LWN.net Weekly Edition for October 13, 2005 [LWN.net]

A pair of desktop initiatives

Whether or not they agree that Linux is "ready for the desktop" or not, most observers will allow that there remains plenty of room for improvement. And while some of those improvements will take the form of slick new applications, there is also quite a bit of less glorious work to do. So it is encouraging to see a couple of new efforts aimed at improving the quality of the desktop we already have.

Novell has sent out a press release announcing the launch of the Better Desktop initiative. This effort, part of the OpenSUSE project, intends to provide information to developers which will help them to make the Linux desktop a better experience.

User-oriented proprietary software companies have many techniques for improving the usability of their products. One of those is to film users trying to fight their way through an application, then lock the developers in a room and force them to watch the users struggle. No popcorn provided. Developers know their software, so they will not wander into the traps and dead-ends which confuse the rest of the world. Watching others run afoul of usability problems shines a light on those problems which cannot be denied. Once the problems are seen and understood, the developers can start to think about solving them.

The Better Desktop project cannot lock developers in a room, and it cannot deprive them of the refreshments of their choice. What it can do, however, is provide the films. As a start, the project has posted video streams of several users as they attempt to accomplish a set of objectives. Also posted is a small set of reports drawing conclusions from the videos. These conclusions are relatively simple (users want to see the username and password fields together on the login screen, for example), but they do demonstrate the sort of issues that developers tend not to see on their own.

The research results posted are just a beginning; one assumes that the project will run more experiments over time. Your editor suggests "figure out how to make betterdesktop.org display reports in firefox without popping up new windows" as a nice place to start. As this body of data grows, implementing usability improvements indicated by the results should be a relatively straightforward task. In usability, as in many other areas, the real challenge is figuring out what problems to solve, rather than implementing the solutions.

The Tango Project has taken on a different goal: get rid of visual inconsistencies between desktop applications, regardless of their source. In particular, Tango has targeted icons as an area needing improvement. So, the project has posted a set of style guidelines on how icons should be created and a specification on how they should be named. If applications adopt both, the result should be applications that look the same everywhere.

The Tango icon gallery gives a good demonstration of the guidelines in action. These guidelines call for bright colors and well-defined perspectives on objects. Not everybody will like the relatively cartoonish approach taken by Tango, but use of these icons will undoubtedly create a lively desktop.

Tango may or may not succeed in the real world. It is important, however, as a cross-desktop effort to improve the overall user experience. If the Linux desktop is to continue to get better, a great deal of usability and consistency work will have to get done. The fact that projects are coming together to make a start on that work can only be a good thing.

Comments (17 posted)

Single-company free software

This has been an interesting week for those who watch how free software and the business world interact. Oracle's acquisition of Innobase, Check Point's acquisition of Sourcefire, and the closing of the Nessus source all raise some fundamental questions. Free software users are secure - even smug - in the knowledge that the software they use cannot be yanked out from under them. Is that really true, however, in situations where an important component is owned by a single company?

Oracle has announced the acquisition of a Finnish company named Innobase. This company is the creator of the "InnoDB" storage engine used by the popular MySQL relational database management system. MySQL has a number of storage engines, but InnoDB is the one which seems to meet the needs of a large portion of MySQL's users. So those users may well have cause to wonder about language like the following, from the Oracle press release:

InnoDB is not a standalone database product: it is distributed as a part of the MySQL database. InnoDB's contractual relationship with MySQL comes up for renewal next year. Oracle fully expects to negotiate an extension of that relationship.

MySQL AB has put out a cheery press release "welcoming" Oracle to the free database market. Behind the smile, however, there may be some worry in the MySQL office. Oracle, after all, does not have a reputation for being a particularly pleasant company to negotiate with. MySQL is almost certainly paying Innobase for the right to include InnoDB with the proprietary versions of its software; it may be that the price is about to go up.

Should MySQL users worry? The current version of InnoDB is licensed under the GPL, and Oracle cannot take that away. What might happen is that development for the freely-licensed InnoDB may slow or stop. Nothing can prevent the user community - or MySQL AB itself - from forking the project and continuing development should Oracle take things in an undesirable direction. But MySQL AB's motivation to do so may be small if it is unable to include InnoDB in its commercial products.

Meanwhile, Sourcefire has been acquired by Check Point, a security firm. Sourcefire is the company created around the free Snort intrusion detection system. Snort users depend on it to catch and respond to attempts to compromise systems on their networks. So the idea that this code could go proprietary is of concern.

Check Point claims to be "fully committed" to the Snort open source community, so, presumably, Snort will remain free for a while. In the case of Snort, however, the users who truly depend on it are already paying for additional services. Among other things, a tool like Snort requires regular updates to its rule set to keep up with the latest attack signatures. Quick rule updates were already a value-added service, and that is unlikely to change. With luck, the free rules will continue to be updated regularly. If that fails to happen, and there is sufficient interest in the community, those updates will come from outside the company in the future.

Users of the Nessus security scanner were recently surprised by a Nessus roadmap posting. The upcoming 3.0 release will include a number of improvements, especially in performance, but it will no longer be licensed under the GPL. It will, instead, carry a "free beer" license which makes the distribution of binaries difficult or impossible. Tenable Software, the company behind Nessus, cites two reasons for the license change. The first is that other companies are using Nessus to compete in ways that Tenable sees as unfair:

A number of companies are _using_ the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our own competition and we want to put an end to that. Nessus3 contains an improved engine, and we don't want our competition to claim to have improved "their" scanner.

The exact nature of this "loophole" is unclear; selling an appliance loaded with GPL-licensed software does not change the GPL's requirements, as several router appliance vendors have found to their detriment. That said, it is clear that Tenable believes that distributing Nessus under the GPL is costing it business. When that belief is combined with the company's other claim - that the wider community has failed to contribute any worthwhile code to Nessus anyway - the reasoning behind the change becomes clear. Why bother with a free license when it hurts business and does not bring in any contributions from outside?

It is hard to say, from a distance, why there has been so little community contribution to Nessus. Certainly there is nothing readily visible on Nessus.org encouraging contributions. But there does not appear to be any indications that Tenable went out of its way to discourage or reject contributions. This may be one of those cases - certainly not the only one - where an outside development community has simply failed to come together for a particular project.

Once again, the current version of Nessus is licensed under the GPL, and nobody can take that away. Tenable has even said that it will continue to support the GPL version with bug fixes. So if the Nessus user community is truly upset by the licensing change, it will be able to fork the free version and carry it forward. It's worth noting that many Nessus plugins, which perform the actual security checks, have been covered by a different license for some time, however. Tenable requires third-party plugins to be distributed under the GPL, which indicates that the company sees those plugins as being derived from Nessus itself. How such plugins can be legally used with a non-GPL Nessus would be an interesting question for the lawyers.

All three of these cases illustrate a particular hazard associated with free software projects which are entirely owned by one company. Any such project can turn proprietary at any time, leaving users scrambling for a new solution. This risk is worth keeping in mind, but it should also be kept in perspective. Proprietary software is no more reliable; indeed, it can vanish altogether leaving users with no recourse at all. Free software, at least, cannot be taken away. Users have the option of carrying it forward, should they choose to do so. OpenSSH is a good example of how this freedom can work.

A bigger risk with single-company free software might well turn out to be that it has a harder time attracting developers. This may be especially true in cases where developers are required to assign their copyrights to the owning company on any contributions. It is hard to justify giving away your code when some company might just turn around and make it proprietary. For this reason, a number of companies based on free software projects have created independent foundations to own the copyrights and manage development. For both users and developers who are evaluating free software projects, the existence of such a foundation will provide a higher degree of assurance that the freedoms they count on will remain available in future releases of the software.

Comments (40 posted)

LWN status - a followup

The LWN status update posted two weeks ago generated quite a bit of feedback. We have also received quite a bit of mail; it has all been read, though we have not had a chance to respond to every message. Once again, we offer our thanks to all of you, who clearly care about keeping LWN going and making it better.

One of the most commonly-suggested ideas was a "send a link" feature for subscribers. Using this feature, a subscriber could generate a link which would enable a non-subscriber to access an article which is still behind the subscription gate. The idea would be to let our readers spread limited access to subscription content, thus helping to hook more readers. We will probably implement this idea, though the specific shape of it remains to be worked out. Stay tuned.

Other promotional approaches are being looked at and tried out. Ad campaigns run on That Big Search Engine have been disappointing so far, though we have not yet given up on that approach. What seems more effective is targeted trial subscription offers; a trial offer sent to the GnuCash and KMyMoney lists (so they could read the recent Grumpy Editor article) got quite a few takers. LWN does not need a reputation for spamming developer lists, however, so much care will have to be taken with this approach.

The idea of extending the subscription period did not inspire a great many replies, one way or another. We may try a modest extension (to two weeks, perhaps), maybe in conjunction with the "send a link" feature.

A few people have asked for a higher-priced subscription option or the ability to simply make donations. We may eventually add the higher level, though we expect that the uptake - which would be necessarily less than we see now for the "project leader" level - would be relatively small. There will not be a donation option added, however. Those of you who were with us when we first decided to try subscriptions will remember that we went through a major hassle with our credit card merchant bank. Donations are a red flag which, it seems, creates major anxiety in merchant bank risk management departments. Our current bank has proved to be far more rational than the one we had back then, but the ability to accept credit cards is our lifeline, and we cannot do things (like accepting donations) which put it at risk.

We do have a couple of options for anybody who would like to send more money LWN's way: (1) buy a gift certificate for a friend, or (2) buy a text ad promoting your favorite free software project.

A few users have suggested that the site could use a redesign to give it a more professional look. No doubt that is true, and a site makeover has been on the "to do" list for some time. Any such redesign, when it happens, will preserve the core philosophy of the current site: LWN is about high-quality text without a lot of distracting decorative material. So there is no need to worry that we'll be going to a frame-based, flash-encrusted, image-heavy presentation in the future.

Thanks to all of you for your support and feedback. LWN has truly been blessed with the best group of readers we could ever have hoped for.

Comments (58 posted)

Page editor: Jonathan Corbet

Security

Mail filtering in Thunderbird 1.5

Your editor recently had a chance to try out the second beta Thunderbird 1.5 release. There are a number of nice additions in this release of Mozilla's mail client - and a few not-so-nice subtractions, in the form of broken extensions. This article will concentrate on a couple of security-related features.

Thunderbird has had spam filtering for some time. Your editor has never given it a full test, however. Happily, an ideal resource exists for this purpose: your editor's 4000-spam-per-day mail stream. A quick config file tweak directed a copy of this stream, unfiltered, into Thunderbird to see how it would react.

The bayesian filter built into Thunderbird turns out to be a quick learner. After 100 messages or so, it was busily marking most messages itself. The speed with which it learns tempts the user to turn on automatic spam-canning of marked mail early in the process; it is such a delight to see that stuff simply disappear. Training a SpamAssassin filter takes quite a bit longer.

Unfortunately, the Thunderbird filter appears to learn too quickly, with the result that false positives become a problem. As long as Thunderbird is not configured to automatically refile spam, the false positives can be corrected with, one assumes, an appropriate tweaking of the filter. Once spams have been diverted, however, there appears to be no way to tell Thunderbird that it made a mistake. So new Thunderbird users would be well advised to look over its spam classification decisions for some time before empowering it to refile mail automatically.

SpamAssassin's more conservative approach may well turn out to be better for people who cannot afford to lose mail. Happily, Thunderbird 1.5 includes an option which causes it to defer to SpamAssassin on filtering. Thus, the system administrator can use SpamAssassin to add headers to mail, and individual users can have Thunderbird act on those headers if desired.

A truly new feature in 1.5 is phishing detection. A few simple rules have been added to detect phishy links; essentially, a message will be flagged if a URL contains a numeric IP address or the link text contains an address which fails to match the link destination. In these cases, clicking on a suspect link will result in a dialog explaining the situation and asking if the user wishes to proceed. Thunderbird will also mark such messages with a line saying "Mail/News thinks this message might be an email scam."

This capability is a step in the right direction, but it has some obvious shortcomings. It failed to detect a number of random phishes found in your editor's mailbox. The "this might be junk" message also overrides the phishing warning; arguably the scam warning should take priority. The real risk, though, is that users might think that, if Thunderbird does not flag a message, it must be legitimate. Remember, these are people who fall for phishing scams in the first place.

The best way to avoid that possibility would be to improve the detection of phishing messages. One wonders if the bayesian filter could be trained to this purpose as well as detecting spam. There is also ample opportunity for cooperation with anti-phishing groups which maintain lists of known phishing sites - though one would have to be careful to preserve a user's privacy when checking links.

Quibbles aside, Thunderbird 1.5 is a step in the right direction toward a more secure email environment. More work clearly remains to be done - but that is likely to always be the case. Meanwhile, tools which help to reduce the spam and phishing problems can only be a good thing.

Comments (8 posted)

New vulnerabilities

graphviz: insecure temporary file

Package(s):

graphviz

CVE #(s):

CAN-2005-2965

Created:

October 10, 2005

Updated:

October 21, 2005

Description:

Javier Fernández-Sanguino Peña discovered insecure temporary file creation in graphviz, a rich set of graph drawing tools, that can be exploited to overwrite arbitrary files by a local attacker.

Alerts:

Mandriva	MDKSA-2005:188	2005-10-20
Ubuntu	USN-208-1	2005-10-17
Debian	DSA-857-1	2005-10-10

LWN.net Weekly Edition for October 13, 2005

graphviz: insecure temporary file

kernel: multiple vulnerabilities

koffice: KWord RTF import buffer overflow

libuser: denial of service

mason: open firewall vulnerability

mozilla: symlink attack

openssl: protocol rollback

ruby: bypass object flags

squirrelmail: cross-site scripting

up-imapproxy: format string vulnerabilities

uw-imap: buffer overflow

weex: format string vulnerability

xine-lib: arbitrary code execution

xloadimage: buffer overflows

a2ps: input validation error

abiword: buffer overflow

apache information disclosure if modssl=yes

httpd: off-by-one overflow and cross-site scripting

apachetop: insecure temporary file

arc: temporary file vulnerabilities

awstats: command injection vulnerability

backupninja: insecure temporary file

bzip2: race condition and infinite loop

cfengine: insecure temporary files

common-lisp-controller: design error

courier: missing input sanitizing

cpio: directory traversal

cyrus-imapd: buffer overflows

dia: missing input sanitizing

elm: buffer overflow

emacs21: format string vulnerability in "movemail"

enscript: arbitrary code execution

ethereal: dissector vulnerabilities

evolution: format string issues

firefox: multiple vulnerabilities

Foomatic: Arbitrary command execution in foomatic-rip

gaim: buffer overflow

gdb: multiple vulnerabilities

gtk-pixbuf, gtk2: denial of service

gedit: format string vulnerability

gettext: Insecure temporary file handling

glibc: tempfile vulnerability in catchsegv script

gopher: buffer overflows

grip: buffer overflow

groff: insecure temporary directory

gtkdiskfree: insecure temp file

gzip: arbitrary command execution

HelixPlayer: arbitrary code execution

htdig: cross site scripting

Hylafax: insecure temporary file creation in xferfaxstats

imap: buffer overflow in c-client

imlib2: buffer overflows

junkbuster: heap corruption and settings modification

kdebase: local root vulnerability

kdelibs: kate backup file permission leak

kernel: buffer overflow

kernel: multiple vulnerabilities

krb5: double-free flaw

libconvert-uulib-perl: arbitrary code execution

libdbi-perl: insecure temporary file

libgadu: memory alignment bug

libgd2: buffer overflows in PNG handling

libnet-ssleay-perl: weakened cryptographic operations

libpam-ldap: authentication bypass

libTIFF: buffer overflow

libxml2 - arbitrary code execution

libxml2: multiple buffer overflows

libXpm: new buffer overflows

lm-sensors: insecure temp files

Mailutils: format string vulnerability in imap4d

masqmail: input sanitizing and symlink vulnerabilities

mod-auth-shadow: authorization bypass

mod_python: remote access vulnerability

mozilla: buffer overflow

Berkeley MPEG Tools: multiple insecure temporary files

mysql: buffer overflow

mysql: low-impact security fix

ncpfs: multiple vulnerabilities

nfs-utils: arbitrary code execution