Slashback: Snapshots, Amends, Bazaarity

Slashback brings you some follow-ups tonight about Gartner's recommendation to dump IIS, Charles Connell vs. Eric S. Raymond on Open Source project management, xStore and the GPL, and (yes) the results of Deep Space 1's latest Final Mission.

Microsoft is just as secure as the competition, says Microsoft. Jon_E writes: "According to this article Microsoft is responding to the Gartner Report which recommends that enterprises drop IIS by claiming unfair targeting due to their popularity."

Whether because of better-trained or more vigilant administrators, or some other factors, the Apache servers running many web sites certainly haven't seen the devastating outages in the past month (Code Red, Nimda) as certain large IIS installations have.

If animated, this might make a really good Saturday cartoon. cconnell writes "Last September, slashdot published my critique of Eric Raymond's essay The Cathedral and the Bazaar. There was a lively (and sometimes scorching) discussion that followed. Here is Eric's reply to my critique, which Slashdot readers might enjoy. And here is my reply to Eric."

This was not faked in the same studio as the "lunar landings." mrsmalkav writes "Deep Space 1 has passed by Comet Borrelly within 1400 miles and took some very pretty pictures of the comet's core, all while collecting lots of data about said comet. NASA's press release discusses some of the details and findings of the flyby.

This is actually really impressive given that there was very little hope for this mission. From the Mission Logs on DS1's site, '[T]o be honest, DS1's visit with the comet simply is unlikely to work as well as we hope. Many mission logs have described the difficulty of keeping this aged and wounded bird aloft, and the encounter with Borrelly will present Deep Space 1 with the greatest challenge yet in its historic trek through the solar system.'"

Saint Aardvark writes "Space.com has an article about the images taken by DS-1, and they're stunning." And eldurbarn points to the NASA Images of comet Borrelly online at JPL.

How to satisfy customers with license objections, Part II brtb writes: "Soon after Slashdot posted my DiscZerver-GPL writeup last week, xStore added a link in their Download section for information about the use of GPL software in their products. Below is the e-mail I received in response (address changed to protect the spamless). Congratulations to xStore for supporting Free Software and bringing the DiscZervers into compliance with the GPL.

From: "Support" [support@xstoreonline.com]
To: "brtb" [slashdot@brtb.org]
Subject: "RE: GPL SOURCE CODE"

xStore is committed to complying to the full letter and spirit of the GPL. We are currently investigating the allegations of non-GPL compliance and communicating with the GNU.ORG and Free Software Foundation on this issue. We will produce a response to your request that is mutually acceptable to the copyright holders of the programs we have used that fall under the GPL and xStore itself. Due to the recent acquisition of this product, we are still in the process of preparing the required source code for distribution. xStore is commited to bring the DiscZerver product into GPL compliance, if it is indeed found to be not in compliance.

In the meantime, please provide xStore with information so that we can send you, the user of this product, the package that you are entitled to. Please provide the serial number of your DiscZerver product and the 'system page' with your response. The 'system page' is located at [http://your_Zerver_name_or_IP_address/admin-cgi/s ystem]. In addition, please send us a self addressed stamped envelope suitable for mailing a CD-ROM along with $14.95 to:

xStore, Inc.
Federal Highway Center
1200 North Federal Highway
Suite 200
Boca Raton, FL 33432

After we receive your written request along with the above items, we will process it and promptly send you the disc when it becomes available.

This thanks to the mostly behind-the-scenes work of people at the FSF. Congratulations to xStore for respecting the intent of the programmers whose work they're consolidating and packaging.

Zimmermann Article

[fizban]

There's another article in the NYT about the encryption restrictions being brought up for debate and it includes a nice jab at the Washington Post for misquoting Zimmermann on his PGP interview. Check it out here:

http://www.nytimes.com/2001/09/25/technology/25COD E.html

ObMSBash

[ENOENT]

From the IIS article:

...what differentiates Microsoft is our industry-leading response process."

I couldn't agree more. Apache just can't compete with the speed of Microsoft's PR department in spinning every horrendous hole as "innovation".

Re:what does an ion engine do?

[Danny+Rathjens]

DS1 How the Ion Engine Works

Has a great description. It even has pretty pictures.

How the Ion Engine Works

[d.valued]

This is simple physics, boys and girls.

First things first, you need a spacecraft as light as possible. Anything not needed goes away. Basically, you're left with the instrumentation, the navigation, the cameras, solar panels, batteries, and a couple of sizeable tanks of xenon.

Yes. Xenon. The heaviest non-radioactive noble gas.

Now, xenon is normally inert like other noble gases. I mean, there are no natural compounds containing any noble gas because they have no natural need to enhance their electron shell configuration.

However, xenon is pretty large (as atoms go) and, given enough juice (courtesy our light and ability to live, the sun, hence the solar panels), you can ionize xenon. You can strip off an electron or two and it's useful (For example, the compound XeF6, xenon hexafloride. What it's good for? Dunno. Still doesn't change the fact it exists.) More importantly, it's charged and can be directed.

Then, it's a simple matter of a small aperture (which can be directed), a positively-charged grid, and the xenon leaves in the direction opposite the spacecraft goes.

Don't expect this to power any spacefighters, however. At full power, the force this produces will barely move a piece of paper in front of it. The beauty of ion engine, though, is that because in space, inertia isn't hampered except by collision or a gravity field, this little bit gets larger as time increases. It's not much force, but given time it gets zooming.

Re:How the Ion Engine Works

[Captain+Nitpick]

For example, the compound XeF6, xenon hexafloride. What it's good for? Dunno. Still doesn't change the fact it exists.)

Well, from what google can find, xenon hexafluoride is useful for two things. Serving as something for chemists to talk about, and making quartz detonate .

Cluley clueless

[sllort]

Sorry, couldn't resist. But seriously:

The attempt to rank vendors according to their security success rate is a risky business. The aim of most virus writers is usually for their worm to achieve its biggest impact, and so will target platforms that are widely used. "Microsoft is targetted as it is so popular, rather than the system being the least secure," said Cluley.

You have to love how they pull the "everyone is jealous so they pick on us" stuff everytime they screw up. Suprise, shitstreak, Microsoft does not make the world's most popular Web server. That's Apache. "Hackers", as you call these jerks, do not target Microsoft because they're the most popular. They target Microsoft because Microsoft has made itself an easy target by making it really easy to hack their products. If popularity made you a target, we'd see scores of Apache worms.

answer: an ion engine wooshes in space

[ghostlibrary]

Since an Ion engine ionizes its supply of onboard gas (so it gets an electrical charge), then electrically accrelerates it out the back, that's why TIE fighters make that wooshing noise. All the gas they expel makes for enough of an atmosphere for sound to carry to the nearby cameras :)

Interesting article on ION drive.

[bIOHZRd]

subject says it all.

http://www.msnbc.com/news/206711.asp

While We're At It...

[Greyfox]

My Discordian sense of curiosity has kicked in again and I was wondering if we could use CSS in a clever way to encrypt Evil messages. From what I understand of how it works, a DVD is encrypted on several keys and the DVDs are loaded up with a key that should be able to decrypt the DVD. Can we create a DVD image such that most DVD players will play a burned image but one EXTRA SPECIAL DVD player mounted on the back of a camel will get extra subtitles? IE: One Extra Special key gets a bit more of the DVD than everyone else? It should be fairly easy to burn a firmware with an extra key and chuck it on to pretty much any commercial player, right?

Could we, in fact, turn a Disney DVD into a terrorist tool? Has it already been done? Should we be encouraging Congress to ban the CSS encryption scheme because it could have been used in such a way? Interesting questions, no?

Relative abundance of server variants...

[throx]

I thought a majority of web servers run a varient of linux

Here's the key to it. The majority of servers run some variant of Linux. Most buffer overflow bugs require a specific offset and known layouts in memory. If you look at the specific versions out there IIS is probably the most common single version of any product out there (can you get this info from Netcraft?)

On the other hand, it could just be stupid admins - check out http://www.netcraft.com/Survey/vuln.gif. I'm sorry, but those numbers make me puke when I think any of those people seriously call themselves admins...

Re:Relative abundance of server variants...

[scooterbooter]

Okay, it's time to debunk the M$ admins are lazy myth a bit..

Here's my work environment -- the products that I'm supposed to install, after I've chosen the hardware for 700+ desktops, and maintain, after writing policies and ops documentation.

Exchange (10) Servers, IIS (7) Servers, MS-SQL 6.5 and 7 (5) servers, Metaframe/NFuse (4) servers, RAS, VPN, 45 NT servers for general ops of all this stuff, a couple of Debian boxes for internal DNS, FreeBSD running MRTG, Nessus, etc, perform 2nd level support for 8 clueless admins and 6 semi-knowledgable ones. Additionally, let's not forget the "uhh, how do I do a word merge", boss ranting about multicasting (for which I am going to modify configs on 12 cisco Routers and godonlyknows how many switches), write policy and operational documentation for all of this. Manage the "network consultants" than run DNS, e-Trust and FW-1, provide support and knowledgable comment towards a $2mil software app development process in terms of "net and O/S", deploy 2000 server *sigh* next month and ensure that everyone makes a backup occasionally. (play nice with audit, 20 mangers and two other organizations [1 that owns us, 1 that we own]).

If *ANY* of you suckers handle all that daily, and still have time to mess with patches on a regular basis, I'd love to see you in action. This seems to be quite a common scenario for a lot of mid/small size companies, in my experience.

I'd love to live in your dream world. People wonder why I'm an alcoholic. :-P Perhaps if I had a nice farm of 600 identical boxes, I'd be a perfect admin. This is life, folks. Get on with it without making the comments -- without understanding the other side of the fence.

I did realize about three months before codered that we were a screaming hole for IIS exploits. Do I have time to cull through 30+ patches and tinker with which are appropriate to apply? Nope. Result: Nimda runs rampant still this week because I've been stuck in innane meetings all day.

Now: Suppose your boss is used to having a mini-vax, and asked for CPU usage reports by dep't and individual last week. Do you see the uphill battle? We're young. Management in a small/midsize company isn't likely to even understand what they have running, less what should be paid attention to technically. Politics, Politics, Politics all day long. Yay! Well, I guess of the rest of the world got messed, it's okay that we did too.

Have fun admin'n your two Apache boxes. Good Night.

No troll indended, it's just a rant.

S.

Sneak Peek at the Docs

[Greyfox]

Here is a sneak peek at the documentation for the new IIS rewrite. Of course there are a lot of bugs in this version of the document and it'll have to be edited quite heavily before the final release...

Re:$14.95

[andrewb]

Ah, yes. That would be a kibblesworth of 5c.

KIBBLESWORTH (n.):
The footling amount of money by which the price of a given article in a shop is less than a sensible number, in a vain hope that at least one idiot will think it cheap. For instance, the kibblesworth on a pair of shoes priced at £19.99 is 1p.
-- The Meaning of Liff, by Douglas Adams & John Lloyd

Graham Clueless strikes back...

[Chagrin]

• Graham Cluley, senior technology consultant at security firm Sophos, is concerned that a mass move to alternative Web server software would cause more disruption than sticking with Microsoft IIS and patching it. "Code Red was less about the vulnerability of IIS, as all software has bugs, but more about system administrators ignoring the warnings that came well in advance of Code Red," said Cluley.

Hmm... where do I remember him from?

• "The average person in the street doesn't need to worry, as they would have to be specifically targeted," said Graham Cluley, an Internet security expert with antivirus firm Sophos.
  

Always nice to have a few staunch supporters ready to jump to your defense :)

Read the Gartner article again...

[un4given]

Thus, using Internet-exposed IIS Web servers securely has a high cost of ownership. Enterprises using Microsoft's IIS Web server software have to update every IIS server with every Microsoft security patch that comes out ? almost weekly.

This is the biggest problem with maintaining Microsoft networks. Exploits in IIS or Windows are far too frequent, and almost all patches require reboots. You can imagine the response I get when I call management every other week and say "I need emergency downtime to patch 65 of our servers...".

Microsoft loves to talk about how their software has a lower TCO than other operating systems. Perhaps they don't count the cost of man-hours spent applying patches, or the downtime involved?

How bout a different approach?

[Phrogman]

I have been thinking about this as well as one of the places I do contract work for is getting pounded daily with Nimda and Code Red I/II attacks as well. Since the box is running Linux, the attacks don't matter but I have been wondering if there is some way that a sysadmin could take advantage of these requests to stop the attacking system.

Various people have mentioned writing a white hat virus that would shut down the attacker and all that - but in reality that just puts you in the same boat as someone attacking their system - and its therefore illegal.But if someone's computer makes an http request for a file from my server, am I responsible if what they get is not what they might expect to get?

What if I was to create a file consisting of nothing but the letter X that was, say, 1Gb in size, and leave it on my linux webserver with a name like "root.exe"? It wouldn't take all that many requests for the attacking system to run out of HD space. Granted service on my server might suck for a bit, but eventually if enough linux admins did this the target systems would simply shutdown for lack of swap space or HD space or whathaveyou.

Or perhaps I tell Apache to treat .exe files as PHP files and process them accordingly. Then I create a PHP script that sends prints nothing but Xs or random numbers in a long string back to the requesting server (with the execution time limit for PHP turned off). It would be like 5 lines of code total.

After all, its my server, so presumeably I put the file there for my own purposes, indicated in robots.txt that I dont want it indexed etc. If some other system makes a request for that file which I have in no way indicated is present on my system, isn't there fault/problem if the file is too big, or causes problems at their end?

I am sure the clever folks at /. could think of other things that could be done in this manner.

Just food for thought, and I would love to see some suggestions...