Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for April 29, 2004Debian: too free? The Debian Project's social contract is that project's guiding philosophy. When the project considers a decision or an action, consistency with the social contract is one of the first requirements. Debian developers are also concerned with freedom, as witnessed by the endless battles over what should be done with the "non-free" repository. These two issues came together this month when the project's developers approved the first change to the contract since 1997. Where Version 1.0 read "Debian will remain 100% free software," the new version says, instead, "Debian will remain 100% free." The new wording requires that the Debian system and all its components conform to the Debian Free Software Guidelines. This change was clearly aimed at bits and pieces of non-free materials that have been present in Debian since the beginning: firmware in device drivers, GFDL-licensed manuals, etc.Whether intended or not, the new wording has already claimed a big victim: the upcoming "sarge" release. The next major release of Debian is already far later than had been hoped - but that is not particularly surprising for a Debian release. What is surprising is that release manager Anthony Towns has let it be known that the new social contract will delay things further. The sarge release, as it stands now, does not conform to the newly-reworded social contract. Given the overt nature of the changes to the contract, Anthony does not believe he can just look the other way and release regardless. Most Debian developers would appear to agree with his interpretation of the contract. In practical terms, this means that a lot of changes will have to be made to sarge before it can go out. The GFDL-licensed documentation (for small packages, like the C library) will have to be removed. Support for hardware requiring binary-only firmware downloads will be removed. The installer will have to be rewritten so that people who happen to have the firmware for their (otherwise unsupported) hardware can install the system. It has also been noted that a lot of fonts may have to be removed from Debian as well. All in all, Anthony figures that, with these changes, there is no chance that sarge will be released this year. The Debian Project, in other words, is in a bit of a bind. The current Debian stable release is approaching a truly geriatric state; few users are much interested in GNOME 1.4, KDE 2.2, XFree86 4.1, Mozilla 1.0, Netscape 4.77 (!), gcc 3.0, or the 2.2 kernel at this point (though, in fairness, there are 2.4 kernels available for woody as well). This release has done its time; it should not be expected to last into 2005. Somehow, if Debian is to remain relevant to anybody beyond those using the (occasionally scary but always highly useful) unstable version, it is going to have to find a way around this problem and get a new release out. One possibility is this new general resolution which is tentatively set for a vote in the second half of May. This resolution would create a "sarge exception" by revoking the social contract change - but only until the beginning of September, when the new language would, once again take effect. This resolution would enable the project to get a release out (and, incidentally, impose a deadline on that release) under the old rules. Subsequent distributions could then be purged of offending materials at relative leisure. In the longer term, Debian is going to have to come to a conclusion about where its priorities truly lie. Despite the incredible progress made over the last 20 years, creating a 100% free system is still a very hard thing to do. Most of us will never have the source to the firmware running in our network controllers. Maybe someday we will have 100% free fonts, but that is not this day. There will always be disagreements over which licenses are truly free - as witnessed by the fact that Debian is fighting over documentation licenses that have passed muster with Richard Stallman. Any distribution which insists on 100% purity is going to have a hard time producing a system that is actually useful in the near future. As Ted Ts'o puts it, this episode may be a fortunate thing in that it will force a debate over the project's goals. If Debian is really about making the best possible system, the developers will eventually get back to that task.
If instead, it turns out there are significant numbers of people
who believe their participation in Debian is really more about
proving that they are Holier Than Stallman, those that *are*
interested in making something useful for their users have their
choice of either (a) trying to see if they have the votes to
shut-out the fanatics, (b) try to build something useful that uses
Debian as a base, and leaves the insanity behind, or (c) join the
Fedora project, or some other distribution.
Others see things differently, however:
The goal of Debian is to have an excellent free operating system.
All three adjectives: excellent, free, and operating, are
non-negotiable. We will not sell out the second because you want
us to think it's a disaster if one or two fonts don't meet it.
In other words, the social contract change, its aftermath, and the philisophical differences behind it risk creating a fork in the Debian distribution. One might argue that this fork has already happened; look at UserLinux, for example. Such a fork would be an unfortunate thing; the Debian Project has been a technological and philosophical leader of the community for many years. One can only hope that Debian will figure out how to reconcile its goals and continue in that role well into the future.
The 2004 Desktop Linux Summit The 2nd annual Desktop Linux Summit was held at the Del Mar fairgrounds, North of San Diego, California on April 22 and 23, 2004. The event was sponsored by Lindows and several other companies. Attendance at the event was busy, but not overwhelming, the folks at Lindows said that there were over 1000 attendees, about twice the draw of the previous event. There were relatively few Linux-specific companies and organizations in the vendor booths, Lindows occupied many of the booths, and several vendor-neutral hardware companies were present.![[DLS Venue]](/images/ns/dls04/0423_007th.jpg)
As the conference's name implied, the focus was about the placement of Linux on the desktop, both in corporations and at home. During the event, there were several recurring ideas coming from the panel members and the audience. While many individuals and companies have been attempting to displace Microsoft from its position of dominance on the desktop, there was a growing feeling that doing so is an incredibly difficult task, especially in the US market. It is nonetheless, a task that many are still working hard at to accomplish. A large percentage of individual and corporate computer users have been tied to the Microsoft way of doing things for a long time, and they are very resistant to change, even if it means saving a lot of money. Never underestimate user inertia, as a former co-worker of mine is fond of saying. It's hard to compete with the big guys on their own turf. Also, the perpetual inability to purchase both desktop and laptop computers with Linux pre-loaded was brought up frequently. This is a major factor that is slowing Linux adoption by the public sector.
Another observation is that Linux on the desktop has become fairly mature, reliable, and repeatable. Most of the basic components are already in place. The operating system is reliable, the basic desktop components such as browsers, mail clients, and office suites are available, and reliable. There is, on the other hand, a notable lack of financial applications for Linux, none of the major commercial software vendors have ported their applications to Linux. Open file exchange formats were seen as both a strength and a weakness for Linux. For those dealing with Linux, the ability to use open file formats is a big plus, mainly because access to their own information will be possible for the foreseeable future. Lock-out due to changing proprietary file formats is not likely under Linux. The inability to reliably exchange files with the ever-changing proprietary formats from Microsoft was seen as a big obstacle in the adoption of Linux. That is also an obstacle to Microsoft's own customers, locking them in to a never-ending path of buying upgrades and having to convert older information forward. There is a notable shift in the browser arena, desktop browsers are rapidly losing ground to cell phone and PDA-based browsers. This is causing people who create web pages that are only viewable in Microsoft's Internet Explorer to lose viewers. On the amusing side, one of the popular T-shirts at the conference referred to recent SCO actions with "So, Sue Me" in big letters. The gun show that was being held in the adjacent building was mentioned a few times. Lastly, the current generation of PCs are increasingly being seen as being too fat for the desktop, both in hardware and software. Current PCs are power hungry devices that are loaded with multimedia equipment, giant hard drives, big memory, etc. Individual PCs now have hardware and software that is as complicated as the servers of just a few years ago, along with the associated systems administration requirements. There is a push toward making corporate desktop machines into simple, replaceable appliances. Of course, this may just be another swing of the pendulum in the oft-repeated cycle between centralized servers with dumb (X)terminals, and loaded desktops. The fully loaded multi-media boxes are increasingly headed for use as home entertainment centers. A number of different platforms were discussed as lightweight desktop appliances. Linux-based thin clients, diskless clients, Sun's Java desktop system, and laptops were all contenders for this space. The Desktop Linux Summit presentations and panel sessions are covered in more detail. Take a look for coverage of the international expansion of desktop Linux, Ian Murdock's talk on Componentized Linux, Doc Searls on making Linux the Chevy Cavalier of operating systems, an analyst's view of the current state of Linux on the desktop, mainstreaming the Linux desktop, Nat Friedman on the evolution of the Linux desktop, and what Lindows is up to.
The JPEG patent Just in case anyone needed further proof of the dangers of software patents, along comes Forgent trying to wring money out of users of the JPEG standard long after it has become entrenched. After two years of trying to wheedle licensing fees for JPEG, the company announced last week that it was suing 31 companies, including IBM, Apple, Xerox, Panasonic and Macromedia to name just a few, for infringement of U.S. Patent 4,698,672, entitled "Coding System for Reducing Redundancy."The company has been trying to monetize the '672 patent since 2002, and has managed to extract licensing fees from more than 30 companies, including Sony, to the tune of $90 million for use of the JPEG format. Forgent isn't exactly modest in its claims. In its press release, Forgent claims to have:
...the sole and exclusive right to use and license all the claims under the
'672 patent that implement JPEG in all "fields of use" except in the
satellite broadcast business. Forgent's "fields of use" for licensing
opportunities include digital cameras, digital still image devices,
personal digital assistants (PDAs), cellular telephones that download
images, browsers, digital camcorders with a still image function, scanners
and other devices used to compress, store, manipulate, print or transmit
digital images.
While Forgent presses on with its claims, others have expressed doubt as to whether the patent claims would stand up. The JPEG committee has issued statement saying that the committee "believes that prior art exists in areas in which the patent might claim application to ISO/IEC 10918-1 [the JPEG standard] in its baseline form." The statement was issued back in 2002, when Forgent initially began asserting patent claims. There seems to be some confusion over the actual expiration date of Forgent's patent as well. According to Forgent, the patent expires in October 2006. Others are saying that the patent is set to expire this October, seventeen years from the date the patent was granted. The U.S. Patent and Trademark Office's (USPTO) website seems to support Forgent's position. According to the USPTO FAQ, patents granted prior to June 8, 1995 "automatically have a term that is the greater of the twenty year term discussed above [from the application date] or seventeen years from the patent grant." The patent application was submitted October 27, 1986 and granted October 6, 1987 which gives Forgent a little more than two years to harass software companies making use of JPEG. The Independent JPEG Group (IJG), responsible for widely-used JPEG library (libjpeg), makes no mention of the Forgent claims on its website. In fact, the IJG makes little mention of anything on its website, including valid contact information. The README that comes with the JPEG library says that the software avoids the arithmetic coding of the JPEG specification due to patents owned by IBM, AT&T and Mitsubishi. No mention is made of the '672 patent. However, IJG organizer Tom Lane was quoted two years ago as saying that Forgent's patent does not apply:
The patent describes an encoding method that is clearly not like what JPEG
does. The patent describes a three-way symbol classification; the closest
analog in JPEG is a two-way classification. If the jury can count higher
than two, the case will fail.
At the moment, open source developers do not seem to be in a rush to remove JPEG capability from their projects, but are instead taking a "wait-and-see" attitude. The topic has come up on Debian-legal, the Gimp-developer mailing list and other project lists. So far, no project has come out to say that they would be pulling JPEG support, much to this writer's relief. A quick count shows that more than 150 packages installed on my system depend on libjpeg. Even if Forgent's claims amount to nothing more than a nuisance for a handful of proprietary software companies, they still highlight a problem for open source software. Companies will continue to press software patent claims so long as the legal system permits, and there's money to be made. It's only a matter of time before one of the suits has a serious impact on open source.
SCO Weekly News Last week, we discussed BayStar's wish to reclaim its investment in the SCO Group. Some observers may have thought that this move was a sign that BayStar had figured out the true nature of the company it had invested in. That may, in fact, be true, but not quite in the way some people had imagined. BayStar's real problem, it would seem, is that SCO continues to maintain the pretense of having a Unix business; BayStar sees that as a distraction from the real "value" of the company: its lawsuits. To regain BayStar's good favor, SCO would need to dump the Unix business and replace its top management with people who know more about intellectual property litigation and, while they're at it, have better control over what they say in public. SCO seems unwilling to give in to those demands, but if BayStar looks like it will go to court, SCO's board may find itself in a more accommodating mood.Groklaw has done some research into the background of Bert Young, SCO's new chief financial officer. Mr. Young, it seems, is not new to dishonest companies and legal action. He should, indeed, be a good fit for SCO. In the IBM case, SCO has filed a new motion asking that IBM's copyright-oriented counterclaims be dismissed or, failing that, split into a separate trial. SCO claims that the copyright issue is "pending in litigation in Nevada" and need not be considered separately in Utah. The Nevada case is the AutoZone suit. Given that copyrights are an issue in the IBM case, the chances of it being put aside for the newly-filed AutoZone case seem pretty small. ...especially since AutoZone has filed a motion of its own stating that SCO's suit should be put on hold pending the outcomes of the IBM, Novell, and Red Hat cases. Since those cases touch on issues like the validity of SCO's claimed copyrights and whether Linux violates those copyrights, AutoZone seems to think that their outcome might have some relevance to the charges it is facing. It will also, no doubt, surprise readers to find out that AutoZone is having a little trouble figuring out exactly which copyrights it is being accused of violating:
There is no reason for SCO to have been so obtuse in its pleading,
unless SCO is intentionally trying to avoid identifying the nature
and basis of its purported claims. The Linux code is freely
available to anyone to examine, and SCO has been in possession of
the code for years. Indeed, SCO was a distributor and developer of
Linux code until after it filed its lawsuit against IBM last
year. SCO therefore has substantial familiarity with, and can
readily identify, the lines, files, or organization of Linux code
that it claims infringes UNIX, and SCO can likewise readily
identify the corresponding lines, files, or organization of UNIX
that SCO claims to be infringed....
In other circumstances, AutoZone might elect to respond to SCO's Complaint as best AutoZone could without clarification of SCO's claims in confidence that it could later ascertain this information from SCO in discovery. However, SCO's "hide-the-eight-ball" tactics in the IBM case leave AutoZone with little realistic belief that SCO will voluntarily identify the basis for its claims without this Court's intervention. SCO filed its Complaint against IBM more than a year ago; yet, at least as of April 18, 2004, SCO still had not provided IBM with any reasonable identification of its claims. One might conclude, from all of this, that AutoZone has been paying attention to what has transpired thus far and is not in a mood to settle. DaimlerChrysler has filed a response to SCO's complaint (which, remember, is all about DaimlerChrysler's failure to provide the "certification" demanded by SCO). The text of that response is not yet available, though Groklaw may well have it by the time you read this. DaimlerChrysler has, evidently, raised a long list of affirmative defenses, and is asking for a summary dismissal of the case with prejudice. Worth a quick note: according to the NASDAQ, there were almost 4 million shares of SCO stock sold short as of the middle of April - an all-time high. Despite the fact that the company's stock is pushing toward its lowest levels in almost a year, many people seem to expect it to go lower. LWN is not in the business of giving investment advice, and you would be well advised to ignore us if we were. But it is worth noting that, at current volume levels, it would take almost three weeks of trading to cover all of those short positions. That is a recipe for a "short squeeze" and a stock price spike. Be careful out there.
Page editor: Jonathan Corbet Security Review: Exploiting Software ![[Cover]](/images/ns/exploiting-software.png)
The world is full of books on how to secure systems, how to write secure
code, and how to deal with breakins. There are rather fewer books that go
into details of how to compromise software and carry out breakins. That
gap has now been filled by Exploiting Software: How To Break Code by
Greg Hoglund and Gary McGraw. This book's purpose is not to help the
crackers; those people, according to the authors, already know about the
techniques described here. Instead, the authors wish to help programmers
and system administrators achieve better security through an understanding
of how security failures happen.
To that end, this book covers a number of ways of attacking software. Direct reverse engineering gets a full chapter, much of which is dedicated to things you can do with the Windows debugger. There is a chapter on server attacks; it looks at carefully crafted input, configuration attacks, filesystem browsing, poor authentication schemes, etc. The chapter on client-side attacks covers cross-site scripting, embedded control characters, and more. The creation of malicious input gets a chapter of its own, where issues of how to track what a server does with input, tricks with character encodings, and more are discussed; this chapter also looks at how to get malicious input past intrusion detection systems. Buffer overflows and format string vulnerabilities are discussed in detail; interestingly, the authors claim that format string vulnerabilities were known to the "black hats" for years before being more widely "discovered" and, mostly, fixed. The book finishes with a discussion of root kits. If you are a cracker wannabe looking to learn the trade, this book might provide a good start - though you will still have to fill in a lot of the details yourself. This book is not a simple cookbook for crackers, though some of its advice ("Also, remember that a Web server will create log files of all injection activity, which tends to stick out like a sore thumb. If this pattern is used, clean the log files as soon as possible.") is not necessarily useful for anybody else. The coverage of the book is not entirely complete either; it has little space for kernel attacks, SQL injection, or exploit generation tools, for example. While Linux is often mentioned, the bulk of the discussion uses Windows for its examples (though almost all of the concepts discussed apply equally to either system). Even so, Exploiting Software is a worthwhile addition to the bookshelf of anybody interested in security issues - as most of us should be.
Quick review: Secure Architectures with OpenBSD One other book that recently showed up in our mailbox is Secure![[Cover]](/images/ns/openbsd-cover.png)
Architectures With OpenBSD by Brandon Palmer and Jose Nazario. This
book is, primarily, a system administration manual, but, since it's for
OpenBSD, it is strongly oriented toward running secure systems. It covers
all of the usual topics, though often a bit more superficially than one
might like. The range of topics is wide, however, extending into
firewalling, Kerberos, S/Key, IPSec, IPv6, intrusion detection, etc. If
you're looking for a pure BSD administration manual, you may want to
supplement this one with the Unix Administration Handbook or
something similar. This book, however, is a good, thorough overview of how
the OpenBSD variant of BSD is put together and how to keep it secure.
New vulnerabilities ident2 buffer overflow
kernel - root exploit in MCAST_MSFILTER
LCDproc: Buffer overflows and format string vulnerabilities
racoon: denial of service vulnerability
XFree86 minor DoS vulnerability
Updated vulnerabilities apache - denial of service in mod_ssl
cvs: client-side file overwrite vulnerability
ethereal - multiple vulnerabilities
Filename disclosure vulnerability in fam
gtkhtml: malformed messages cause crash
iproute: local denial of service
racoon: failure to verify signatures
kdelibs: cookie disclosure
kdepim: VCF file information reader vulnerability
kernel: symlink overflow in the iso9660 filessytem
kernel: ext3 information leak
Linux kernel 2.2.10 failing function and TLB flush vulnerability
kernel-utils: setuid vulnerability
libpng, libpng3: buffer overflow
libxml2 - arbitrary code execution
logcheck: symlink vulnerability
mailman denial of service
metamail: integer and buffer overflows
mikmod: buffer overflow
mod_python: denial of service vulnerability
mozilla: multiple vulnerabilties
mpg321: format string vulnerability
MySQL: temporary file vulnerabilities
neon: format string vulnerabilities
Nessus NASL scripting engine security issues
netpbm: insecure temporary files
openssh: timing attack leads to information disclosure
OpenSSL: denial of service vulnerabilities
perl information leak
postfix: denial of service vulnerabilities
python: buffer overflow
ssmtp format string vulnerability
sysstat: temporary file vulnerability
File overwrite vulnerability in tar and unzip
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
Multiple vendor telnetd vulnerability
utempter problems with symlink and strncpy
XChat 2.0.x SOCKS5 Vulnerability
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![[Clay Christensen]](/images/ns/dls04/0423_010th.jpg)
