Date: Tue, 8 Feb 2005 19:11:35 -0500 (EST)
From:"Linux Pipeline Newsletter" <>
Subject: [LPN] Linux Pipeline - 02-08-2005 - The Root(s) Of All Evil?
Linux Pipeline Newsletter
Tuesday, February 08, 2005

In This Issue:
  • Editor's Note: The Root(s) Of All Evil
  • Top Linux News
        - Open-Source Legal Center Offers Free Help For Developers
        - European Legislators Shoot Down Software Patent Push
        - IT Salary Survey: Seems Like Old Times
        - More News...
  • Editor's Picks
        - InformationWeek 2005 National IT Salary Survey
        - Review: Novell Open Enterprise Server
        - Torvalds: Companies Learn To Play The Linux Game
        - More Picks...
  • Voting Booth: Will Sun's "Linux-Killer" Draw Blood?
  • Get More Out Of Linux Pipeline
  • Manage Your Newsletter Subscription

    ------- Advertisement -------------------
    Join Transform Magazine for a FREE, on-demand TechWebCast on
    Management and Compliance of IM and P2P in the Enterprise.
    We'll provide insight into how companies can adopt and
    embrace IM efficiently and securely while meeting stringent
    regulatory compliance requirements.
    Register and view today:


    Editor's Note: The Root(s) Of All Evil

    Last week's report that a worm had infected thousands of Windows-based MySQL installations wasn't nearly as bad as it might have been. The bot didn't exploit a hole in MySQL's code--it exploited lazy or ignorant administrators who couldn't, at the very least, protect their systems with a decent root password.

    MySQL Worm Just Wants To Chat

    MySQL AB, the Swedish firm that makes the open-source database, still took some heat over the incident. Critics want the company to force users to change the default root password when they set up MySQL--or, better yet, to disable root accounts by default.

    Either of these changes probably would have stopped the attack dead in its tracks, and MySQL AB says it's thinking about disabling default root access in its upcoming version 5.0 release. That's not a bad idea, but I think the company is getting way too much grief over this. Anyone with a reason to install a database server should already know better--and if they don't, they need someone to kick them in the pants, not to hold their hands.
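    The two fixes the critics are asking for (a real root password, no default root reachable from the network) are things an administrator can apply today on an installed server. The statements below are an added example written for this newsletter, not MySQL AB's code or the worm's; they assume the privilege tables of a MySQL 4.x / 5.0-era server (a Password column in mysql.user and the PASSWORD() function) and are run through the mysql client as root. The password string is a placeholder, not a recommended value.

```sql
-- Added example (not from the newsletter or MySQL AB): audit and harden the
-- root account on a MySQL 4.x / 5.0-era server. Assumes the mysql.user table
-- of that era (a Password column); run as root via the mysql client.

-- 1. Audit: accounts with no password at all. On a fresh install this
--    typically lists root (and the anonymous '' user) for localhost and
--    for the machine's own hostname.
SELECT User, Host FROM mysql.user WHERE Password = '';

-- 2. Audit: root accounts reachable from somewhere other than the local host.
SELECT User, Host FROM mysql.user WHERE User = 'root' AND Host <> 'localhost';

-- 3. Fix: give every remaining root account a real password.
--    'CHANGE-ME-to-a-long-random-secret' is a placeholder, not a suggestion.
UPDATE mysql.user
   SET Password = PASSWORD('CHANGE-ME-to-a-long-random-secret')
 WHERE User = 'root';

-- 4. Fix: drop the anonymous accounts and any root login from non-local hosts.
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user WHERE User = 'root' AND Host <> 'localhost';

-- 5. Reload the grant tables so the changes take effect without a restart.
FLUSH PRIVILEGES;

-- 6. Verify: both audit conditions should now match no rows.
SELECT User, Host
  FROM mysql.user
 WHERE Password = '' OR (User = 'root' AND Host <> 'localhost');
```

    If the server only ever talks to applications on the same machine, the cheapest additional step is to take it off the network entirely with `skip-networking` in my.cnf (or to pin it to the loopback interface with `bind-address=127.0.0.1`), so that a password guesser never reaches port 3306 in the first place.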

    This makes for an interesting comparison, by the way, to Linspire's default setup process for its desktop Linux distribution.

    Linspire, you may recall, is the company working with Wal-Mart to distribute cheap desktop PCs and laptop systems to the masses. The people who buy these systems probably aren't Linux geeks; many of them are likely to be first-time users who want a cheap box to get them onto the Internet. When these folks hear the word "hacker," they're more likely to think Michael Myers than Kevin Mitnick.

    In order to make its Linux systems as easy as possible to use, however, Linspire allows users to set up default root access on their systems. In fact, if you don't already know what user accounts are and how to create them, you're likely to stay permanently in root on a Linspire box.

    Right now, a lot of Linux admins are breaking into a cold sweat at the thought of thousands--someday, maybe, millions--of systems running in root while their users bumble around the Internet in ignorant bliss. Linspire says it's not a problem: Their systems do come with unnecessary ports closed and with properly configured firewalls. Furthermore, as I've seen suggested on a Linspire discussion group, in a market where most Linux users always run their systems in single-user mode, is the taboo against running in root nearly as important as it once was?
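    Whether a Linspire box has ended up with root as its only login is something the machine itself can answer from /etc/passwd. The script below is an added example written for this newsletter, not Linspire's code; it lists every UID-0 account (any name beyond "root" is a second superuser login the owner may not know about) and every ordinary account with a usable shell, and warns when there is none of the latter. SAMPLE_PASSWD is constructed test data, not taken from a real system; the same functions can be pointed at the live file as shown in the last comment.

```shell
#!/bin/sh
# Added example (not Linspire's code): audit a passwd file for root-equivalent
# and unprivileged login accounts. SAMPLE_PASSWD is constructed test data.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
toor:x:0:0:second uid-0 login:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/false'

# Every account whose numeric UID is 0. Anything besides "root" here is an
# extra superuser login.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Ordinary accounts (UID >= 1000, excluding nobody) whose shell is not a
# nologin/false stub. An empty result means the only way to log in is as root.
unprivileged_logins() {
    printf '%s\n' "$1" | awk -F: '$3 >= 1000 && $3 < 65534 && $7 !~ /(false|nologin)$/ { print $1 }'
}

# True when the calling session itself is root, i.e. what a user would see
# from a desktop terminal on a box set up to stay in root.
session_is_root() {
    [ "$(id -u)" -eq 0 ]
}

# Human-readable report for one passwd file's contents.
audit_passwd() {
    printf 'uid-0 accounts: %s\n' "$(uid0_accounts "$1" | tr '\n' ' ')"
    unpriv=$(unprivileged_logins "$1")
    if [ -z "$unpriv" ]; then
        echo 'WARNING: no unprivileged login account; every session is root'
    else
        printf 'unprivileged logins: %s\n' "$(printf '%s\n' "$unpriv" | tr '\n' ' ')"
    fi
}

audit_passwd "$SAMPLE_PASSWD"
# Against the live system:  audit_passwd "$(cat /etc/passwd)"
```

    On the constructed sample this reports two UID-0 accounts (root and toor) and one unprivileged login (alice); on a box where root is the only account with a real shell, the warning line fires.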

    That's an interesting question, but I personally don't think the answer has changed: this is a potential PR nightmare for Linspire. As both of these cases show, however, there's a lot of confusion over what makes for good system security, how to enforce good security, and who should take responsibility for that enforcement. As more users--and more attackers--move to Linux, we'll probably get some answers to these questions the hard way.

    Matthew McKenzie
    Editor, Linux Pipeline

    Keep Getting This Newsletter
    Don't let future editions of Linux Pipeline Newsletter go missing. Take a moment to add the newsletter's address to your anti-spam whitelist:

    If you're not sure how to do that, ask your administrator or ISP. Or check your anti-spam utility's documentation. Thanks.

    Top Linux News

    Open-Source Legal Center Offers Free Help For Developers
    New law center, founded with $4 million in OSDL seed money, will offer free legal help to non-profit open-source projects, developers and customers.

    European Legislators Shoot Down Software Patent Push
    The EU Parliament sends a proposal to legalize software patents back to the drawing board, handing European open-source advocates a major victory.

    IT Salary Survey: Seems Like Old Times
    The average IT worker's pay shrank to its lowest level since 2001, says a Dice survey, although managers' salaries mostly escaped the axe.

    PalmSource Closes Linux Acquisition
    Mobile platform vendor closes deal to acquire a Chinese company that will develop a Linux version of the Palm OS.

    More Phishers Taking Spyware To The Bank
    Security experts are appalled at a 'harrowing' surge in key loggers, screen grabbers, and other types of identity-theft spyware on victims' PCs.

    Intrusion Prevention System Works With Open-Source Apps
    Metanetworks Technologies, Inc. has unveiled a wire-speed Gigabit Ethernet network intrusion detection and prevention system designed to work with open-source network security applications.

    Linux 2.6 Kernel To Include Xen Virtualization Technology
    A future update to the Linux 2.6 kernel will include the Xen open source project's virtualization technology, according to the person who maintains the Linux kernel.

    Utility Computing Still A Work In Progress On Linux
    As Linux running on x86 servers continues to grow in corporate data centers, questions remain about its cost and complexity compared to Unix servers.

    Red Hat Launches Government Business Unit
    Linux distributor Red Hat launches a business unit focused on government sales.

    IE Escapes Spoofing Bug's Multi-Browser Attack
    A flaw found in most browsers--with the notable exception of Internet Explorer--could allow criminals to mislead users with phony URLs and SSL certificates.

    IBrix File System Simplifies Linux Clustering
    A new file system aims to support the growing number of business customers adopting storage solutions built on Linux clusters.

    Gnome 2.10 Hits Beta
    The Gnome Project releases the first public beta of its latest open-source desktop release.

    Quiet Month For IT Job Market
    Even employment among IT services firms, which showed steady growth over the past year, hardly budged in January.

    Open Source DBs Up Enterprise Appeal
    Highly anticipated releases of the top two open source databases, PostgreSQL 8.0 and MySQL 5.0b, are expected this month.

    Editor's Picks

    Survey: What HR Won't Tell You--But We Will
    Would you like to know how your job satisfaction and pay compare to your peers'? Help us help you find out: Take the InformationWeek 2005 National IT Salary Survey. The survey, now in its eighth year, tracks over 20 IT job categories. It's quick, it's easy, and it's completely confidential. It could even pay off: If you respond by Feb. 12, you're eligible to win one of several prizes, including a Panasonic wide-screen plasma TV worth more than $2,500.
    Click here to get started.

    Review: Novell Open Enterprise Server
    Novell brings NetWare to Linux, but missing components and clustering quirks should keep some firms on the fence until version 2.0 arrives.

    Torvalds: Companies Learn To Play The Linux Game
    The Linux creator joins three colleagues to discuss what works, what doesn't, and what's ahead for enterprise Open Source.

    Quick Review: Thunderbird Lays An Egg
    Mozilla's open-source email client looks more like a watered-down version of Outlook Express than the second coming of Firefox, says Scot Finnie.

    LAMP Vs. J2EE: A Tale Of Two Platforms
    In the first of two articles, Ross Greenberg explains what makes LAMP a bright idea for certain types of development jobs.

    Torvalds Keeps An Open Mind About Open Solaris
    Linux creator Linus Torvalds said Sun's CDDL is a valid open-source license and he welcomes an open-source rival, but he notes that Open Solaris is not available yet.

    SPECIAL REPORT: The Firefox Guide: You Want It, We Have It
    One-stop shopping for all of your Firefox needs: Tips, tricks, extension picks, and a soup-to-nuts review of the world's most popular open-source browser.

    Voting Booth: Will Sun's 'Linux Killer' Draw Blood?

    Cast Your Vote Now!
    Sun's recent Open Solaris release has raised questions about whether the company has what it takes to build the community required to guarantee its success. Will Sun's Solaris gamble pay off and take market share away from Linux? Let us know--this is the final week for the poll!

    Get More Out Of Linux Pipeline

    Try Linux Pipeline's RSS Feed
    Linux Pipeline's content is available via RSS feed: Get RSS link. The feed is also auto-discoverable to many RSS readers from the Linux Pipeline home page. Note: RSS feeds are not viewable in most Web browsers. You need an RSS reader, Web-based service, or plug-in to view RSS. Find out which RSS readers the Pipeline editors recommend.

    Check Out Our Linux Product Finder
    Don't reinvent the wheel. Find the right off-the-shelf product to do the job. How do you find the right one? Two words ... Product Finder:
       - Desktop Applications
       - Application Servers
       - Commercial Linux Distributions
       - Network Management
       - Web Servers

    Discover All The Pipelines
    Linux Pipeline is part of a large series of specialized IT sites from the TechWeb Network. Find out more about the Pipelines on the TechWeb Network Pipeline Publications page. Every Pipeline site has its own newsletter. Give them a try!

    Recommend This Newsletter To A Friend
    Do you have a friend or colleague who might enjoy this newsletter? Please forward it to him or her and point out the subscription page.


    Manage Your Newsletter Subscription

    We take your privacy very seriously. Please review our Privacy Policy.

    Linux Pipeline Newsletter
    A free service of Linux Pipeline and the TechWeb Network.
    Copyright (c) 2004-2005 CMP Media LLC
    600 Community Drive
    Manhasset, NY 11030