Daynotes Journal

Week of 24 June 2002

Latest Update : Tuesday, 26 November 2002 12:29 -0500

Monday, 24 June 2002


10:31 - Well, the new edition of PC Hardware in a Nutshell was supposed to be hitting the bookstores today, but B&N is showing it as one to two week delivery and Amazon doesn't list it at all. Back when I was a newbie author, I'd get upset at stuff like this, but I've seen it happen so many times that I don't even think about it any more. If it's not actually in the stores yet, it probably will be in the next few days.

I've been working on a lot of stuff, including the TechnoMayhem.com site. It's still just in the process of being stubbed out, but I am making progress. I announced the TechnoMayhem Forums on one mailing list over the weekend, just to help get the ball rolling. I'll probably announce it on a couple of more mailing lists today or tomorrow. Starting up a messageboard is always a chicken/egg thing, of course. There has to be interesting content available before many people will join, and there has to be a fair number of members before the board has much interesting content. If you'd like to help us get the ball rolling, please visit the TechnoMayhem Forums, register, and post some questions (or answers).

I'm also working on the TechnoMayhem Newsletter, the first issue of which is scheduled to go out next week. It's a free newsletter intended for authors and readers of suspense, thriller, and mystery novels. Although it has little to do with computers per se, I suspect most of the people who read this page would find the TechnoMayhem Newsletter interesting. And of course the more copies we have circulating the better. So if you have any interest at all, please sign up for the newsletter and forward copies of it to any of your friends who might be interested. We're using a double opt-in method to ensure that no one receives the newsletter directly from us unless they've really requested it, but a bit of viral marketing certainly can't hurt. If you want to subscribe, click here for instructions.

More later, maybe.


Tuesday, 25 June 2002


9:23 - I emailed my editor yesterday to ask him what was going on with the new edition of PC Hardware in a Nutshell. He told me he'd received his copy late last week and it should be in the warehouses as of yesterday. So I called my local B&N, who said it hadn't arrived at their distributor yet but that they were expecting to get copies any day now. So if you've ordered a copy, it should be shipping any time. If you haven't, now would be a good time.

An important warning from Roland Dobbins:

-----Original Message-----
From: Roland Dobbins
Sent: Monday, June 24, 2002 11:39 PM
To: jerryp@jerrypournelle.com; thompson@ttgnet.com
Subject: Please post this ASAP, very important for all *NIX users/admins

The Apache thing got enough exposure that I didn't bother to send something out last week on it. This is just obscure enough that I'm afraid it'll fly under the radar, and so ask that you gentlemen post this email from Theo de Raadt in its entirety.


-----Forwarded Message-----
Subject: Upcoming OpenSSH vulnerability
Date: Mon, 24 Jun 2002 15:00:10 -0600
From: Theo de Raadt

There is an upcoming OpenSSH vulnerability that we're working on with ISS. Details will be published early next week.

However, I can say that when OpenSSH's sshd(8) is running with priv separation, the bug cannot be exploited.

OpenSSH 3.3p was released a few days ago, with various improvements but in particular, it significantly improves the Linux and Solaris support for priv sep. However, it is not yet perfect. Compression is disabled on some systems, and the many varieties of PAM are causing major headaches.

However, everyone should update to OpenSSH 3.3 immediately, and enable priv separation in their ssh daemons, by setting this in your /etc/ssh/sshd_config file:

UsePrivilegeSeparation yes

Depending on what your system is, privsep may break some ssh functionality. However, with privsep turned on, you are immune from at least one remote hole. Understand?

3.3 does not contain a fix for this upcoming bug.

If priv separation does not work on your operating system, you need to work with your vendor so that we get patches to make it work on your system. Our developers are swamped enough without trying to support the myriad of PAM and other issues which exist in various systems. You must call on your vendors to help us.

Basically, OpenSSH sshd(8) is something like 27000 lines of code. A lot of that runs as root. But when UsePrivilegeSeparation is enabled, the daemon splits into two parts. A part containing about 2500 lines of code remains as root, and the rest of the code is shoved into a chroot-jail without any privs. This makes the daemon less vulnerable to attack.

We've been trying to warn vendors about 3.3 and the need for privsep, but they really have not heeded our call for assistance. They have basically ignored us. Some, like Alan Cox, even went further stating that privsep was not being worked on because "Nobody provided any info which proves the problem, and many people dont trust you theo" and suggested I "might be feeding everyone a trojan" (I think I'll publish that letter -- it is just so funny). HP's representative was downright rude, but that is OK because Compaq is retiring him. Except for Solar Designer, I think none of them has helped the OpenSSH portable developers make privsep work better on their systems. Apparently Solar Designer is the only person who understands the need for this stuff.

So, if vendors would JUMP and get it working better, and send us patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday which supports these systems better. So send patches by Thursday night please. Then on Tuesday or Wednesday the complete bug report with patches (and exploits soon after I am sure) will hit BUGTRAQ.

Let me repeat: even if the bug exists in a privsep'd sshd, it is not exploitable. Clearly we cannot yet publish what the bug is, or provide anyone with the real patch, but we can try to get maximum deployment of privsep, and therefore make it hurt less when the problem is published.

So please push your vendor to get us maximally working privsep patches as soon as possible!

We've given most vendors since Friday last week until Thursday to get privsep working well for you so that when the announcement comes out next week their customers are immunized. That is nearly a full week (but they have already wasted a weekend and a Monday). Really I think this is the best we can hope to do (this thing will eventually leak, at which point the details will be published).

Customers can judge their vendors by how they respond to this issue.

OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away. On OpenBSD privsep works flawlessly, and I have reports that is also true on NetBSD. All other systems appear to have minor or major weaknesses when this code is running.
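As an added example (not code from the original page or from OpenSSH), here is a small checker for the sshd_config directive discussed above. It follows the parsing rules of sshd_config(5): comments are stripped, keywords are case-insensitive, keyword and value may be separated by whitespace or a single "=", and when a keyword appears more than once the first value wins, so a "yes" appended at the end of the file does not override an earlier "no" (a plain grep would miss that).

```python
"""Checker for the UsePrivilegeSeparation directive in sshd_config.

Added example; not code from the original page or from OpenSSH. It follows
the parsing rules documented in sshd_config(5): '#' starts a comment, blank
lines are ignored, keywords are case-insensitive, the keyword and value are
separated by whitespace or by a single '=', and for a keyword that appears
more than once the FIRST value is used and later lines are ignored.
"""
import re
import sys
from typing import Optional

# Pattern for one directive: keyword, then either "=" (optionally spaced)
# or whitespace, then the rest of the line as the value. The "=" branch is
# tried first so that "Keyword = value" is not read as the value "= value".
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


def effective_value(config_text: str, keyword: str) -> Optional[str]:
    """Return the value sshd would use for `keyword`, or None if it is unset.

    Walks the file top to bottom and returns on the first match, which is
    how sshd resolves a keyword that is given more than once.
    """
    wanted = keyword.lower()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comment and whitespace
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue  # malformed line; sshd itself would reject the file
        if m.group(1).lower() == wanted:
            return m.group(2).strip().lower()
    return None


def privsep_enabled(config_text: str) -> bool:
    """True only when UsePrivilegeSeparation is explicitly set to yes.

    The compiled-in default differs between OpenSSH versions and vendor
    builds, so this check does not rely on it: an absent directive is
    reported as not enabled, in line with the advice to set it explicitly.
    """
    return effective_value(config_text, "UsePrivilegeSeparation") == "yes"


# Constructed sample configs (not real files from any system).
TRAP_CONFIG = """\
# sshd_config with the directive given twice
Port 22
UsePrivilegeSeparation no
X11Forwarding no
UsePrivilegeSeparation yes   # appended later; sshd ignores this line
"""

GOOD_CONFIG = """\
Port 22
useprivilegeseparation=yes   # keyword case and '=' form are both accepted
"""

NO_DIRECTIVE = """\
Port 22
PermitRootLogin no
"""


def check_file(path: str) -> int:
    """Exit-status style check for a real file: 0 if privsep is on, else 1."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    value = effective_value(text, "UsePrivilegeSeparation")
    state = "unset" if value is None else value
    print(f"{path}: UsePrivilegeSeparation is {state}")
    return 0 if value == "yes" else 1


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(check_file(sys.argv[1]))
    # No path given: run over the constructed samples.
    for name, cfg in [("TRAP_CONFIG", TRAP_CONFIG),
                      ("GOOD_CONFIG", GOOD_CONFIG),
                      ("NO_DIRECTIVE", NO_DIRECTIVE)]:
        print(f"{name}: privsep enabled = {privsep_enabled(cfg)}")
```

Run it with a path argument (for example /etc/ssh/sshd_config) to check a real file; the exit status makes it usable from a cron job or a configuration audit script.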

And I'm still working away, which doesn't leave me much to write about here. "I researched, I wrote. I researched some more. I wrote some more." That gets old fast.

I'm still working on the TechnoMayhem Newsletter, a free newsletter intended for authors and readers of suspense, thriller, and mystery novels. If you want to subscribe, click here for instructions.

13:30 - One of the things I like about Outlook 2000 is that when I have it configured to use multiple accounts it's smart enough to reply from the account the message I'm replying to was sent to. For example, if someone sends me mail at ttgnet.com and I reply to that message, the reply comes from my ttgnet.com account, whereas if the original message was sent to my hardwareguys.com account, my reply automatically comes from my hardwareguys.com account.

That's a very nice feature, but I wish they'd taken it one step further. Outlook 2000 allows me to specify a default sig, but if there's a way to vary the default sig based on the account I'm using to send, I can't find it. Surely that's an obvious requirement? But Outlook apparently provides no way to handle it, short of manually changing the sig per-message or changing the default sig. It's a minor aggravation, but an aggravation nonetheless.



Wednesday, 26 June 2002


9:36 - Roland Dobbins points out that Evolution changes the sig to match the account from which one is sending. I actually knew that, but I'm waiting for Evolution to get a bit more stable before I start using it as my main mail client. The last time I used it intensively, Evolution was at release 1.0.3, and it crashed frequently. On one notable occasion, Evolution crashed and took all my desktop and taskbar icons along with it. I'm sure there was some easy fix for that, but as a Linux newbie I saw that one as a showstopper. I understand that the later releases have improved substantially, so I'll probably try Evolution again before long.

The Register posted an article by Thomas C. Greene yesterday about the effect of Palladium on the GPL in general and Linux in particular, entitled MS to eradicate GPL, hence Linux. I don't much care for Mr. Greene's politics, but he nailed this one. As I've been saying for years now, the answer has to be that we simply refuse to play on Microsoft's terms, and that we refuse to allow them to impose their terms on us. Make no mistake. Microsoft has declared a war of eradication against GPL in general and Linux in particular, and they'll do whatever is necessary to destroy them. The time for us to start fighting back is now.

11:22 - The RIAA/MPAA Copyright Nazis are at it again. Congressman Howard Berman (D - Disney) has proposed a bill that would permit music and movie companies to launch DoS attacks and similar exploits against peer-to-peer servers that they consider to be violating their copyrights. This bill would legalize actions that are currently illegal under federal law, and for good reason. Who decides which servers are attacked and shut down? Why, they do, of course.

I'm getting tired of writing about these outrages. Microsoft, the RIAA, and the MPAA regard us all as thieves, and are buying legislators and laws that treat us as such, but without even the protections accorded to a real thief. It's time and past time to start boycotting these sons of bitches. Please don't buy their products. Stop buying or renting DVDs and tapes. Stop buying CDs. Stop buying software from Microsoft. Vote with your wallet.

None of this is about piracy or copyright violations. That's a red herring. It's all about controlling us and eliminating Fair Use. Microsoft want you to pay them each and every time you boot up your computer or start your word processor. The RIAA and MPAA want you to pay them each and every time you listen to a CD or watch a movie. In the past, they've in effect sold you their products. Whatever the license agreement said, you paid them once and were then able to use the product freely without additional payments.

That's no longer good enough for Microsoft, the RIAA, and the MPAA. They want you to pay and keep paying, and they'll do everything they can to force you to keep coughing up. They'll use activation schemes and copy-protection and Digital Rights Management. They'll insist that all new PCs include Son-of-Clipper-Chip. They'll pass laws that assume every one of us is a thief, despite the fact that all we're doing is exercising our Fair Use Rights. They won't be satisfied until they control your PC completely.

Screw them, I say. Stop buying their products. Vote with your dollars and put the sons of bitches out of business. Stop buying their products. I tell you three times. STOP BUYING THEIR PRODUCTS.



Thursday, 27 June 2002


9:36 - FedEx delivered a copy of the second edition of PC Hardware in a Nutshell yesterday afternoon. At nearly 800 pages, it's almost 60% larger than the first edition, and I think we used that additional page count well. I spent an hour or two last night reading it, and it looks superb if I do say so myself.

Now that the book is in print, I'll archive the PCN2 directory and start a PCN3 directory. My goal is to have the third edition in the bookstores a bit more than a year from now, say August 2003. Of course, we haven't signed a contract for the third edition. Given the extremely slow computer book market, O'Reilly naturally wants to see how the second edition sells before they commit to a third edition.

I've gotten quite a bit of feedback about my suggestion yesterday that we all boycott Microsoft, the RIAA, and the MPAA. None of these messages have expressed any sympathy for those organizations, but several have made the same point. If we boycott them, these people tell me, the RIAA and MPAA will simply use these reduced sales figures as evidence that their products are being pirated.

I'm sorry, but although I'm sure that will indeed happen, I can't agree that that's a good reason not to boycott them. Consider the alternative. We continue to put our cash in their pockets and thereby keep their sales high. How does that benefit us? They'll still be pushing for control of our PCs and our wallets, because (as I said) this has never really been about piracy anyway. This is about their campaign to remove our Fair Use rights and to convert the traditional one-time payments for their products into a continuous revenue stream for them.

So the answer is two-fold. Boycott Microsoft, the RIAA, and the MPAA on the one hand, and support alternatives on the other.

The next time you're bringing up a server, don't buy a Windows license. Buy a copy of Red Hat Linux instead. Don't sign on to Microsoft's Licensing 6. Keep using what you have for now, and start planning to deploy Linux on your desktop systems next year or the year after. When you need to buy PCs, shun companies that bundle Microsoft software. Instead, buy your systems from local white-box resellers, who will be happy to supply them without software, and generally build better systems than the large OEMs anyway. Install OpenOffice.org or StarOffice on your desktops, and standardize on their native formats. None of this has to happen right away. You have a window of a year or two before any kind of software upgrade will be necessary. By that time, you should be prepared to abandon Microsoft and go with OSS alternatives.

Stop buying CDs from RIAA companies. There's a whole world of music out there that the RIAA doesn't control. Many recording artists sell their CDs directly, and in what should come as no surprise, many of these artists produce better music than the packaged, polished, commercialized crap products that the music industry pushes. Stop going to movies and stop buying or renting DVDs. Nearly all movies are garbage anyway. Read a book instead. You'll be better off for doing that.

If as a result of a boycott Microsoft's sales start falling, they probably will claim that piracy is a major factor. We need to be able to present convincing figures to rebut that. We need to be able to say, "The reason your sales are falling is that you produce overpriced, crappy, insecure, buggy products with intolerable licensing restrictions and as a result of that people are migrating to better alternatives like Linux and other OSS software." When the RIAA claims that widespread piracy has cut their sales in half, we need to be able to say, "People are still buying music, just not from you. They consider your CD prices an outrageous ripoff and your stable of artists to be producing slick, commercialized, unoriginal crap, so they're buying directly from artists who price their CDs at reasonable levels and provide value for money." If the MPAA complains about sales plummeting, we need to be able to say, "99% of the movies you produce are crap, so we all decided to start reading books instead."

But it has to start with you. Individually, none of us can do a thing about these problems. But if enough people get angry enough to opt out of Microsoft, the RIAA, and the MPAA, things will start to happen.

12:48 - I sent out the following warning to subscribers this morning:

Thanks to Roland Dobbins for notifying me of this one:


This is a critical vulnerability ("run code of attacker's choice") in recent versions of Windows Media Player, of all things. What's ironic is that the basis of the security hole is a flaw in how Microsoft implemented DRM (Digital Rights Management). If you have WMP on your system (and you almost certainly do if you're running a recent version of Windows), you really need to apply this patch.

As for me, the question isn't whether I'm going to transition to Linux and OSS applications, but when. Every one of these gaping security holes is another nail in Windows' coffin, and by now it's pretty well nailed shut.

Roland Dobbins sends this link, which is a pretty good summary of what Palladium is all about.

Paul Robichaux challenges some of my statements about Microsoft:

-----Original Message-----
From: Paul E. Robichaux
Sent: Thursday, June 27, 2002 11:53 AM
To: Robert Bruce Thompson
Subject: RE: Another critical Microsoft security flaw

What about the gaping security holes in Linux? Apache and OpenSSH have both recently had similar exploits, and at least MS is making a concerted internal effort-- which is getting virtually no press coverage-- to comprehensively review their existing code base and fix what needs fixin'.

Yeah, but

(a) for every gaping security hole in Linux, there are dozens of such holes in Windows. I also think it's interesting that ISS dropped the bomb without any warning to the Linux developers.


(b) when there's a gaping security hole in Linux it gets fixed quickly. It took Apache something like 12 hours to issue a fixed version, and not much more for SSH to get fixed.

As far as Microsoft fixing anything, I'll believe it when I see it. Allchin said flat out that Windows code was so bad it couldn't be fixed.

-----Original Message-----
From: Paul E. Robichaux
Sent: Thursday, June 27, 2002 12:14 PM
To: Robert Bruce Thompson
Subject: RE: Another critical Microsoft security flaw

Yeah, but (a) for every gaping security hole in Linux, there are dozens of such holes in Windows.

Not. Check the stats at http://www.securityfocus.com/vulns/stats.shtml.

I also think it's interesting that ISS dropped the bomb without any warning to the Linux developers.

That is pretty interesting. ISS is usually pretty good about notifying vendors in advance of their public announcements, especially compared to some of the random Internet yahoos who "discover" MS vulnerabilities.

and (b) when there's a gaping security hole in Linux it gets fixed quickly. It took Apache something like 12 hours to issue a fixed version, and not much more for SSH to get fixed.

OK, but if many open-source eyeballs make such light work of security reviews, how is it that the vulns were still *in* the code in the first place? Answer: just because the code is available for inspection doesn't mean anyone's actually bothering to inspect it! And how many of the systems with these particular exploits are going to be patched in a timely manner?

As far as Microsoft fixing anything, I'll believe it when I see it. Allchin said flat out that Windows code was so bad it couldn't be fixed.

Fearless prediction: in 18 months or so, you will start to see a sharp downturn in the number of Windows vulnerabilities, and it won't be temporary. MS is expending a *huge* amount of resources to systematically find existing flaws, fix them, and roll the design and coding lessons learned into new products. There are some extremely talented folks working on this effort, and it's being done across all their product lines. I believe it's going to pay off.

You may be right, but as I said I'll believe it when I see it. I'm cynical enough to believe that Microsoft is concerned with security only to the extent that improving security will improve sales. Judging empirically, Microsoft seems actually to benefit from security holes in their products, because security holes drive paid upgrades.

I've not written code in years, and I never did code at the OS level, but I've talked to enough people that are in a position to know who have told me that the whole Windows edifice is unfixable that I believe that's true. Microsoft is trying to add security to an existing OS that comprises something like 40 million lines of code. I don't think they'll be able to do it effectively. But we'll see.

In a couple of years it won't make any difference to me at all, because I'll not be running any Microsoft software at all by that time. Even if their software is perfect I'll refuse to use it simply because I don't care for their licensing terms or for their close co-operation with the Copyright Nazis and other scum of the world.

14:07 - This from Greg Lincoln:

-----Original Message-----
From: Greg Lincoln
Sent: Thursday, June 27, 2002 1:53 PM
To: Robert Bruce Thompson
Subject: "Linux" security holes

I want to make a comment on the message you posted this afternoon.

It really annoys me when people call OpenSSH or Apache or "insert app that just happens to run on Linux here" vulnerabilities "Linux" vulnerabilities. OpenSSH and Apache are NOT Linux. They are applications that run on Linux. They also run on Windows and quite a few other OSes.

Most of the recent reports against Windows are in the media player or IE, or some other component which is considered by Microsoft as part of Windows and can not be removed. Therefore, they are holes in Windows.

Greg Lincoln
Muse Root

An excellent point, and one I should have made. Of course, to use reductio ad absurdum, we could argue that Linux has seldom (never?) had a security hole, because Linux itself is in reality just the kernel. But your point is good. A typical Linux distribution installs hundreds or even thousands of separate programs, and to count problems with any of those many programs against Linux is in a sense unfair. For example, the recent security hole in Apache is the first I can remember. Perhaps there have been others, but I don't recall them. On the other hand, Microsoft's IIS seems to have a hideous security hole uncovered about once a week. It'd be interesting to total the number of serious security holes in those two products over, say, the last couple of years to get a rough idea of how good Microsoft software is compared to OSS.

And then, just after sending that, I found the following message from Jon Abbey over on the Daynotes messageboard:

The SecurityFocus stats should not be used for comparison with Windows. The reason is that a RedHat Linux system comes with *far* more software than a Windows XP distribution. There are many hundreds, if not thousands, of discrete packages included in RedHat, and the security issues counted at SecurityFocus for any of the Linuxes counts all software included in the box.

You can argue that if the software is there and vulnerable, then that really should count, and on one level I won't disagree, but the majority of those issues won't allow privileged access to the system if, indeed, any given user is running that DNS server, or that DHCP server, or that whatever. Linux installs are much less homogeneous than Windows installs, which makes for significantly greater difficulty and confusion for users, but it also makes for a far more difficult to exploit environment.

Apache has had one (1) remote exploit in the last 5 years, and that exploit doesn't allow root access. How many did IIS have in the same 5 years?

Paul Robichaux is undoubtedly correct that Microsoft's security posture will improve greatly with their sudden attention to the problem, but the other issues you have discussed (Palladium, DRM, your computer under someone else's control) will not be solved to your or my satisfaction, because that is not in Microsoft's interest.

14:10 - And, in an all time record, I follow my 14:07 post with a 14:10 post. This from Greg Lincoln:

-----Original Message-----
From: Greg Lincoln
Sent: Thursday, June 27, 2002 1:56 PM
To: Robert Bruce Thompson
Subject: bah, forgot one last thing

Sorry to bug you again, but this just hit a sore spot with me.

That link he sent you to is a common trick used in FUD. So common that the page's author put this at the top in bold:

"The numbers presented below should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made."

He explains why this is the case above the bold text.

Greg Lincoln
Muse Root



Friday, 28 June 2002


9:36 - Hmmm. Two of my friends are engaged in a spirited debate about the relative security of Windows and Linux. First, I received the following message from Paul Robichaux:

-----Original Message-----
From: Paul E. Robichaux
Sent: Friday, June 28, 2002 7:55 AM
To: Robert Bruce Thompson
Subject: RE: Another critical Microsoft security flaw

I responded to you, Greg, and Jon at somewhat more length in my blog; see http://www.robichaux.net/blog.

And then whilst doing my normal morning round of website visits, I found the following article by Greg Lincoln on LinuxMuse.

These guys are both my friends, and both make some interesting points, but on balance I find Greg's position more convincing. Microsoft's software is largely monolithic. When I install Windows, I have no choice about many of the components that are installed as part of Windows. I get Internet Explorer and Windows Scripting Host and Windows Media Player whether I want them or not (and I don't). When I install Linux, I do get a choice about what I want to install. As it happens, the two major "Linux" security holes that have surfaced in the last couple weeks don't affect me. I don't have Apache installed, nor do I use SSH. With Windows, I don't have that choice, so any exploit against one of Windows' core components affects me, even if I don't use it and would not have installed it given the choice.

And those two announcements have made me wonder, as I'm sure they have many people. Who is ISS and why are they suddenly finding flaws in OSS and making high-profile announcements without giving the software companies or teams even short notice to allow them time to create a fix? Brian Bilbrey wrote an interesting article over on LinuxMuse about just that question. I confess that when the Apache hole was announced, I wondered whether ISS was a Microsoft pawn. When ISS then announced the SSH hole, I really started to wonder. Has Microsoft funded these people and tasked them with finding and announcing security flaws in Linux and OSS, with the goal of making OSS look bad?

If so, it's backfired. No one has ever claimed that OSS is bug-free, just that the openness of the source code makes it more likely that problems will be uncovered and quickly fixed. In both these cases, that proved to be true.

13:05 - Some comments from Roland Dobbins vis-à-vis ISS:

-----Original Message-----
From: Roland Dobbins
Sent: Friday, June 28, 2002 12:53 PM
To: Robert Bruce Thompson; Brian Bilbrey
Subject: ISS.

ISS are one of a number of what I call 'black-box security marketeers' who sprung up ca. 1998 or thereabouts - i.e., their mission in life is to convince executives that proper information security (or 'infosec', as they term it) merely requires the proper amount of expensive black boxes placed at strategic points on the network and managed - for a hefty monthly fee - by the vendor's 'NOC', or 'Tiger Team', or whatever. securityfocus.com have somewhat reinvented themselves this way, except that a) they aren't selling black boxes, but rather coordination/information services, and b) they've a much more thorough and clueful track-record when it comes to security vis-a-vis the history and continuing association of Bugtraq with securityfocus.com.

Are ISS Microsoft shills? In spades. Their first product was the Internet Security Scanner, basically a Windows-based vulnerability-scanner which attempts to do what the Open Source Nessus (http://www.nessus.org) does. It's now called the 'Internet Scanner', and it still can't hold a candle to Nessus running on *NIX.

The whole premise of ISS is that, with their expert guidance and various black boxes (at least one of which, the Nokia firewall 'appliance', runs Solaris), executives who're starting to get just a little antsy about all these various Microsoft vulnerabilities, sinister .NET and Palladium plots, etc. - maybe even getting a little heat from some of their investors and/or rank-and-file IT staff - can lean back, heave a sigh of relief, and keep right on clicking that $tart button, because ISS are on the job! They market, quite effectively, a panacea for companies which otherwise, without the fig leaf of an ISS to cover themselves, would have no excuse at all to offer their shareholders and customers for their continuing stupidity of buying and deploying Microsoft products.

So, these firms pay ISS lots of money in exchange for . . . assurance and hand-holding and alerting. So ISS a) have a vested interest in seeming to be 'out-front' with their assessments and warnings, and b) have a vested interest in shoring up their main (albeit indirect) source of revenue, Microsoft, in any way possible.

Some of the people employed by ISS are pretty smart. They've just sold their souls and discarded whatever professional integrity they may've once possessed in exchange for lucre.

So, yes, ISS definitely have their own agenda when it comes to things like prematurely disclosing Apache and OpenSSH vulnerabilities.

Theo is a paranoid git, but he's a very useful and necessary paranoid git. He isn't 'marketing' anything. Privilege separation is a Good Thing, and ought to be enabled on all OpenSSH installations. Theo doesn't get a dime for pushing it - and I don't see how he could've handled the vulnerability info any better than he did.

My guess is that ISS have probably gotten some heat from some of their customers (i.e., "Why am I paying you all this money for early-warning when I can get more timely/better info elsewhere, for less or for free?"), and possibly might be trolling to get acquired by Microsoft, and so they're having some of their smarter orcs to start banging away on Apache, OpenSSH, MySQL, etc. in order to demonstrate their technical prowess as well as to show Microsoft how effective they are at showing up Open Source software. I'm all for full-disclosure and the resultant improvements in security -irrespective- of the motives of the disclosers, but it is important to understand what makes rude and self-serving firms like ISS tick.

13:57 - CNN reports that this picture of a Palestinian baby dressed as a suicide bomber was described by family members as "a joke". Some joke, huh? These Palestinians' sense of humor really slays me.

17:01 - My apologies to Bob Walder, who informed me that his message was not intended for publication. I have accordingly removed his original message and the response made to it by Roland Dobbins.


Saturday, 29 June 2002


9:31 - Barbara is off to a Border Collie trial today, and won't be back until mid-afternoon. I'm planning to work all day today and tomorrow on some stuff that I have to get done by Monday, so there won't be much if anything posted here. We'll also be getting ready next week for Barbara to depart on an 18-day bus tour with her parents, so things may be a bit hectic around here. Updates are likely to be short and sporadic.



Sunday, 30 June 2002


10:00 - I sent the following message to my subscribers yesterday afternoon:

I sent out a warning to my subscribers on Thursday, alerting them to the presence of a security hole in Windows Media Player and referencing Microsoft Security Bulletin MS02-032. Microsoft says that this bulletin addresses "Three new vulnerabilities, the most serious of which could be used to run code of attacker's choice" and includes a link to download a patch.

Ironically, applying that patch gives Microsoft the right to run code of Microsoft's choice. An alert reader spotted the following addition to the EULA, to which you must agree before you can apply the patch:

"Digital Rights Management (Security). You agree that in order to protect the integrity of content and software protected by digital rights management ("Secure Content"), Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer. If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update."

So it appears we have two choices:

1. Do not install the patch, which allows an attacker to run root-level exploits on your system, or

2. Install the patch, which allows Microsoft to run root-level exploits on your system and to change your software without so much as notifying you.

I don't regard either of these choices as acceptable, so I plan to accelerate my transition to OSS in general and Linux in particular.

Since I sent that message, this latest Microsoft outrage has hit all the on-line news sources, including Slashdot, The Register, The Inquirer, and so on. Ironically, we all got it wrong. Oh, the substance is true enough. Where we were wrong is in stating that this modification to the EULA is recent. In fact, it appeared at least as early as last fall. If we ever needed any more evidence that no one reads EULAs, this is it. That little bomb has been in the EULA for months and of all the millions of people who've had a chance to see it, no one spotted it until just now.

So this morning I decided to see what I could do about removing Windows Media Player on my Windows 2000 desktop. My recollection was that it didn't have an uninstall procedure, but I looked in Control Panel -- Add/Remove Programs just to verify that. Sure enough, there was no option to remove WMP (despite the fact that I've gotten rid of all the "HIDE" commands to make everything visible in Add/Remove Programs). So I went off to Google in search of instructions. I found many hits, most of which said to fire up Control Panel and remove WMP in Add/Remove Programs. Perhaps in some cases there is an option in Add/Remove Programs to remove WMP, but I certainly didn't have it.

So I went off to Microsoft's web site and searched it for instructions. I did find one link that sounded like just what I was looking for, but when I clicked on that link I got a 404 error. So I did a bit more searching for instructions on how to remove WMP manually. I finally gave up and just tried deleting the Windows Media Player directory in Program Files. That didn't work. Windows told me I had a sharing violation. So I tried deleting the files in that directory manually. Each time I deleted one, it came back automatically. So I searched for each file by name and then deleted it first from the dllcache directory and then from the Windows Media Player directory. Each time I did that, of course, I got a horrifying warning about how deleting that file had made my system unstable. Tough luck.

I expected at least one of the files would refuse to delete because of the sharing violation, but I was in fact able to delete every file in the Windows Media Player directory. When I then attempted to delete the empty directory, though, I got the same sharing violation. Oh, well. Everything but the directory is gone, and clicking on an MP3 file popped up a warning that Windows couldn't find mplayer2.exe. With that done, I installed the plug-in pack for IrfanView, which gives me everything I care about that WMP provided.

So WMP is off my system. But that's only a temporary fix. The real fix is to get all Microsoft software off my systems. As Jerry Pournelle says on his page, "Mac and Linux look better all the time, simply in self defense."

I really have had it with Microsoft.



Copyright 1998, 1999, 2000, 2001, 2002, 2003, 2004 by Robert Bruce Thompson. All Rights Reserved.