Use the default timing (or even "-T Polite") rather than "-T Insane".
- Nmap offers many options for stealthy scans, including source-IP spoofing, decoy scanning, and the more recent Idle Scan technique. But remember there is always a trade-off. You will be harder to detect if you launch scans from an open WAP far from your house, with 17 decoys, while doing followup probes through a chain of 9 open proxies. But if anyone (such as Tsutomu Shimomura) does track you down, they will be mighty suspicious of your intentions.
I occasionally consider adding some sort of "notification packet" prior to a scan that would give hosts the chance to respond and opt-out. This would be like the /robots.txt directives currently used to control polite Web robots. Perhaps the format could even include a text string that IDS systems could log, like:
nmap -sS -p- -O -m "Direct questions about this scan to ops at x3512" 192.168.0.0/16
nmap -sS -p- -O -m "mY n4m3 iZ Zer0 |<00L and I'll 0wn j0o%#@" targetcompany.com/24
Of course Nmap would have an option to omit the notification or to send it and ignore any negative responses. Some scanners, such as ISS Internet Scanner already send out NetBIOS popup messages to scanned hosts by default, and other scanners use syslog. I won't be adding any features like this to Nmap unless I see substantial demand and the obvious issues are worked out.
3) OS fingerprinting
by neoThoth
What are the latest advances in fingerprinting networked devices that seem most promising to you? I have started reading papers on HTTP fingerprinting and such and wonder how these will figure into the NMAP architecture. What are the most elusive OS's that aren't on the NMAP OS fingerprint database?
Fyodor
There are a number of OS detection techniques I hope to add this year. One is to guess (or calculate) the initial TTL of response packets, since this varies by OS. Some operating systems also "reflect" your own chosen TTL under various circumstances. Then there are some newer TCP options, such as selective ack that I might test for. Explicit Congestion Notification (RFC 2481/3168) also shows promise. I'll probably add all of these at once later this year, after discussions with the Nmap-dev list. If you wish to participate, you can join that list by sending a blank email to nmap-dev-subscribe@insecure.org. There is also a low volume, moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 15,000 current members by mailing nmap-hackers-subscribe@insecure.org [archives].
While adding new fingerprinting techniques is fun and exciting, improving the signature database often adds more value. The DB now contains more than 850 signatures, from the Acorn RISC OS and Aironet wireless LAN bridge to the ZoomAir wireless gateway and Zyxel Prestige routers. We're talking gaming consoles, phones, PBX systems, PDAs, webcams, networked power switches, you name it! New fingerprints are submitted daily.
Application level fingerprinting (including HTTP) is coming. I usually regret stating dates, but I hope to develop this functionality within the next 3 months.
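As an added illustration of the initial-TTL idea in the answer above (example code written for this page, not Nmap's implementation): a packet leaves its sender with an OS-dependent starting TTL and loses one per router hop, so rounding an observed value up to the next common starting point (32, 64, 128 or 255) estimates both the initial TTL and the hop distance, and a hop count from traceroute turns that guess into a calculation. The last function probes for the "reflecting" stacks mentioned by sending with different TTLs and checking whether the reply TTL tracks them. The OS-family labels and the sample TTL values are assumptions constructed for the demonstration, not a fingerprint database.

```python
from collections import Counter

# Common starting TTLs. The family labels are a heuristic assumed for this
# example; real fingerprinting combines many more signals than TTL alone.
INITIAL_TTLS = (32, 64, 128, 255)
TTL_FAMILY_HINT = {
    32: "Windows 9x / some embedded stacks",
    64: "Linux, *BSD, macOS and most other Unix",
    128: "Windows NT family",
    255: "Solaris, Cisco IOS and many network devices",
}


def guess_initial_ttl(observed):
    """Smallest common initial TTL that is >= the observed value.

    TTL only ever decreases in transit, so the starting value is at least
    `observed`; the next boundary up is the conventional guess.
    """
    if not 0 < observed <= 255:
        raise ValueError("TTL out of range: %r" % (observed,))
    for start in INITIAL_TTLS:
        if observed <= start:
            return start
    return 255  # not reached: INITIAL_TTLS ends at the maximum


def hop_distance(observed, initial=None):
    """Hops between us and the sender, given (or guessing) its initial TTL."""
    if initial is None:
        initial = guess_initial_ttl(observed)
    return initial - observed


def classify_ttls(observed_ttls, known_hops=None):
    """Summarise the TTLs seen in replies from one host.

    known_hops, e.g. from a traceroute, lets the initial TTL be calculated
    (observed + hops) rather than guessed. Samples that straddle a boundary
    (say 63 and 65) make the guess ambiguous and are flagged.
    """
    ttls = list(observed_ttls)
    if not ttls:
        raise ValueError("no TTL samples")
    mode = Counter(ttls).most_common(1)[0][0]
    if known_hops is not None:
        initial = mode + known_hops
    else:
        initial = guess_initial_ttl(mode)
    return {
        "initial_ttl": initial,
        "hops": initial - mode,
        "family_hint": TTL_FAMILY_HINT.get(initial, "nonstandard initial TTL"),
        "calculated": known_hops is not None,
        "ambiguous": len({guess_initial_ttl(t) for t in ttls}) > 1,
    }


def reflects_probe_ttl(probe_pairs):
    """Detect a stack that copies the probe's arrival TTL into its reply.

    probe_pairs: [(sent_ttl, reply_ttl), ...] from probes deliberately sent
    with different TTLs. A normal stack replies with its own fixed initial
    TTL, so reply_ttl is constant. A reflecting stack's reply moves in
    lockstep with sent_ttl, so (sent - reply) is the constant instead.
    """
    sent = {s for s, _ in probe_pairs}
    replies = {r for _, r in probe_pairs}
    if len(sent) < 2:
        raise ValueError("need probes with at least two different TTLs")
    if len(replies) == 1:
        return False
    return len({s - r for s, r in probe_pairs}) == 1


if __name__ == "__main__":
    # Constructed sample: replies from one host seen with TTL 51 twice and
    # 50 once (a route flap), plus probes sent with TTL 200/150/100.
    print(classify_ttls([51, 51, 50]))
    print(classify_ttls([51, 51, 50], known_hops=13))
    print(reflects_probe_ttl([(200, 174), (150, 124), (100, 74)]))
```

The guess is only as good as the boundary assumption: an observed TTL of 63 or 65 could come from a 64-start host one hop away or a 128-start host many hops away, which is why a measured hop count, or several other signals, is worth more than the TTL alone.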
4) Stepping into a network security career
by Anonymous Coward
I'll be graduating this month with a shiny new BS in Computer Science. I've done plenty of Unix sysadmin work throughout college and even deployed some high-interaction honeynets. I'm very interested in network security and systems programming. Do you have any advice for people in my situation who want to head into a career in network security?
Fyodor
Congratulations on your graduation! Unfortunately (for newcomers), the security field is one that often expects substantial experience and references. This is partly because these jobs require extraordinary trust, and also because of an aversion to mistakes. Everyone makes mistakes, but they can be extraordinarily costly in security and neophytes tend to make more of them. But don't lose hope! Talented security minds are still in very high demand, just be aware that you will have to work even harder to prove yourself.
Here are my suggestions for anyone starting out in network security, whether for fun or profit:
Step 1: Learn everything you can
- You may wish to start with reading a general overview of security, such as Practical Unix and Internet Security 3rd Edition.
- Reading alone won't teach you much. Hands-on experience is critical, so I would set up at least a basic test network. At the very minimum you should have a Unix box or two and a Windows machine (because these are very common in the real world). You can use very cheap machines, or even emulate a large network with virtualization software such as VMWare.
- Next you should learn more about how attacks are performed. Take a look at the excellent and free Open Source Security Testing Methodology Manual (OSSTMM). This document aims to provide a comprehensive framework for security testing. But it mostly lists tasks to perform, without specifying how to do so. You will gain a lot from this manual if you research the tasks you don't know how to complete, and if you actually try performing the tasks on your test network. If this manual is too curt or hard to follow, you could try a more verbose book on vulnerability assessment, such as Hacking Exposed 4th Edition.
- Now that you understand many of the general security ideas, it is time to get current. This is one area that has actually become easier in the last decade. The thinking used to be that vulnerability information should only be distributed to well-known and trusted administrators and security researchers through private digests such as Zardoz. This was a disaster for many reasons, and the full disclosure movement was born. In the last couple of years things have started to shift toward more limited ("responsible") disclosure and there is also a disturbing pay-money-for-early-disclosure trend. But information is still much more available than it used to be. Most of the news is carried on mailing lists, and I archive the ones I consider the best at Lists.Insecure.Org. You must subscribe to Bugtraq, and I would also highly recommend pen-test, vuln-dev, and security-basics. Read at least the last 6-12 months of archives. Choose other lists that correspond to your interests. SecurityFocus also offers a security-jobs list which is an excellent resource for finding jobs or just understanding what employers desire.
There are two major reasons for reading Bugtraq. One is that you must react quickly to new vulnerabilities by patching your servers, notifying your clients, etc. You can get this by simply scanning the subject lines or advisory summaries for bugs that directly apply to you. But then you will miss out on another crucial purpose of Bugtraq. Actually understanding a vulnerability helps you defend against it, exploit it, and identify/prevent similar bugs in the future. When you are lucky, the advisory itself will provide full details on the bug. Check out this excellent recent advisory by Core Security Technologies. Note how they describe exactly how the Snort TCP Stream Reassembly vulnerability works in detail and even include a proof-of-concept demonstration. Unfortunately, not all advisories are so forthcoming. For bugs in Open Source software, you can understand the problem by reading the diff. The next step is to actually write and test an exploit. I would recommend writing at least one for each general class of bug (buffer overflow, format string, SQL injection, etc.) or whenever a bug is particularly interesting.
Be sure to read the latest issues of Phrack and the research papers posted to the mailing lists. Send your comments and questions to the authors and you may start interesting discussions. Read well-regarded books on the security topics that interest you most.
I can't emphasize enough that you should intersperse hands-on work with all of this reading. Install unpatched RedHat 8 (or whatever) and run Nmap and Nessus against it. Then compromise it remotely, maybe via the latest Samba hole. Start out with a prewritten exploit from Bugtraq, which isn't quite as easy as it sounds. You may have to modify the 'sploit to compile, brute force the proper offset, etc. Then break in again using a different technique, and your own exploit. Install Ethereal and/or tcpdump and ensure you understand the traffic on your network during both your exploitation and normal network activity. Install Snort on an Internet-facing machine and watch the attacks and probes you'll experience. Wander around your neighborhood with Kismet, Netstumbler, or Wellenreiter on your Laptop or PDA to look for open WAPs. Install DSniff and execute an active MITM attack on an SSH or SSL connection between two of your computers. Take a look at my Top 75 Tools List and ensure you understand what each does and when it would be useful. Try out as many as you can.
- Take a vacation, or at least a weekend camping! You deserve it! The steps above would probably take at least 3-12 months full-time, depending on your motivation level and the depth and breadth of your research.
Now you have learned enough to be dangerous. At this point, you would have little trouble obtaining most certifications, after studying the specifics of each topic. If your main goal is to find a job quickly, perhaps adding these extra feathers to your cap might be worthwhile. But I think your best bet is to prove your knowledge by joining and contributing to the security community. While this does indeed help others, it isn't an entirely selfless act. It improves your skills, leads to important contacts, and demonstrates your knowledge and ability in a constructive way. The latter is important if securing a career is one of your goals. These steps should also be fun! If not, perhaps you should keep looking at other fields. Here are some ideas:
Start participating with insightful comment and answers on the mailing lists. This is very easy and serves as a great learning experience, way to meet people, and garners some name recognition. If a security manager with a stack of 60 resumes recognizes your name, that is a huge win!
When a new worm or a big new vulnerability comes out, everyone wants to know the details. If you stay up all night disassembling the worm/patch and write the first comprehensive analysis, many folks will find that valuable. And you will learn a lot. Let your first priority be quality - if someone beats you to it, just compare your results with theirs to see if you (or they) missed (or misinterpreted) anything. You can also post your own exploits, although that is more of a political hot potato.
Attending security conferences is a great way to learn, party with fellow hackers, and network (in every sense of the word). Much better is to speak at these conferences. This field changes rapidly so there are always new topics and technologies to discuss. You don't have to be a well-known expert with a long history - just learn your topic well and put in the effort for a quality presentation. You could present at Defcon, at one of the more commercial events, or at a smaller regional con like ToorCon, CodeCon, Hivercon, etc. Among other advantages (often free admission/travel/hotel), this is a great way to meet people with similar interests. I spoke at the latest CanSecWest and have submitted a proposal for the next Defcon.
Now that you've seen and understand a wide variety of software vulnerabilities from your Bugtraq research, start finding your own. You can start by downloading any PHP app from Sourceforge. Most of those are hopelessly vulnerable to Cross-Site-Scripting, SQL injection, and/or remote code execution by "remote include" directives. Many (if not most) Windows shareware daemons are also vulnerable to simple buffer overflows and format-string bugs. Notify the authors and then write an advisory. After a few of these "easy targets", try breaking some more widely deployed programs.
Write a security tool! I could list some suggestions, but by this point you will have many of your own ideas as to what is needed. Scratch an itch.
I hope this helps. If you want more suggestions, Ask Slashdot. From that story, I found this post particularly insightful, especially the emphasis on "people skills". I don't claim to have any, but understand the value :).
5) Have you ever been tempted to use your gifts...
by Tim_F
...in a negative manner?
Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?
And if you haven't, why is that the case?
Fyodor
I never do script-kiddie style "hack any random vulnerable box on the Internet" cracking. But sometimes I will launch targeted attacks at specific companies. I'll usually start with just a web browser and various search engines to learn everything I can about my target. I need to understand what the company does, who it partners with, and whether it has any corporate siblings, subsidiaries, or parents. Beyond that, posts by individual employees can be a gold mine. Besides providing names and titles for social engineering and brute force password attacks, the IPs in the mail/news routing headers can be very valuable. One of the reasons I run my own mailing list archive is to maintain access to the raw mail folders which contain the routing info and X-no-archive posts that web archives strip out. Another advantage to locating employees is that you can send them trojan executable attachments, which can be a very effective way into the network.
Next I'll gather known IP network information on the companies via DNS, whois, regional registries like ARIN, routing info, Netcraft, etc. Then comes the scanning (I tend to use Nmap), application-probing, vulnerability discovery, and exploitation stages.
Of course, I only do this when the company is paying me to do so. Performing these pen-tests offers several advantages over blackhat activity:
- You don't go to jail (If you've worded your contract carefully.)
- Instead of having to keep your übertechniques secret to avoid prosecution, you get to demonstrate them to management.
- They actually pay you for this! And you are helping to protect them and the privacy of their customers.
Now some people might ask how you gain these skills without practicing on other networks first. Cheap hardware and the evolution of free UNIX operating systems have made this much easier than in the past. See the previous answer for some suggestions. And remember that you can always work together with friends, or participate in hacking contests like Defcon's Capture the Flag.
6) You'll have seen a lot of breakins.
by Hulver
During your time running Honeypots, you'll have seen a lot of compromised systems. Is there any incident that's really stuck in your mind because of the audacity of the attempt, or the stupidity of the person attempting the breakin.
Fyodor
On the humorous front, one attacker was running a public webcam during his exploits, so we were able to watch him crack into our boxes in real time :). I will resist the urge to link a screenshot. His rough location was determined when we noticed Mrs. Doubtfire playing on his TV and correlated that with public schedule listings. He was working with a Pakistani group, but was actually on the US East Coast.
In the "disturbing audacity" front, this year we found that a group of crackers had broken into an ecommerce site and actually programmed an automated billing-system-to-IRC gateway. They could obtain or validate credit card numbers by simply querying the channel bot! Expect a more detailed writeup soon.
7) What makes a honey net enticing?
by cornice
It seems that many of the honey nets that the average hobbyist would run are built to attract a lesser cracker. What I mean is that ports are left open that normally would not be left open. Services are running that normally should not, etc. I think that a really smart fish would see this as nothing but a cheap lure and refuse the bait. Do you think it's possible to fool the really smart fish? Is it possible to bait with something enticing enough without tipping off the big fish? Does publication of your work make this task more difficult?
Fyodor
Excellent question, and I had many of the same concerns upon joining the project. Then I remembered that most of the attacks and real-world compromises are committed by these marginally skilled script kiddies. So there is still a lot of value in understanding their tools, tactics, and motives. Despite this apparent limitation, I have been surprised by some of the sophisticated things we have found. For example, the first known "in the wild" attack using the Solaris dtspcd vulnerability was caught by one of our honeynets and resulted in this CERT advisory. Then one of our Honeynet Alliance members had their Win2K honeypot compromised and joined into a botnet with 18,000 machines! Attackers on such a grand scale won't even know all of the companies they have compromised, much less whether any of the systems are honeynets.
I do believe baiting the "smart fish" might be possible, but I have never done this. It is not legally entrapment, as we aren't any sort of police force, but I am not very comfortable with the idea. If someone attacks my box that is just unobtrusively sitting on the network, I believe the attacker should have no expectation of privacy for his activities on the system. Things become more complex if I try to lure the attacker.
8) IPv6
by caluml
Do you think that with the very large address space of IPv6 that random scanning for a certain port will die off? (I notice nmap doesn't support random IPv6 address scanning - maybe you've already come to the same conclusion?) Simply put, the chances of finding a machine if it's not advertised anywhere will be very much reduced. Will this make people lazy and complacent, trusting on the large numbers involved to protect them?
Fyodor
Finding a machine by pinging a completely random 128-bit address will probably never be effective. Fortunately, we won't have to! Nmap does not even do that for 32-bit IPv4 addresses - it is smart enough to skip huge blocks of address space that are unallocated or used for private (RFC1918, localhost) addresses. We will also see patterns emerge for IPv6. For example, they may often be allocated sequentially so that finding one leads to many others. I am waiting until adoption rises and we start seeing these patterns emerge before I can implement them appropriately in Nmap. Certain new DNS features may also prove useful for locating IPv6 machines and networks.
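The two ideas in that answer, rejecting address space that cannot answer before spending a probe on it and walking outward from an IPv6 host you have already found, as an added example written for this page (not Nmap's own target-generation code). The IPv4 skip list is the set of IANA special-purpose blocks assumed here; a real scanner would also load a current unallocated/bogon list. The /64 boundary and the "sequential numbering within a subnet" pattern are the assumptions behind the IPv6 helper.

```python
import ipaddress
import random

# Special-purpose IPv4 blocks assumed for this example (not a live feed).
SKIP_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # carrier-grade NAT (RFC 6598)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # TEST-NET-1
    "192.168.0.0/16",   # RFC 1918 private
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2
    "203.0.113.0/24",   # TEST-NET-3
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved, includes 255.255.255.255
)]


def is_routable_v4(addr):
    """True if addr is outside every special-purpose block in SKIP_V4."""
    a = ipaddress.IPv4Address(addr)
    return not any(a in net for net in SKIP_V4)


def random_v4_targets(count, seed=None):
    """Draw `count` random IPv4 targets, rejecting special-purpose space.

    Rejection sampling is cheap here: the skipped blocks cover well under a
    fifth of the 32-bit space (see skipped_fraction_v4), so most draws pass.
    """
    rng = random.Random(seed)
    targets = []
    while len(targets) < count:
        candidate = ipaddress.IPv4Address(rng.getrandbits(32))
        if is_routable_v4(candidate):
            targets.append(candidate)
    return targets


def skipped_fraction_v4():
    """Share of the 32-bit space that random_v4_targets never emits."""
    covered = sum(net.num_addresses
                  for net in ipaddress.collapse_addresses(SKIP_V4))
    return covered / 2 ** 32


def ipv6_neighbors(known_host, before=2, after=2):
    """Addresses adjacent to a discovered IPv6 host, clipped to its /64.

    Random 128-bit probing is hopeless; the usable pattern is that hosts in
    one subnet are often numbered sequentially, so a hit at ::10 makes ::11
    a far better next probe than a random draw.
    """
    host = ipaddress.IPv6Address(known_host)
    subnet = ipaddress.IPv6Network((int(host), 64), strict=False)
    lo, hi = int(subnet.network_address), int(subnet.broadcast_address)
    neighbors = []
    for offset in range(-before, after + 1):
        if offset == 0:
            continue
        candidate = int(host) + offset
        if lo <= candidate <= hi:
            neighbors.append(ipaddress.IPv6Address(candidate))
    return neighbors


if __name__ == "__main__":
    print("skipped IPv4 fraction: %.3f" % skipped_fraction_v4())
    print([str(t) for t in random_v4_targets(5, seed=1)])
    print([str(a) for a in ipv6_neighbors("2001:db8::10")])
```

Passing a seed makes the target list reproducible, which matters when a scan has to be paused and resumed or when someone asks exactly which addresses you touched.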
9) standalones and small home nets
by zogger
It seems like most of the emphasis is on enterprise networks, but that still leaves millions and millions of home machines and small home networks just stuck. What do you see as some of the trends and solutions for those people? Their data and system integrity is just as important to them as any corporation's is, and usually not having the appropriate skill set, is even harder to implement.
Fyodor
I am afraid the focus by security companies on enterprise networks will continue, as that is where the money is. The good news is that securing small home networks is far easier. But that doesn't make it simple, nor mean that many people will bother. I would categorize the risks into 3 categories:
Traditional network server vulnerabilities: Your average home user doesn't need to run any network daemons or have any TCP/UDP ports open to the Internet. Most of the time they only have 1 IP, used either by a standalone PC or a NAT device (e.g. "broadband router") in front of their small network. This is a good configuration, as it limits what attackers can reach directly. But you need to be sure that the IP doesn't have any unnecessary ports open. You can verify this by running 'netstat' on the Windows or UNIX machine using the IP. I would also recommend confirming using a port scanner such as Nmap. Here are example commands:
nmap -p- -sS -T4 -v -O [your IP]
nmap -p- -sU -v [your IP]
The TCP and UDP scans could be combined into one execution, but are listed separately since the TCP scan may go much faster. Remote UDP scans are also less reliable against some heavily filtered hosts. You may have to rely on the netstat info or configuration details in this case. Any open ports found should be evaluated with extreme prejudice. Unless clearly necessary, close Windows file sharing, external NAT device admin ports, and everything else found.
Don't forget the wireless backdoor! Blocking the Internet link from your private machines is insufficient if anyone can hop on your open WLAN and attack your machines. WEP isn't perfect, but the 104-bit (so-called 128-bit) version should at least keep people from accidentally connecting to your network or sniffing your data. Be sure to set a good password and upgrade to recent firmware for your WAP and other network devices.
Subscribe to the security advisory lists for all the operating systems (and devices, if available) you run. Major vendors such as RedHat, Debian, FreeBSD, Mandrake, and Microsoft all offer these. Most even offer automatic updates if you desire that.
Client vulnerabilities: Once you close the services you don't need (ideally all of them), client vulnerabilities must be addressed. Keeping your web browser and mail reader up-to-date is particularly crucial. Also harden them as much as possible. For example, IE is full of holes but at least has a good interface for site-by-site security policies (Tools -> Internet Options -> Security). Go through and neuter the "Internet zone" settings by disabling ActiveX and Java. In the rare case that sites need this, find an alternative site or add them to the trusted zone. If you are really serious about security, neuter "trusted sites" and "local intranet" privileges as well. Many recent IE vulnerabilities trick the browser into using the wrong zones. Consider using a different browser. Also configure your mailer to disregard HTML and JavaScript.
Remember to pay careful attention to security warnings, whether they come from IE, Mozilla, your ssh client, or anything else. Don't just click OK. And don't shoot yourself in the foot when configuring your apps. It is hard to entirely blame the vendor when users tell P2P apps or Windows filesharing to share their whole drive without any password. Failing to change default passwords or enable basic restrictions on X Window or FTP servers is only slightly more forgivable. All of these errors happen frequently! The apps/devices should be secure by default, but you have the ultimate responsibility for protecting your data.
Malware: This is what I consider the biggest problem on desktops: people running applications they can't trust. Email borne viruses, worms and trojans are an obvious example. Be very careful what you click on. Unfortunately, it is very difficult to know what to trust. Mail is trivial to forge, and even the "proper" installers for many P2P applications infest your computer with loads of invasive spyware. Even Intuit TurboTax was caught writing to customers' boot information track.
What can you do? My honest suggestion is to run peer-reviewed open source applications on a free OS such as Linux or FreeBSD. You still have to be careful, but these problems are far less prevalent on UNIX platforms, which also have better tools and procedures to deal with them.
What if dumping Windows is not an option? Run NT/2K/XP instead of Win9X/ME, and try to run everything you can as an unprivileged (non-administrator) user. Be extraordinarily careful about what you install and run, and make frequent backups. You might also want to look into a personal firewall such as Zone Alarm (limited free version).
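For the "confirm with a port scanner" step in the answer above, an added, unprivileged connect() check written for this page (not Nmap code; Nmap's -sS works on raw packets and needs root). It classifies ports the way a scanner reports them: a completed handshake is open, an immediate refusal (the host's RST) is closed, and no answer before the timeout is filtered, meaning something dropped the SYN. The loopback listener is a constructed stand-in for a real service so the script runs on its own; the half-second timeout is an assumption.

```python
import errno
import socket


def scan_tcp(host, ports, timeout=0.5):
    """connect() to each port and classify it the way a port scanner does."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"        # three-way handshake completed
        except socket.timeout:
            results[port] = "filtered"    # SYN dropped, nothing came back
        except OSError as e:
            if e.errno == errno.ECONNREFUSED:
                results[port] = "closed"  # host answered with RST
            else:
                results[port] = "error:%s" % errno.errorcode.get(e.errno, e.errno)
        finally:
            s.close()
    return results


def start_listener(host="127.0.0.1"):
    """Bind a throwaway service on an ephemeral port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo():
    """Scan one listening port and one just-released port on loopback."""
    srv, open_port = start_listener()
    tmp, closed_port = start_listener()
    tmp.close()  # released before the scan, so it should report "closed"
    try:
        results = scan_tcp("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port,
            "results": results}


if __name__ == "__main__":
    for port, state in sorted(demo()["results"].items()):
        print("%5d/tcp  %s" % (port, state))
```

Run it against your own external address from a second machine and compare the open ports with what netstat lists locally; anything open that netstat does not explain, or that you cannot name a reason for, is exactly what the answer says to close.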
10) What is your favourite tool?
by Noryungi
I have just read your top 75 security tools list. Thank you for posting all this information, which I am going to study very carefully.
One question though: in all these tools, which one is your personal favourite? (This excludes Nmap, of course).
Fyodor
I have far too many favorites among this great group to choose just one! But here are a few developers and tools that are particularly worthy of mention:
One of the people I most admire in the security field is Solar Designer. He is a guru in networking, security, and low level kernel/assembly/architecture details. He has also created many tools that security professionals use daily. Yet he never exhibits the arrogance, elitism, and egotism that sadly characterizes so many "stars" of the security community.
Among SD's tools is John the Ripper, my longtime favorite local password hash cracker. It has been around forever, but was written with a flexible and powerful interface while keeping extensibility in mind. So it is still as useful in these days of shadowed password files and MD5/Blowfish hashes as it was back in the days of crypt() and unprotected /etc/passwd. Lately SD has been working on the Owl secure GNU/Linux distribution, which can be installed on disk for hardened systems like firewalls, or booted and run from CD as an easy way to run security tools such as John and Nmap.
Another of those "brilliant yet still nice" security developers is Dug Song. Even after the seminal "Insertion, Evasion, and Denial of Service" paper by Ptacek and Newsham, many IDS vendors continued to ignore the problem. When Dug released Fragrouter (now fragroute), which implements some of these attacks, vendors finally took notice! He has also written the excellent libdnet library, but my favorite of his tools is DSniff, a suite of tools for advanced network sniffing and "monkey-in-the-middle" attacks. It even handles ARP poisoning and other techniques for sniffing hosts on a switched LAN.
While I'm on this topic, let me also give "mad props" to the Hping2 packet prober, Kismet wireless stumbler, Ethereal packet decoder, Netcat, recent THC releases, Snort IDS, the Nessus vulnerability scanner, and all the other great Open Source tools out there!
I would also like to thank Slashdot for granting me this interview and to everyone who asked such excellent questions. I only wish I had time to answer more of them. Then again, I have probably rambled on enough. Now it is your turn to ramble in the comments :).
Cheers,
Fyodor -
Searching for Keyboards Loaded with Features?
halfgeek asks: "I was just considering how keyboard-centric I've managed to make my setup, even under the mouse-hungry Windows GUI (no shouting; I regularly SSH to my Linux routing box for experiments, bring up VMWare when I need some X, and can't live without Cygwin). Almost everything I would want to do can be done without moving a hand to the mouse. I can open up an SSH to my server with Win+Shift+V, bring up a calculator with Win+C, run a one-shot console command with Win+0, open up the MW dictionary website to a highlighted word by hitting Ctrl+C (to copy) and then Win+Enter (to look up the contents of the clipboard). (Much of this is implemented with Perl programs and WinKey.) I also make frequent use of the volume knob and mute button built into my Logitech keyboard. If there is any good route to finding the keyboard I want with all the features I'm thinking of at a justifiable price, whether prefabricated or a wicked mod, I would just love to know about it." There are quite a few options the submitter is looking for, but it basically boils down to this: the more keys, the better. What keyboards have you found, in your browsing travels, that have been stuffed full of useful features?
"I'm aggravated over having the mouse still so separate from the keyboard, and I've been looking through the available options along the lines of keyboards with built-in touchpads. The closest I've found to what I want seems to be the Adesso WKB-120, but this is by no means the ideal choice. It does have three basic properties I want: One, it doesn't have the ergo-split form I so despise. Two, its touchpad is situated in the right place, just below the space bar. Three, it's all one piece, so I can keep the board off the desk and on my knees, where it belongs, eh. But it also appears to have those three intensely undesirable and horribly misplaced power management keys, and lacks the volume knob, mute button, and media controls.
An illuminated keyboard would also be cool, but I'd take standard beige; it's just that my current black keyboard is hard to see in the dark."
-
Honeypots Via VMware?
Loki_1929 asks: "Having just installed a trial of VMware workstation 3.2, I'm left wondering if anyone has used it as part of a security solution on a network. Specifically, has anyone had any experience using a virtual machine as a 'honeypot' on a business network that experiences a sizable volume of attacks? If so, what successes and problems have you run into? I would assume that a virtual machine compromise would pose no security threat to the rest of the network, and an 'undoable' disk would make picking up the pieces of the honeypot quite simple, but what other sorts of pitfalls are there to deal with, if any? As a consultant for many small to medium size businesses, it occurs to me that this may be a reasonably safe, secure, and cost-effective solution, but I thought the Slashdot community might have some experience and insights into the actual feasibility of a system like this." -
VMware: Another Netscape?
An anonymous reader writes " This CRN article states that Microsoft is about to buy Connectix and enter the server consolidation market. Connectix makes virtual machines products that compete with those of VMware. Quote: 'The technology will be integrated into the Windows code, sources said.' Will Microsoft be able to pull this one off? Will their virtual machines run operating systems other than Microsoft's?" -
NSA + VMware = Crackproof Computing?
n8willis writes: "ZDnet is reporting on a VMware and NSA collaboration called "NetTop." The idea is to run multiple virtual computers on one box, to eliminate the need for government workers to have separate PCs--and indeed separate networks--for classified and unclassified data. The challenge is making the virtual barriers as secure as the physically separate networks. NSA and VMware say they've done it. What do you think?" Will copying between virtual machines be impossible? I wonder when (or if) NSA changes will make their way into the various distributions' boxed releases. -
In Depth Look At Red Hat Certification
Matthew Miller recently went through the RH300 training course, as well as the RHCE Certification Exam. He was kind enough to write an overview and give us his opinions on both of them, as well as his opinions on the relevance and quality of the training and the exam. Certification has been discussed extensively with regards to Linux, and here's a big scoop of food for thought. The following was written by Slashdot Reader Matthew Miller
I'm fortunate enough to work at a place that realizes the importance of keeping employees educated and up-to-date. Since my largest current project is Linux-related, and based on Red Hat's distribution in specific, we thought it'd be worthwhile to send me to Red Hat for their RH300 course. I'm pretty familiar with Linux, but I'm a long way from knowing everything, and it's always interesting to learn what the vendor thinks are the most important parts of their product. We chose RH300 because it's the highest-level systems administration class currently offered. It's also the one linked to the RHCE exam, which was an added bonus, but learning was my main goal, not getting the certification. This is my report on the experience -- hopefully, it will help you decide if this is a good choice for you, either as a sysadmin or as an employer.
The Training Center
This course is not only available directly from Red Hat, but also from various partner organizations, including Global Knowledge, which has a training center here in Boston. However, we decided that if we were going to go to the expense of sending me, I might as well go directly to Red Hat, to increase the chances of getting a good instructor, and to insure adequate access to resources. We've had experiences in the past with third-party instructors who didn't know much beyond what was written in the materials. Of course, I don't know that this would be the case with Global Knowledge's version of RH300 -- perhaps someone else can comment on any experience they've had there.
So, it was off to the Red Hat headquarters in Durham, NC. Incidentally, I stayed in the Residence Inn there -- it was on Red Hat's site as being nearby. They didn't mention that it was on the other side of a major highway, with no provision for pedestrians to get across. Moral: stay at one of the closer hotels, or else get a car. Anyway, the RH building is very nice -- much bigger than I expected. (I suppose the IPO cash is going to good use.) Of course, as students, we weren't shown much of it -- no tour, and we weren't introduced to any of the celebrity employees. (Fair enough -- with several classes coming through every week, they'd never get anything done.) The people I did meet seemed pretty cool, and in general I got the impression that it's a fun place to work.
The classroom was about as I expected -- projection screen up front, rows of decent-enough small-brand Celeron-based systems (one per student). The machines were on a private network -- reasonable for the course, but unfortunately there was no provision for Internet access, which at the least would have been nice to have when I finished labs early.
We did have access to a breakroom with free soft drinks / juice and various snack items. This is also where the lunches were served -- to my surprise, these were quite good, and there were even decent non-meat choices.
The Teacher
The instructor was very knowledgeable -- not necessarily a complete guru, but he knew his stuff, including the "why" behind the course material. He was able to present the material in a good way, and was good at answering questions. I think the decision to go to Red Hat directly was wise; unlike a third-party consultant, he had some idea of what was going on inside of Red Hat and of their potential future plans. For example, during the section on the printing subsystem, he mentioned that they're considering a replacement for LPR in future releases -- perhaps LPRng or even CUPS. It's unlikely that someone from a different company would have had access to that kind of information.
Other Students
The other students in the course had a wide range of skills and backgrounds. I think that everyone probably met the listed better than pico. However, I could tell that some people were struggling. The instructor mentioned that the pass rate for the exam is about 65%, and I wouldn't be surprised if our class came out at that level or worse. It's not that anyone was stupid -- just that some people were out of their depth. On the other end of the spectrum, there were some people who were over-qualified: a few highly experienced sysadmins, and some folks from IBM taking the class because they are soon going to teach it.
The Course
The course was generally similar to the outline found on Red Hat's site, although I think the online information is a bit out of date. (Notice that the Web page makes reference to ipfwadm instead of ipchains or netfilter.) The eight units had slightly different names, and covered slightly different information. In the most drastic example, Unit 8, listed on the Web site as "Systems Administration and Security II", has turned into "Routers, Firewalls, Clusters and Troubleshooting". Some of the information listed in the online Unit 8 was moved into Unit 7, and some of it (cops, for instance) wasn't talked about at all. Hopefully, the online info will be updated soon.
Overall, the class went into less depth than I was hoping. Some of this was due to limitations of the lab setup -- it's a bit difficult to experiment with RAID in any meaningful way when you've only got one IDE hard drive, and obviously impossible to set up a cluster on one machine (short of running VMware). Other things were just plain introductory -- the section on the kernel, for example, focused on the steps required to build and install a new kernel, rather than being an in-depth discussion of tunable parameters. The part about Apache was similar; I was hoping to hear "You've all configured Apache before; here's things you should be aware of when you need it to do such-and-such", but the most advanced we got was setting up a virtual host. Building RPMs from source was mentioned briefly, but there was no information given on important and largely undocumented topics like --buildpolicy.
That's not to say I didn't learn anything -- the section on LVS / Piranha was enlightening even without hands-on experience, and I appreciated the part about quotas, which isn't something I've worked with much. And, I learned a large number of tiny things which add up to making the experience worthwhile to me. RPM can now do globbing over ftp! Portmap uses tcp_wrappers, but doesn't do reverse name lookups, so be sure to use IP addresses instead of names. RH Linux provides a little script called "service" that lets one avoid the tedium of typing /etc/rc.d/init.d/servicename all the time. And so on....
The "300" designation is a bit misleading. This isn't really what I'd consider an upper-level course -- it's more along the lines of SysAdmin 101. Overall, I think this class is probably worthwhile to someone with a good RH Linux background who hasn't done any systems administration. In fact, I'd even recommend it to people in that situation. On the other hand, if you've been a Linux sysadmin for a while, you'll probably be bored most of the time. It might be valuable to experienced Unix sysadmins who haven't dealt with Linux much (or even Linux admins who haven't used Red Hat Linux), but the course wasn't particularly taught from that angle and there are probably better options.
The Exam
Since I signed a confidentiality agreement, I can't talk about specific details of the test, but I will address the exam in general terms. It's a day-long three part process, with each part being worth 1/3 of the total. To pass, your overall score must be at least 80%, and you can't do worse than 50% on any one part.
One of the sections is a typical multiple-choice test, but the other two are lab based. I was quite impressed with the hands-on tests -- they are certainly what makes the RHCE meaningful. I'm not aware of any other sysadmin certifications that work this way.
For one of the lab tests, students are given a several-page specification, and must install and configure Red Hat Linux and several network services. This wasn't particularly difficult, and shouldn't be for anyone with much experience. For me, the hardest part was resisting the temptation to go beyond the spec -- since I finished the given requirements with plenty of spare time, I considered installing and setting up additional services in a way that would fit in with the listed goals. But, I decided that it'd be better to leave well-enough alone -- there's no concept of extra credit.
The other hands-on test is the cool and exciting one. Students are given preconfigured setups which are broken in some way, and given a task that must be completed. The system's problem doesn't necessarily relate directly to the task, but does interfere with it. The test-taker must find out what's wrong and correct the error. (Reinstalling packages is not allowed.) Being able to list the steps taken and to repeat the fix is important, but ultimately the test is scored on a works / doesn't work basis. Once the examiner verifies that the problem is fixed, he or she wipes the system and provides another broken config.
This problem-solving section directly tests skills important to being a sysadmin in the real world; if someone has trouble with these, they're probably not ready for a systems administration job. Of course, just passing this test doesn't guarantee good problem solving skills (let alone all the other needed abilities), but it does seem a genuinely valuable indicator.
I've only two complaints with this part of the test. First, I'd make it a much larger section -- at least 50% -- and I'd increase the number of problems given so that there'd be a better sample size. The various challenges are assigned at random, and some are easier than others, and each tests knowledge of different parts of the system. The way it's done isn't bad, but it wouldn't hurt to have a lot more of it. Second, I'd give each student two computers, and make more of the problems network-related. This has logistical and cost issues (especially in places other than Red Hat's own training centers), but since many of the problems faced in the real world have to do with the way systems interact, I feel it'd be worth it.
The Exam Separated From The Course
You may have noticed that I seem a lot more excited by the exam than by the course itself. I think both are valuable, but they seemed aimed at slightly different levels. The course definitely can serve as a good review for the exam, but if you need the course, you won't do well on the test. If you're tight on cash and the certification seems valuable to you or to your employer, going straight to the exam would be reasonable. (Make sure you take a look at Red Hat's test prep page.) On the other hand, if you need to be quickly brought up to speed on the basic knowledge required of a RH Linux sysadmin, it might make sense to take this course without worrying about the test. Since RH300 is equivalent to RH033 + RH133 + RH253, this could be a much more intensive and time-efficient option.
Red Hat-Specificness
It's probably obvious, but bears mentioning anyway: this is a Red Hat Linux course and certification, not a general Linux one. I found this to be true both explicitly and implicitly. The instructor was good about saying "This is the Red Hat way of doing things -- it's possibly different on other distributions." (I found the increase-the-whole-pie attitude to be common to all of the RH employees I talked to.) There were also quite a few things that were just assumed. If you take the exam without knowing a lot about Red Hat Linux in particular, you're likely to have trouble.
This doesn't make the certification meaningless for organizations running other distributions -- many of the skills and knowledge required for the test (especially the problem solving part) are generally applicable anywhere. In fact, due to the lab-based testing process, I have more respect for this exam than I might for a multiple-choice test covering more distributions. I think this issue is a one-way sort of thing: the RHCE exam requires knowledge of Red Hat Linux, but anyone who can pass it shouldn't have much trouble picking up other flavors.
Stuff
Ok, the Web page promises that they'll give Red Hat promotional items to course participants. Yeah, well, they can do better on this front. Not even a t-shirt! C'mon, everyone gives t-shirts. Vendor shirts are a staple of my wardrobe! All we got was a mousepad, some stickers, and a baseball cap. (No chance of getting a red fedora.) Oh, and of course an official copy of the CD (with the 180 days of support). Many people in the class were surprised to learn that Red Hat doesn't sell anything from their offices -- you can't buy copies of the distro or additional merchandise. They've got a lot of students coming through there, so it seems like this could be a decent (even if relatively small) revenue stream.
A Bit About Study Guides
Before I went, I flipped through RHCE Exam Cram, the sole study guide I found at the local bookstore. Someone in the class actually purchased it and brought it with them, and I got a chance to read more of it then. I wasn't really impressed. The book was especially concerned with what it called "trick questions", and indeed its sample questions were sometimes a bit confusing -- and often poorly worded. After taking the test, I can say that this seems mostly to be a problem with the book, not something encountered on the actual exam, which was mostly straightforward and fair.
There are RHCE study guides, but I wouldn't recommend spending any money on any of them. As the course instructor told us: if you're going to pass, you'll do so even if you don't have a guide. And if you're going to fail, the guide won't be much help.
Conclusion
I think the RH300 course and RHCE certification can be valuable to both employers and individuals. The course provides a nice quick overview of the basics needed to move, for example, from being a systems operator to being an admin. I wouldn't think of it as either a requirement for the test or as something that can make someone not ready suddenly have the skills required for the exam. Since the exam is hands-on and lab based, those abilities can only come from real world experience. Looking at that from the other direction: this is exactly what makes the RHCE worth anything. While it's not a total statement on someone's talent, being able to pass is a strong indicator that they have the basic skills for a systems administration job. If I were making hiring decisions, I wouldn't make the RHCE a requirement, but I would have more confidence in applicants who have it.
-
VMware Signs Deal with Microsoft
ken_i_m writes "VMware has signed an OEM deal with Microsoft to offer various flavors of Windows pre-installed with their product. Here is VMware's news release." Don't get too angry about this; if you're using VMware, you're probably loading up a version of Windows anyway. -
FreeMWare Renamed 'plex86'
Joey Lawrance writes, "FreeMWare, the LGPL'd replacement for VMWare, has a new name: plex86. From their site: 'The new name "plex86" is derived from the (pseudo)words multiplex and x86. Many users had requested a new name; one that is short, easy to remember, and directly relates to the function of the software.'" It's been less than a year since FreeMWare's first mention on Slashdot; looks like they've made great progress since then in creating a free/Free multi-OS platform. If you're interested in contributing (including documentation), they're looking for you. -
VMWare/Quake 3/Unreal Tournament on FreeBSD
There have been a spate of reports about the usefulness of FreeBSD's Linux ABI recently. First off, Daeron wrote in with the news that VMWare now runs on FreeBSD, thanks to the efforts of Vladimir Silyaev. Vladimir has a page up with instructions and caveats. Secondly, Jacob Hart has confirmed that the Unreal Tournament Demo works flawlessly. Finally, Mark van Woerkom has created FreeBSD ports skeletons for Linux Quake 3 Test. -
VMware version 1.0 released
SkyHigH wrote in, along with quite a few others, to alert everyone to the fact that, yes, VMware v1.0 has been released -- and it's Saturday, so the congestion should be lower. -
VMWare will have $99 non-commercial version
Tim Smith writes "VMWare has announced that there will be a $99 version for students, hobbyists, and non-commercial users." This stands in contrast to the normal commercial version, which has a $299 price tag. -
Bochs Author Launches VMware Clone Project
-
VMWare Beta Release
Ever want to multitask operating systems? Thomas Reagan has the answer for us -- he says "VMWare for Linux Beta is out! Go to the homepage to download it!" Any of you who saw this have been pretty impressed. If I actually ran a different OS, I'd consider it. (now if only vmware.com had real bandwidth) -
Multiple OSs Concurrently