Marketing OpenOffice.org
It is a rare free software development project which feels the need - or
has the resources - to develop a 50-page strategic marketing plan.
OpenOffice.org is anything but an ordinary project, however. Its
Strategic Marketing Plan 2010 is available in a glossy,
printer-stressing PDF format; those
wishing to support the project can also buy the plan in book format for
$7.95. In many ways, the OpenOffice.org plan resembles many other, similar
documents which have been putting meeting attendees to sleep for years. It
is very much worth a read, however; it offers a view into the project's
ambitions and worries for the coming years.
OpenOffice.org cannot be faulted for lacking ambition: the marketing plan
calls for a 50% penetration rate by 2010. There is a little table which
reads a bit like a Bush administration budget forecast - usage is supposed
to jump from 35% to 50% between 2009 and 2010. By the end of 2004, the
project will be satisfied with 2% penetration.
Getting that many users will be a challenge, so much of the plan concerns
itself with how OpenOffice.org will find them.
There is a big emphasis on establishing OpenOffice.org as a global
brand. The project has also singled out seven target markets which, it
thinks, are especially ready for a jump to OpenOffice.org:
- Governments - with an emphasis on developing countries. Reading
between the lines, it appears that OpenOffice.org does not wish to
compete with Sun's StarOffice sales in richer countries.
- Education. As a way of competing with Microsoft's education programs,
which target teenagers, OpenOffice.org's plan suggests trying to hook
kids when they are seven or eight years old.
- Public libraries - especially smaller ones without lots of extra
cash.
- Non-profit organizations.
- Small and medium-sized businesses.
- Original equipment manufacturers, who should be encouraged to bundle
OpenOffice.org with their systems.
- Linux distributors; OpenOffice.org would like to have its software
shipped with every general-purpose distribution.
To push OpenOffice.org into these markets, the project has a whole set of
"marketing contacts," is working on promotional materials, and has a set of
development goals, such as the creation of "OEM kits." Feeding the demand
side of the equation is very much at the core of the OpenOffice.org plan.
There are some interesting things which are missing. In its introduction,
the plan states:
As of today (2004), both OpenOffice.org and the Community are
heavily dependent on the support of Sun for their continued
survival. The Community has set itself a challenge to become
completely self-sufficient, and rely on volunteer effort and/or
funds generated by the Community.
This would clearly be a good thing for OpenOffice.org to do. The marketing
plan does not really address this goal again, however. Raising funds
appears to not be a part of this plan at all. There also appears to be
little concern about marketing OpenOffice.org to developers. By most
accounts, the bulk of OpenOffice development is still done by Sun
engineers, and the project remains difficult for new developers to
approach. Forks like ooo-build have appeared in
response to developer frustrations, and Sun's ties to Microsoft have
recently led to Bruce Perens calling for developers to not
donate their code to the project. If OpenOffice.org cannot get past this
marketing problem, it will have a hard time achieving self-sufficiency and
its usage goals.
The project's relationship with Sun is a recurring issue in this document.
Clearly, as long as OpenOffice.org is dependent on Sun for funding and
developers, one of its priorities must not be marketing to users, but
marketing itself to Sun. Thus, the plan worries:
Sun Microsystems may lose the ability or desire to fund non-revenue
generating activities such as the Community.
and recommends that:
The Community should put significant effort into understanding
Sun's goals for StarOffice and OpenOffice.org and selling the
benefits to Sun of their continuing support of the Community.
OpenOffice.org has to step carefully around its patron. So there are no
plans to try to "sell" OpenOffice.org into large businesses and other
places where Sun is trying to do deals involving StarOffice. A fair amount
of new OpenOffice.org functionality is being written in Java, which creates
problems for some Linux distributors - there is no free, certified Java
runtime which can be shipped to run that new code. So OpenOffice.org's
plan contemplates the creation of a "Java-free" configuration (something
the distributors have been doing for a while), but there is no thought
given to making it all work with a free, non-certified runtime engine.
The plan spends some time contemplating the threats faced by the project.
These include confusion with StarOffice, the fact that others can fork the
project, missing functionality (email, web browsing, group calendars,
etc.), and software patents. The biggest threat seen by the project,
however, is clearly Microsoft; somehow the planners have gotten the idea
that Microsoft might not just stand by and watch while OpenOffice.org grabs
the 50% of the market it covets. The project intends to respond by making
migration from Microsoft products even easier, stressing the "full
functionality for free" nature of the software, and targeting users who are
facing forced upgrades or who fear license compliance audits.
There is one threat which is not even mentioned by the plan, however: other
free software projects. Names like AbiWord, Gnumeric, Scribus, KOffice,
etc. simply do not appear at all. Some of these are, perhaps, shrugged off
by proclaiming that OpenOffice.org is the only free integrated
office suite - though the KOffice developers might disagree. It can also
only be true that the OpenOffice.org developers do not wish to upset parts
of the free software community by overtly tagging them as competitors and
making plans on how to beat them. The fact remains, however, that a number
of free "productivity" tools exist, and many of them are held, by some
users at least, to be superior to the corresponding parts of
OpenOffice.org. These tools will not go away; a "strategic marketing plan"
that aims for 50% penetration while ignoring the other free alternatives
runs a real risk of an unpleasant collision with reality as things play
out.
It is worth noting that the plan is not in its final form; this is, in
fact, the first public release, which was intended to encourage discussion
and debate at OOoCon last week.
There will be, without doubt, changes to the plan as a result of that
discussion, but LWN was unable to attend the conference and reports have
been relatively scarce so far. Even so, the plan gives valuable insights
into an important free software project which is at a sort of turning
point. It indicates that the project intends to concentrate on "selling"
OpenOffice.org to vast numbers of users rather than on engagement with the
free software community. More OpenOffice.org users can only be a good
thing; one can only wish the project luck in achieving its goals.
Mandrake shoots for EAL5
A consortium of five companies, including MandrakeSoft, has
been awarded a contract from the French Ministry of Defense to deliver
a Linux-based OS certified at Common
Criteria Evaluation Assurance Level 5 (CC-EAL5). The three-year
contract is worth €7 million, with MandrakeSoft's share totaling
€1 million. Participating in the contract with MandrakeSoft are Bertin
Technologies, Surlog, Jaluna, and Oppida.
We contacted MandrakeSoft co-founder Gaël Duval about the contract and
to get a little more information about the process. The EAL5 certification may
seem a bit ambitious, particularly since no other Linux vendor has achieved
that level of certification for a Linux OS. In fact, none of the competing
OSes have reached that level of certification either.
At the moment, the Linux distribution with the highest level of EAL
certification is Novell's SUSE
Linux Enterprise Server (SLES) 8 (PDF), which achieved EAL3+ with IBM's help.
There are seven levels of CC-EAL certification. In a nutshell, an EAL5
certification designates that a system's features and security level are
certified, and that development follows "formalized or
semi-formalized methods."
We asked Duval if MandrakeSoft had any prior experience with this type of
project:
Not exactly, but we introduced advanced security features in Mandrakelinux
products early (Mandrakelinux 7.0, which was released in early 2000). We
also sponsored several Open Source security projects. And we have
a line of security products (Single Network Firewall & Multi Network
Firewall). So security is a long-time tradition at Mandrakesoft.
Of course, MandrakeSoft is not the only vendor working on this project. Oppida is an officially
authorized Common Criteria Information Technologies Security Evaluation Facility
(ITSEF), making it an ideal partner for a project of this kind. Surlog's expertise is in
providing tools to evaluate software and system dependability. Jaluna provides real-time and
high-availability solutions, including solutions based on Linux.
We also asked Duval how MandrakeSoft became involved with this effort, and
how the consortium came into being. Duval didn't provide a great deal of
detail:
We know these companies and they know us, so it's a natural arrangement
because every actor has some technology and expertise to bring.
Unfortunately, it will be some time before the work that the consortium is
doing shows up for use by the community. According to Duval, the plan is to
keep development separate from Mandrake Linux development:
It will be totally outside of the Mandrakelinux product roadmap. Several
actors take part in this project, which will be released in Open Source
after completion.
Duval did allow that some of the work might show up "later" in
the development process. We also asked what license would be used for any
work created for this project. Duval said that he doesn't have any
information about licensing details, just that it would be an open source
license.
Three years is quite a long time, so it will be interesting to see whether
MandrakeSoft is the first Linux vendor to reach EAL5, or if Novell or Red
Hat beat them to the punch. Novell has already said
that it hopes to gain EAL4 certification in the near future. No doubt,
Novell will be setting its sights on EAL5 shortly thereafter.
For the larger picture, of course, it won't matter whether Novell or
MandrakeSoft reach the finish line first. Achieving EAL5 will be yet
another feather in Linux's cap, another milestone reached that will allow
governments and organizations to move to Linux instead of proprietary
offerings.
Page editor: Jonathan Corbet
Security
Interview with Rootkit Hunter author Michael Boelen
September 29, 2004
This article was contributed by Joe Klemmer
One of the greatest joys we Linux users have is to say to our
Windows-running friends, family and co-workers that we do not
suffer from viruses like they do. However,
the reality is that we aren't immune from being attacked. There are
plenty of nasty things out there that would be happy to trash our
systems. One of these nasty things is something called a rootkit.
Rootkits allow a cracker to ensure future access to a compromised system
while hiding the evidence from administrators and users; see LWN's look at the Adore rootkit for an
example.
So how do you detect them? One way is to use the tool
Rootkit Hunter. The
following is an interview with the author of this utility,
Michael Boelen.
Joe Klemmer: Tell us a bit about yourself. Who is
Michael Boelen?
Michael Boelen: I'm a 22-year-old guy, working for a
small company (small webhosting, maintaining servers/services
and application development). My task is to maintain the
internal servers and perform administration for our customers.
I live in The Netherlands at my parents. Computers are my hobby
and my work, so I'm the author of Rootkit Hunter :-)
My main interests are networking, hardware, security and
small application development. Like many people, I like to read,
but I'm especially interested in computer-related stuff.
JK: What led you into system security?
MB: It's a special part of computer services, which
attracts me because it's never the same. It's a dynamic world
inside the big computer world. Although a lot of companies
aren't aware of the consequences of (a missing plan for)
security, I think it's a very important part. That's why almost
everyone in the computer world will use/need some security
enhancements sooner or later. In my case, open relays, Trojans
and viruses were the first signals to have a better look at
security.
JK: What, specifically, are rootkits?
MB: Rootkits are often little packages with some
binaries, some sources and an easy-to-use installer. These
packages are being created to 'stay root' after a successful
compromise of a host. The installer in these packages checks
the host and replaces the default binaries with the ones in the
package. Most times these are binaries like 'ps', 'ls', 'top',
'netstat', where traces of the hacker/cracker/scriptkiddie are
being filtered, with one purpose: hide evil processes, network
connections etc.
Because rootkits are unwanted and difficult to find without
good searching, automated tools are being created. Although a
UNIX specialist is often able to find bad things better/quicker
than automated tools, it can be a very valuable tool. Of course
it is a nice addition to UNIX specialists, but also for average
UNIX users who aren't able to find out which things of a UNIX
system are good or evil (like hidden files, bad strings, not
usual network ports etc).
JK: You've said elsewhere that you built rkhunter
because you didn't find the existing tools to your liking. What
was it about them that you felt needed changing?
MB: The lack of active development is the most important
one. I won't say my tool is better than the others, but I try
to maintain it as active as possible. When users come with
(nice) new ideas, most times I try to implement it as soon as
possible.
JK: Over the course of rkhunter's evolution, have you
found anything interesting about root kits? Any similarities or
differences? Are there any trends?
MB: Yes, a lot of interesting information. I also have a
better idea now (since the development) why
hackers/crackers/scriptkiddies use rootkits and what to do to
detect them. The most difficult part is to maintain a utility
which keeps smart enough to detect suspicious traces on a
system.
Most tools use the same approach, so I tried to combine as
many as possible ways to detect these suspicious traces. And
although it gets better every release, a lot of things have to
be done.
Rootkits don't have a 'normal' trend like viruses/worms
have, because viruses aren't often used for a single person to
achieve his goal (beside breaking up systems, sending spam or
planting a trojan). In fact, some individuals create rootkits
for their needs at the moment they need them. These custom-made
rootkits often contain simple things like IRC bots, backdoors
and sniffers. Within the next few months, those things will be
getting special attention from me and added to Rootkit Hunter.
Rootkits won't quickly disappear, so the war isn't yet
over.
JK: Do you know if rkhunter has had an impact on the
root kit community? Are they now trying to design kits to work
around rkhunter?
MB: I have really no idea, because most rootkits and
backdoors are still being used by individuals and use private
parts (although there are a lot of often used public tools). So
I haven't seen any tools yet, which are built to hide from
Rootkit Hunter. But I'll guess there will be variants already
available.
JK: I would guess that the battle between the root kit
"developers" and the security community is similar to the
anti-virus wars. Is the bulk of your work spent in catching up to
new root kits? Or are you in a position of developing preemptive
technologies to head off the kit builders?
MB: On both ways, because maintaining a 'rootkit hunter'
is almost similar to maintaining an anti-virus tool, with one
exception, viruses aren't made to be hidden from the system
(yet?). So anti-virus developers try to discover as quickly as
possible new (unknown) viruses. The approach on rootkits is a
little bit different. It means also adding unknown rootkits,
but more important, adding new ways to discover all kinds of
hack traces.
JK: What do you see for the future of rkhunter? With
the advent of SElinux will there still be a need for rkhunter and
its kind?
MB: I guess tools like this one, won't be quickly
useless, because even if you have a secured system (like with
SElinux and all other kernel and application improvements),
it's always possible someone breaks your system. At that stage,
tools like Rootkit Hunter (and the few others) can provide an
administrator very useful information.
This interview gives me the opportunity to ask people an
easy question: If you find something interesting for me, can you
send it to me?
The question above gives an answer to your question, because
although I can improve Rootkit Hunter a lot, I really need
input from the users and the guys on the field. Rootkits,
sniffers, ideas and even books are needed to keep on improving.
Till now I have already got a lot of input, but I still need
more information. So have a simple thought about the future: it
only will be better, but only if I get support from the
community!
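The interview's description of rootkits replacing binaries such as 'ps', 'ls', 'top' and 'netstat' suggests one basic check: compare those files with fingerprints recorded while the system was believed clean. The Python below is an added example, not part of the interview and not Rootkit Hunter's code; the function names, the directory list and the JSON baseline file are assumptions made for illustration.

```python
import hashlib
import os
import stat

# Binaries the interview names as typical replacement targets.
WATCHED_NAMES = ("ps", "ls", "top", "netstat")


def fingerprint(path):
    """Describe one file: type, permission bits and SHA-256 of its content."""
    st = os.lstat(path)  # lstat: a binary swapped for a symlink is not followed
    info = {"type": stat.S_IFMT(st.st_mode),
            "mode": stat.S_IMODE(st.st_mode),
            "sha256": None}
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        info["sha256"] = digest.hexdigest()
    return info


def find_watched(directories, names=WATCHED_NAMES):
    """Return every existing path <directory>/<name> for the watched names."""
    found = []
    for directory in directories:
        for name in names:
            path = os.path.join(directory, name)
            if os.path.lexists(path):
                found.append(path)
    return found


def build_baseline(directories, names=WATCHED_NAMES):
    """Record fingerprints on a system believed to be clean."""
    return {p: fingerprint(p) for p in find_watched(directories, names)}


def check_baseline(baseline, directories, names=WATCHED_NAMES):
    """Compare current state with the baseline; return sorted (path, reason)."""
    findings = []
    for path, old in baseline.items():
        if not os.path.lexists(path):
            findings.append((path, "missing"))
            continue
        new = fingerprint(path)
        if new["type"] != old["type"]:
            findings.append((path, "file type changed"))
        elif new["sha256"] != old["sha256"]:
            findings.append((path, "content changed"))
        if new["mode"] != old["mode"]:
            added = new["mode"] & ~old["mode"] & (stat.S_ISUID | stat.S_ISGID)
            suffix = " (setuid/setgid added)" if added else ""
            findings.append((path, "mode changed" + suffix))
    # A watched name that shows up after the baseline was taken may shadow
    # the real binary earlier in PATH.
    for path in set(find_watched(directories, names)) - set(baseline):
        findings.append((path, "not in baseline"))
    return sorted(findings)


if __name__ == "__main__":
    import json
    import sys

    dirs = ["/bin", "/sbin", "/usr/bin", "/usr/sbin"]  # assumed search path
    if len(sys.argv) != 3 or sys.argv[1] not in ("init", "check"):
        sys.exit("usage: baseline.py init|check BASELINE.json")
    if sys.argv[1] == "init":
        with open(sys.argv[2], "w") as fh:
            json.dump(build_baseline(dirs), fh, indent=2)
    else:
        with open(sys.argv[2]) as fh:
            for path, reason in check_baseline(json.load(fh), dirs):
                print(f"WARNING {path}: {reason}")
```

Keep the baseline file off the monitored host, on read-only media or another machine. A kernel-level rootkit can still present clean file contents to a checker running on the compromised system, so a clean result from this check alone does not prove the host is clean.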
New vulnerabilities
apache: protected pages vulnerability
Package(s): apache
CVE #(s): CAN-2004-0811
Created: September 23, 2004
Updated: September 29, 2004
Description:
Apache 2.0.51 may allow the viewing of protected pages
because of a problem merging the Satisfy directive.
getmail: filesystem overwrite vulnerability
Package(s): getmail
CVE #(s): CAN-2004-0880 CAN-2004-0881
Created: September 23, 2004
Updated: October 4, 2004
Description:
Getmail has a vulnerability that may allow a local user to
create or overwrite files in any directory on the system.
jabberd: remote denial of service vulnerability
Package(s): jabberd
CVE #(s):
Created: September 23, 2004
Updated: September 29, 2004
Description:
Jabberd's XML parsing routines have a vulnerability that may
be exploited to create a remote denial of service.
sendmail: pre-set password
Package(s): sendmail
CVE #(s): CAN-2004-0833
Created: September 27, 2004
Updated: September 29, 2004
Description:
Hugo Espuny discovered a problem in sendmail, a commonly used program
to deliver electronic mail. When installing "sasl-bin" to use sasl in
connection with sendmail, the sendmail configuration script uses fixed
user/pass information to initialize the sasl database. Any spammer
with Debian systems knowledge could utilize such a sendmail
installation to relay spam.
subversion: metadata information disclosure
Package(s): subversion
CVE #(s): CAN-2004-0749
Created: September 23, 2004
Updated: November 4, 2004
Description:
The subversion version control system has vulnerabilities
in the handling of metadata such as log file entries related
to using mod_authz_svn.
Updated vulnerabilities
Apache mod_proxy: denial of service
Package(s): apache
CVE #(s): CAN-2004-0492
Created: June 11, 2004
Updated: October 14, 2004
Description:
A buffer overflow vulnerability in the apache mod_proxy module
can be exploited to create a denial of service.
apache2: stack-based buffer overflow in ssl_util.c
Package(s): apache2
CVE #(s): CAN-2004-0488
Created: June 1, 2004
Updated: October 14, 2004
Description:
A stack-based buffer overflow exists in the ssl_util_uuencode_binary
function in ssl_util.c in Apache. When mod_ssl is configured to trust the
issuing CA, a remote attacker may be able to execute arbitrary code via a
client certificate with a long subject DN.
aspell: bounds checking problem
Package(s): aspell
CVE #(s): CAN-2004-0548
Created: June 17, 2004
Updated: December 20, 2004
Description:
Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker.
cdrecord: failure to drop privilege
Package(s): cdrecord
CVE #(s): CAN-2004-0806
Created: September 8, 2004
Updated: February 21, 2005
Description:
The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
cups: denial of service
Package(s): cups cupsys
CVE #(s): CAN-2004-0558
Created: September 15, 2004
Updated: October 14, 2004
Description:
Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening to the IPP port.
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description:
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
flim: insecure file creation
Package(s): flim
CVE #(s): CAN-2004-0422
Created: May 5, 2004
Updated: December 16, 2004
Description:
The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Foomatic: Arbitrary command execution in foomatic-rip
Package(s): foomatic
CVE #(s): CAN-2004-0801
Created: September 20, 2004
Updated: May 31, 2006
Description:
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler.
FreeRADIUS: denial of service
Package(s): freeradius
CVE #(s): CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created: September 22, 2004
Updated: February 2, 2005
Description:
FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Gaim: remote code execution vulnerability
Package(s): gaim
CVE #(s): CAN-2004-0500
Created: August 12, 2004
Updated: October 18, 2004
Description:
The Gaim IRC client (versions 0.81 and prior) has a remote code execution vulnerability
in the MSN-protocol parsing functions.
gtk2, gdk-pixbuf: buffer overflows
Package(s): gdk-pixbuf gtk2
CVE #(s): CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created: September 15, 2004
Updated: February 25, 2005
Description:
The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
glFTPd: Local buffer overflow vulnerability
Package(s): glFTPd
CVE #(s):
Created: September 21, 2004
Updated: September 22, 2004
Description:
The glFTPd server is vulnerable to a buffer overflow in the 'dupescan'
program. This vulnerability is due to an unsafe strcpy() call which can
cause the program to crash when a large argument is passed. A local user
with malicious intent can pass a parameter to the dupescan program that
exceeds the size of the buffer, causing it to overflow. This can lead the
program to crash, and potentially allow arbitrary code execution with the
permissions of the user running glFTPd, which could be the root user.
glibc: Information leak with LD_DEBUG
Package(s): glibc
CVE #(s): CAN-2004-1453
Created: August 17, 2004
Updated: May 26, 2005
Description:
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation.
gnome-vfs: backend script vulnerabilities
Package(s): gnome-vfs
CVE #(s): CAN-2004-0494
Created: August 4, 2004
Updated: February 21, 2005
Description:
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133 CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description:
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
heimdal: root escalation
Package(s): heimdal
CVE #(s): CAN-2004-0794
Created: September 16, 2004
Updated: September 22, 2004
Description:
The Heimdal FTP daemon has several bugs that can allow a remote
attacker to gain root privileges.
httpd: mod_ssl input filter denial of service vulnerability
Package(s): httpd
CVE #(s): CAN-2004-0748
Created: September 2, 2004
Updated: September 23, 2004
Description:
Apache httpd has a denial of service vulnerability in mod_ssl in which
an attacker can force an SSL connection to abort, resulting in the
Apache child process entering an infinite loop. This affects httpd
versions up to and including 2.0.50.
apache2: IPv6 denial of service
Package(s): httpd apache2
CVE #(s): CAN-2004-0747 CAN-2004-0751 CAN-2004-0786 CAN-2004-0809
Created: September 15, 2004
Updated: October 6, 2004
Description:
Apache2 contains an integer error in the apr_uri_parse() function when handling IPv6 addresses. The result is a code execution vulnerability on BSD systems, and a denial of service vulnerability under Linux.
imagemagick: buffer overflow vulnerability
Package(s): imagemagick
CVE #(s): CAN-2004-0827
Created: September 16, 2004
Updated: November 30, 2004
Description:
The ImageMagick graphics library has several buffer overflow
vulnerabilities that allow an attacker to crash the reading process
by creating malformed video or image files in the AVI, BMP, or DIB format.
imlib2: buffer overflows
Package(s): imlib2
CVE #(s): CAN-2004-0802 CAN-2004-0817
Created: September 8, 2004
Updated: October 26, 2005
Description:
The imlib2 library contains buffer overflows in the BMP handling code.
iproute: local denial of service
Package(s): iproute net-tools
CVE #(s): CAN-2003-0856
Created: November 25, 2003
Updated: December 14, 2004
Description:
The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
kdebase: multiple vulnerabilities
Package(s): kdebase
CVE #(s): CAN-2004-0689 CAN-2004-0690 CAN-2004-0721 CAN-2004-0746
Created: August 12, 2004
Updated: October 4, 2004
Description:
Three separate vulnerabilities have been identified in the KDE 3.2
"kdebase" package; see this advisory for
details. These problems include two temporary file vulnerabilities and a
"frame injection" problem in konqueror which could help with phishing
attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies
for certain country specific secondary top level domains.
kernel allows unauthorized changes to the group ID
Package(s): kernel
CVE #(s): CAN-2004-0497
Created: July 2, 2004
Updated: September 27, 2004
Description:
During an audit of the Linux kernel, SUSE discovered a flaw that allowed
a user to make unauthorized changes to the group ID of files in certain
circumstances - such as when the files are exported via NFS.
kernel information leak
Package(s): kernel
CVE #(s): CAN-2004-0415
Created: August 3, 2004
Updated: October 26, 2004
Description:
Paul Starzetz discovered flaws in the Linux kernel when handling file
offset pointers. These consist of invalid conversions of 64 to 32-bit file
offset pointers and possible race conditions. A local unprivileged user
could make use of these flaws to access large portions of kernel memory.
Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.
A fix for this problem was added to the fifth
2.4.27 release candidate.
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description:
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability, issue the following
command as root:
chmod -s /usr/bin/uml_net
lha: stack-based buffer overflow
Package(s): lha
CVE #(s): CAN-2004-0769 CAN-2004-0771 CAN-2004-0694 CAN-2004-0745
Created: September 2, 2004
Updated: October 14, 2004
Description:
The lha archiving and compression utility has a
stack-based buffer overflow vulnerability. A modified
archive could allow an attacker to execute code when a victim
extracts or tests the archive.
libpng: multiple vulnerabilities
libxpm4: stack and integer overflows
Package(s): libxpm4
CVE #(s): CAN-2004-0687 CAN-2004-0688
Created: September 16, 2004
Updated: February 14, 2005
Description:
There are several stack and integer overflow bugs in
the libXpm code of XFree86 that may be used for a denial of service.
logcheck: symlink vulnerability
Package(s): logcheck
CVE #(s): CAN-2004-0404
Created: April 21, 2004
Updated: December 22, 2004
Description:
The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Comments (none posted)
Midnight Commander: extfs vfs vulnerability
Package(s): mc
CVE #(s): CAN-2004-0494
Created: September 2, 2004
Updated: January 5, 2005
Description:
Midnight Commander has a vfs vulnerability with shell quoting
in extfs perl scripts.
Comments (none posted)
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description:
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod.
Comments (none posted)
mod_python: denial of service vulnerability
Package(s): mod_python
CVE #(s): CAN-2003-0973
Created: January 27, 2004
Updated: October 4, 2004
Description:
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability; however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability.
Comments (none posted)
mozilla products: arbitrary code execution and other vulnerabilities
Package(s): mozilla firefox thunderbird
CVE #(s): CAN-2004-0902, CAN-2004-0903, CAN-2004-0904, CAN-2004-0905, CAN-2004-0908
Created: September 20, 2004
Updated: January 13, 2005
Description:
Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system. See the CERT advisory for details.
Comments (none posted)
mpg123: buffer overflow bug
Package(s): mpg123
CVE #(s): CAN-2004-0805
Created: September 16, 2004
Updated: January 11, 2005
Description:
The mpg123 audio playing utility has a buffer overflow
bug that may allow arbitrary execution of code.
Comments (none posted)
mpg321: format string vulnerability
Package(s): mpg321
CVE #(s): CAN-2003-0969
Created: January 6, 2004
Updated: March 28, 2005
Description:
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
Comments (none posted)
neon: buffer overflow
Package(s): neon
CVE #(s): CAN-2004-0398
Created: May 19, 2004
Updated: September 30, 2004
Description:
The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Comments (none posted)
netpbm: insecure temporary files
Package(s): netpbm
CVE #(s): CAN-2003-0924
Created: January 19, 2004
Updated: December 29, 2004
Description:
netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
Comments (1 posted)
OpenOffice: information disclosure
Package(s): openoffice.org
CVE #(s): CAN-2004-0752
Created: September 15, 2004
Updated: October 20, 2004
Description:
OpenOffice.org contains a temporary file handling vulnerability which can allow one local user to read the contents of another user's open files.
Comments (none posted)
openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description:
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
pavuk: buffer overflow
Package(s): pavuk
CVE #(s): CAN-2004-0456
Created: June 30, 2004
Updated: November 11, 2004
Description:
Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server.
Comments (none posted)
php: remotely exploitable memory errors
Package(s): php
CVE #(s): CAN-2004-0594
Created: July 14, 2004
Updated: February 7, 2005
Description:
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not).