
Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.

August 9, 2001

   
From:	 Joe 'Zonker' Brockmeier <jbrockmeier@earthlink.net>
To:	 lwn@lwn.net
Subject: Are you kidding?
Date:	 Wed, 8 Aug 2001 13:09:41 -0600 (MDT)

Hey guys,

I think you blew it, saying that the Linux Today incident should be
left behind so easily. Reichard only responded to the astroturfing
accusation, saying nothing about the accusations that he refused to
link to other sites, or that he was actively disparaging other Linux
news sources. It also doesn't address the accusation that he's actively
struck down other people's postings. I'm not saying that he has actually
done all these things, though I have experienced LinuxToday holding 
news submissions appearing on other sites for upwards of three to four
days, while other news submissions were posted immediately. But, he should
have addressed all of these issues. 

Frankly, LinuxToday has sunk farther and farther downhill since 
Internet.com has taken it over - and irresponsible people like Reichard
do not deserve to be let off the hook so lightly. It's fine for him
to have an opinion, but he should have the cojones to own up to his
opinion under his own name. If he can't do that, he doesn't belong in
the business. 

His apology does not go far enough. If this were a print publication, he'd
be out on the street. I find it disheartening that anyone would feel that
this should be dismissed so easily.

Take care,

Zonker
--
Joe 'Zonker' Brockmeier -=- jbrockmeier@earthlink.net
http://www.DissociatedPress.net/
Free Dmitry Skylarov! http://www.freeskylarov.org/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"I'll sleep when I'm dead." -- Warren Zevon

   
From:	 Theo de Raadt <deraadt@cvs.openbsd.org>
To:	 jake@iki.fi
Subject: RE: Usage of SSH
Date:	 Wed, 01 Aug 2001 23:27:44 -0600
Cc:	 letters@lwn.net

> I've just been wondering why every time there is a problem with Secure
> Shell from SSH Communications Security Corp (which, believe me, is really
> rare), it is so clearly stated that the problem is only in the commercial
> product, but when the problem is in an open source implementation of the
> protocol, quite a few sites don't bother making the point of specifying
> the product. They just talk about SSH.

That might be because (according to measurements we have been doing
for about a year) OpenSSH is fast becoming the most popular SSH
Protocol server on the net, especially for Protocol 2.  As well,
especially in the Open Source community, OpenSSH is very nearly the
exclusive choice, since it is included in the OS distributions.

See http://www.openssh.com/usage for our graphs.  (They are currently
being moved from elsewhere, so if you cannot get at them, try again
later).

Secondly, I think your sense of history is somewhat clouded.  The
deattack bug hit pretty much everyone's servers and clients, and it
was very clear who fixed it first.  We posted far and wide about the
issue, pretty much saying we had screwed up.  ssh.com took quite a
while to fix it.  Maybe people noticed?  Or maybe not.

> Don't get me wrong, I'm all for open source, but looks like open source
> folks are quite good at FUD too.

But probably not intentionally.

Apparently you live in Finland, a fairly small country where ssh.com
is located; if you attribute the situation stated above to malice on
our part instead of an informed decision of the masses, are we to
assume the same of you?  No, let's just stop right there. 

ps. I can't believe I just used the phrase "informed masses".
   
From:	 Mace Moneta <mmoneta@optonline.net>
To:	 letters@lwn.net
Subject: Regarding Dmitry Sklyarov
Date:	 Thu, 02 Aug 2001 08:07:17 -0400

Regarding Dmitry Sklyarov, I was wondering why the U.S. Attorney's 
Office has not arrested the researchers at IBM and AT&T Labs responsible 
for Quantum Computing and Quantum Factoring algorithms.  Clearly, their 
primary function is the circumvention of existing encryption methods. 
In fact, there have been several papers explaining the weakness of 
commonly used encryption when confronted by a "quantum attack".  

These circumvention devices can render the encryption methods, which are 
used to protect not only copyrighted material but secret material as 
well, worthless -- a blatant and flagrant violation of the DMCA as far 
as I can tell.

In fact, this development appears to be part of a broad conspiracy. 
There are "hacker communities" passing the "mathematics" and "physics" 
(terms commonly used by these hackers) to new generations.  These 
"teachers" are the equivalent of drug dealers, giving our youth the 
taste of illegal knowledge needed to progress the battle against decent 
and law abiding copyright holders.

I hope that our Attorney General steps in and declares war on these 
menaces to society.  

Sickening, isn't it?

Mace Moneta
mace@monetafamily.org

   
From:	 Joe Klemmer <klemmerj@webtrek.com>
To:	 <letters@lwn.net>
Subject: A minor clarification on the Dmitry Sklyarov situation
Date:	 Thu, 2 Aug 2001 13:02:00 -0400 (EDT)

	While I, like any other US citizen with at least two brain cells,
deplore the incarceration of Dmitry Sklyarov and the whole foundation of
the DMCA there's one thing that might be good to point out.  I've seen
many people outraged over the fact that he is being held without a bond or
parole hearing.  As Mr. Sklyarov is not a US citizen he is not entitled to
the same rights as the rest of us.  Unfortunately the "government" can
virtually hold him indefinitely.

	No I don't like it any more than you do but it's the way it works.

---
The most exciting phrase to hear in science, the one that heralds new
discoveries, is not "Eureka!" (I found it!) but "That's funny ..."
                -- Isaac Asimov

   
From:	 Leon Brooks <leon@cyberknights.com.au>
To:	 letters@lwn.net
Subject: To vigilant, or not to vigilant - that is the question
Date:	 Tue, 7 Aug 2001 10:27:29 +0800

By now we all know about CodeRedII and SirCam. We also know that 
hosting menaces like these is an almost exclusive property of 
Microsoft software. The question has been raised: do we have the 
right to, uh, proactively defend ourselves from the infected servers? 
And if so, how much defending should we do?

In my case, as I write, each of the single-IP servers here is taking 
a hit about every three minutes. At about 460 bytes a hit, that's 8k 
per hour per server. Not something to get flustered about. OTOH, 
other places are reporting a hundred times the rate, and web service 
in general appears to be a bit dodgy at the moment.

While any one server is not doing much damage, many raindrops make a 
flood. This flood is impacting my ability to use the Internet (my 
livelihood) and sooner or later the effect of exponents is going to 
result in something like a tidal bore.

This morning, I contacted a software supplier for the client I am 
working for now, to find out why an update hadn't arrived. It turned 
out that over the weekend, SirCam had buried their Exchange servers 
in jokes, porn, proposals and service reports.

Today, their intranet webserver was down for repairs after being 
CodeRedded, oh, and by the way their proxy server apparently had a 
web server up on it too, so all they have left is the 'phones and 
snail mail. Snail mail would take three or four days to get here from 
Queensland, and I'm going home tomorrow.

So both directly and indirectly, CodeRedII and SirCam have damaged my 
business, and the businesses of those I contract to. At law, I have 
certain rights of self-defense.

One of the side effects of SirCam is that it tells you that the 
originator is running binary emails. One of the side effects of 
CodeRedII is installing a public shell. Each machine has come to my 
client or server and told me how to get back to it and do what I 
please with it.

The opportunities are obvious. What should I do with them? I wrote a 
one-pager PHP script that I call CodeRed2 Explorer, for 
point-and-click navigation of and experimentation with compromised 
hosts. But what next?

The obvious first step would be to contact the originators and 
complain. This has several disadvantages, including that the 
machine or mailbox might not be attended, the recipient might not 
understand or believe my message, and the recipient might not be able 
to do anything about it.

So, am I within my rights to respond by deleting the offending 
program (Outlook or IIS) and/or shutting down the attacking machine? 
I'm pretty sure that uploading a Linux installer to the offending 
machine and running it is going too far, but I wonder how many others 
would agree, and how many would regard that as a final solution for 
the problem?
   
From:	 Matthew.Ramsay@lineo.com
To:	 letters@lwn.net
Subject: Reply to Jay R. Ashworth on PoPToP and SnapGear
Date:	 Thu, 2 Aug 2001 20:05:39 -0600


I'd like to make some things clear about where PoPToP comes from, Jay
Ashworth's comments and where SnapGear is taking PoPToP.

I wrote PoPToP back in February 1999 for MoretonBay's NETtel platform (now
called SecureEdge). Around April that year I made some changes for it to
work on x86 platforms and released PoPToP to the GPL community. There was
no existing PPTP server for Linux back then so the idea was to give back to
the community I enjoyed being a part of by providing something that hadn't
been written yet.

In May 2000, Lineo purchased Moreton Bay and continued funding work on
PoPToP on the Coldfire platform (which the NETtel -- renamed SecureEdge
-- used). At all times though we kept the PoPToP source code for the
Coldfire platform (and x86 platform) available. I focused my efforts on the
Coldfire and occasionally applied patches from various people to the x86
platform and released new versions. As I've got busier over the last year
the x86 tree became more difficult for me to maintain. However, I'd be more
than happy to help someone (perhaps Jay?) to fold Coldfire patches and
other patches into the x86 platform and let them contribute back into the
community.

Also, SnapGear was recently spun-off from Lineo to target the SOHO VPN
market and includes PoPToP as one of its VPN solutions. Again, SnapGear's
focus is on the Coldfire platform. Both Lineo and SnapGear together have
thousands of people and companies already using the Coldfire port of PoPToP
as their VPN solution and it works great. In this environment it needs to
work well... and we've worked hard to make it so.

Finally, of all the developers I've worked with and even the companies I
have worked with (Moreton Bay, Lineo and SnapGear) they have all actively
contributed to the GPL community and are continuing to do so. It is a great
thing to see and be a part of.


Cheers,
Matt.


   
From:	 cpb@log2.net
To:	 letters@lwn.net
Subject: Woody by Christmas?
Date:	 2 Aug 2001 14:20:29 -0000

On the Distributions page of the LWN issue of 2001-08-02, you suggest that
a release of Debian Woody is expected by Christmas. However, your reference
(Debian Weekly News for July 31) says that Woody will be released by Christmas
"if everything goes BETTER than planned" (emphasis mine). Anyone who expects
Woody by Christmas is a...uh...optimist. But as Mr. Stallman says, "it will
be done sooner if you help!"       - Chris Bopp
   
From:	 "Schaefer, Peter" <peter.schaefer@gmx.de>
To:	 "'lwn@lwn.net'" <lwn@lwn.net>
Subject: "Open source databases have some catching up to do" - not quite
Date:	 8 Aug 2001 10:41:38 +0200

Dear LWN editors,

this news article on your daily updates page
finally triggered a response by me, because 
there is - since the beginning of the year -
a full featured, 24/7 capable database system
available as full GPL'd, LGPL'd open-source:
SAP-DB.

It's maybe not widely known outside of Germany,
but the SAP guys in Berlin do a tremendously good
job. SAP-DB is used as the data center for many
SAP/R3 installations worldwide, has nearly full SQL92 
compliance and can even be switched to other SQL-dialects 
like Oracle or AdabasD. Stored procedures, triggers and 
relational constraints are available; additionally, several 
log backup strategies are possible without the need to 
pause the database, making 24/7 operation possible.

Client libraries include JDBC, ODBC and a C-Precompiler;
full source available, LGPL'd.

Conclusion: There is at least one open-source DB which
doesn't need to catch up, I think ;).

Link: http://www.sap.com/solutions/technology/sapdb/

Best Regards, 

  Peter
-- 
peter.schaefer@gmx.de
   
From:	 "Jay R. Ashworth" <jra@baylink.com>
To:	 torvalds@transmeta.com
Subject: Happy 10th Anniversary
Date:	 Tue, 7 Aug 2001 10:53:44 -0400
Cc:	 letters@lwn.net

What a long, strange trip it's been.  Thanks, man; you gave me
something to do for a decade.

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra@baylink.com
Member of the Technical Staff     Baylink                             RFC 2100
The Suncoast Freenet         The Things I Think
Tampa Bay, Florida        http://baylink.pitas.com             +1 727 804 5015

                    Linux: the Choice of a GNU Generation
Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds