LWN.net Weekly Edition for December 23, 2004 [LWN.net]

Looking back at 2004

LWN, like many publications, is not immune to the temptation to make predictions as the new year comes. We also like to look back at the end of the year to see how well our crystal ball actually worked. Predictions offer a clue to how the world appeared to us one year ago, and can thus help us to understand how our view has changed.

Besides, there's usually at least one hilarious error which is good for a smile. So, without further ado, let's look back at LWN's 2004 predictions.

Enterprise Linux. We concluded that the "enterprise Linux" business would do well in 2004 - not a particularly difficult prediction to make. Red Hat's business has indeed done well, and SUSE/Novell is coming along too. The future still looks bright for the enterprise Linux field.

We also predicted a growing backlash against enterprise Linux and their supporting business models, and the possible emergence of free alternatives. Certainly, resentment toward the enterprise distributors continues to exist in some parts of our community, and some of those people are doing something about it. But many of the projects which aim to undercut the enterprise Linux business model - CaOS, Whitebox Linux, UserLinux, etc. - appear to have made little progress over the last year.

Perhaps the largest surprise in this area is the emergence of Ubuntu Linux, which is an attempt to provide the best of a 100% free Linux distribution with longer-term support options. Ubuntu has succeeded in making a big initial splash; whether that will turn into a successful business remains to be seen.

Desktop Linux. From our viewpoint, it looked as if the KDE/GNOME flame wars of the past could return, driven by the distributors' need to minimize their support costs and choose one desktop or the other. Certainly that commercial pressure continues to exist, as witnessed by Ubuntu's choice to offer very much a GNOME-oriented distribution. But the desktop development projects have little interest in fighting with each other, and the flame wars show no real sign of returning.

What we are seeing instead is increased cooperation over bits of infrastructure which are useful to both projects. And when a distribution emphasizes one desktop over the other, the community tends to fill in the gap. See, for example, the Gnoppix and Kubuntu efforts. One year ago, we failed to fully appreciate the maturity of the desktop development projects. They are far too busy creating great software to be bothered with fighting each other.

We also made the obvious prediction that desktop Linux would make great progress and amaze us. We failed to see some of the specifics, however, especially the mainstream attention attracted by the Firefox browser. Firefox has arguably become the best browser available on any platform and the world is beginning to notice.

The SCO case. We figured that SCO might find a "backbone-challenged" Linux user who would choose "licensing" over a court fight; SCO found such a user in the form of EV1Servers.net. The EV1 agreement did not help SCO much, however, in terms of public relations, stock price, or cash flow. Neither did SCO's other suits, launched against DaimlerChrysler and AutoZone. The DaimlerChrysler case appears to have died outright, and the AutoZone suit (which has little to do with Linux) looks weak at best.

We predicted that "by the end of 2004, the SCO cases will probably still be alive in some form, but the end will be in sight." That much seems about right. If IBM's summary judgment motions and Novell's copyright ownership attacks do not do the job, SCO's cash situation may well bring the whole show to a quick end.

The GPL. We suggested that the GPL might finally be tested in court in 2004. That happened in Germany as the result of an enforcement action by the Netfilter project. The GPL was upheld by the German court; its detractors can no longer say that no court has ruled on its validity. Meanwhile, SCO has backed off from its attacks, saying that it never meant to question the GPL's validity as a license. It seems that the company has, belatedly, figured out that nothing else gives it the right to continue to distribute GPL-licensed software.

Security. We worried that the string of attacks against free software development sites would continue into 2005. Certainly there were problems, such as the recent compromise of freedesktop.org, but the attack on the community as a whole - if that's what it was - appears to have stopped for now.

Our prediction that hardened Linux systems would be more widely deployed by the end of 2004 now looks optimistic. Work continues toward that end, but hardening a Linux system (while keeping it usable) is a difficult task, and progress has been slower than many people had anticipated.

Kernel. The prediction that the 2.7 development series would start seemed obvious, but it was wrong. We did sense that the development process was changing, however, and predicted that the next development series would differ from 2.5. The pressures which might lead to a new development series still seem to be mostly absent - mostly because the 2.6 development model tends to prevent those pressures from building up.

What we missed: LWN would like to apply a small patch to its 2004 predictions to fix a few bugs. So we now predict that, in 2004:

Despite all appearances, software patents will not be enacted in the European Union. Yet.
Mandrakesoft will emerge from bankruptcy, shake off much of its debt, and start to function as a profitable company.
Longstanding frictions within the XFree86 project will force it to split; the core of X development will reassemble under the X.org banner.
New FUD attacks against Linux will target total cost of ownership and intellectual property concerns; none will have much success.
The Debian "sarge" release will not happen, and, in fact, will appear to be no closer at the end of 2004. Increasingly, Debian offshoot distributions will handle the task of creating release-ready versions of that distribution.
Some large companies will publicly promise not to use their patents against Linux users, or, even better, to use their patent portfolios to defend (at least some) Linux users against patent attacks.

And so on.

We did get one thing right, though: 2004 was an interesting year in the free software world. We may just have to reuse that prediction for 2005 as well.

Comments (9 posted)

James Barry Corbet 1936 - 2004

James Barry Corbet, your editor's father, passed away on December 18, 2004. To say that he will be greatly missed is an understatement; he lived a life which was full in the extreme, and he touched the lives of a great many others. This is a sad time.

Barry grew up in Vancouver, British Columbia. He attended Dartmouth College, but never completed his degree; instead, he moved to Wyoming to pursue his great loves of that time: skiing and mountaineering. He married Mary French, and was father to three children: Jonathan, Jennifer, and Michael.

He was in the group which performed the first ascent of the Southwest Rib of Denali. He was a member of the 1963 American Everest expedition, where he helped place the highest camp on the West Ridge ascent and lost one of his best friends to an avalanche; he also helped to film the whole exercise. With John Evans, he made the first ascent of Mount Tyree in Antarctica. If certain accounts are to be believed, he participated in an expedition to plant surveillance hardware in the Himalayas to monitor China's nuclear missile tests.

Barry also worked as a ski instructor in Jackson Hole; the infamous ski run Corbet's Couloir was named after him. He started the Jackson Hole Mountain Guides, and a mountaineering store as well. He joined Roger Brown's Summit Films, and the two of them created a classic series of ski movies, including the seminal Ski the Outer Limits.

Much of this came to an end in 1968. While filming a ski event in Aspen, his helicopter crashed, leaving him paralyzed from the waist down. Many people would have responded to such an event with depression and surrender; Barry Corbet was never one of those people, however. He built a new life for himself in a new house in the Colorado mountains. He continued making films, traveled around the country, and, increasingly, began to write. He learned to kayak, to the point of being able to roll up even without the vital hip muscles normally required for that maneuver. He spent three weeks rafting down the Grand Canyon, got dumped into the Colorado River when his raft flipped in Lava Falls, and swam his way out. He went to Korea to watch his daughter compete in the Olympics.

Disability was another mountain to climb. Barry accepted that challenge without hesitation, despite his full knowledge that he would have to climb for the rest of his life and still never catch sight of the summit. He wanted to show the world how far he could get. As time went on, however, he left this phase (which he called "supercrip") behind and turned his attention to helping others cope with disability. He traveled across the U.S., talking to spinal cord injury victims and learning how they had rebuilt their lives; the result was a book called Options, a concentrated distillation of experience with spinal cord injury. The message from Options was clear: it is possible to live a good life with disability.

Other books and films followed, along with a long period as the editor of New Mobility magazine. He feared no topics; his article on life with ventilators attracted much attention, but the annual issue on sex and disability was often the most controversial. Consider this classic quote from the Associated press:

Barry Corbet and Larry Flynt have at least three things in common. Both use wheelchairs. Both are in the magazine business. And both have been accused of peddling filth.

New Mobility has put up a collection of Barry's articles which is worth a read.

Barry's end came sooner than he had expected, but far later than anybody would have predicted after his injury in 1968. He ended his life as he lived it: in his own house, surrounded by family and dear friends, and on his own terms. In a letter sent to people he loved, he wrote:

I've had love overflowing, impassioned careers, a life of adventure and everything I've ever wanted. Nothing missed and no regrets.

Barry's accomplishments in his life are amazing. But what your editor remembers most is a loving father who insisted that his children be prepared and willing to follow their dreams, wherever they may lead them, and despite any obstacles that may appear in the way. He was an example of what life can be when it is truly lived without compromise. There is a huge empty space where Barry Corbet used to be, but the memories live on in the minds of the many people whose lives he touched.

A web site is being created at BarryCorbet.com for stories and photos.

Comments (86 posted)

SCO ends another year

December 22, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

SCO's teleconference on Tuesday may be more significant for what wasn't discussed during the call, rather than what was discussed. Darl McBride, SCO's Chief Executive Officer (CEO) and Bert Young, SCO's Chief Financial Officer, handled the call for SCO. McBride and Young discussed the company's fourth quarter results, provided a very brief summary of the company's legal situation, and answered a few softball questions from a handful of reporters and one private investor. Once again, LWN's reporter was not among the chosen few graced with an opportunity to ask a question.

What wasn't discussed during the call? Plenty. There was no mention of the Change of Control Agreement filed with the SEC by SCO on December 10, 2004. This agreement would allow "any stock, stock option or restricted stock" granted to listed officers to vest immediately upon takeover of the company. Officers listed in the filing include: Sr. Vice President and General Manager of the SCO Source Division, Chris Sontag; Sr. Vice President and General Manager, of SCO's UNIX Division, Jeff Hunsaker; SCO's Vice President, General Counsel and Secretary, Ryan Tibbits as well as McBride and Young.

The fact that Thomas Raimondi, President and CEO of MTI Technology Corp., resigned from SCO's Board of Directors, was not mentioned during the teleconference. The Canopy Group shakeup that forced CEO Ralph Yarro and CFO Darcy Mott out over the weekend was not discussed. The Canopy Group is SCO's parent company. Both Yarro and Mott are on SCO's Board of Directors, Yarro is the chairman of SCO's board. Yarro has been replaced by William Mustard, formerly a managing director at the Smooth Engine consulting firm. At this point, there's no way of knowing what effect, if any, Yarro's removal will have on SCO.

Perhaps even more telling, McBride was even more subdued during this conference call than during the Q3 teleconference held at the end of August. In August, McBride was still taking the occasional potshot at Groklaw and blustering that IBM had not delivered all documents that the company had been ordered to deliver by the court. The tirades against the GPL, Linux and IP "theft" are gone, and McBride sounded -- at least to this reporter -- quite deflated. In fairness, perhaps McBride is only suffering from the same cold that has plagued this reporter for the past week and a half.

It's also interesting to note that the company's teleconferences are getting shorter over time. The June teleconference was 65 minutes and 52 seconds, according to the SCO website. SCO's August teleconference was a mere 47 minutes and 22 seconds, and Tuesday's teleconference was only 36 minutes and 58 seconds.

So what was discussed during the call? SCO's dismal financial results were trotted out by McBride and Young, though the pair tried to put the best possible spin on the results. The company's revenue dropped to $10,075,000, compared to $24,290,000 during the fourth quarter in 2003. This includes a drop in SCOSource revenue, from $10,316,000 in 2003 during the fourth quarter, to $120,000 in 2004. The $120,000 is not from a new licensee, but holdover from the EV1 deal. In short, SCO realized no new revenue from SCOSource during the fourth quarter. Overall, SCO's 2004 revenue is $42,809,000, compared to $79,254,000 for 2003.

McBride also announced that the update for OpenServer, code-named "Legend," will be released in the second quarter of 2005. Previously, the company had said Legend would be released in the first quarter of 2005. SCO's UNIX product revenues were about $8.3 million. It would seem the only source of revenue for SCO in the immediate future is the Unix products line.

SCO did pocket $500,000 recently, thanks to a deal with Vintela, though it won't show up on the books until the first quarter of 2005. Back in April 2003, SCO sold everything related to its Volution product to Center 7 in exchange for a $500,000 promissory note. Center 7 has become Vintela, a company that provides products that allow organizations to manage Unix, Linux and Mac systems with Windows technologies like Active Directory. Vintela has been in the news lately due to a deal with Microsoft that puts about $10 million into the company. Canopy is also an investor in Vintela, though it's hard to tell from the Canopy Group website, which no longer proudly lists companies it has invested in. In fact, it's only a short walk from the Vintela offices to the SCO offices. Apparently, both companies are housed in the Canopy complex in Lindon, Utah.

SCO's Unix business brought in about $8.2 million, after expenses of $1.7 million. The company continued its "restructuring" during the fourth quarter, which has reduced head count to less than 200 employees. It's worth noting that SCO's head count in 2002, prior to filing suit against IBM, was about 340 with revenue of about $15.5 million for the fourth quarter of 2002.

SCO is not the cash-rich company it once was. The company has had to place about $5 million in escrow, and owes Boies, Schiller and Flexner about $24.3 million at the end of this quarter. The company had a closing cash balance of $31.4 million at the end of the quarter, according to Young, leaving SCO with about $7 million going forward.

McBride was sure to emphasize, several times, that the company had capped its legal fees with Boies, Schiller & Flexner. The company has also increased Boies, Schiller & Flexner's contingency fees. Should SCO prove successful in any of their legal attacks, Boies, Schiller & Flexner stand to get between 20 and 33 percent of the booty. McBride offered a very succinct summary of their legal position with IBM, and said "we feel our case is developing well, and the specifics of this are laid out in our filings with the court." It's worth noting that, in past teleconferences, McBride has been significantly more upbeat and effusive about SCO's legal developments.

McBride essentially admitted there was little left to the DaimlerChrysler case, saying that "we determined that it would not be a wise use of resources to pursue the timeliness claim alone." The court has denied SCO's motion to stay the case, and the case has been dismissed without prejudice with approval of SCO and DaimlerChrysler.

For those interested in listening to the teleconference in its entirety, there is an archive of SCO teleconferences on the SCO website. Groklaw also has a transcript of the call.

Comments (4 posted)

Page editor: Jonathan Corbet

Security

Responsible disclosure

This week's "new vulnerabilities" section is somewhat longer than usual; a rather large number of packages have been revealed to have vulnerabilities. This surge in updates is a result of the posting of 44 vulnerabilities found by students in a security class taught by Daniel J. Bernstein.

There is no doubt that Mr. Bernstein has done us a favor by having his students find these problems, and by disclosing them. With luck, he is also teaching his students to avoid the creation of such vulnerabilities. Not everybody is pleased with how the problems were disclosed, however. The usual, accepted technique is to alert the maintainer of the affected software first, and to give them a bit of time in which to prepare and distribute a patch. In this way, the full, public disclosure of the vulnerability can be accompanied by an update.

That was not the path followed by Mr. Bernstein; instead, he opted to dispense with the prior notification to the maintainer, and to simply disclose the vulnerabilities publicly from the outset. The result has been a major scramble on the parts of maintainers and distributors who have found themselves trying to deal with a large pile of problems which have already been broadcast to the world.

Mr. Bernstein is not known for being apologetic in general, and he certainly was not in this case. In fact, he regretted that it took the reports one day to make it to Bugtraq: "It certainly wasn't my intention to give the authors an extra day of self-delusion." In a different discussion he has made his opinion clear:

On the contrary. Immediate full disclosure, with a working exploit, punishes the programmer for his bad code. He panics; he has to rush to fix the problem; he loses users.

You're whining that punishment is painful. You're ignoring the effect that punishment has on future behavior. It encourages programmers to invest the time and effort necessary to eliminate security problems.

So, it seems, the real solution to security problems is to punish programmers who release insecure code. There could be something to be said for this point of view: programmers who have been burned in this way might well find themselves inspired to pay more attention the next time around. The unfortunate side effects of immediate disclosure, however, include the punishment of users and distributors, and the possible creation of rushed, inadequate fixes. Compassion for people - other than the original developer - who are affected by vulnerabilities might suggest that allowing the developer to prepare a fix prior to disclosure might be the better approach.

Comments (24 posted)

Brief items

Critical phpBB vulnerability

The phpBB bulletin board package contains an input validation problem which can allow the hosting site to be compromised. This vulnerability is being actively exploited, and there is apparently a worm in circulation as well. Click below to read the CERT advisory this problem; upgrading to version 2.0.11 fixes the problem.

Full Story (comments: 6)

New vulnerabilities

abcm2ps: buffer overflow vulnerability

Package(s):

abcm2ps

CVE #(s):

Created:

December 20, 2004

Updated:

December 22, 2004

Description:

Limin Wang has located a buffer overflow inside the put_words() function in the abcm2ps code. A remote attacker could convince the victim to download a specially-crafted ABC file. Upon execution, this file would trigger the buffer overflow and lead to the execution of arbitrary code with the permissions of the user running abcm2ps.

Alerts:

Gentoo

200412-18:02

2004-12-19

LWN.net Weekly Edition for December 23, 2004

abcm2ps: buffer overflow vulnerability

acroread: buffer overflow vulnerability

cscope: insecure temporary file

cups: multiple vulnerabilities

cvstrac: cross-site scripting vulnerability

ethereal: multiple vulnerabilities

groff: insecure temp file

htget: buffer overflow

kdelibs: konqueror window injection vulnerability

kerberos5: execution of arbitrary code by authenticated user

kernel: amd64 root privilege escalation from setuid binaries

libtiff: buffer overflow

mpg123: playlist buffer overflow

MPlayer: multiple overflows

nasm: Buffer overflow vulnerability

perl information leak

php: multiple vulnerabilities

phpMyAdmin: multiple vulnerabilities

samba: integer overflow vulnerability

xine-lib: arbitrary code execution

xzgv integer overflows

Zwiki: XSS vulnerability

a2ps: input validation error

aspell: bounds checking problem

cdrecord: failure to drop privilege

cyrus-sasl: remote buffer overflow

dhcp: format string vulnerability

Filename disclosure vulnerability in fam

flim: insecure file creation

Foomatic: Arbitrary command execution in foomatic-rip

FreeRADIUS: denial of service

gaim: buffer overflow in MSN protocol

Gallery: cross-site scripting vulnerability

gtk2, gdk-pixbuf: buffer overflows

gettext: Insecure temporary file handling

ghostscript: symlink vulnerabilities

glibc: Information leak with LD_DEBUG

glibc: tempfile vulnerability in catchsegv script

gnome-vfs: backend script vulnerabilities

groff: insecure temporary directory

gtkhtml: malformed messages cause crash

imlib: buffer overflows in image decoding

imlib2: buffer overflows

iptables: missing initialization

kernel: IGMP and scm_send vulnerabilities

kernel-utils: setuid vulnerability

libgd2: buffer overflows in PNG handling

libpng: multiple vulnerabilities

libxml2 - arbitrary code execution

libxml2: multiple buffer overflows

libxpm4: stack and integer overflows

logcheck: symlink vulnerability

lvm10: creates insecure temporary directory

Midnight Commander: extfs vfs vulnerability

mikmod: buffer overflow

mozilla products: arbitrary code execution and other vulnerabilities

mpg123: buffer overflow bug

mpg321: format string vulnerability

mysql: several vulnerabilities

ncpfs: buffer overflow

netkit-telnet: invalid free pointer

netpbm: insecure temporary files

nfs-utils: denial of service

openssl: der_chop script temp file vulnerability

OpenSSL: denial of service vulnerabilities

php: remotely exploitable memory errors

PostgreSQL: Insecure temporary file use in make_oidjoins_check

ProZilla: Multiple vulnerabilities

qt3: BMP image parser heap overflow

rp-pppoe, pppoe: missing privilege dropping

ruby: infinite loop

sharutils: arbitrary code execution

sox: buffer overflow

SpamAssassin: Denial of Service vulnerability

SquirrelMail: cross-site scripting

Subversion: Remote heap overflow

sudo: environment variable sanitizing

File overwrite vulnerability in tar and unzip

tiff: buffer overflows