Date: Wed, 24 Nov 2004 12:26:39 -0500 (EST)
From: "Linux Pipeline Newsletter" <>
Subject: [LPN] Linux Pipeline Newsletter - 11-24-04 - Are You Experienced?
Linux Pipeline Newsletter
Wednesday, November 24, 2004

In This Issue:
  • Editor's Note: Are You Experienced?
  • Top Linux News
        - Vendors Press Ahead With Linux Interop Efforts
        - Researcher Finds Linux, Samba Security Bugs
        - Microsoft Deal Aims To Serve Multi-Platform Customers
        - More News...
  • Editor's Picks
        - Review: Is Firefox Ready To Rule The Roost?
        - Opinion: Why Is 'Free' So Frightening?
        - Feature: Big Blue Paints A Black Future For Windows Server
        - More Picks...
  • Voting Booth: Linux Security Threats
  • Get More Out Of Linux Pipeline
  • Manage Your Newsletter Subscription

    Editor's Note: Are You Experienced?

    Sometimes, I can't help but gloat a little. But I also try to remember it might be our turn to play the fools someday.

    I know it's not nice (and bad karma to boot) to revel in another person's misfortune. On the other hand, the sort of misfortune involved--another bunch of Internet Explorer users who never saw it coming--isn't a big deal in the scheme of things. Let's face it: Sooner or later, you're gonna bust a gut listening to the Microsoft shills who will, for the umpteenth time this year, insist that the company's own Typhoid Mary is doing much better, thank you, never mind that peculiar smell, go ahead and shake hands, there's nothing to be nervous about.

    This week, Redmond's exercise in denial comes courtesy of some hackers who decided to get into the advertising game for a while. After hacking a German ad server last weekend, they spent several hours spoon-feeding malicious code to Internet Explorer users visiting an "unknown number" of sites in the United Kingdom, Sweden, and The Netherlands.

    Hackers Get Creative With Unpatched IE Bug

    Among the Web sites caught in the scam: The Register, a well-known U.K.-based technology news outlet that, ironically, would like nothing more than to see European anti-trust regulators bury Microsoft deeper than the foot wedged in Steve Ballmer's mouth after his speech in Singapore last week.

    In a statement earlier this week, The Register advised readers to "consider running an alternate browser, at least until Microsoft deals with the issue." Of course, the Internet Explorer 6 users who carried home worms courtesy of the still-unfixed IFRAME bug may have to address some other business first, like tearing out their network connections until they can evict any unwelcome new friends.

    Internet Explorer isn't just a security hazard; it's an electronic Petri dish baited with a decade's worth of ill-advised software engineering decisions. Yet no matter how many new embarrassments pile up on Microsoft's doorstep, the company somehow finds a way to make each of them sound like the world's wackiest coincidence--unlike those Linux hippies squatting across the hall, keeping odd hours, and sneaking who knows what kinds of subversive code into corporate IT departments.

    But the chuckles we've enjoyed at Microsoft's expense can't last forever. Linux has coasted on its reputation, its relatively low profile, and (definitely) its superior security and reliability. Now we're starting to see signs that Linux users who practice sloppy security won't get off as easily as they did in the past.

    Some things haven't changed. Linux--and, by extension, the open-source development model--is far better equipped to fix these types of problems before anyone can exploit them, much less before they require awkward explanations. And, certain bought-and-paid-for research types notwithstanding, I think open-source software is less likely to allow these types of problems into production software in the first place.

    But it's not enough. Too many people in the open-source community are so busy high-fiving themselves that they don't see the banana peel that's about to lay them out on the sidewalk. "Security through obscurity" was once a mantra open-source developers and users could take to heart--no more, or at least not for much longer. The more Linux boxes we plug into the network, and the more delinquent code jockeys who notice all of these juicy new targets, the harder users, programmers, and administrators will have to work to stay one step ahead.

    This raises a second dilemma, one Wayne Spivak described very nicely in his Server Pipeline column earlier this week: Experienced, highly qualified Linux administrators get harder to find every day, and the few available candidates often gravitate towards big firms offering big salaries. That leaves the other type of administrator--the ones who never met a default configuration they didn't like and who think open ports give a server the perfect welcoming ambience. They go home in the evening for a much-deserved rest, and when they come back to work the next day there's a Roach Motel where their server used to sit.

    Linux delivers world-class security to anyone who knows how to take advantage of it. Most large enterprises have administrators who get the job done, but many smaller firms aren't there yet, and many more don't even know where they need to go. It's time to quit gawking at the Great Redmond Bug Hunt and take care of business before it takes care of us.

    Speaking of business, stay away from it this weekend, and enjoy your holiday.

    Matthew McKenzie
    Editor, Linux Pipeline

    Top Linux News

    Vendors Press Ahead With Linux Interop Efforts
    Four firms announce a joint project to facilitate the development of software compatible across multiple Linux distributions.

    Researcher Finds Linux, Samba Security Bugs
    A security expert reported two potentially significant bugs in Linux software used to share file and print services with Windows-based systems.

    Microsoft Deal Aims To Serve Multi-Platform Customers
    Microsoft takes a minority stake in a company that ties its Systems Management Server to non-Windows platforms, a key feature for customers with multi-platform IT environments.

    Firefox Heads For Main Street
    Linspire Inc. opens a new front in its battle against Microsoft: selling the suite and Firefox browser as a single retail package.

    Hackers Get Creative With IE Security Bug
    A hacked German ad server exploited a still-unpatched Internet Explorer 6 security bug to infect users at an unknown number of Web sites last weekend.

    Novell: Back In Black, Thanks To Linux
    Novell turns in a Q4 profit due to strong Linux software revenue, and CEO Jack Messman says the company may build on its success with a Linux offering for small and medium businesses.

    Microsoft Tempts NetWare Users With Migration Deal
    Microsoft launches a major campaign to convince Novell customers to adopt Windows Server 2003 rather than SuSE Linux.

    Sun's 'Mustang': Open, But Not Open Source
    Sun Microsystems is releasing early source code snapshots of its next J2SE release to get outside programmers more involved in the development process.

    NTT DoCoMo Rings Up Linux For 3G Mobile Phones
    The Japanese telecom giant selects MontaVista Linux to power three of its new Foma third-generation (3G) mobile phones.

    NEC Debuts Fault-Tolerant Linux Server
    NEC ships a fault-tolerant Linux server that the Santa Clara, Calif.-based company guarantees will remain up and running 99.999 percent of the time.

    S1 Takes Linux To The Bank
    The maker of software for the financial services industry says it will offer Linux versions of its software by 2006.

    Editor's Picks

    Review: Is Firefox Ready To Rule The Roost?
    This is one open-source Web browser that can win over even the most committed Internet Explorer fans.

    Opinion: Why Is 'Free' So Frightening?
    Any organization that cuts itself off from GPL and other legitimate forms of licensed freeware is seriously hurting its own business, Fred Langa says.

    Feature: Big Blue Paints A Black Future For Windows Server
    IBM hails research predicting fast growth for Linux in enterprise apps--mostly at Microsoft's expense.

    Opinion: Linux More Hackable? Bah, Humbug!
    It's shocking that Windows, the bastion of bad code and patches, is more secure than Linux. That I just can't believe.

    Opinion: SOX Me, Baby
    If you work in the IT department of a publicly-traded company, you're probably familiar with Sarbanes-Oxley. If the very sight of that name causes an annoying facial tic and makes you want a cigarette, and if your company also happens to use open-source software, we need to talk.

    Review: PearPC: As Good As The Real Thing?
    PearPC is an open-source, multi-OS emulator for PCs and Linux machines. It's promising, but can it stand the rigors of OS X?

    Voting Booth:

    Cast Your Vote Now!
    Linux Security Threats

    As Linux moves into the commercial mainstream, it also moves increasingly into harm's way. What is the biggest security threat Linux faces today? Let us know, cast your vote!

    Get More Out Of Linux Pipeline

    Try Linux Pipeline's RSS Feed
    Linux Pipeline's content is available via RSS feed: Get RSS link. The feed is also auto-discoverable to many RSS readers from the Linux Pipeline home page. Note: RSS feeds are not viewable in most Web browsers. You need an RSS reader, Web-based service, or plug-in to view RSS. Find out which RSS readers the Pipeline editors recommend.

    Check Out Our Linux Product Finder
    Don't reinvent the wheel. Find the right off-the-shelf product to do the job. How do you find the right one? Two words ... Product Finder:
       - Desktop Applications
       - Application Servers
       - Commercial Linux Distributions
       - Network Management
       - Web Servers

    Discover All The Pipelines
    Linux Pipeline is part of a large series of specialized IT sites from the TechWeb Network. Find out more about the Pipelines on the TechWeb Network Pipeline Publications page. Every Pipeline site has its own newsletter. Give them a try!

    Recommend This Newsletter To A Friend
    Do you have a friend or colleague who might enjoy this newsletter? Please forward it to him or her and point out the subscription page.

    Manage Your Newsletter Subscription

    To subscribe to this newsletter please visit the:
    Linux Pipeline Subscription Center.

    We take your privacy very seriously. Please review our Privacy Policy.

    Linux Pipeline Newsletter
    A free service of Linux Pipeline and the TechWeb Network.
    Copyright (c) 2003-2004 CMP Media LLC
    600 Community Drive
    Manhasset, NY 11030