Slashdot Mirror


Slashback: Shelter, Panic, Intrusion

Welcome to Slashback for the evening: Yes, another big security problem with the world's second-most popular web server, a slight revision of the plight of Silicon Valley's homeless, and good news from the Indymedia front.

Remember, Free Software Sinks Ships. curtS was one of the many to point out that "MSNBC has an article about a security hole you could throw a cat through." This might be more exciting if it was the first time, but jamie posted about a very similar-sounding flaw a few months ago.

Calling off the dogs of war. An anonymous reader writes: "Slashdot reported that Indymedia had received a court order to hand over the logs and other records pertaining to the IMC's coverage of anti-globalization protests in Quebec City. Now the FBI has dropped the case. Here is the press release."

phunhippy points to coverage at Wired as well.

This Old House - gr8dane writes "I was just checking out the Sunday posting on /. about .commers in homeless shelters and Salon is running an update to the same story. The previous post prompted quite a bit of feedback on /. and this update article seems to support those who felt the Sunday article wasn't indicative of the industry as a whole. 'John Sacrosante says he went from six figures to a shelter. His friends say there's something fishy in San Jose.' Quite interesting ... "

DoctorZ writes: "In response to reading the recent article about Zero-Knowledge's withdrawal from Linux development for Freedom, I emailed them discussing my concerns along with everyone else's. Here was their response:

'Hello,

We know....

We understand your disappointment. It is not an easy decision. We are not giving up on Linux. Our entire Freedom Network is Linux based! This decision was taken in response to the number of people purchasing the Linux version as compared to the number purchasing the Windows version. While many of us at Zero-Knowledge are Linux enthusiasts, the number of interested Linux users downloading Freedom simply didn't warrant continued development efforts, and we have chosen instead to apply our development resources in a way that will maximize value to our customers.

Once again, thank you for expressing your concerns.

Regards,

Alan"

5 of 110 comments

  1. Precarious Timing for Microsoft by Cycon · · Score: 5
    Right now I'm keeping my fingers crossed that no security holes of similar magnitude in Open Source software are discovered for at least the next few weeks.

    Let's face it, every major operating system has security flaws, either in the past or just waiting to be discovered. The benefit of Open Source is not only that it makes it easier for everyone to see its flaws, but it makes it easier for anyone to fix them.

    Right now we have Craig Mundie preparing to argue the merits of commercial licenses over Open Source, and having a hole of this magnitude (read the article for details) showing up in closed-source software so close to this debate only serves to make our case look better.

    There are times when a closed-source license scheme will work out better for a particular company, and there are times when an open-source one will be better (and I'm only talking in regards to the company, not the rest of society). This security hole will hopefully reduce the FUD level against Open Source software, particularly from a security point of view.

    I can't wait to hear the Mundie debate next week.

    --Cycon

    --
    Your Brain + EEG + LEGO Robots = Brainstorms
  2. Re:Holes in MS Software by Devil+Ducky · · Score: 5

    when are companies going to start coming out with really refined and good code

    Microsoft has been releasing software with good, refined code ever since they used BSD code in Windows.

    Devil Ducky

    --

    Devil Ducky
    MY peers would get out of jury duty.
  3. Homeless Proofing Yourself by StefanJ · · Score: 5
    There's an old truism that advocates of the homeless are fond of: "We're all one paycheck away from sleeping in the streets!"

    My response: "What do you mean WE?"

    You have to burn a lot of bridges to actually end up in the street. You have to lose your income, your savings, your friends (or the goodwill of your friends) and what might be called Social Capital.

    The trick is to have a lot of bridges to begin with, and to keep them from catching on fire.

    Most of this will sound utterly obvious to nearly all of you, but you've got to reserve money (for upcoming bills and insurance payments), save money (for no particular purpose . . . a rainy day fund), be absolutely fanatical about paying off your debts, and stay in good with friends and family.

    Short of a natural disaster or major crash, someone who does this won't end up on the street or "car camping."

    And if there is a major crash, think of the great blues songs you can write! "Once I built a network, made it run, . . ."

    Stefan

  4. You need to reword that. by J.C.B. · · Score: 5
    Yes, another big security problem with the world's second-most popular web server

    For a second I thought ./ had been compromised again.

  5. Re:Buffer vulnerabilities by blang · · Score: 5
    Yes, it should be standard procedure, especially for a company as resourceful as Microsoft. There are a few ways to discover buffer overflows. HP has a compiler (I think the name is insure) that can discover many memory-related problems at compile time. Then there are tools that can discover memory leaks and buffer overflows at runtime (for example purify from Rational).

    Then there's proper unit testing, which should include full coverage testing. Unit tests should be written so that they provide all sorts of legal and illegal input. Most software shops do not have the resources to do this properly within their deadlines. They might fire up the tools if they see some insane memory leaks or if the program crashes.

    But again, I'd think Microsoft has all the resources they need. Judging on the poor quality of their software they probably have figured that the (lack of) quality of their software has no detrimental effect on their sales, so they probably leave the testing to GUI monkeys, and hope for the best. Even a 0.5 trillion $ company can make a few bucks extra by spending a few pennies less.

    --
    -- Another senseless waste of fine bytes.