Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise
news for all interests
Sections: Main page Security Kernel Distributions Development Commerce Linux in the news Announcements Linux History Letters All in one big page
Other LWN stuff:
Archives/search
Recent features: Here is the permanent site for this page. See also: last week's LWN.
|
Leading items and editorials'Ramen Worm' attacks Red Hat-based systems. A new worm, dubbed the "Ramen Worm", was spotted on the Internet this week. For those of you unfamiliar with the term, a "worm" is a self-propagating attack, e.g., a script is written to attack a system, copy itself to that system and then automatically go out to find new vulnerable systems and attack them. This differs from the term "virus" in that viruses are attached to or embedded in otherwise innocuous files or programs. Linux is generally (though not theoretically) immune to viruses; it is not immune to a worm, since a worm is simply a specialized case of a successful, usually network-based, attack.Nonetheless, a worm is self-propagating, like a virus, so there are similarities. This particular worm was not an impressive example, at least to security experts. It was cobbled together from pre-existing components and exploits vulnerabilities that are four to seven months old. As such, it is a good example of why we warned back in November, 2000 that the Linux community should not become too cocky about its security record, based on its relative immunity to viruses. Given how easily this one was developed, we can expect to see more of them in the future. The biggest lesson from the worm this week is apply your security updates. The only systems vulnerable to this attack were those with vulnerabilities that had been reported months ago and for which fixes had long since been available. Obviously enough systems fit this criteria to fuel a significant attack. The actual impact of the worm is minimal, restricted to disabling anonymous ftp access and defacing websites. Unfortunately, it could easily be modified to be much more damaging. Confirming the lack of actual malicious intent, the worm has been reported to only attack systems with anonymous ftp enabled and then to close politely close anonymous ftp behind it, essentially preventing the system from being infected again via the same mechanism, unless the local administrator re-enables anonymous ftp without patching the system. (It is worth noting that the scanning traffic created by the worm is causing problems for some networks, especially those which use multicast). The worm found this week specifically targets Red Hat 6.2 and Red Hat 7.0 systems that have not applied security updates for wu-ftpd, nfs-utils and LPRng. Here are the advisories for the applicable security updates, though, of course, it is recommended that all security updates be applied:
Red Hat 6.2:
In addition, although the worm was written to attack Red Hat Linux systems, the vulnerabilities themselves are not specific to Red Hat and therefore the worm could also easily be rewritten to attack other Linux systems. Below are links to our coverage of the involved vulnerabilities, including links to updates from other Linux/BSD vendors:
This ZDNet article provides some interesting information on the worm. For more technical detail, several analyses of the worm have been published, including this one by Daniel Martin. The majority of first-hand information about the worm comes from the SecurityFocus Incidents mailing list, on which the worm was first reported on January 15th.
Signs of the times. Should anybody still doubt that the Linux business climate has changed dramatically over the last year, a couple of events from the last week should help to clarify things:
The current business climate is clearly no fun, especially if your business depends on obtaining funds from investors. Linuxcare, Turbolinux, and Lineo have all attempted to go public; none have yet succeeded. In a world where private investment has dried up, and the IPO market is closed, it is difficult for a startup business to get large enough to firmly establish itself. In such an environment, about the only "get big fast" route that remains open is consolidation. It would not be surprising to see a number of other Linux companies look to mergers as a path to growth. A year from now, there may be a much smaller community of Linux companies doing business. Turbolinux, meanwhile, has long taken the approach that it is a software vendor, and that it is not interested in the services-based plans adopted by distributors like Red Hat. The merger with Linuxcare is obviously the end of that strategy. It is also likely to be the end of Turbolinux's IPO bid, at least for now. Merging with Linuxcare is such a fundamental change that Turbolinux would essentially have to throw out its IPO filing and start over. In a time when the markets are openly hostile to initial offerings, the company is unlikely to bother with a new filing. An interesting question will be whether the merger is the end of Linuxcare's distribution-independent policy. A credible, neutral stance will certainly be harder to maintain when Linuxcare is part of a major Linux distributor. Those interested in speculation might wonder if, instead, Turbolinux is preparing to deemphasize, if not exit, the distribution business in favor of its clustering and other value-added offerings. According to its IPO filing, Turbolinux only derived 37% of its revenue from operating system sales in the first half of 2000. Might Turbolinux have decided that its future lies elsewhere? What the future holds for Lineo is unclear. Failed IPO bids are often followed by reductions in staff; Lineo has grown rapidly through its series of acquisitions and may now find itself needing to slim down a bit. It is also worth noting that the embedded Linux world is highly fragmented, with several companies all competing with each other. Some consolidation in that sector is to be expected. VA Linux Systems puts out another warning. In another sign of the times, VA Linux Systems has put out another warning that earnings will not be up to expectations. Revenue for the second quarter (which ends on January 27) is expected to be $50 million at best, for a loss of $0.24-0.28 per share. Among other things, VA says that the usual January sales upturn has not happened this year, and blames the state of the economy in general. VA has also been facing price pressure: Additionally, the current economic conditions are creating a difficult pricing environment resulting in lower gross margins. Going forward in this economic environment, we intend to focus on higher margin business and to manage expense levels such that we can achieve profitability given our revised revenue expectations.
Of course, "manage expense levels" is PR-speak for "lay people off." The "current economic conditions" aren't getting any better. (VA has legal problems as well; see this week's Linux in Business page for discussion of the class-action lawsuits against the company). Through all of this it's worth remembering that Linux and the businesses that have sprung up around it are two different things. It may not be the easiest of times to run a Linux business (though it's certainly far better than it was even five years ago), but Linux itself is doing great. Adoption and mindshare continue to increase, and the software is just getting better. And many businesses are doing well. For example... There is still money for Linux businesses, at least occasionally. Consider these examples:
Clearly some investors still believe in the future of Linux, even if the stock market is not currently favorable. As Linux and free software in general continue to grow, investors will figure out that their future is still bright. We will, with luck, never see a repeat of the frenzy of a year ago; but we should, at some point, leave the current depression behind as well.
Interview: Larry Wall. ChangeLog.net editor Maya Tamiya has sent us another interview. This time, Maya has interviewed Larry Wall at the Perl/Ruby conference, which was held in Kyoto, Japan at the end of last year. In this interview, Larry discusses a wide range of topics, including his job at O'Reilly, Perl certification, the commercialization of Perl, competition between open source projects, the power of laziness, Perl 6, post-modernism, software patents, documentation, and more. (This interview contains a number of pictures; there is also a smaller version available for those with limited bandwidth). Hardware sales are getting, well, hard. Earlier this week Tuxtops announced that it would be dropping its Linux laptop line in favor of a software product to be announced at a later date. The LWN.net staff immediately began to ponder if there was some real problem with getting Linux to run on laptops, or if making a business out of that was really all that hard. After all, LinuxLaptops and VA have both exited that market. ASL still sells them though the list of small laptop vendors with a Linux focus is dwindling. So, what about the big players? IBM lists 3 ThinkPad models (A20m, T20, and T21) that they ship preloaded with Linux. All are loaded with Caldera OpenLinux eDesktop. While they point out that IBM hardware has been Red Hat certified, a search through Red Hat's certified hardware database, searching for "IBM" and "Notebooks" (any architecture, any Red Hat release), comes up empty. Gateway doesn't make it easy to determine if it sells notebooks preinstalled with Linux from its site. Compaq's support of Linux is well known, but its Linux site has no information on laptops. Dell at least has a Linux specific section on its site, but it only mentions servers and desktop system as preinstalled. No obvious information on laptops is provided. So what's the deal with laptops and Linux? Of course Linux works well on laptops (most of the LWN.net staff uses Linux laptops of one kind or another). The lack of preinstalled support can be the result of a number of issues. First, many of the features that are used to add value to laptops by hardware makers are only now, with the release of the 2.4 kernel, becoming commonly supported: USB, Firewire, DVD, S-Video output, WinModems, and so forth. Since smaller hardware vendors like LinuxLaptops or Tuxtops (though not necessarily Dell, IBM or Compaq) are generally not also Linux distributors, they rely on well-known distributions to support these features. That will happen later this year. For now, these smaller vendors are on their own. So that would leave the larger companies, those with resources to produce drivers for the more modern hardware features commonly found on laptops, to write their own drivers. They can do that, so why the lack of preinstallation? The next issue may be margins. While Linux is inexpensive, laptops are not. Larger companies have to push these machines in volume, though probably not to the levels required for desktop systems. Laptops with Linux preinstalled may not be the high volume market needed to sustain smaller, Linux-focused companies. Of course, all hardware vendors have been hit fairly hard by a slowing economy and weak sales in general. The disappearance of a few smaller vendors is a normal shakeout under these circumstances. But that still doesn't explain why preinstalled laptops from the big three aren't well publicized. While hardware support used to be a viable reason for lack of support, it's hardly the status quo these days. Too many people are writing drivers for new hardware - IBM expects to put $1 billion US dollars into development this year alone. Preinstalled Linux, especially on laptops shouldn't be that hard. So what is the biggest reason Linux isn't preinstalled? Laptops aren't servers. And Linux is still trying to establish itself on the desktop. Hardware makers have everything to gain with preinstalled Linux servers. The value in preinstalled desktops - and laptops - has yet to be measured. Update: A number of readers pointed out that Dell's web site does indeed list preinstalled Linux systems. You just need to look at the sidebar to find the link to the right page. Additionally, David Sifry, CTO of Linuxcare, pointed out that IBM's certifications come through Linuxcare, not Red Hat, despite the way it appears on IBM's site. Looks like the IBM web designers were just told the systems were "Red Hat Certified", and not who did that certification. Inside this week's Linux Weekly News:
This Week's LWN was brought to you by:
|
January 18, 2001
|