Linux links of the week

Are you curious about the occasional references to the "Wiki Wiki Web" or just "Wiki"? Wiki sites take a new approach to web pages by allowing anybody to make changes to any page on the site. Wiki sites are thus truly cooperative developments. It sounds like a recipe for chaos, but, thus far, it seems to work fairly well. See the original Wiki Wiki Web site at the Portland Pattern Repository for a starting point. Have some patience at the beginning; getting started with Wiki takes a bit of effort. See also the ZWiki site for a Zope-based implementation. For a distinctively read-only experience, instead, William Gibson's classic novel Neuromancer is online.

Section Editor: Jon Corbet
May 18, 2000 |
Letters to the editor

Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
Date: Thu, 11 May 2000 10:49:17 +0100
From: kevin lyda <kevin@suberic.net>
To: Nathan Myers <ncm@cantrip.org>, letters@lwn.net
Subject: proprietary distros?

Nathan Myers wrote:
> Perhaps once Potato is out, Debian will just take over the world;
> then all those people working on proprietary distros can go home and
> do something productive instead. :-)

huh? one of the most proprietary distros i know is corel - based on debian. mandrake is based on redhat, and seems quite open. redhat's distro is gpl'ed so people are free to copy it (like mandrake and a number of other distros outside the states). redhat for one has done a great deal to increase the amount of gpl'd code available, including but not limited to their own distribution.

to call mandrake and redhat [proprietary] is a disservice to the entire free software community by watering down the true meaning of proprietary.

kevin
--
kevin@suberic.net        "we were goin' for breakfast. in canada. we
fork()'ed on 37058400     made a deal: if she'd stop hookin', i'd stop
meatspace place: home     shootin' people. maybe we were aiming high."
                                                    --porter, "payback"
Date: Thu, 11 May 2000 13:29:03 -0700
To: letters@lwn.net
From: Peter Lawson <peter.lawson@noaa.gov>
Subject: LoveBug "virus"

As a biologist, I see an obvious analog to the epidemic of LoveBug infections. In agriculture, large fields of genetically identical plants are vulnerable to novel diseases precisely because there is no variability among the plants. Each is equally vulnerable and each spreads the disease in the same way. The large population of Windows computers running Outlook is a monoculture, just as large fields of corn or soybeans may be. A virulent virus spreads rapidly through the fields of Outlook just as it would spread through a field of corn.

Nicholas Petreley comes closest to suggesting this analogy in his LinuxWorld article when he pointed out that linux users are less vulnerable to this kind of attack because there is so much variety in the mail programs we use.

The problem is clear -- Microsoft has suppressed variability in the software world with its monopolistic practices, rendering the largest segment of the community vulnerable to relatively simple attacks. The solution is also clear -- do whatever it takes to allow variability in software to flourish, as it would in a fair, competitive environment. This is the best evidence I have seen of the harm that the Microsoft hegemony is causing in the computer world.

Cheers,
Peter Lawson
pnjreid@newportnet.com
Date: Thu, 11 May 2000 13:05:58 -0700 (PDT)
From: Colin Kuskie <ckuskie@cadence.com>
To: lwn@lwn.net
Subject: Programs that run random code

    It is fair to say that no self-respecting open source project would intentionally put out software which would run code from random users on the net.

This quote, from the main page of the May 11, 2000 Linux Weekly News, is a little inaccurate. Perhaps it's picking nits, but I'll give a couple of examples:

- I'm pretty sure that Mozilla runs Javascript, which is code from random users on the net. Likewise with Java. And I don't think that anyone really believes that either is as secure as they claim.
- Macro capabilities inside the open-source spreadsheets and word processors are just as dangerous. Imagine if you could get root to run a Gnumeric spreadsheet with Scheme/Python/Perl bindings.
- Script-Fu for Gimp.
- The TCL browser plug-in.

Now, arguably later on you do say:

    It is true that Linux is highly unlikely to be caught by such a simple, email-borne bit of nastiness. But nobody would claim that Linux systems are 100% free of vulnerabilities. A suitably talented malware author who wanted to shoot down some of those smug Linux people would not have that hard of a time creating an embarrassing incident

I would say that the immunity of Linux users comes from another source. We have an innate distrust for closed source. It's my opinion that most Linux users would actually read the source to executable code before executing it, especially if it's a small attachment to an email.

As our user base expands, that will no longer be true. It will be up to us to educate and to guarantee that the applications that they use will by default protect the user, at the cost of not having embedded spreadsheets and HTML in our email. Aside from the fact that embedding those things in email is stupid, it's a small cost compared to the estimated six billion dollars in damage from ILOVEYOU.

Colin Kuskie
Date: Fri, 12 May 2000 11:40:26 +0100
From: Edmund GRIMLEY EVANS <edmundo@rano.org>
To: letters@lwn.net
Subject: Linux viruses

There was an entertaining discussion in the mutt-dev mailing list about how Linux can be made to support viruses just as well as Microsoft. Thomas Roessler suggested one recipe, which can probably be adapted to work with mail clients other than Mutt (www.mutt.org):

.mailcap:
    application/x-sh; sh %s; copiousoutput

.muttrc:
    auto_view application/x-sh

I hope I am right in assuming that no reader of LWN is sufficiently stupid to actually use this recipe ...

Edmund
Date: Thu, 11 May 2000 13:29:11 -0400
From: Pierre Baillargeon <pb@artquest.net>
Subject: Re: The trouble with redirects
To: letters@lwn.net

At the end of the article you mention that fixing the problem would "not be an easy problem to fix; it's buried pretty deeply in the structure of the web." Well, the fix may be better applied on the other side of the web: the browser. Wouldn't it be trivial just to ask the user for approval for redirection, just like it is currently possible with cookies? Browsers could even detect that the URL contains a submission and only request the approval for such requests.

By putting the fix in the hand of the users, security conscious people can actively defend themselves against sites which refuse to implement the proposed fixes. A knowledgeable coder could put this idea in practice in Mozilla now, providing yet another example of the benefits of free software: the possible quick response-time to a security problem.
From: "Chris Adams" <chris@improbable.org>
To: "letters@lwn.net" <letters@lwn.net>
Date: Thu, 11 May 2000 18:13:56 -0700
Subject: Re: The trouble with redirects

http://www.lwn.net/2000/features/Redirect.phtml

    "The folks at Digital Creations have, in the process of tracking down a security problem with the Zope application server, turned up a security difficulty with the web as a whole. Given the way the web and authentication-based sites work, a suitably unpleasant attacker could, through the use of HTTP redirects and (perhaps) malevolent Javascript code, cause actions to be taken on your behalf simply by getting you to look at the wrong web page. The implications of this problem are stunning. Expect to hear more about it in the near future."

It's probably easier than we'd like to exploit. If the attacker can figure out the URL to use (which is easy if you don't have a home-grown system) they just need to get you to look at something while logged in; this is particularly easy if we're talking about sites like Slashdot.org or kuro5hin where they receive hundreds of unknown URLs every day.

Fortunately, the fix is extremely simple - probably a single line of code. Basically what needs to be changed is the use of predictable form parameters. The easiest solution is to require the use of a session variable in the form data (e.g. "Confirm=$RANDOM_SESSION_VARIABLE" instead of "Confirm=Yes"); I added this to some PHP scripts in a single line of code. If this is done, there's no way to construct the redirect in such a fashion that an action will be made automatically since the browser never sends the attacker's server the cookies stored by the trusted server. Using the session identifier cookie's value is the easiest way as it requires no changes other than the check and the value must be unguessable in any case (or an attacker could directly hijack the session); more paranoid folks would use a random session variable.
Regards,
Chris Adams
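The fix Chris Adams describes, as an added toy example that is not code from the letter, from LWN or from his PHP scripts: a server-side handler that performs the action only when the form's Confirm value matches the unguessable session id the browser already holds as a cookie. The session store, the request dictionaries and all function names are constructed for illustration.

```python
import hmac
import secrets

# Constructed session store: session id -> per-session state. The browser
# attaches the id as a cookie to every request to the trusted site, including
# one it was redirected into by a hostile page.
SESSIONS = {}

def login(user):
    """Start a session; the id is the only secret the browser holds."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "confirmed": False}
    return sid

def handle_confirm(cookies, form, require_token):
    """Server-side handler for the "Confirm" action; returns (status, msg).

    cookies: sent automatically by the browser (the attacker never sees them).
    form: form parameters, which an attacker can choose when building the URL.
    require_token: False = the original "Confirm=Yes" check;
                   True = the letter's fix, Confirm must equal the session id.
    """
    sid = cookies.get("session")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "not logged in"
    expected = sid if require_token else "Yes"
    # Constant-time comparison: the session id is a secret, "Yes" is not.
    if not hmac.compare_digest(form.get("Confirm", ""), expected):
        return 403, "Confirm value does not match the session"
    sess["confirmed"] = True
    return 200, "action performed for " + sess["user"]

def forged_request(sid):
    """What a victim's browser sends after following an attacker's redirect:
    the attacker chose the form data but could only guess a fixed value."""
    return {"session": sid}, {"Confirm": "Yes"}

def legitimate_request(sid):
    """Request from the site's own form, which embeds the session value."""
    return {"session": sid}, {"Confirm": sid}

if __name__ == "__main__":
    sid = login("alice")
    cookies, form = forged_request(sid)
    print(handle_confirm(cookies, form, require_token=False))  # 200: fooled
    print(handle_confirm(cookies, form, require_token=True))   # 403: rejected
    print(handle_confirm(*legitimate_request(sid), require_token=True))  # 200
```

With the weak check the forged request succeeds because the cookie is sent regardless of who built the URL; with the token check it fails because only the site's own form can know the session value.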
Date: Fri, 12 May 2000 20:28:46 -0700
From: Carl Thompson <cet@carlthompson.net>
To: lwn@lwn.net
Subject: Re: The trouble with redirects

Linux Weekly News wrote about the browser redirect security problem:

> ...
> This will not be an easy problem to fix; it's buried pretty deeply in
> the structure of the web. Short-term fixes can include user training
> (always log out immediately), defensive server measures (look at the
> referrer header, time out logins aggressively), or HTTP fixes
> (specially mark redirects or Javascript-submitted requests). None are
> perfect, and none can be implemented immediately.

This is not accurate. HTTP redirects are handled by the client software (browser). When the client requests a web page from a server, the server can return a web page that has a "302 redirect" message in its headers. (The body of the returned page would typically say that the requested page has moved elsewhere. However, the body is usually not seen because the client sees the redirect and automatically loads the page specified by the redirect instead.)

What this means is that this problem can be very easily fixed by fixing clients (browsers) to do any of the following:

* Ignore redirect messages
* Don't send authentication or cookies to pages to which the client was redirected
* Pop up a warning box for all pages that are redirected
* Pop up a warning box only for pages that are redirected to pages that require authentication or cookies

All of these are relatively trivial modifications to the client software only that can be implemented immediately. No HTTP protocol or server fixes are necessary. The problem is definitely not "buried pretty deeply in the structure of the web."

Having read the article at http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan it's clear that the true problem is the author's insistence on attempting to find a server side solution to a client side issue.

> ...

Carl Thompson
Date: Thu, 11 May 2000 21:28:18 -0500 (CDT)
From: Dave Finton <surazal@nerp.net>
To: letters@lwn.net
Subject: Where mp3 users and businesses have it wrong

MP3 and/or similar formats have the potential to flip the entire media industry on its head. It's no wonder the lawyers have come out a'marching. Scarcely a day or week goes by without some major new development about such-and-such a band suing so-and-so mp3 company. How can we fight this, when the current state of laws leans heavily towards the copyright holders?

The problem is our insistence on taking old media and converting it over to the new. The old media doesn't want to give up their current position. So why force them? What we should be doing is creating original content (lots of it) and distributing that through these brave new formats. It would be the best strategy to follow because 1) the media companies can't sue when they don't own the copyright of the distributed content in the first place and 2) the DMCA would protect the new media just as effectively as the old.

If this strategy were followed to the point of critical mass (much like the internet did) the new media would simply supplant the old in a manner similar to how the internet is slowly supplanting newspapers and TV today. One way to do this would be to encourage independent labels to jump on board. MP3.com and napster both have been moderately successful in signing up some bands; let's continue the trend.

At any rate, it sure beats a no-holds-barred lawsuit.

- Dave Finton

P.S. I know this isn't directly related to Linux but the open nature of mp3's lends itself to being the favorite format of open source enthusiasts (as well as many other people as I've seen in my experience)... and it's definitely an important matter when the DMCA is involved no matter what. So I apologize for being somewhat off-topic. :^)

---------------------------------------------------------
| If an infinite number of monkeys typed randomly at    |
| an infinite number of typewriters for an infinite     |
| amount of time, they would eventually type out        |
| this sentencdfjg sd84wUUlksaWQE~kd ::.                |
| ----------------------------------------------------- |
| Name: Dave Finton                                     |
| E-mail: surazal@nerp.net                              |
| Web Page: http://surazal.nerp.net/                    |
---------------------------------------------------------