
Linux links of the week


Are you curious about the occasional references to the "Wiki Wiki Web" or just "Wiki"? Wiki sites take a new approach to web pages by allowing anybody to make changes to any page on the site. Wiki sites are thus truly cooperative developments. It sounds like a recipe for chaos, but, thus far, it seems to work fairly well. See the original Wiki Wiki Web site at the Portland Pattern Repository for a starting point. Have some patience at the beginning; getting started with Wiki takes a bit of effort. See also the ZWiki site for a Zope-based implementation.

For a distinctively read-only experience, instead, William Gibson's classic novel Neuromancer is online.

Section Editor: Jon Corbet


May 18, 2000

Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
 
   
Date: Thu, 11 May 2000 10:49:17 +0100
From: kevin lyda <kevin@suberic.net>
To: Nathan Myers <ncm@cantrip.org>, letters@lwn.net
Subject: proprietary distros?

Nathan Myers wrote:
> Perhaps once Potato is out, Debian will just take over the world; 
> then all those people working on proprietary distros can go home and 
> do something productive instead. :-)

huh?  one of the most proprietary distros i know is corel - based on
debian.  mandrake is based on redhat, and seems quite open.  redhat's
distro is gpl'ed so people are free to copy it (like mandrake and a
number of other distros outside the states).

redhat for one has done a great deal to increase the amount of gpl'd code
available, including but not limited to their own distribution.  to call
mandrake and redhat [proprietary] is a disservice to the entire free
software community by watering down the true meaning of proprietary.

kevin
-- 
kevin@suberic.net       "we were goin' for breakfast.  in canada.  we
fork()'ed on 37058400    made a deal: if she'd stop hookin', i'd stop
meatspace place: home    shootin' people.  maybe we were aiming high."
                                                   --porter, "payback"
   
Date: Thu, 11 May 2000 13:29:03 -0700
To: letters@lwn.net
From: Peter Lawson <peter.lawson@noaa.gov>
Subject: LoveBug "virus"

As a biologist, I see an obvious analog to the epidemic of LoveBug
infections.  In agriculture, large fields of genetically identical plants
are vulnerable to novel diseases precisely because there is no variability
among the plants. Each is equally vulnerable and each spreads the disease
in the same way.  The large population of Windows computers running Outlook
is a monoculture, just as large fields of corn or soybeans may be.  A
virulent virus spreads rapidly through the fields of Outlook just as it
would spread through a field of corn.

Nicholas Petreley comes closest to suggesting this analogy in his
LinuxWorld article when he pointed out that Linux users are less vulnerable
to this kind of attack because there is so much variety in the mail
programs we use.  The problem is clear -- Microsoft has suppressed
variability in the software world with its monopolistic practices,
rendering the largest segment of the community vulnerable to relatively
simple attacks.  The solution is also clear -- do whatever it takes to
allow variability in software to flourish, as it would in a fair,
competitive environment.  This is the best evidence I have seen of the harm
that the Microsoft hegemony is causing in the computer world.

Cheers,

Peter Lawson
pnjreid@newportnet.com
   
Date: Thu, 11 May 2000 13:05:58 -0700 (PDT)
From: Colin Kuskie <ckuskie@cadence.com>
To: lwn@lwn.net
Subject: Programs that run random code


  It is fair to say that no self-respecting open source project would
  intentionally put out software which would run code from random
  users on the net.

This quote, from the main page of the May 11, 2000 Linux Weekly News
is a little inaccurate.  Perhaps it's picking nits, but I'll give a
couple of examples:

- I'm pretty sure that Mozilla runs Javascript, which is code from
  random users on the net.  Likewise with Java.  And I don't think
  that anyone really believes that either is as secure as they
  claim.

- Macro capabilities inside the open-source spreadsheets and word
  processors are just as dangerous.  Imagine if you could get root
  to run a Gnumeric spreadsheet with Scheme/Python/Perl bindings.

- Script-Fu for Gimp.

- The TCL browser plug-in.

Now, arguably later on you do say:

  It is true that Linux is highly unlikely to be caught by such a simple,
  email-borne bit of nastiness. But nobody would claim that Linux systems
  are 100% free of vulnerabilities.  A suitably talented malware author
  who wanted to shoot down some of those smug Linux people would not have
  that hard of a time creating an embarrassing incident

I would say that the immunity of Linux users comes from another
source.  We have an innate distrust for closed source.  It's my opinion
that most Linux users would actually read the source to executable code
before executing it, especially if it's a small attachment to an
email.

As our user base expands, that will no longer be true.  It will be up
to us to educate and to guarantee that the applications that they use
will by default protect the user, at the cost of not having embedded
spreadsheets and HTML in our email.  Aside from the fact that embedding
those things in email is stupid, it's a small cost compared to the
estimated six billion dollars in damage from ILOVEYOU.

Colin Kuskie

   
Date: Fri, 12 May 2000 11:40:26 +0100
From: Edmund GRIMLEY EVANS <edmundo@rano.org>
To: letters@lwn.net
Subject: Linux viruses

There was an entertaining discussion in the mutt-dev mailing list
about how Linux can be made to support viruses just as well as
Microsoft. Thomas Roessler suggested one recipe, which can probably be
adapted to work with mail clients other than Mutt (www.mutt.org):

  .mailcap:
  application/x-sh; sh %s; copiousoutput

  .muttrc:
  auto_view application/x-sh

I hope I am right in assuming that no reader of LWN is sufficiently
stupid to actually use this recipe ...

Edmund
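The recipe in the letter above makes mutt hand any shell-script attachment to sh the moment the message is displayed. The script below is an added example, not from the letter, from mutt, or from LWN: it audits a ~/.mailcap together with a ~/.muttrc and reports every attachment type whose viewer is an interpreter that receives the attachment file, marking those that auto_view would run without any keypress. The interpreter list and the two sample configuration files are constructed for the demonstration.

```python
"""Audit a mailcap file plus a muttrc for attachment types that mutt would
feed straight to an interpreter.  Added example; the interpreter list and
the sample files are constructed, not taken from any real configuration."""
import re
import shlex

# Programs that execute whatever file they are given.  Constructed list;
# extend it for the interpreters installed at your site.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh", "perl", "python",
                "python3", "ruby", "tclsh", "wish"}

def parse_mailcap(text):
    """Return (mime_type, view_command, flags) for each mailcap entry.

    Handles backslash-newline continuation lines, '#' comments and '\\;'
    escapes inside a command; enough for an audit, not a full RFC 1524 parser."""
    entries = []
    folded = re.sub(r"\\\n", "", text)
    for line in folded.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip().replace("\\;", ";")
                  for f in re.split(r"(?<!\\);", line)]
        if len(fields) < 2:
            continue
        entries.append((fields[0].lower(), fields[1],
                        [f.lower() for f in fields[2:]]))
    return entries

def auto_view_types(muttrc):
    """Set of MIME types that mutt renders automatically via auto_view."""
    types = set()
    for line in muttrc.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0] == "auto_view":
            types.update(w.lower() for w in words[1:])
    return types

def runs_attachment(command):
    """True if the command hands the attachment file (%s) to an interpreter."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return True          # unparseable quoting: flag it rather than miss it
    if not argv:
        return False
    program = argv[0].rsplit("/", 1)[-1]
    return program in INTERPRETERS and any("%s" in arg for arg in argv[1:])

def audit(mailcap_text, muttrc_text):
    """Return [(mime_type, command, automatic)] for entries that execute the
    attachment; automatic is True when auto_view triggers it on display."""
    auto = auto_view_types(muttrc_text)
    return [(mime, cmd, mime in auto)
            for mime, cmd, _flags in parse_mailcap(mailcap_text)
            if runs_attachment(cmd)]

# Constructed sample files: the letter's recipe next to two harmless entries.
SAMPLE_MAILCAP = """\
# constructed sample ~/.mailcap
text/html; lynx -dump %s; nametemplate=%s.html; copiousoutput
application/x-sh; sh %s; copiousoutput
application/pdf; xpdf %s; test=test -n "$DISPLAY"
"""
SAMPLE_MUTTRC = """\
# constructed sample ~/.muttrc
auto_view text/html application/x-sh
set sort=threads
"""

if __name__ == "__main__":
    for mime, cmd, automatic in audit(SAMPLE_MAILCAP, SAMPLE_MUTTRC):
        how = "automatically on display" if automatic else "when viewed"
        print(f"{mime}: '{cmd}' runs the attachment {how}")
```

Run against the constructed files it reports only application/x-sh, as automatic; drop the auto_view line and the same entry is still reported, just as something that fires when the attachment is opened by hand.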
   
Date: Thu, 11 May 2000 13:29:11 -0400
From: Pierre Baillargeon <pb@artquest.net>
Subject: Re: The trouble with redirects
To: letters@lwn.net

At the end of the article you mention that fixing the problem would "not 
be an easy problem to fix; it's buried pretty deeply in the structure of 
the web."

Well, the fix may be better applied on the other side of the web: 
the browser. Wouldn't it be trivial just to ask the user approval for 
redirection, just like it is currently possible with cookies? Browsers 
could even detect that the URL contains a submission and only request 
the approval for such requests.

By putting the fix in the hand of the users, security conscious people 
can actively defend themselves against sites which refuse to implement 
the proposed fixes. A knowledgeable coder could put this idea in 
practice in Mozilla now, providing yet another example of the benefits 
of free software: the possible quick response-time to a security problem.

   
From: "Chris Adams" <chris@improbable.org>
To: "letters@lwn.net" <letters@lwn.net>
Date: Thu, 11 May 2000 18:13:56 -0700
Subject: Re: The trouble with redirects

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.lwn.net/2000/features/Redirect.phtml

"The folks at Digital Creations have, in the process of tracking down a
security problem with the Zope application server, turned up a security
difficulty with the web as a whole. Given the way the web and
authentication-based sites work, a suitably unpleasant attacker could,
through the use of HTTP redirects and (perhaps) malevolent Javascript code,
cause actions to be taken on your behalf simply by getting you to look at
the wrong web page. The implications of this problem are stunning. Expect
to hear more about it in the near future. "

It's probably easier than we'd like to exploit. If the attacker can figure
out the URL to use (which is easy if you don't have a home-grown system)
they just need to get you to look at something while logged in; this is
particularly easy if we're talking about sites like Slashdot.org or
kuro5hin where they receive hundreds of unknown URLs every day.

Fortunately, the fix is extremely simple - probably a single line of code.
Basically what needs to be changed is the use of predictable form
parameters. The easiest solution is to require the use of a session
variable in the form data (e.g. "Confirm=$RANDOM_SESSION_VARIABLE" instead
of "Confirm=Yes"); I added this to some PHP scripts in a single line of
code. If this is done, there's no way to construct the redirect in such a
fashion that an action will be made automatically since the browser never
sends the attacker's server the cookies stored by the trusted server. Using
the session identifier cookie's value is the easiest way as it requires no
changes other than the check and the value must be unguessable in any case
(or an attacker could directly hijack the session); more paranoid folks
would use a random session variable.

Regards,
Chris Adams


-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its affiliated companies.

iQA/AwUBORta1NRugjSFkeg+EQJ2VgCdH/Xy6lmL65q6p96nQDMHuLcocugAn2LQ
eKSBHMY56mIJ7IV8Mpt5jiFn
=NX7B
-----END PGP SIGNATURE-----
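The server-side check Chris Adams describes, written out as an added example (not his PHP, and not code from Zope or any other project): a vulnerable handler that honours any request carrying Confirm=Yes beside a fixed handler that requires the session's own random token, which a redirect built by a third party has no way to know. The session store, the handlers, the /delete URL and the user name are all constructed for the demonstration.

```python
"""Tie the confirmation parameter to the session so that a request forged
via a redirect cannot supply it.  Added example; session store, handlers
and URLs are constructed and do not come from any real application."""
import hmac
import secrets
from urllib.parse import parse_qs

# Session store keyed by the value of the session-id cookie.  Constructed
# stand-in for a real session backend.
SESSIONS = {}

def new_session(user):
    """Create a session and a random per-session token alongside it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid

def confirm_form_html(sid):
    """The page the site itself serves: the token rides in a hidden field,
    so only a browser that loaded this page from the real site can post it."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="post" action="/delete">'
            f'<input type="hidden" name="Confirm" value="{token}">'
            '<input type="submit" value="Delete account"></form>')

def handle_delete_before(sid, body):
    """Vulnerable handler: any request carrying Confirm=Yes is honoured, so a
    URL the victim is redirected to while logged in performs the action."""
    if sid not in SESSIONS:
        return 401
    if parse_qs(body).get("Confirm") == ["Yes"]:
        return 200
    return 400

def handle_delete_after(sid, body):
    """Fixed handler: Confirm must equal this session's secret token.
    compare_digest keeps the comparison constant-time."""
    if sid not in SESSIONS:
        return 401
    supplied = parse_qs(body).get("Confirm", [""])[0]
    if hmac.compare_digest(supplied, SESSIONS[sid]["csrf"]):
        return 200
    return 400

def demo():
    """Replay both cases: the body a redirect would supply, and the body the
    site's own form posts.  The session cookie is present in both, which is
    exactly the situation the letter describes."""
    sid = new_session("alice")                 # victim is logged in
    forged = "Confirm=Yes"                     # what a crafted URL supplies
    genuine = "Confirm=" + SESSIONS[sid]["csrf"]   # what the real form posts
    return {
        "forged_before": handle_delete_before(sid, forged),
        "forged_after": handle_delete_after(sid, forged),
        "genuine_after": handle_delete_after(sid, genuine),
        "no_session": handle_delete_after("unknown", genuine),
    }

if __name__ == "__main__":
    print(demo())
```

The letter's cheaper variant, checking the form value against the session cookie itself, needs no extra state; the cost is that the cookie value then appears in page HTML, where anything able to read the page can read it, so a separate random token (as here) or a keyed hash of the session id is the safer choice when the one extra line of bookkeeping is affordable.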


   
Date: Fri, 12 May 2000 20:28:46 -0700
From: Carl Thompson <cet@carlthompson.net>
To: lwn@lwn.net
Subject: Re: The trouble with redirects

Linux Weekly News wrote about the browser redirect security problem:

> ...

> This will not be an easy problem to fix; it's buried pretty deeply in
> the structure of the web.  Short-term fixes can include user training
> (always log out immediately), defensive server measures (look at the
> referrer header, time out logins aggressively), or HTTP fixes
> (specially mark redirects or Javascript-submitted requests). None are
> perfect, and none can be implemented immediately.

This is not accurate.  HTTP redirects are handled by the client software
(browser).  When the client requests a web page from a server, the server
can return a web page that has a "302 redirect" message in its headers. 
(The body of the returned page would typically say that the requested page
has moved elsewhere.  However, the body is usually not seen because the
client sees the redirect and automatically loads the page specified by the
redirect instead.)  What this means is that this problem can be very easily
fixed by fixing clients (browsers) to do any of the following:

* Ignore redirect messages
* Don't send authentication or cookies to pages to which the client
  was redirected
* Pop up a warning box for all pages that are redirected
* Pop up a warning box only for pages that are redirected to pages
  that require authentication or cookies

All of these are relatively trivial modifications to the client software
only that can be implemented immediately.  No HTTP protocol or server fixes
are necessary.  The problem is definitely not "buried pretty deeply in the
structure of the web."

Having read the article at

   http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan

it's clear that the true problem is the author's insistence on attempting to
find a server side solution to a client side issue.

> ...

Carl Thompson
   
Date: Thu, 11 May 2000 21:28:18 -0500 (CDT)
From: Dave Finton <surazal@nerp.net>
To: letters@lwn.net
Subject: Where mp3 users and businesses have it wrong


MP3 and/or similar formats have the potential to flip the entire media
industry on its head.  It's no wonder the lawyers have come out
a'marching.  Scarcely a day or week goes by without some major new
development about such-and-such a band suing so-and-so mp3 company.  How
can we fight this, when the current state of laws lean heavily towards the
copyright holders?

The problem is our insistence on taking old media and converting it over
to the new.  The old media doesn't want to give up their current
position.  So why force them?  What we should be doing is creating
original content (lots of it) and distributing that through these brave
new formats.

It would be the best strategy to follow because 1) the media companies
can't sue when they don't own the copyright of the distributed content in
the first place and 2) the DMCA would protect the new media just as
effectively as the old.  If this strategy were followed to the point of
critical mass (much like the internet did) the new media would simply
supplant the old in a manner similar to how the internet is slowly
supplanting newspapers and TV today.

One way to do this would be to encourage independent labels to jump on
board.  MP3.com and napster both have been moderately successful in
signing up some bands; let's continue the trend.

At any rate, it sure beats a no-holds-barred lawsuit.

                          - Dave Finton

P.S. I know this isn't directly related to Linux but the open nature of
mp3s lends itself to being the favorite format of open source
enthusiasts (as well as many other people as I've seen in my
experience)... and it's definitely an important matter when the DMCA is
involved no matter what.  So I apologize for being somewhat
off-topic.  :^)

---------------------------------------------------------
| If an infinite number of monkeys typed randomly at    |
|   an infinite number of typewriters for an infinite   |
|   amount of time, they would eventually type out      |
|   this sentencdfjg sd84wUUlksaWQE~kd ::.              |
| ----------------------------------------------------- |
|      Name:      Dave Finton                           |
|      E-mail:    surazal@nerp.net                      |
|      Web Page:  http://surazal.nerp.net/              |
---------------------------------------------------------


Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds