News from PANUG/BizNix - January 29, 2003
http://panug.org - http://biznix.org

EMACS TRAINING

This is a reminder that BizNix is holding a 3-hour training course on Emacs on Saturday, February 1, 2003 from 9:00 am to about 12:00 pm or, possibly, longer. This course will not be repeated soon. BizNix members may attend for free. Non-members pay only $10. You can join BizNix now and attend for free. Visit the BizNix Web site for details.

RESUME WORKSHOP

PANUG is offering a workshop on how to write an effective resume on Tuesday, Feb 11 at 6:30pm at the Novell Office. This workshop is free to PANUG members. It's $5 for non-members.

BIZNIX BOOKS

If you're a BizNix member, you can check out books from the BizNix library for free. Visit the BizNix Web site and click the Books link.

SQL SLAMMER
by Ed Sawicki - Accelerated Learning Center / Tailored Computers

Most news articles about the SQL Slammer worm/virus mention that it targeted a known vulnerability in Microsoft SQL Server and that it "took down" 5 of the 13 root DNS servers. This led some people to believe that the root DNS servers are running Microsoft's SQL Server and were attacked. They are not and were not. Those servers were simply unfortunate enough to be sharing bandwidth with servers that were attacked. The attack consumed the bandwidth of the links - it did not take down the root DNS servers, which are running BIND on high-powered and reliable Unix platforms.

There are a few points to be made. The first is that we must be suspicious of articles in the trade press. Many are written by people who may be good wordsmiths but do not necessarily understand the technical details. They're just parroting what others say and sometimes don't understand that what they're writing is misleading. Look to the technical people in your user group for greater accuracy in the technical details.

The second point is that there are many good SQL database servers that are not as easily attacked.
Some of these SQL database servers are free, such as the highly-regarded PostgreSQL and the more popular but less functional MySQL.

The third point is that if you want to communicate with SQL servers in remote offices, use a VPN or some other encrypted link. In a shared environment like the Internet, we all suffer for the mistakes of those who know little about security.

The fourth point is that perhaps it's time for us to demand from our ISPs knowledge about who our neighbors are. If you've taken steps to secure your site, why should you suffer when another of the ISP's customers does not? You should know that you're sharing bandwidth with someone who can steal your share of the bandwidth because they ignore security. If I were running an ISP operation, I'd segregate responsible customers from the irresponsible.

The last point relates to the root DNS servers. This is the second time in recent memory that they were reported to be in jeopardy. The trade press now uses this as a yardstick for how severe Internet-borne attacks are. It wouldn't surprise me if we see attacks rated on the root DNS server scale. SQL Slammer was a "5". The next may be a 7. Heaven help us if we have a 13. Given this new yardstick, more attackers will be targeting the root servers. Is there anything we can do to protect ourselves from a 13? Yes, and this will be the subject of my presentation at PANUG's February meetings: "The Alternative Roots".

FEEDBACK ON SCO AND LINUX
by Raymond L. Robert

The bit on SCO (fka Caldera) is long on sensationalism, short on facts. SCO is looking to charge royalties for using SCO libraries on Linux. It was quite common, especially in the early days of Linux, to run SCO applications, such as WordPerfect, on Linux. For this to work, though, you needed to copy some SCO libraries. See, e.g., the WordPerfect-5 How-to still posted on Red Hat's site. There is a wink-wink-nod-nod warning, "Do not violate SCO's copyrights!"
I remember seeing similar advice on Usenet on how to run some databases on Linux. ZDNet Australia has the most balanced discussion of this I've seen: http://www.zdnet.com.au/itmanager/strategy/story/0,2000029582,20271243,00.htm. By the way, my SCO version of WordPerfect 5 (which I run on SCO) seems to me superior to my WordPerfect 8 for Linux and vastly better than WordPerfect 200x for Windows.

FEEDBACK ON MICROSOFT OPEN SOURCE

by Christian Bayer:

Hmmm... I would think IBM would have an issue with Microsoft sharing the huge portions of OS/2 source code in there. Or maybe Windows is now so bloated that the OS/2 code now comprises the secret mere 3% of the total. : )

by Ken Barber:

Please note the following:

1. This initiative is only available to national governments, not state or local entities.
2. Those who participate will not be allowed to modify and/or recompile anything, only to inspect.
3. Windows 2000 was widely reported to consist of 65 million lines of code. I have not heard how many are in XP.

Further, it is very likely that each participant will be bound to a strict non-disclosure agreement. This means that each government will have to hire its own programmers to comb through 65 million lines of code looking for security flaws at taxpayer expense. This can amount to a significant expense, and no one will be allowed to share any information about what they find. So the government of, say, Great Britain will spend zillions to find the same bugs that the government of, say, the United States is also spending zillions to find -- and Canada and New Zealand (not to mention California, Texas et al.) will still not know anything about any of it.

I think that Microsoft still does not "get it." They're still focusing on appearances instead of actual function (or, if one wants to be more cynical, we could compare them to hunters putting out decoys that "look like a duck," but meet none of the other criteria in the Duck Test, to attract the unwary).
Or maybe they do "get it." After all, it's a wonderful way to get their code audited at taxpayer expense. I see little benefit to the governments involved, and I doubt that this program will be a success.

by Scott Rainey:

Opening source code to one organization is a bit different than opening it to a lot of organizations. It's a lot like trying to be just a little bit preggers. If The Goon Squad(tm) at Hollywierd Inc. can't keep Star Wars-VIII from appearing on the net within an hour of its first public presentation, what chance does Gates & Co have of keeping the source code we actually care about secret? Nada. Of course they know this, so what's their real game?