Linux Pipeline Newsletter
www.LinuxPipeline.com
Wednesday, November 24, 2004
In This Issue:
Editor's Note: Are You Experienced?
Top Linux News
- Vendors Press Ahead With Linux Interop Efforts
- Researcher Finds Linux, Samba Security Bugs
- Microsoft Deal Aims To Serve Multi-Platform Customers
- More News...
Editor's Picks
- Review: Is Firefox Ready To Rule The Roost?
- Opinion: Why Is 'Free' So Frightening?
- Feature: Big Blue Paints A Black Future For Windows Server
- More Picks...
Voting Booth: Linux Security Threats
Get More Out Of Linux Pipeline
Manage Your Newsletter Subscription
Editor's Note: Are You Experienced?
Sometimes, I can't help but gloat a little. But I also try to
remember it might be our turn to play the fools someday.
I know it's not nice (and bad karma to boot) to revel in another
person's misfortune. On the other hand, the sort of misfortune
involved--another bunch of Internet Explorer users who never saw
it coming--isn't a big deal in the scheme of things. Let's face
it: Sooner or later, you're gonna bust a gut listening to the
Microsoft shills who will, for the umpteenth time this year,
insist that the company's own Typhoid Mary is doing much better,
thank you, never mind that peculiar smell, go ahead and shake
hands, there's nothing to be nervous about.
This week, Redmond's exercise in denial comes courtesy of some
hackers who decided to get into the advertising game for a while.
After hacking a German ad server last weekend, they spent several
hours spoon-feeding malicious code to Internet Explorer users
visiting an "unknown number" of sites in the United Kingdom,
Sweden, and The Netherlands.
Hackers Get Creative With Unpatched IE Bug
Among the Web sites caught in the scam: The Register, a
well-known U.K.-based technology news outlet that, ironically,
would like nothing more than to see European anti-trust
regulators bury Microsoft deeper than the foot wedged in Steve
Ballmer's mouth after his speech in Singapore last week.
In a statement earlier this week, The Register advised readers to
"consider running an alternate browser, at least until Microsoft
deals with the issue." Of course, the Internet Explorer 6 users
who carried home worms courtesy of the still-unfixed IFRAME bug
may have to address some other business first, like tearing out
their network connections until they can evict any unwelcome new friends.
Internet Explorer isn't just a security hazard; it's an
electronic Petri dish baited with a decade's worth of ill-advised
software engineering decisions. Yet no matter how many new
embarrassments pile up on Microsoft's doorstep, the company
somehow finds a way to make each of them sound like the world's
wackiest coincidence--unlike those Linux hippies squatting across
the hall, keeping odd hours, and sneaking who knows what kinds of
subversive code into corporate IT departments.
But the chuckles we've enjoyed at Microsoft's expense can't last
forever. Linux has coasted on its reputation, its relatively low
profile, and (definitely) its superior security and reliability.
Now we're starting to see signs that Linux users who practice
sloppy security won't get off as easily as they did in the past.
Some things haven't changed. Linux--and, by extension, the
open-source development model--is far better equipped to fix
these types of problems before anyone can exploit them, much less
before they require awkward explanations. And, certain
bought-and-paid-for research types notwithstanding, I think
open-source software is less likely to allow these types of
problems into production software in the first place.
But it's not enough. Too many people in the open-source community
are so busy high-fiving themselves that they don't see the banana
peel that's about to lay them out on the sidewalk. "Security
through obscurity" was once a mantra open-source developers and
users could take to heart--no more, or at least not for much
longer. The more Linux boxes we plug into the network, and the
more delinquent code jockeys who notice all of these juicy new
targets, the harder users, programmers, and administrators will
have to work to stay one step ahead.
This raises a second dilemma, one Wayne Spivak described very
nicely in his Server Pipeline
column earlier this week: Experienced, highly qualified Linux
administrators get harder to find every day, and the few
available candidates often gravitate towards big firms offering
big salaries. That leaves the other type of administrator--the
ones who never met a default configuration they didn't like and
who think open ports give a server the perfect welcoming
ambience. They go home in the evening for a much-deserved rest,
and when they come back to work the next day there's a Roach
Motel where their server used to sit.
Linux delivers world-class security to anyone who knows how to
take advantage of it. Most large enterprises have administrators
who get the job done, but many smaller firms aren't there yet,
and many more don't even know where they need to go. It's time to
quit gawking at the Great Redmond Bug Hunt and take care of
business before it takes care of us.
Speaking of business, stay away from it this weekend, and enjoy
your holiday.
Matthew McKenzie
Editor, Linux Pipeline
mattcmp@sonic.net
www.LinuxPipeline.com
Top Linux News
Vendors Press Ahead With Linux Interop Efforts
Four firms announce a joint project to facilitate the development
of software compatible across multiple Linux distributions.
Researcher Finds Linux, Samba Security Bugs
A security expert reported two potentially significant bugs in
Linux software used to share file and print services with
Windows-based systems.
Microsoft Deal Aims To Serve Multi-Platform Customers
Microsoft takes a minority stake in a company that ties its
Systems Management Server to non-Windows platforms, a key feature
for customers with multi-platform IT environments.
Firefox Heads For Main Street
Linspire Inc. opens a new front in its battle against Microsoft:
selling the OpenOffice.org suite and Firefox browser as a single
retail package.
Hackers Get Creative With IE Security Bug
A hacked German ad server exploited a still-unpatched Internet
Explorer 6 security bug to infect users at an unknown number of
Web sites last weekend.
Novell: Back In Black, Thanks To Linux
Novell turns in a Q4 profit due to strong Linux software revenue,
and CEO Jack Messman says the company may build on its success
with a Linux offering for small and medium businesses.
Microsoft Tempts NetWare Users With Migration Deal
Microsoft launches a major campaign to convince Novell customers
to adopt Windows Server 2003 rather than SuSE Linux.
Sun's 'Mustang': Open, But Not Open Source
Sun Microsystems is releasing early source code snapshots of its
next J2SE release to get outside programmers more involved in the
development process.
NTT DoCoMo Rings Up Linux For 3G Mobile Phones
The Japanese telecom giant selects MontaVista Linux to power three
of its new Foma third-generation (3G) mobile phones.
NEC Debuts Fault-Tolerant Linux Server
NEC ships a fault-tolerant Linux server that the Santa Clara,
Calif.-based company guarantees will remain up and running 99.999
percent of the time.
S1 Takes Linux To The Bank
The maker of software for the financial services industry says it
will offer Linux versions of its software by 2006.
Editor's Picks
Review: Is Firefox Ready To Rule The Roost?
This is one open-source Web browser that can win over even the
most committed Internet Explorer fans.
Opinion: Why Is 'Free' So Frightening?
Any organization that cuts itself off from GPL and other
legitimate forms of licensed freeware is seriously hurting its
own business, Fred Langa says.
Feature: Big Blue Paints A Black Future For Windows Server
IBM hails research predicting fast growth for Linux in enterprise
apps--mostly at Microsoft's expense.
Opinion: Linux More Hackable? Bah, Humbug!
It's shocking that Windows, the bastion of bad code and patches,
is more secure than Linux. That I just can't believe.
Opinion: SOX Me, Baby
If you work in the IT department of a publicly-traded company,
you're probably familiar with Sarbanes-Oxley. If the very sight
of that name causes an annoying facial tic and makes you want a
cigarette, and if your company also happens to use open-source
software, we need to talk.
Review: PearPC: As Good As The Real Thing?
PearPC is an open-source, multi-OS emulator for PCs and Linux
machines. It's promising, but can it stand the rigors of OS X?
Voting Booth:
Cast Your Vote Now! Linux Security Threats
As Linux moves into the commercial mainstream, it also moves
increasingly into harm's way. What is the biggest security threat
Linux faces today? Let us know, cast your vote!
Get More Out Of Linux Pipeline
Try Linux Pipeline's RSS Feed
Linux Pipeline's content is available via RSS feed: Get RSS link. The feed is also auto-discoverable to many RSS readers from the Linux Pipeline home page. Note: RSS feeds are not viewable in most Web browsers. You need an RSS reader, Web-based service, or plug-in to view RSS. Find out which RSS readers the Pipeline editors recommend.
Check Out Our Linux Product Finder
Don't reinvent the wheel. Find the right off-the-shelf product to do the job. How do you find the right one? Two words ... Product Finder:
- Desktop Applications
- Application Servers
- Commercial Linux Distributions
- Network Management
- Web Servers
Discover All The Pipelines
Linux Pipeline is part of a large series of specialized IT sites from the TechWeb Network. Find out more about the Pipelines on the TechWeb Network Pipeline Publications page. Every Pipeline site has its own newsletter. Give them a try!
Recommend This Newsletter To A Friend
Do you have a friend or colleague who might enjoy this newsletter? Please forward it to him or her and point out the subscription page.
Manage Your Newsletter Subscription
To subscribe to this newsletter please visit the: Linux Pipeline Subscription Center.
We take your privacy very seriously. Please review our Privacy Policy.
Linux Pipeline Newsletter
A free service of Linux Pipeline and the TechWeb Network.
Copyright (c) 2003-2004 CMP Media LLC
600 Community Drive
Manhasset, NY 11030