Domain: vnunet.com
Stories and comments across the archive that link to vnunet.com.
Stories · 124
"Experts" Say Macs Are Not Safer Than PCs
MoneyT writes "As reported at vnunet, experts are claiming that Macs are no safer than PCs in terms of protection from a virus. Seems more to me like they're just saying that we Mac users aren't invulnerable, but until I see things like Nimda taking out my Mac, I'll stick with the iBook." The article doesn't mention that the "7,000 macro viruses" attack Microsoft products (leaving users of a Mac only as a web server completely protected from them), nor does it quote any statistics about how many Mac vs. Windows viruses exist, and it doesn't address the real-world fact that Macs are hit with viruses far less often than Windows machines.
Workstations 'Dirtier Than Toilets'
hettb writes "How often do you clean your keyboard and surrounding work area? A recent study (also discussed here) found that computer workstations harbour 400 times more health threatening bacteria than the average toilet seat. If you're anything like me, spending most of both professional and personal time in front of your computer, this is sobering news."
Kazaa Lite: spyware-free version
Pig Hogger writes "According to this VNUNET article, KAZAA-Lite, a new hacked version of spyware-ridden KAZAA file-sharing software is being circulated, sans spyware. The new, improved version has apparently been hacked by a Russian programmer, as a matter of course."
The Apache/Sun Relationship Worsens
d6y writes "Over on the O'Reilly weblogs there's an entry on the relationship between Sun's Java Community Process and Apache. Sun have been rubbing people up the wrong way (the problems of licensing open source J2EE containers; Struts v. JavaFaces; log4j v. JDK 1.4 logging....) and I hope this gets sorted out real soon. See also the original VNUNet article and Apache's position paper."
Future Of IDS
A reader wrote to us about a summary article regarding IDS. This is an interesting article insofar as it attempts to prognosticate what the future will be for detection, and that draws in some interesting work on security modelling. T: Readers may also want to see this vnunet article on IDS products -- guess what comes out on top?
Looking At The New Linux Trojan
Da Schmiz writes: "Security firm Qualys discovered a new Linux trojan on Saturday ... details can be found on their website. Vnunet picked up the story earlier today, and then followed up with more details. They're comparing the potential impact to Code Red or worse, since more servers run Linux / Apache than NT / IIS. I don't think it's that bad, since the infection can be easily detected, but it certainly isn't good." Update: 09/08 11:58 AM GMT by H : Of course, as Kurt Seifried pointed out in e-mail: "The trojan has nothing to do with Apache. The virus attaches itself to an executable, which you must run to infect other binaries (i.e. you must run this as root). This means that infection vectors include, but are not limited to, email attachments, but you must of course save the binary, then set it executable, and then run it, as root, to do any real damage. Alternatively you must download binary software and run it (again as root to do any real damage). In other words someone must run binaries of unknown origin as root, and if this is common practice then you have larger policy and education problems to deal with." So - comparing it to Code Red is a bit dubious.
Slashback: Hoaxery, New Math, Gestures
Updates and revisions for you on various and sundry stories you've seen here recently, from Parrot to Linux on handhelds to the recent judgement against MP3.com and more. Read on below to find them. At least the jurors don't get to set the value of Pi. openbear writes: "According to a story at c|net the jurors meant for MP3.com to pay $3 million and not $300,000 in the court decision made last week. This may sound bad for MP3.com, but considering that TVT was originally going for $8.5 million I suppose that $3 million still looks like a good ruling. Especially since they have $42.9 million set aside for damage awards in pending suits."
(Here are some other articles about MP3.com as well.)
Parroting the (ORA, ActiveState, etc.) company line: rjoseph writes: "Perl.com's managing editor Simon Cozens has written a quick article on O'Reilly.com that explains the April Fools joke of the faked collaboration between Perl and Python to produce Parrot. He explains how the most interesting aspect about the whole affair is the fact that, to pull it off successfully, the Perl and Python communities had to work together more than they had in a long time!"
Humor may suffer from analysis, but this is a cool explanation of what it took to pull off what turned out to be probably the most convincing Fool of the year, at least for those in the very small Venn diagram with the background and motivation to care about open-source programming languages and their creators;) Of course, now no one will believe it when the two do actually merge. (For a while I thought that the talk of "Python 3000" was a joke, too.)
Small steps on tiny machines n7lyg writes: "IEEE Computer has an article this month about a prototype PDA developed at Compaq's Western Research Labs: Itsy: Stretching the Bounds of Mobile Computing. Itsy has been through two implementations and has several unique features, including using MEMS accelerometers to implement a gesture interface (Rock'n'Scroll). This is all just research, but it does show promise for Linux-based PDAs. Itsy runs the X Window System and Qt Palmtop. The WRL website for Itsy is here."
This is really cool background material; now the earlier Itsy work has led to Linux on the iPAQ, I wish Compaq would actually sell a PDA with the size and shape of the Itsy itself. And tiny accelerometers for gesture-control would be welcome on my visor as well, and surely for small video game systems.
Big Blue, Big Blue, your transmission is fading, please say again, over. An Onymous Coward writes: "This sucks. At LWCE there was a big display at the KDE booth using ViaVoice to control KDE apps through Qt. Now it looks like the project is dead in the water, according to this article at Newsforge -- maybe lack of interest from IBM?"
What with the billion dollars that IBM has pledged to spend on Linux-related projects, and the fact that ViaVoice has shipped for a while with the high-end boxed version of Mandrake, hopefully this is just an oversight. ViaVoice is a cool technology -- but if things don't work out between Qt and IBM, perhaps KDE (and GNOME, and others, level playing field here!) can work on integration with Sphinx. An Apache-style license should be all-around friendly, right?
NeXT Lives -- In Apple
mikey writes: "vnunet.com has an interesting article about Steve Jobs; his love for cubes, a bit of a history behind NeXT, why it failed, also why it was so way ahead of its time, also some Bill Gates stuff. All in all, a great piece, and to give Slashdot readers some insight into what was NeXT, and how now it has basically taken over Apple."
Does Transmeta Live Up To The Hype?
onion2k writes: "In this article on VNUnet, Toshiba are saying that the Transmeta chip doesn't quite live up to its hype. Bit of a strange thing to do considering Toshiba were one of the original investors, but hey, that's corps for you ..." Talks mostly about the power consumption of the chips. If you're following Transmeta, this is worth a read.
Default Behavior: Piranha vs. Microsoft SQL Server
Do you remember the Piranha debacle back in April? Welcome to Part II. Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's piranha module. Unlike Piranha, SQL Server is very common software for large e-business websites. Unlike Piranha, the vulnerable software has been shipping for months. Unlike Red Hat, Microsoft refuses to take responsibility for their mistake, which, unlike Red Hat's, has resulted in actual documented break-ins, some at high-profile websites. So why haven't you read about it? Because unlike Red Hat, Microsoft is getting a pass by the media.
Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.
The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.
The media flipped, in a word, out.
Piranha: A Case Study
On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.
"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.
ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:
"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."
Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.
In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.
Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.
ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.
The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.
But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh, who had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."
If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.
(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")
Microsoft SQL Server 7.0
You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?
Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).
As the cracker Herbless describes it:
"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."
A default password vulnerability? Sounds familiar, doesn't it?
Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.
Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.
As he described it to me, unlike Piranha's vulnerability which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater than those of even the 'Administrator' user."
In other words, you have been 0wn3d.
You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."
Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).
All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:
"Hacked websites 'didn't read the manual'
"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."
Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.
All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.
Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.
Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-exploit program. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.
The proper fix would be to force the password to be changed before the software can be used, as Piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.
The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)
The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.
So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.
WAP Under Fire
Recently WAP has come under serious criticism from a wide variety of places... Angus wrote a short piece saying that it'll be replaced. IcesTorm-I sent us a message on an IETF mailing list criticizing the format, and suggesting that we use open formats like LEAP instead. Even Microsoft rejects the standard. Slashdot has supported WAP (well, kinda anyway) since I got bored a few months ago and slapped it together, and I'd tend to agree that it's a crappy standard, but more due to the limitations of the devices that use it. (note: if anyone has a PDA format they're dying for on Slashdot, Send diffs -- not requests! We're working on some PDA formats, but there are only so many hours in the day, and we don't have devices that can do most of the formats users email me asking for). [Updated 7 July 18:25 GMT by timothy] Readers may also be interested in a WAP report prepared by Rohit Khare for 4K Associates, which is probably the most incisive (and one of the most critical) analyses on the topic to be had anywhere.
IBM Wary of Crusoe?
Angus writes "VNUnet have just posted a story that IBM is being cautious about the future of Transmeta's Crusoe in production machines. Suggestion is that Intel is still the player for the future of portables." An interesting comment at the end: 'All Intel has to do is cut prices to squeeze transmeta out of the market'
Crusoe To Be Used By Netwinder, IBM, NEC, Others
theGEEK writes "Rebel.com will be making Netwinders with the Crusoe chip from Transmeta. In related news, Fujitsu, Hitachi, IBM and NEC will all be showing off notebooks using the Crusoe today."
IBM Cranks OS/2 Curtain, Compaq Revives OpenVMS
Freshly Exhumed writes "This site has a couple of divergent OS sagas ... IBM is basically saying "Bring out your dead" to OS/2 fans. Compaq has listened to the faint cries of "I'm not dead yet" and announced a reprieve for OpenVMS." OS/2 has repeatedly refused to die before, though. One interesting snippet from the article on VMS: "The Wildfire version of the Alpha processor will allow users to run OpenVMS in the same box as Compaq's Tru64 Unix operating system, using hard partitioning techniques." IBM 390, upcoming Alphas ... when will mainstream chips do this? :)
Microsoft Plans Media Player for Linux?
theancient1 writes "According to this article, Microsoft is considering releasing a Linux version of Windows Media Player. 'Paul Boudreau, Microsoft's programme manager for music and entertainment, said at a briefing on the software giant's plans for digital media: We see a need for Unix players and are working in that direction, including Linux.' Of course, a little quote is quite a bit different from actually seeing a product, but it's still not exactly expected."
Microsoft Selling J++; Discontinuing Development
renaissance59 was the first to write to us with the news that Microsoft has decided to discontinue development of J++, and has signed a deal with Rational Software for them to develop J++. Interesting move, because Rational is not bound under the legal restrictions that Microsoft is when it comes to Java. I'll be keeping a close eye on what's to come.
IBM Ports Linux to S/390
smoon writes "The most expensive Linux platform available? IBM appears to be working on a port of Linux to S/390." First version is running on a VM. Second version will be running on 'Bare Metal' as they call it. Pretty cool if you happen to have a 390 sitting around somewhere ;)
Linux Possibly Ported to IBM Mainframes
Jah-Wren Ryel writes "Vnunet is reporting that IBM has a version of Linux ported to their S/390 mainframe architecture waiting in the wings. Apparently there are two versions, one that runs under VM (a kind of meta-os, sort of like VMware) and one that runs on the bare hardware." An "anonymous source" and "speculation from analysts" story. Nothing official from IBM. Please read and judge accordingly.
Interview with James Gosling
mypointofview wrote to us with an interesting interview with James Gosling. It's an interesting interview format, similar to Slashdot's style. Good questions about Java, but also the problems of getting Java and Linux to *ahem* play nicely with each other.
SGI to drop Irix for Linux
bpdlr (who admits to being a PC Week writer) sent us a story that proclaims that SGI Will Drop IRIX in exchange for some little no-name penguin oriented OS that nobody has heard of. I'm hearing rumors of a new Linux based mega server coming out of SGI, as well as some hugely scalable systems. Interesting stuff.
Stream of Linux Articles
I've been writing articles for Slashdot for an hour now, so forgive me for lumping these together, guys -- I need to do something else eventually. First, Kristian Köhntopp wrote in to tell us that Linux has claimed 2 of the top 10 books at many German book stores. Next, Alan wrote in to tell us about an InfoWorld letter praising Linux, written by the CEO of 4front. Finally, this article is from the UK's Computing Trade Magazine. It's good PR for Linux and Netscape, even if they did misspell Linus' name. Thanks to Mike Brodbelt for that one.