Leading items and editorials


Who do you sue? Few readers will need to be told about the "ILOVEYOU" virus/worm turned loose upon the net by somebody with a strange idea of fun. Millions of people were evidently affected, with damages estimated in the billions of dollars. Even accounting for a certain amount of overhype by the press, "ILOVEYOU" has been a disastrously expensive episode. One would think that people would be wondering about how it could be possible - and how to keep it from being possible in the future.

Microsoft disclaims any responsibility - its customers are evidently beating down its doors screaming for software that is insecure by design. But wasn't one of the shortcomings of free software supposed to be that there is nobody to sue when things go wrong? Billions of dollars of damages generally are a clue that something, somewhere has gone wrong. Microsoft's denial of any responsibility puts the lie to the claim that proprietary software comes packaged with somebody to go after for damages. It also guarantees that this all will happen again - as it has happened other times. The whole thing is pathetic to a degree that defies belief; no wonder that Phil Agre was moved to write that "Microsoft shouldn't be broken up. It should be shut down."

Events such as this tend to bring out smugness and condescension in Linux users. We don't have those sorts of problems, after all. It is fair to say that no self-respecting open source project would intentionally put out software which would run code from random users on the net. And when such a problem is found, free software developers almost always take (moral, though not financial) responsibility quickly and race to get a fix out as soon as possible. We live in a different world, and can only look in confused wonder at people who tolerate an environment where viruses are a routine problem.

Thus MandrakeSoft puts out an advisory on how Linux-Mandrake (and all other distributions) are not vulnerable. "Software viruses are programs that can infect poorly-secured computer operating systems and applications. Machines running the Linux operating system have never been infected by a virus yet." And Evan Leibovitch writes in ZDNet: "How many times do users of Windows need to be kicked in the head? It's as if we have a community of people who, upon discovery of 'kick me' signs attached to their backs, do nothing -- and then complain when they eventually do get kicked."

But life is not quite that simple.

It is true that Linux is highly unlikely to be caught by such a simple, email-borne bit of nastiness. But nobody would claim that Linux systems are 100% free of vulnerabilities. A suitably talented malware author who wanted to shoot down some of those smug Linux people would not have a hard time creating an embarrassing incident.

Consider, for example, the vulnerabilities in bind 8.2. Fixes were available back in November, but, according to this CERT advisory from last week, there are many sites on the net which have not applied those fixes. Many of those are likely to be systems where the administrators do not even realize that bind is installed and running. There are certainly numerous people out there who are sufficiently talented and malevolent to write a worm which would exploit those holes and propagate itself over the net. It would not catch any site with aware administrators or a decent firewall, but it could still make a large splash. It could put Linux advocates on the defensive in a hurry.

So we're best off remaining humble. We have a far better platform, one which will never support a whole anti-virus industry. But perfect security will continue to elude us for the foreseeable future. Best to keep working in that direction and let the results speak for themselves.

Feature: Beyond free software in Japan. Thanks to ChangeLog founder Maya Tamiya, we have this feature article looking at two Japanese projects which stretch the traditional boundaries of open computing. The Open Hardware Palmtop Computing Association has developed a palmtop system with the entire design being available under the GPL. It runs Linux, of course.

Then, for something completely different, there is the Open Source Toys Project. After all, cuddly penguins are interesting to more than just Linux hackers...

Red Hat changes direction. When Red Hat filed for its IPO just under a year ago, one thing that was emphasized in its business plan was its web portal. Selling Linux CDs wasn't where the real money would be - instead, it would emphasize other things, like services and the web. Recent events show that things seem to not be working out in quite that way.

For starters, Red Hat has laid off most of the staff from its Wide Open News site, and will cease doing original writing there. Instead, Wide Open News will simply repackage content from its partner sites (such as Salon). So the news business appears not to be going very well. Meanwhile, about the only other "portal" element to have come online is the Red Hat Marketplace, which has been up for less than a month. A year after the IPO filing, the Linux web portal turf looks to be strongly held by companies like VA Linux Systems, rather than Red Hat.

Instead, according to this press release, Red Hat is now in the venture capital business. "Red Hat Ventures" will make investments of $500,000 to $2 million in new, open source-related companies; investments have already been made in Sendmail, Inc., Rackspace.com, and e-smith. The more cynical among us could say that Red Hat, rather than figuring out a way to make money from its investors' capital, is hoping that some of these younger companies can do it instead. It's also true, however, that such investments can help improve the value of Linux (and Red Hat's distribution), give Red Hat early access to cool new developments, and pave the way for later acquisitions.

Meanwhile, Red Hat continues to sell lots of Linux CDs and related products. Some things haven't changed.

Inside this week's Linux Weekly News:

  • Security: Feature: The trouble with redirects.
  • Kernel: What's in Caldera's kernel; USB needs devfs?
  • Distributions: University Linux distributions unveil.
  • Development: A round-up of this week's development news and reports.
  • Commerce: The Free Standards Group
  • Back page: Linux links and letters to the editor
...plus the usual array of reports, updates, and announcements.

This Week's LWN was brought to you by:


May 11, 2000

 

Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds