LWN.net Weekly Edition for September 18, 2003 [LWN.net]

Whose Internet is it?

Verisign is, of course, the company that once had a monopoly in the registration of .com and .net domain names. That monopoly has been broken, but Verisign is still the maintainer of the underlying database. This job is a nice cash cow for Verisign; all it needs to do is keep the database running, and it can extract an annual rent from every .com and .net domain out there. Many people would be happy with such a business.

Verisign, it would seem, wants more than that. So, at the beginning of this week, the company slipped a little "wild card" entry into the databases for .com and .net. The wild card entry provides an answer for any domain query that does not otherwise appear in the database; it is a default answer which now appears instead of the "no such domain" response that came before.

What does this wild card do? If you look up something that doesn't exist, say "scolinuxlicense.com", you'll get back an IP address (currently 64.94.110.11). If you send mail to that address, you get the world's stupidest SMTP server (if you're bored, try a command like "telnet bogusverisignhost.net smtp" and type five lines of random junk at it). Web queries, however, go to the company's "sitefinder" service. There, the user is confronted with a search engine and paid links aimed to help said user find what they were really after. Note that, according to the terms of use:

The information provided through the VeriSign Services is not necessarily complete and may be supplied by VeriSign's commericial [sic] licensors, advertisers or others.

In other words, it's really just another low-class domain hijacking scam.

In this case, however, there is more to it. Verisign has, by making this change, fundamentally altered the way the Internet operates. A whole class of diagnostic information - the fact that a given domain lookup has failed - is no longer part of the DNS protocol when .com and .net are involved. This change was not discussed with any of the affected users or other responsible parties, it was simply done. Verisign may have lost its monopoly on front-line domain name registration, but it still seems to think it owns the underlying domains.

The change has had real consequences. For example, spam filtering which relies on domain name existence tests no longer works. Bouncing spam with fake return addresses now has to go through a discussion with Sitefinder's SMTP server. The change is a generally bad idea; to have simply made such a change without so much as a "by your leave" is an act of great arrogance.

The internet, however, is built on free software. There is already a patch available from ISC for BIND 9 which defeats the new wildcard entries. Linux users can find a program on this page which uses netfilter to fix Sitefinder replies; that page also has pointers to patches for a number of DNS servers and mail transfer agents. Verisign may or may not decide to back down on this "service," but, since we own the infrastructure of our net, we can fix the problem regardless - this time, at least. Verisign's next move may not be so easy to counter.

Comments (19 posted)

SCO's quarterly filing

SCO's quarterly 10Q filing is now available. These filings can often give some insight into the internals of a company. Since SCO's actions are, currently, somewhat relevant to the Linux community, this filing is worth a look. What follows is our summary of the current quarterly state of SCO.

The company claims a profitable quarter, of course. Total revenue is reported at $20 million, of which $11 million came from products, $2 million from services, and $7 million from SCOsource. As a result of this revenue, the company's claimed assets have gone from $21 million at the beginning of the fiscal year (October, 2002) to $26 million now; of that, almost $15 million is cash in the bank. $15 million is also, of course, what the company has received in licensing revenue from Microsoft and Sun this year.

The company has spent almost $4 million ($1.7 million in the quarter) on SCOsource. This figure includes internal SCOsource staff along with external legal fees. Most other expenditures are in decline; the company spent 31% less in research and development than it did last year. SCO laid off 35 employes - about 10% of its staff - over the quarter. It also shut down SCO Group Ltd., a subsidiary in the UK.

Litigation

Not surprisingly, ongoing litigation is an important topic in this filing. It mentions the Red Hat suit, stating:

On or about September 15, 2003, the Company filed a motion to dismiss the Red Hat complaint. The motion to dismiss asserts that Red Hat lacks standing and that no case or controversy exists with respect to the claims seeking a declaratory judgment of non-infringement. The motion to dismiss further asserts that Red Hat's claims under the Lanham Act and related state laws are barred by the First Amendment to the U.S. Constitution and the common law privilege of judicial immunity.

It is interesting to hear that "no case or controversy exists" with Red Hat. SCO may well be restricting its options with regard to the creation of future cases against Red Hat. The first amendment defense is interesting; the first amendment rights of companies in the U.S. is currently a topic of much debate - and an ongoing Supreme Court case.

Things are happening in other parts of the world:

The Australian Competition and Consumer Commission (the "ACCC") has contacted the Company and requested information regarding complaints it has received regarding the Company's intellectual property claims and the Company's statements regarding the need for commercial Linux users to obtain a UNIX license. [...]

Several entities in Germany have obtained temporary restraining orders in Germany precluding SCO GmbH, the Company's German subsidiary, in substance, from making statements in Germany that disparage Linux, or entities involved in the Linux business, or implicate Linux as infringing the Company's intellectual property rights. SCO GmbH has received an administrative fine of 10,000 Euro for a technical violation of one of the temporary restraining orders. [...]

Informal letter complaints similar to those raised in Germany have been received from companies in Austria and Poland. [...]

Pursuit and defense of the above-mentioned matters will be costly, and management expects the costs for legal fees and related expenses may be substantial. The ultimate outcome or potential effect of the Company's results of operations or financial position as a result of the above-mentioned matters is not currently known or determinable.

The end result is that the limited countermeasures taken against the company so far are being felt. The "risk factors" section of the filing also has this statement:

We are informed that participants in the Linux industry have attempted to influence participants in the markets in which we sell our products to reduce or eliminate the amount of our products and services that they purchase. They have been somewhat successful in those efforts and will likely continue.

In other words, SCO is discovering the costs involved in angering its customers.

Sun and Microsoft

Of course, SCO's customer base is shifting; a large part of its revenue comes from exactly two companies: Sun Microsystems and Microsoft.

SCO's previous quarterly filing had noted that the "second SCOsource licensee" (being Sun Microsystems) had received, as part of its deal, a warrant allowing it to buy 210,000 shares of SCO stock at $1.83 each. Subsequently, a second warrant for 12,500 shares has been issued to Sun, at the same $1.83 price. There is still no explanation of why SCO stock is being issued to Sun. Most software licensing agreements do not include this sort of equity component.

Sun, which was responsible for 12% of SCO's revenue over the quarter, still owes $2.5 million on its licensing deal. That money is to be paid by the end of November.

Microsoft contributed 25% of SCO's revenue over the quarter. "On July 31, 2003, Microsoft exercised an option to acquire expanded licensing rights. Upon delivery, we expect to recognize additional revenue related to this option." There is no further discussion of what these "expanded licensing rights" are, or what Microsoft is paying for said rights. Chances are, however, that this is the "Fortune 500" customer for SCO's "Linux license" that we heard about in early August.

Vultus and Vista

The quarterly filing gives a few details with regard to SCO's dealings with a couple of other Canopy-funded companies. In June, SCO acquired Vultus, Inc., which is a web services business. The purchase itself required the issuance of 167,590 shares of SCO stock, of which almost 37,000 went to Canopy. But Vultus also owed Canopy a little over $1 million, so another 138,000 shares of stock (worth over $2.5 million now) went in Canopy's direction to take care of that little problem. This deal is a significant transfer of resources from SCO to Canopy; the benefit to SCO remains unclear, however.

We've previously looked at SCO's dealings with Vista, which included the acquisition of $1 million in the company's debt for 800,000 shares of company stock, now worth many times that amount. The company has also fed the company $200,000 in other financing. The current state of that debt?

As of July 31, 2003, the $1,000,000 convertible note receivable discussed above as well as both $100,000 notes receivable were outstanding and in technical default; however, the Company had not demanded repayment. No allowance for the past due notes receivable was recorded as of July 31, 2003 since the Company and Vista continue to work together under the license agreement discussed above and the Company is evaluating its option to convert the notes receivable to equity in Vista.

Vista is fortunate to have such an understanding creditor.

Summary

This filing describes a company whose regular product and service offerings continue to decline in market share and revenue. The filing mentions new initiatives ("web services") but lacks specifics and does not go so far as to predict any sort of revenue from those initiatives. SCO's great hope for the future remains SCOsource. In that context, it is interesting to note that the company's "Linux license" is not mentioned in any significant way here. The first public announcement of this license came after the close of the quarter, but it was clearly in the works at that time. If SCO thought it would get any kind of real revenue from this license, it would not have hesitated to say so. Instead, we continue to hear about exactly two companies - Sun and Microsoft - which are keeping SCO on life support and, apparently, intend to continue doing so. Meanwhile, attacks through the courts and the market are making themselves felt; SCO is finding itself fighting an increasingly defensive battle.

Anybody who is considering investing in SCO would be well advised to read this filing in its entirety.

Comments (17 posted)

OSDL hires analyst Stacey Quandt

[This article was contributed by Joe 'Zonker' Brockmeier]

The Open Source Development Labs (OSDL) have been on a bit of a high-profile hiring spree this year. First OSDL managed to sign Linus Torvalds to their roster, then followed quickly with kernel maintainer Andrew Morton. Now OSDL is bringing on open source analyst Stacey Quandt as Principal Analyst.

Quandt has worked for Giga Information Group, where she started Giga's Open Source Research program, and for Forrester after Giga was acquired by Forrester. As an analyst that specializes in open source, Quandt has been widely quoted in the tech press and she has been a longtime proponent of Linux and open source -- even on the desktop, judging by this quote from a June story on Ximian on Newsfactor: "The desktop is Microsoft's last stand for near dominance, which will gradually erode with greater awareness of the maturity of Linux desktop offerings."

Unlike many analysts, Quandt has not been willing to parrot the party line that Microsoft solutions are cheaper. After IDC released a study last year saying that Windows 2000 was more cost-effective, Quandt questioned the numbers cited by IDC according to this article in PC World:

...the acquisition costs for hardware and software that IDC cites are suspect, according to Stacey Quandt, an analyst with Giga Information Group. She said Windows systems would seem to account for more than 10 percent of the total cost due to ongoing licensing fees.

Quandt is also one of the analysts who refused to take SCO's word that Linux contains misappropriated intellectual property at face value. While Laura DiDio of the Yankee Group and several other analysts bought SCO's line, Quandt called for SCO to show its cards, and refused to sign SCO's NDA, calling the offer a publicity stunt.

We wanted to ask Quandt about her new role with OSDL, but she was unavailable to answer questions for this story, as she's on the Linux Lunacy cruise. Nelson Pratt, Director of Marketing, was available. Pratt says that Quandt's job will be working with research firms doing work on Linux:

Our members have consistently cited the lack of extensive Linux ROI, TCO and Migration Cost research as a problem for them. Several existing research companies are starting to address this, and many are interested in having OSDL participate in some way. Stacey's research background makes her the right person to represent OSDL in its work with industry research firms. Original research is also a possibility in the future depending on our members' needs.

The release also notes that Quandt will be principal speaker for OSDL at conferences and tradeshows. Pratt declined to comment on any other Linux luminaries that may be joining OSDL in the near future.

Comments (2 posted)

Page editor: Jonathan Corbet

Security

Brief items

A bad week

As a quick perusal of this week's "new vulnerabilities" section will confirm, this has not been a good week for the security of Linux systems. New holes have turned up in KDE, MySQL, OpenSSH (twice), pine, sendmail, XFree86, and more. Almost every Linux system out there will be affected by at least one of these problems.

The OpenSSH and sendmail vulnerabilities are of particular concern. Almost every system of interest runs OpenSSH, and vast portions of the net still run sendmail. Any vulnerability in those programs automatically opens up large numbers of systems to exploitation. These are the sorts of problems that will, someday, be used for the creation of a virulent worm which attacks Linux systems. If we are lucky, no such event will strike us this time around, but let there be no doubt about it: as long as software which is so widely deployed has remotely exploitable holes, we are vulnerable to that sort of mass attack.

Now that the obligatory scary talk is done, let's take a look at the better news here. It is not clear that the bugs in either OpenSSH or sendmail are exploitable in any large-scale way. Even if they are, once again the problems have been found first by the good guys and fixes have been made quickly available by the Linux distributors. The patches being released are small and relatively non-disruptive; administrators can apply them quickly and with confidence. So most systems will be patched in a relatively short period of time. These vulnerabilities were a scary warning, but it does not appear that there will be any great consequences this time around.

Nonetheless, this episode is a warning. Our security, while arguably better than that of the competition, is nowhere near good enough. We are still encountering bugs in crucial, highly-audited code; one can only imagine what lurks in programs which get less attention. And the network environment we are creating is still too monocultural. The network as a whole will be safer when there are multiple, interoperable programs capable of performing the basic infrastructural tasks.

Comments (11 posted)

New vulnerabilities

KDE: Two issues in KDM

Package(s):

kde, xfree86

CVE #(s):

CAN-2003-0690 CAN-2003-0692

Created:

September 16, 2003

Updated:

December 19, 2003

Description:

According to this advisory two issues have been discovered in KDM:

CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
CAN-2003-0692: Session cookies generated by KDM are potentially insecure

All versions of KDM as distributed with KDE up to and including KDE 3.1.3 are affected.

Alerts:

Mandrake	MDKSA-2003:118	2003-12-19
Gentoo	200311-01	2003-11-15
Debian	DSA-388-1	2003-09-19
Conectiva	CLA-2003:747	2003-09-19
Mandrake	MDKSA-2003:091	2003-09-16
Red Hat	RHSA-2003:269-01	2003-09-16

LWN.net Weekly Edition for September 18, 2003

Litigation

Sun and Microsoft

Vultus and Vista

Summary

KDE: Two issues in KDM

mysql: arbitrary code execution

OpenSSH: buffer management error

pine: remote exploits

sane-backends: several vulnerabilities

sendmail: remotely exploitable buffer overflow

XFree86 4.3.0 integer overflows in font libraries

2.4 kernel - several vulnerabilities

apache: multiple vulnerabilities in Apache HTTP server

autorespond: buffer overflow

bind buffer overflow vulnerability in DNS resolver libraries

Canna server: exploitable buffer overrun

eroaster: insecure temporary file

ethereal: security problems in Ethereal 0.9.12

exim: buffer overflows

Filename disclosure vulnerability in fam

fdclone: insecure temporary directory

fetchmail: buffer overflow

glibc: DNS stub resolvers contain buffer overflow vulnerability

gnupg: key validation

gtkhtml: malformed messages cause crash

inetd: DoS attack

kernel-utils: setuid vulnerability

libpam-smb: exploitable buffer overflow

libpng, libpng3: buffer overflow

lynx: CRLF injection vulnerability

mah-jong: buffer overflows, denial of service

perl-MailTools: remote command execution

mikmod: buffer overflow

mindi: insecure file creations

mpg123 - buffer overflow

Nessus NASL scripting engine security issues

netris: buffer overflow

net-snmp: denial of service vulnerability

nfs-utils xlog() off-by-one bug

openssh: timing attack leads to information disclosure

pam-pgsql: format string vulnerability

perl: cross site scripting vulnerability in CGI.pm module

PHP: vulnerability in mail function

phpgroupware - cross-site scripting and other exploits

postfix: denial of service vulnerabilities

PostgreSQL - more buffer overflows

Local arbitrary code execution vulnerability in Python

Multiple-use vulnerability in Safe.pm

semi: insecure temporary file

sendmail: bad DNS reply causes crash

stunnel: signal handler reentrancy DoS

sup: insecure temporary file

File overwrite vulnerability in tar and unzip

teapop: SQL injection

Multiple vendor telnetd vulnerability

unzip: directory traversal vulnerability

vim - modeline vulnerability

vixie-cron: Local vulnerability

webmin: session ID spoofing

wget:directory traversal bug

wget: buffer overflow

wu-ftpd: off-by-one bug

wu-ftpd: insecure program execution

Wwwoffle remote privilege escalation vulnerability

xinetd: Memory leak in xinetd 2.3.10

zblast: buffer overflow

Major and minor numbers

The new way

Connecting up devices

Deleting devices

Finding your device in file operations

Why things were done this way