News from PANUG/BizNix - June 21, 2002
http://panug.org - http://biznix.org

FREE/BUSY DETAILS

At last night's PANUG meeting, Tom Rich, the presenter, was asked about how Caldera's Volution Messaging Server handled free/busy information for Microsoft Outlook clients. Tom sent us a link to a web page that answers the question:

http://docsrv.caldera.com:8457/en/volutionmsg_ag/msgag.caladmin.html

WHY SOFTWARE IS SO BAD

or "Software sucks because users demand it to."
By Charles C. Mann

http://www.technologyreview.com/articles/mann0702.asp?p=1

VERSION FATIGUE

This article, which is not especially well-written and doesn't go as far as it could/should, points out the downside of products whose user interface changes with each new version: users are less willing to learn products when they know that that knowledge will be made obsolete by the vendor before long. This is not a new revelation. One PANUG member recognized this a year or two ago and referred to it as "throwaway knowledge". Perhaps he might want to write an article on the subject.

http://www.techcentralstation.com/1051/techwrapper.jsp?PID=1051-250&CID=1051-061902B

YET ANOTHER SECURITY INITIATIVE

In response to yet another serious security hole in Internet Explorer, Microsoft announced it will put more effort into, and generally speed up, plans to rework/remove bad code from many of their products. The move comes amid criticisms from industry analysts who point out that Microsoft's "Trustworthy Computing" initiative, announced in January, has up to now been more hype than substance.

http://news.com.com/2100-1001-934363.html

APACHE ISSUES

by Ed Sawicki - Accelerated Learning Center / Tailored Computers

A security hole in the Apache web server has been discovered and fixed. You should upgrade to version 1.3.26 or 2.0.39. The bug has to do with requests that use chunked encoding. Note that the problem was discovered by routine investigation by the developers. It was not discovered and used by a hacker/attacker to attack systems (yet). The full text of the issue is here:

http://httpd.apache.org/info/security_bulletin_20020620.txt

For those of you who enjoy the technical detail, this web page contains interesting information about the issue of multi-threading versus forking child processes - a perennial debate, especially between Linux and Windows developers. Here's the relevant text from the page:

    In most cases the outcome of the invalid request is that the child process dealing with the request will terminate. At the least, this could help a remote attacker launch a denial of service attack as the parent process will eventually have to replace the terminated child process, and starting new children uses non-trivial amounts of resources.

    On the Windows and Netware platforms, Apache runs one multithreaded child process to service requests. The teardown and subsequent setup time to replace the lost child process presents a significant interruption of service. As the Windows and Netware ports create a new process and reread the configuration, rather than fork a child process, this delay is much more pronounced than on other platforms.

This seems to indicate that, in Apache's case, the pre-forking child process model used by Linux and other Unix platforms is a more efficient design - especially when the server is under attack by a child killer. The more efficient model also helps under conditions of varying load when the parent (normally) needs to terminate and respawn children.

Another lesson from this is that, if high performance is important to you, it's best to configure Apache so it keeps an abundance of idle children around. This helps minimize the time-costly spawning process - regardless of the platform and model used.
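
To check a server against the fixed releases named in the Apache item above (1.3.26 and 2.0.39), the following is an added example, not part of the original newsletter or of the Apache project. The function names `apache_version` and `check_apache` are hypothetical, and the banner strings are constructed samples in the form printed by `httpd -v` or sent in a `Server:` header.

```sh
#!/bin/sh
# Added example: compare an Apache version banner against the fixed
# releases named in the newsletter (1.3.26 on the 1.3 branch, 2.0.39 on
# the 2.0 branch). Function names and sample banners are assumptions.

# Extract "major.minor.patch" from text containing "Apache/x.y.z".
apache_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*Apache\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Print "ok" (at or above the fixed release), "upgrade" (below it) or
# "unknown" (no Apache version found, or a branch the newsletter does not
# mention).
check_apache() {
    ver=$(apache_version "$1")
    [ -n "$ver" ] || { echo unknown; return; }
    branch=${ver%.*}    # e.g. 1.3
    patch=${ver##*.}    # e.g. 24
    case "$branch" in
        1.3) fixed=26 ;;
        2.0) fixed=39 ;;
        *)   echo unknown; return ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo ok; else echo upgrade; fi
}

# Constructed sample banners, one per line.
while IFS= read -r banner; do
    printf '%-8s %s\n' "$(check_apache "$banner")" "$banner"
done <<'EOF'
Server version: Apache/1.3.24 (Unix)
Server: Apache/1.3.26 (Unix)
Server: Apache/2.0.36 (Win32)
Server: Apache/2.0.39
Server: ExampleHTTPd/4.0
EOF
```

A banner only reports the version string, so a vendor package that carries a backported fix under an older number will still show as "upgrade" and needs to be confirmed against the vendor's own advisory.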