The future of the FUD mill
There's yet another Microsoft-funded analyst study out there; this one,
done by VeriTest, compares deployment times for Microsoft Windows Small
Business Server and Red Hat Enterprise Linux. No doubt everybody will be
surprised to hear that the study (available
in PDF
format) concludes that Windows is better. Four tasks were set out:
install the system with basic services, set up performance monitoring and
reporting, set up an intranet web site, and configure the network for
remote management. Doing these tasks with Windows took, they say,
4 1/2 hours and 125 steps. Linux required 7 1/2 hours and 555
steps.
It is not hard to poke holes in the study, of course. Somehow it was
possible to set up an intranet server on Windows with zero steps - but it
still took seven minutes. Somehow the report didn't comment on the
discouraging time per step required to accomplish this task on Windows.
Errors made by the (Microsoft-hired) consultants performing the Linux
installation were counted as steps. Tasks like checking the system with
nmap were also counted. Setting up remote administration took 100 steps;
we could suggest a shorter way of doing that:
- Enable sshd.
The VeriTest people, instead, set out on a series of tasks involving
installing the kernel source, setting up PPTP, and carrying out several
tasks on the Windows client - all of which counted as steps, of course.
One could go on about this report for a long time; see, for example, the
letter from Leon Brooks on this week's Letters
Page.
The more interesting development, however, is that Forrester Research has,
after having Microsoft trumpet one of its studies, issued this statement
on the integrity of its reports.
Recently, in two isolated and unrelated cases, we conducted
privately sponsored studies for two vendor clients. We stand by the
integrity of both studies. However, we erred in allowing those
clients to publicize the research findings. In response to these
two isolated events, Forrester has taken immediate steps to tighten
our internal process and clarify our Integrity Policy. As part of
this clarification, the company will no longer accept projects that
involve paid-for, publicized product comparisons. This move
revalidates and strengthens Forrester's research integrity.
Forrester, in other words, is getting out of the analyst-for-hire FUD
business. Given that this business can only be lucrative, Forrester's
decision to leave it behind is worthy of note.
FUD-for-hire has long been an important business tool in the technology
world. Analysts have been happy to have the business, and they have been
able to live with the fact that their output always seems to support the
sponsor's agenda. Technical journalists have long liked these reports;
they can easily be cast into a story without requiring much in the way of
creative or critical thought. The whole system worked smoothly as a way of
shaping public perception of technology products.
Something has happened over the last decade or so, however. The net has made
it easy for interested parties to rip apart biased or poorly-done studies.
And the rise of free software has greatly increased the number of people who
feel some sort of ownership interest in the systems they use. As a result,
anybody publishing a report critical of free software had better be very sure
of his ground, because that report will be subjected to intense scrutiny.
Some of the people performing that scrutiny will know far more about the
subject matter than the analysts who wrote the text, and they will not be
afraid to say, in public, what they think. Shoddy research and skewed
studies do not fare well in the modern environment.
It has been noted for years that FUD attacks on Linux tend to backfire;
even Microsoft has commented on this
fact. The combination of the net and the Linux community has managed to
neutralize - or at least strongly diminish the effect of - FUD. Analyst
companies which are seen as taking part in outright FUD attempts have seen
their own credibility suffer; remember MindCraft? Now some analyst
companies, concerned about the perception of their integrity, are realizing
that the FUD business is a poor place to be in the long run. That is a
victory for the Linux community, and for the level of technology industry
discourse in general.
Comments (5 posted)
An Evening with Bruce Perens
Bruce Perens was in Denver this week for
IBM's Linux strategy briefing and offered to speak to the
Colorado Linux Users and Enthusiasts (CLUE) Linux User Group the night before the IBM event.
The talk was billed as "The Future of GNU/Linux and Free Software," but
Perens talked a great deal about the history of free software as well.
After covering his history with Linux and the open source movement,
Perens turned to current events. He talked a little bit about how many
companies doing Linux-related business suffer from multiple personality
disorder. On the one hand companies like HP are looking to push Linux
and are trying to embrace Linux and do the right thing for the Linux
community. On the other hand, these companies have to maintain
relationships with companies like SCO and Microsoft and participate in
groups like CompTIA that actively
work against open source. Perens cautions the community to pay attention
to everything a company does, not just its support for open source.
We know that both Hewlett-Packard and the other members of CompTIA were
sponsors of the so-called Software Choice Initiative, which works
against open source. So, it's important to watch our friends.
Perens also noted that the next likely legal attack against open source
would be via software patents, and said he thinks it's unlikely that
corporations like HP or IBM would help the community in that event.
Though Perens says he hasn't made up his mind yet, he indicated he was
thinking seriously about trying to form a community-driven answer to Red
Hat's enterprise products.
I'm wondering if it's time for a grass-roots enterprise Linux, and
the way I figured I would do this... is first of all take Debian,
why is there a Fedora
project when there's Debian, a ten-year-old project with all its
policies done...with over a thousand developers? That is what the
Fedora project should be. Take that, and get together the
community of enterprise users who depend on Linux and really want a
zero-cost enterprise distribution.
After the talk, we caught up with Bruce for a few minutes one-on-one
to ask about issues not covered during his talk, and to get further
information on the grass-roots enterprise Linux effort. The first
question was about the disagreement between the Free Software Foundation
and the Debian Project over the GNU Free Documentation License (FDL).
Perens has helped mediate between the groups, and says that they're on
their way to working it out.
I wanted to take the emotion out of the whole thing, and it looks like
we're succeeding at that. I'm not tremendously happy to have coverage of
Debian and FSF bickering, we have a lot more important things going on.
I think that it's going to take care of itself more or less now. You
probably will have some conference calls that are exciting... I'm not
asking either organization to compromise with each other, I'm asking
each organization to follow their own rules. I feel that it's not
permissible for Debian to compromise its ethos for FSF nor is it
permissible for the FSF to compromise its ethos for Debian and
resolution of this issue does not call for either.
Perens also clarified his thoughts on a possible "grass-roots"
enterprise-ready Linux distribution:
It's something I'm still thinking about. I think I will go ahead and do
a call for people to work on it. Obviously I'm open for people who want
to discuss it. The project is not yet announced. I really debated this
in my own head for weeks now, and part of the reason was that, I feel
that it's a big personal expense to me to do any large project. On the
other side every open source thing I've ever done has paid back much
more than I've put into it... I feel that I must participate because I'm
one of the few people in the community with the cachet to pull this off,
who can talk to all the people on the executive side and all the people
on the community side and has reasonable credibility with both of them.
That doesn't mean I have to run it, definitely doesn't mean I want to be
its CTO, it does mean I would be evangelizing it publicly for quite
some time.
I'm thinking about whether it is time for the community... to provide
directly a Linux distro certified to LSB and to proprietary software
providers that are willing to do so, guaranteed to be free software and
free beer, free speech and free beer. A certified distribution that is
zero cost, free software... and I'm convinced that creating a Linux
distribution is an expense-sharing system rather than a profit-making
system, even Red Hat now admits this as they attempt to offload
production of their distribution to the community.
We also asked Perens how he felt about companies that use open source
software, but do not contribute substantially to the projects they use.
I have a scale for commercial collaborators with the community. It has
four points. It runs benefactor, partner, user, parasite. Benefactor:
NASA's a great example. They funded most of Linux's Ethernet drivers at
one time. At that time they were not able yet to make extensive use of
Linux, now they are. They put in more than they got out. Most companies
would not want to be benefactors, it looks bad to your stockholders.
Partner is what companies should be if they expect the cooperation of
the free software community. At Hewlett-Packard, we could not get them
to help us with the IA-64 kernel until we made the printers work. Very
good lesson for companies, we put out 60 printer drivers on Linux
because of that.
User is a company that makes use of Linux and open source that complies
with the licensing, but does not make any contribution unless they just
can't avoid it. The usual GPL. I put Linksys in the user category if
they finish resolving the issues they're working on with the FSF right
now. Linksys is a division of Cisco, a very big company, that's
important.
Parasite, SCO comes to mind. They're making fraudulent claims to get
value out of the Linux and open source community by kiting their stock
and you can quote me on "fraudulent," "libelous," "slanderous," no
problem with that. Other parasites, well who sold Linksys and Cisco that
wireless access point? A chip company with a "B"... a number of
engineering companies that seem to be in Taiwan and Korea, transferred
intellectual property that was not theirs to Linksys and Cisco, in ways
that did not comply with the licensing, leaving these companies whose
goodwill we want out of compliance with our licenses and they don't know
how to resolve the problem. So I don't like it because those Taiwanese
or Korean companies made us enemies with Cisco when we want those guys
to put Linux in their next product, we just want them to comply with the
licenses and they should have been given full directions for doing so
when they bought those WAP designs.
Finally, we asked Perens if he had any thoughts on Eric Raymond's prediction
that Sun is doomed.
Yeah, I wish Eric hadn't written that, actually. At least not quite the
way he wrote it, because first of all not having worked at HP as I have,
Eric doesn't understand how long a company can run on a legacy product
which is an extremely long time. And, secondarily, I think Eric was
angered by things Sun has been saying about Linux not belonging in the
data center and Sun's explicit collaboration with SCO spreading FUD.
However, Sun also helps us. Remember what I said about corporate
multiple personality disorders. They've done $70 million dollar investment in
OpenOffice, and I don't see where it paid off for them. They bungled the
strategic aspect of it, they need help with it, but it was a very large
contribution to Linux and open source. So, first of all, Sun's not going
away, they're not dying. If anything, they'll be acquired. They're still
a company with some value, and obviously their price is becoming more
attractive. Who will acquire them? I think it's either Microsoft or IBM.
We thank Bruce for taking the time to talk with us.
Comments (27 posted)
VeriSign backs down - for now
The
September 18 LWN Weekly Edition asked
"whose Internet is it?" in response to VeriSign's deployment of its
"SiteFinder" service. SiteFinder is an attempt to profit from mistyped
domain names; it is implemented as a set of wildcard entries in
.com and
.net which direct the user to VeriSign's paid
index pages. VeriSign's unilateral change broke a number of network
services, modified how DNS works with no input from anybody else involved,
and raised a great many privacy concerns. Nonetheless, VeriSign seemed
determined to weather the storm and keep its changes in place. That is not
a surprising position, given that the company expected SiteFinder to
generate a revenue stream in the millions of dollars.
Among other things, VeriSign had ignored a request from the Internet
Corporation for Assigned Names and Numbers (ICANN) to suspend the service.
It would seem, however, that ICANN is not entirely without clout - or
value. On October 3, ICANN sent a
more strongly written letter to VeriSign:
In addition, our review of the .com and .net registry agreements
between ICANN and VeriSign leads us to the conclusion that
VeriSign's unilateral and unannounced changes to the
operation of the .com and .net Top Level Domains are not consistent
with material provisions of both agreements....
Given these conclusions, please consider this a formal demand to
return the operation of the .com and .net domains to their state
before the 15 September changes, pending further technical,
operational and legal evaluation. A failure to comply with this
demand will require ICANN to take the steps necessary under those
agreements to compel compliance with them.
In response, VeriSign grumbled a little, then removed its wildcard entries
and turned off the service. However, anybody who thinks that VeriSign has seen the
light and realized that, as the steward of a public resource, it needs to
act in a more responsible manner would be well advised to read this column by Mark
McLaughlin, a VeriSign VP.
ICANN appears to have bought into claims that the Internet has
broken or will break. Anyone who has used it in the last three
weeks knows that claim to be false. More likely, ICANN caved under
the pressure from some in the Internet community for whom this is a
technology-religion issue about whether the Internet should be used
for these purposes.
The company also had some strong words at the special ICANN
meeting held on October 7. Among other things, it said that it
may have other surprises to spring on the net in the future. VeriSign, in
other words, is absolutely unrepentant. This company's
history suggests that it will not give up on the SiteFinder idea anytime
soon. At the moment, it appears that the net's governance mechanisms have
brought about the right result. But it would be a mistake to assume that
this particular episode is over.
Comments (5 posted)
Quick SCO update
Many people have wondered how it could be that SCO's stock price continues
to increase even as the company's claims are publicly torn to pieces. A
partial answer to that question came to light this week, in the form of
this
SEC filing. It would seem that Royce & Associates, the manager of
the "Royce Technology Value Fund," now owns over 1.4 million shares of
SCO. That is, as it turns out, over 10% of all the outstanding shares in
the company, and almost 20% of the shares in active circulation. For
whatever reason, Royce has made a huge bet on SCO, and has managed to keep
the price high in the process.
This fund is managed by Jonathan Cohen; some information about Mr. Cohen
and SCO can be found on this
page. Among other things, he has been talking up SCO stock in a number
of forums; see, for example, this
posting on MSN/CNBC. "Cohen said the company's stock has done
well this year on the back of solid fundamentals. It has an enormous base
of intellectual property rights, he added." Solid fundamentals
indeed.
Meanwhile, more documents on the IBM case, and, in particular, the
pre-trial discovery process have come to light; they can be found on the
always useful Groklaw
site. There's some fun stuff there. Consider the following from
"Exhibit E," SCO's response to IBM's discovery demands:
Please identify, with specificity (by product, file, and line of
code, where appropriate) all of the alleged trade secrets and any
confidential or proprietary information that plaintiff alleges or
contends IBM misappropriated or misused...
...SCO notes that discovery has just begun and it has not yet
received responsive discovery from IBM that would allow it to fully
answer this question because part of this information is peculiarly
within the knowledge of IBM.
SCO responds to a number of questions in this way. One way of translating
this response into English would be something like "we don't know, we were
hoping IBM would tell us." It is hard to imagine a judge being impressed.
IBM also asked for information on "any person on whom plaintiff intends to
rely as a witness, declarant, or affiant in this action." SCO's response
was "None at this time." Could the company really have no witnesses at
all?
IBM has filed a motion with the court attempting to compel SCO to back up
its claims. The company has also asked for an oral argument before the
judge on the issue.
Good cause for oral argument exists because of the nature of the
discovery issued upon SCO and the significance of its refusal to
respond. SCO has the burden to prove the existence of a trade
secret or misappropriation by IBM of confidential or proprietary
information, and there is no presumption in SCO's favor in this
regard... As a result, SCO's apparent inability to respond to
IBM's interrogatories as required under the Federal Rules of Civil
Procedure has potentially outcome determinative consequences.
In other words, if SCO can't back up its charges, it's time to call the
show over. Nobody ever thought IBM's lawyers would make it easy for
SCO.
Finally, Drew Streib is still trying to buy an
SCO "Linux license," but still has not succeeded. "I can't
believe that a sales force is this incompetent, or instead of that
possibility, that SCO could be so blatantly outright in their lying
about license availability." SCO also continues to state that it
will not be sending out invoices because the "response has been adequate."
One might conclude that the company is having second thoughts about its
licensing program.
Comments (1 posted)
Authors wanted
It has been the better part of a year since we first started taking
externally written articles for LWN. That effort has had its ups and
downs, but, overall, we have been pleased with the result. Externally
contributed material has allowed us to bring new content and viewpoints
to LWN. We have convinced ourselves that we can bring in more content and
maintain the quality of our publication.
So, the time has come to expand our external author program. Writing for
LWN will not be easy; as editors, we are fussy and difficult to please.
And it certainly will not be a path to riches, or even away from the day
job. But it is a way to get your byline out there and help us make a
better LWN. If you think you might be interested, please take a moment to
look at our author guide. If you're
still interested afterward, we would like to hear from you.
Comments (none posted)
Page editor: Jonathan Corbet
Security
Security news
The EFF's report on trusted computing
The Electronic Frontier Foundation has released, to a fair amount of
fanfare, its
report on
trusted computing. The report's author (Seth Schoen) has concluded
that, while trusted computing architectures offer a number of security
benefits, there are also potential problems that need to be addressed.
The report mentions four different technologies that make up current
trusted computing efforts:
- Memory curtaining. Modern operating systems already go to
considerable lengths to keep one process from being able to mess with
another process's memory. Memory curtaining takes things further by
improving memory isolation support in the hardware, so that even the
kernel cannot modify one process's memory while working on behalf of
another process.
- Secure I/O is the creation of a data path from the keyboard (or
other input devices) to the application, and from the application to
the screen which cannot be seen or modified by other processes. It is
an attempt to stop software keystroke loggers, screen readers, and
other eavesdropping tools.
- Sealed storage works by hiding encryption keys within the
system hardware, so that encrypted data cannot be read anywhere else.
- Remote attestation is a hardware-supported mechanism for ensuring
that the software running on a system has not been modified. The
technology allows the generation of certificates that can allow a
remote application (a web server, say) to be sure of the software it
is talking to.
The report acknowledges that all of these technologies can help to improve
the security of computer systems. With a trusted computing architecture in
place, a worm which is able to exploit a hole in one program will find its
ability to do anything interesting on the system much reduced. The EFF
does not have any real problem with most of the technologies discussed.
That is not true, however, for remote attestation:
TCG attestation conspicuously fails to distinguish between
applications that protect computer owners against attack and
applications that protect a computer against its owner. In effect,
the computer's owner is sometimes treated as just another attacker
or adversary who must be prevented from breaking in and altering
the computer's software.
A few cases where the remote attestation feature could backfire on users
are mentioned. One is web servers which refuse to talk to anything other
than the One Chosen Browser. There are sites which do that now, but most
modern browsers are capable of masquerading as something else, so these
techniques are not effective. Remote attestation would change that. Other
examples include software interoperability (i.e. eliminating Samba
forevermore), forced upgrades, and forced use of digital rights management
schemes.
As a solution, the EFF suggests an "owner override" feature. The owner of
a system could, while physically present at the machine, force it to
produce an attestation for software that the owner has modified or
replaced, making it look like something else. This feature would solve the
problem for suitably capable users. It is hard to imagine users developing
a widespread ability to safely perform overrides, however.
The real conclusion to be taken from this report is that the owners and
users of computers need to maintain control over their machines.
When your own computer treats you like an attacker, it has ceased to be
truly yours, and it becomes a tool for controlling your behavior. Free
software users have understood this point for years, of course. We have
built a system that allows us to stay in control. But we need to be
careful that the hardware platforms of the future do not take that control
away from us.
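To make the attestation discussion concrete, here is an added toy model (not code from the EFF report or from the TCG) of three of the four building blocks: a measurement register that is extended as components boot, sealed storage bound to a register value, and a nonce-bound remote attestation quote, plus the "owner override" the EFF proposes. Everything in it is constructed: the boot chain, the chip's keys, and the use of HMAC in place of the asymmetric signature a real TPM would produce (so the verifier here shares a key with the chip, which a real verifier would not).

```python
"""Toy model of measurement, sealed storage, remote attestation and owner
override. Constructed example; HMAC stands in for a TPM's signing key."""
import hashlib
import hmac
import os

# Constructed "golden" boot chain that a remote verifier expects to see.
GOLDEN_BOOT = [b"bios-1.0", b"bootloader-2.1", b"kernel-2.4.22", b"browser-chosen-one"]


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend as TPMs do it: new = H(old || H(measurement)); order matters."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def expected_pcr(components) -> bytes:
    """What the register must hold after booting exactly these components, in order."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class ToyTPM:
    """Stand-in for the chip: one PCR, a storage root key, an attestation key."""

    def __init__(self):
        self._srk = os.urandom(32)   # storage root key; never leaves the chip
        self._ak = os.urandom(32)    # attestation key (HMAC stand-in, see lead-in)
        self.pcr = bytes(32)
        self._override = None

    def measure(self, component: bytes) -> None:
        self.pcr = extend(self.pcr, component)

    def _seal_key(self, pcr: bytes) -> bytes:
        return hmac.new(self._srk, pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr: bytes):
        """Sealed storage: encrypt `secret` under a key derived from SRK and a PCR value."""
        assert len(secret) <= 32, "toy keystream covers 32 bytes"
        key = self._seal_key(pcr)
        stream = hashlib.sha256(key + b"stream").digest()[: len(secret)]
        blob = bytes(a ^ b for a, b in zip(secret, stream))
        return blob, hmac.new(key, blob, hashlib.sha256).digest()

    def unseal(self, sealed):
        """Succeeds only if the *current* PCR equals the one used at seal time."""
        blob, tag = sealed
        key = self._seal_key(self.pcr)
        if not hmac.compare_digest(tag, hmac.new(key, blob, hashlib.sha256).digest()):
            return None
        stream = hashlib.sha256(key + b"stream").digest()[: len(blob)]
        return bytes(a ^ b for a, b in zip(blob, stream))

    def quote(self, nonce: bytes):
        """Remote attestation: report the PCR, bound to the verifier's fresh nonce."""
        reported = self.pcr if self._override is None else self._override
        return reported, hmac.new(self._ak, nonce + reported, hashlib.sha256).digest()

    def owner_override(self, pcr_to_report: bytes) -> None:
        """The EFF proposal: a physically present owner chooses what quotes report."""
        self._override = pcr_to_report

    def verifier(self):
        """Verifier side; with a real TPM this would hold only the public key."""
        ak = self._ak

        def verify(nonce: bytes, quote, golden: bytes) -> bool:
            reported, sig = quote
            expected = hmac.new(ak, nonce + reported, hashlib.sha256).digest()
            return hmac.compare_digest(sig, expected) and reported == golden

        return verify


def scenario(boot_chain, override: bool = False):
    """Return (sealed data recoverable?, remote verifier satisfied?)."""
    tpm = ToyTPM()
    golden = expected_pcr(GOLDEN_BOOT)
    sealed = tpm.seal(b"disk-encryption-key", golden)   # bound to the golden state
    for component in boot_chain:
        tpm.measure(component)
    if override:
        tpm.owner_override(golden)
    nonce = os.urandom(16)
    attested = tpm.verifier()(nonce, tpm.quote(nonce), golden)
    return tpm.unseal(sealed) is not None, attested


def replay_rejected() -> bool:
    """A quote captured for one nonce must not satisfy a later challenge."""
    tpm = ToyTPM()
    for component in GOLDEN_BOOT:
        tpm.measure(component)
    old_quote = tpm.quote(b"nonce-1")
    return not tpm.verifier()(b"nonce-2", old_quote, expected_pcr(GOLDEN_BOOT))


if __name__ == "__main__":
    modified = GOLDEN_BOOT[:-1] + [b"mozilla"]
    print("unmodified boot :", scenario(GOLDEN_BOOT))
    print("modified browser:", scenario(modified))
    print("owner override  :", scenario(modified, override=True))
```

Swapping the last component for another browser changes the register, so the sealed key no longer unseals and the quote no longer matches the golden value; that is the web-server-refuses-other-browsers case. With the override in place the remote verifier is satisfied again while the sealed data stays bound to what actually booted, which is the EFF's point: the override hands the decision about what is reported back to the person at the keyboard, and a verifier can no longer tell the two cases apart.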
Comments (10 posted)
New vulnerabilities
cfengine: stack overflow
| Package(s): | cfengine |
| CVE #(s): | |
| Created: | October 8, 2003 |
| Updated: | October 8, 2003 |
| Description: | Versions of cfengine prior to 2.0.8 contain a stack overflow in the network I/O code which can be exploited remotely. See this advisory for details. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
2.4 kernel - several vulnerabilities
| Package(s): | 2.4 kernel |
| CVE #(s): | CAN-2003-0461, CAN-2003-0462, CAN-2003-0464, CAN-2003-0476, CAN-2003-0501, CAN-2003-0550, CAN-2003-0551, CAN-2003-0552 |
| Created: | July 21, 2003 |
| Updated: | December 23, 2003 |
| Description: |
Several security issues have been discovered affecting the Linux kernel:
- CAN-2003-0461: /proc/tty/driver/serial reveals the exact character
counts for serial links. This could be used by a local attacker to infer
password lengths and inter-keystroke timings during password entry.
- CAN-2003-0462: Paul Starzetz discovered a file read race condition
in the execve() system call, which could cause a local crash.
- CAN-2003-0464: A recent change in the RPC code set the reuse flag on
newly-created sockets. Olaf Kirch noticed that this could allow normal
users to bind to UDP ports used for services such as nfsd.
- CAN-2003-0476: The execve system call in Linux 2.4.x records the file
descriptor of the executable process in the file table of the calling
process, allowing local users to gain read access to restricted file
descriptors.
- CAN-2003-0501: The /proc filesystem in Linux allows local users to
obtain sensitive information by opening various entries in /proc/self
before executing a setuid program. This causes the program to fail to
change the ownership and permissions of already opened entries.
- CAN-2003-0550: The STP protocol is known to have no security, which
could allow attackers to alter the bridge topology. STP is now turned
off by default.
- CAN-2003-0551: STP input processing was lax in its length checking,
which could lead to a denial of service.
- CAN-2003-0552: Jerry Kreuscher discovered that the forwarding table
could be spoofed by sending forged packets with bogus source addresses
the same as the local host.
|
| Alerts: | |
Comments (none posted)
apache2: Denial of Service vulnerability
| Package(s): | apache2 |
| CVE #(s): | |
| Created: | September 29, 2003 |
| Updated: | March 25, 2004 |
| Description: |
A problem was discovered in Apache2 where CGI scripts that write more than
4k to the standard error stream will hang the script's execution. This
problem can lead to a denial of service situation. See this bug report for
additional details.
|
| Alerts: | |
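The hang described in this entry is a general pipe deadlock, not something specific to Apache: a child that fills an undrained pipe blocks in write(), while a parent waiting for end-of-file on the other pipe never gets it. The following added example (constructed; the "CGI script" is a stand-in, not Apache or any real CGI code) reproduces the deadlock under a timeout and then shows the fix, which is to drain both pipes concurrently. It assumes a POSIX pipe buffer of roughly 64 KiB, so it uses a much larger flood than the 4k figure in the report; the 4k limit belonged to the server's own buffering, which this example does not model.

```python
"""Why a child that floods stderr can hang its parent, and how to avoid it.
Constructed example: the child stands in for a CGI script and is not Apache
code. The pipe buffer size (commonly 64 KiB on Linux) is an assumption."""
import subprocess
import sys
import threading

RESPONSE = b"Content-Type: text/plain\r\n\r\nhello\n"   # what the child writes to stdout

# Stand-in CGI script: emits a response, then writes N bytes of diagnostics to stderr.
CHILD = r"""
import sys
sys.stdout.buffer.write(b"Content-Type: text/plain\r\n\r\nhello\n")
sys.stdout.flush()
sys.stderr.buffer.write(b"e" * int(sys.argv[1]))
sys.stderr.flush()
"""


def spawn(stderr_bytes: int) -> subprocess.Popen:
    return subprocess.Popen(
        [sys.executable, "-c", CHILD, str(stderr_bytes)],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE,
    )


def naive_reader_hangs(stderr_bytes: int, timeout: float = 3.0) -> bool:
    """Read stdout to EOF while leaving stderr undrained. Once the child fills
    the stderr pipe it blocks in write(); the parent blocks waiting for a stdout
    EOF that never comes. Returns True if that deadlock was observed."""
    proc = spawn(stderr_bytes)
    result = {}

    def reader():
        result["out"] = proc.stdout.read()

    worker = threading.Thread(target=reader, daemon=True)
    worker.start()
    worker.join(timeout)
    hung = worker.is_alive()
    proc.kill()          # break the deadlock so the demonstration can finish
    proc.wait()
    worker.join(timeout)
    proc.stdout.close()
    proc.stderr.close()
    return hung


def drain_both(stderr_bytes: int):
    """The fix: read both pipes concurrently; communicate() does that for us."""
    proc = spawn(stderr_bytes)
    out, err = proc.communicate(timeout=30)
    return len(out), len(err)


if __name__ == "__main__":
    print("100 bytes of stderr hangs the naive reader:", naive_reader_hangs(100))
    print("4 MiB of stderr hangs the naive reader  :", naive_reader_hangs(4 << 20))
    print("sizes read by drain_both               :", drain_both(4 << 20))
```

A web server has the same two choices: read the script's stderr (into the error log) while it reads stdout, or cap and discard it; simply ignoring it is what turns one noisy script into a stuck request.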
Comments (none posted)
autorespond: buffer overflow
| Package(s): | autorespond |
| CVE #(s): | CAN-2003-0654 |
| Created: | August 18, 2003 |
| Updated: | September 30, 2003 |
| Description: |
Christian Jaeger discovered a buffer overflow in autorespond, an email
autoresponder used with qmail. This vulnerability could potentially
be exploited by a remote attacker to gain the privileges of a user who
has configured qmail to forward messages to autorespond. This
vulnerability is currently not believed to be exploitable due to
incidental limits on the length of the problematic input, but there
may be situations in which these limits do not apply.
CAN-2003-0654
|
| Alerts: | |
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | September 30, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc-related vulnerability which does not affect
Linux. Updates from the Internet Software Consortium (ISC) are available
from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunately, that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX
functions. These functions are described in the SuSE alert as "used by
very few applications only, such as ifconfig and ifuser, which makes
exploits less likely."
CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
CAN-2002-0651
CAN-2002-0684
|
| Alerts: | |
Comments (1 posted)
Canna server: exploitable buffer overrun
| Package(s): | canna |
| CVE #(s): | CAN-2002-1158, CAN-2002-1159 |
| Created: | December 10, 2002 |
| Updated: | September 30, 2003 |
| Description: |
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt
CAN-2002-1158
CAN-2002-1159
|
| Alerts: | |
Comments (none posted)
eroaster: insecure temporary file
| Package(s): | eroaster |
| CVE #(s): | CAN-2003-0656 |
| Created: | August 19, 2003 |
| Updated: | September 30, 2003 |
| Description: |
A vulnerability was discovered in eroaster where it does not take any
security precautions when creating a temporary file for the lockfile. This
vulnerability could be exploited to overwrite arbitrary files with the
privileges of the user running eroaster.
CAN-2003-0656
|
| Alerts: | |
Comments (none posted)
ethereal: security problems in Ethereal 0.9.12
| Package(s): | ethereal |
| CVE #(s): | CAN-2003-0428, CAN-2003-0429, CAN-2003-0431, CAN-2003-0432 |
| Created: | June 23, 2003 |
| Updated: | November 10, 2003 |
| Description: |
Several security problems have been found in Ethereal 0.9.12. "It may be
possible to make Ethereal crash or run arbitrary code by injecting a
purposefully malformed packet onto the wire, or by convincing someone to
read a malformed packet trace file."
|
| Alerts: | |
Comments (none posted)
exim: buffer overflows
| Package(s): | exim exim-tls |
| CVE #(s): | CAN-2003-0743 |
| Created: | September 4, 2003 |
| Updated: | September 30, 2003 |
| Description: |
A buffer overflow exists in exim, which is the standard mail transport
agent in Debian. By supplying a specially crafted HELO or EHLO
command, an attacker could cause a constant string to be written past
the end of a buffer allocated on the heap. This vulnerability is not
believed at this time to be exploitable to execute arbitrary code.
CAN-2003-0743
|
| Alerts: | |
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
Comments (none posted)
fdclone: insecure temporary directory
| Package(s): | fdclone |
| CVE #(s): | CAN-2003-0596 |
| Created: | July 23, 2003 |
| Updated: | September 30, 2003 |
| Description: |
fdclone creates a temporary directory in /tmp as a workspace.
However, if this directory already exists, the existing directory is
used instead, regardless of its ownership or permissions. This would
allow an attacker to gain access to fdclone's temporary files and
their contents, or replace them with other files under the attacker's
control.
CAN-2003-0596
|
| Alerts: | |
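The fdclone entry just above and the eroaster entry earlier in this list are the same class of bug seen from two sides: a fixed, predictable path under /tmp, and either a directory or a lockfile that is taken over if something is already there. The following added example (constructed; not code from fdclone, eroaster or any other project; POSIX only) puts the unsafe reuse pattern next to the two standard remedies, an unpredictable mode-0700 directory from mkdtemp() and lockfile creation with O_EXCL and O_NOFOLLOW, and runs both against a planted directory and a planted symlink inside a private scratch directory.

```python
"""Unsafe vs. safe handling of temporary files and lockfiles. Constructed
example for the fdclone and eroaster entries; not code from either project."""
import os
import stat
import tempfile


def unsafe_workspace(path):
    """The pattern behind the fdclone report: a fixed path, and whatever is
    already there is reused, regardless of its owner or mode."""
    if not os.path.isdir(path):
        os.mkdir(path, 0o700)
    return path


def safe_workspace(base=None):
    """A fresh, unpredictable, mode-0700 directory that we created ourselves."""
    return tempfile.mkdtemp(prefix="fdclone-", dir=base)


def create_lockfile(path):
    """Create a lockfile without following a symlink planted at `path`.
    O_EXCL makes creation fail if *anything* exists there, symlink included."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    except FileExistsError:
        return False
    os.write(fd, str(os.getpid()).encode())
    os.close(fd)
    return True


def workspace_is_trustworthy(path):
    """Audit check for a directory that already exists: a real directory, ours,
    not writable by others. Diagnostic only; creation should use mkdtemp(),
    because any check-then-use sequence can be raced."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):       # a symlink or file planted at the path
        return False
    if st.st_uid != os.getuid():
        return False
    return not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def demo():
    """Run both patterns inside a private scratch directory and report results."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        # Somebody left a world-writable directory at the fixed workspace name.
        planted_dir = os.path.join(base, "fdclone-workspace")
        os.mkdir(planted_dir)
        os.chmod(planted_dir, 0o777)       # mkdir's mode is subject to umask; force it
        results["unsafe_reuses_planted"] = unsafe_workspace(planted_dir) == planted_dir
        results["planted_trustworthy"] = workspace_is_trustworthy(planted_dir)
        results["mkdtemp_trustworthy"] = workspace_is_trustworthy(safe_workspace(base))

        # A symlink at the lockfile path pointing at a file the victim owns.
        victim = os.path.join(base, "victim")
        with open(victim, "w") as f:
            f.write("precious\n")
        lock = os.path.join(base, "eroaster.lock")
        os.symlink(victim, lock)
        results["lock_refused"] = not create_lockfile(lock)
        with open(victim) as f:
            results["victim_intact"] = f.read() == "precious\n"
        results["fresh_lock_created"] = create_lockfile(os.path.join(base, "fresh.lock"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of O_EXCL is that the kernel makes the "does it exist?" and "create it" steps one atomic operation, so there is no window for someone else to plant a link in between; mkdtemp() gets the same property for directories, and picks a name that cannot be predicted in advance.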
Comments (none posted)
fetchmail: buffer overflow
| Package(s): | fetchmail |
| CVE #(s): | CAN-2002-1365 |
| Created: | December 17, 2002 |
| Updated: | October 20, 2003 |
| Description: | Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. |
| Alerts: | |
Comments (3 posted)
freesweep: buffer overflow
| Package(s): | freesweep |
| CVE #(s): | CAN-2003-0828 |
| Created: | October 1, 2003 |
| Updated: | October 1, 2003 |
| Description: | freesweep contains a buffer overflow vulnerability which may be exploited by a local user to obtain access to the "games" group. |
| Alerts: | |
Comments (none posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
CVE #(s): | CAN-2002-1146
|
| Created: | November 7, 2002 |
Updated: | February 5, 2004 |
| Description: |
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
|
| Alerts: |
|
Comments (none posted)
gnupg: key validation
| Package(s): | gnupg |
CVE #(s): | CAN-2003-0255
|
| Created: | May 15, 2003 |
Updated: | November 17, 2003 |
| Description: |
A key validation bug was discovered in the GNU Privacy Guard (GPG) which
would cause keys with more than one user ID to trust all user IDs with the
amount of trust given to the most-valid user ID. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
KDE: Two issues in KDM
| Package(s): | kde, xfree86 |
CVE #(s): | CAN-2003-0690
CAN-2003-0692
|
| Created: | September 16, 2003 |
Updated: | December 19, 2003 |
| Description: |
According to this advisory two issues have
been discovered in KDM:
- CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
- CAN-2003-0692: Session cookies generated by KDM are potentially insecure.
All versions of KDM as distributed with KDE up to and including KDE 3.1.3
are affected. |
| Alerts: |
|
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
libpam-smb: exploitable buffer overflow
| Package(s): | libpam-smb, pam-smb |
CVE #(s): | CAN-2003-0686
|
| Created: | August 26, 2003 |
Updated: | September 30, 2003 |
| Description: |
libpam-smb is a PAM authentication module which makes it possible to
authenticate users against a password database managed by Samba or a
Microsoft Windows server. If a long password is supplied, this can cause a
buffer overflow which could be exploited to execute arbitrary code with the
privileges of the process which invokes PAM services. See this advisory for more information.
CAN-2003-0686 |
| Alerts: |
|
Comments (1 posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
CVE #(s): | CAN-2002-1363
|
| Created: | December 19, 2002 |
Updated: | July 14, 2004 |
| Description: |
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer. |
| Alerts: |
|
Comments (none posted)
lsh: remotely exploitable buffer overflow
| Package(s): | lsh |
CVE #(s): | CAN-2003-0831
|
| Created: | October 1, 2003 |
Updated: | October 1, 2003 |
| Description: |
lsh (an ssh implementation) 1.5.2 and prior has a remotely exploitable buffer overflow vulnerability; see this advisory for details. |
| Alerts: |
|
Comments (none posted)
lynx: CRLF injection vulnerability
| Package(s): | lynx |
CVE #(s): | CAN-2002-1405
|
| Created: | November 19, 2002 |
Updated: | September 30, 2003 |
| Description: |
If lynx is given a URL with some special characters on the command line, it
will include faked headers in the HTTP query. This can be used to
force scripts (that use lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
CAN-2002-1405 |
| Alerts: |
|
Comments (none posted)
marbles: buffer overflow
| Package(s): | marbles |
CVE #(s): | CAN-2003-0830
|
| Created: | October 1, 2003 |
Updated: | October 1, 2003 |
| Description: |
The 'marbles' game contains a buffer overflow in its processing of the HOME environment variable. A local user can exploit this vulnerability to obtain access to the "games" group. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mindi: insecure file creations
| Package(s): | mindi |
CVE #(s): | CAN-2003-0617
|
| Created: | September 2, 2003 |
Updated: | September 30, 2003 |
| Description: |
Mindi versions prior to 0.86 create files in /tmp insecurely, which could allow a local
user to overwrite arbitrary files.
CAN-2003-0617 |
| Alerts: |
|
Comments (none posted)
mplayer: remotely exploitable buffer overflow vulnerability
| Package(s): | mplayer |
CVE #(s): | CAN-2003-0835
|
| Created: | September 29, 2003 |
Updated: | April 6, 2004 |
| Description: |
A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer
into executing arbitrary code upon parsing that header. Read the full advisory
for details. |
| Alerts: |
|
Comments (none posted)
mysql: arbitrary code execution
| Package(s): | mysql |
CVE #(s): | CAN-2003-0780
|
| Created: | September 15, 2003 |
Updated: | October 9, 2003 |
| Description: |
Frank Denis
reported a vulnerability in MySQL affecting MySQL3 versions 3.0.57 and
earlier and MySQL4 versions 4.0.14 and earlier. Passwords of MySQL users
are stored in the "Password" field of the "User" table, part of the "mysql"
database. The passwords are hashed and stored as a 16-character
hexadecimal value. Unfortunately, a function involved in password checking
lacks correct bounds checking. By filling a "Password" field with a value
wider than 16 characters, a buffer overflow will occur. The Common
Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2003-0780 to the problem. |
| Alerts: |
|
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
CVE #(s): | |
| Created: | May 27, 2003 |
Updated: | August 12, 2004 |
| Description: |
Some vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information. |
| Alerts: |
|
Comments (none posted)
netris: buffer overflow
| Package(s): | netris |
CVE #(s): | CAN-2003-0685
|
| Created: | August 18, 2003 |
Updated: | September 30, 2003 |
| Description: |
Shaun Colley discovered a buffer overflow vulnerability in netris, a
network version of a popular puzzle game. A netris client connecting
to an untrusted netris server could be sent an unusually long data
packet, which would be copied into a fixed-length buffer without
bounds checking. This vulnerability could be exploited to gain the
privileges of the user running netris in client mode, if they connect
to a hostile netris server.
CAN-2003-0685 |
| Alerts: |
|
Comments (none posted)
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
CVE #(s): | CAN-2002-1170
|
| Created: | December 17, 2002 |
Updated: | November 7, 2003 |
| Description: |
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: |
|
Comments (none posted)
nfs-utils xlog() off-by-one bug
| Package(s): | nfs-utils |
CVE #(s): | CAN-2003-0252
|
| Created: | July 14, 2003 |
Updated: | March 8, 2004 |
| Description: |
The Linux NFS utils package contains a remotely exploitable off-by-one bug.
A local or remote attacker could exploit this vulnerability by sending a
specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details. |
| Alerts: |
|
Comments (none posted)
openssh: multiple PAM vulnerabilities in Portable OpenSSH versions 3.7p1
and 3.7.1p1
| Package(s): | openssh |
CVE #(s): | |
| Created: | September 23, 2003 |
Updated: | October 1, 2003 |
| Description: |
Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM code. At least one of these bugs is remotely
exploitable (under a non-standard configuration, with privsep disabled).
See this advisory for details. |
| Alerts: |
|
Comments (1 posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2003-0190
|
| Created: | May 2, 2003 |
Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
| Alerts: |
|
Comments (1 posted)
OpenSSH: buffer management error
| Package(s): | OpenSSH |
CVE #(s): | CAN-2003-0693
|
| Created: | September 16, 2003 |
Updated: | September 30, 2003 |
| Description: |
All versions of
OpenSSH's sshd prior to 3.7.1 contain a buffer management error. It is
uncertain whether these errors are exploitable. Note that most distributors have issued two updates, since the first fix was found to be incomplete.
See the second advisory for details.
CAN-2003-0693 |
| Alerts: |
|
Comments (none posted)
openssl: vulnerabilities in ASN.1 code
| Package(s): | openssl |
CVE #(s): | CAN-2003-0543
CAN-2003-0544
CAN-2003-0545
|
| Created: | September 30, 2003 |
Updated: | November 4, 2003 |
| Description: |
Vulnerabilities have been found in OpenSSL ASN.1 code. This advisory contains details of 4 separate
problems in versions of OpenSSL up to and including 0.9.6j and 0.9.7b and
all versions of SSLeay.
An attack against other applications that use OpenSSL could result in a
Denial of Service. See
CAN-2003-0543 and
CAN-2003-0544.
It may be possible for an attacker to exploit this issue to execute
arbitrary code. See
CAN-2003-0545.
CERT has an updated OpenSSL advisory
identifying additional OpenSSL vulnerabilities. |
| Alerts: |
|
Comments (none posted)
pam-pgsql: format string vulnerability
| Package(s): | pam-pgsql |
CVE #(s): | CAN-2003-0672
|
| Created: | August 11, 2003 |
Updated: | September 30, 2003 |
| Description: |
Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the
username to be used for authentication is used as a format string when
writing a log message. This vulnerability may allow an attacker to
execute arbitrary code with the privileges of the program requesting
PAM authentication.
CAN-2003-0672 |
| Alerts: |
|
Comments (none posted)
perl: cross site scripting vulnerability in CGI.pm module
| Package(s): | perl |
CVE #(s): | CAN-2003-0615
|
| Created: | July 29, 2003 |
Updated: | September 30, 2003 |
| Description: |
obscure@eyeonsecurity.org reported a
cross site scripting vulnerability in the CGI.pm perl module. This module
is used to facilitate the creation of web forms and is part of the
perl-modules RPM package.
CAN-2003-0615 |
| Alerts: |
|
Comments (none posted)
PHP: vulnerability in mail function
| Package(s): | php |
CVE #(s): | CAN-2002-0985
CAN-2002-0986
|
| Created: | November 13, 2002 |
Updated: | September 30, 2003 |
| Description: |
Two vulnerabilities exist in the mail() PHP function. The first one allows
the execution of any program/script, bypassing the safe_mode restriction; the
second one may turn a script into an open mail relay if the mail() function is not
carefully used in PHP scripts. See this Bugtraq
report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.
CAN-2002-0985
CAN-2002-0986 |
| Alerts: |
|
Comments (none posted)
phpgroupware - cross-site scripting and other exploits
| Package(s): | phpgroupware |
CVE #(s): | CAN-2003-0504
CAN-2003-0582
|
| Created: | July 16, 2003 |
Updated: | September 30, 2003 |
| Description: |
Several vulnerabilities were discovered in all versions of phpgroupware
prior to 0.9.14.006. This latest version fixes an exploitable condition in
all versions that can be exploited remotely without authentication and can
lead to arbitrary code execution on the web server. This vulnerability is
being actively exploited.
Version 0.9.14.005 fixed several other vulnerabilities including cross-site
scripting issues that can be exploited to obtain sensitive information such
as authentication cookies.
See this
Security Corporation report for more information.
CAN-2003-0504
CAN-2003-0582 |
| Alerts: |
|
Comments (none posted)
postfix: denial of service vulnerabilities
| Package(s): | postfix |
CVE #(s): | CAN-2003-0468
CAN-2003-0540
|
| Created: | August 5, 2003 |
Updated: | May 27, 2004 |
| Description: |
The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. |
| Alerts: |
|
Comments (none posted)
PostgreSQL - more buffer overflows
| Package(s): | postgresql |
CVE #(s): | |
| Created: | February 12, 2003 |
Updated: | November 7, 2003 |
| Description: |
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. |
| Alerts: |
|
Comments (1 posted)
proftpd: remote root shell
| Package(s): | proftpd |
CVE #(s): | CAN-2003-0831
|
| Created: | September 24, 2003 |
Updated: | January 2, 2004 |
| Description: |
The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information. |
| Alerts: |
|
Comments (2 posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
CVE #(s): | CAN-2002-1119
|
| Created: | August 28, 2002 |
Updated: | September 30, 2003 |
| Description: |
Zack Weinberg discovered that
os._execvpe from os.py uses a predictable name which could lead
to execution of arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2.
|