
Weekly news wrap-up: Mozilla 1.0 released, Linux more secure than some might think

By Grant Gross

The big news for the week was the release of Mozilla 1.0 after the browser had been in development for four years. The release opened a floodgate of reviews, mostly positive, including one from Tina Gasperson, who marveled at the browser’s configurability.
Other Mozilla reviews: CNet called it good but no Internet Explorer killer, while eWeek says Mozilla “impresses from all angles.”

What’s the problem with Linux security?

Robin “Roblimo” Miller points out that the cross-platform Simile.D virus, which is supposed to attack Linux as well as Windows, only works on Linux if you’re running as root. Now, who’s dumb enough to do that? Robin also suggests a “new” way of keeping your systems secure: Running operating systems so old the young script kiddies don’t know what to do with them.

Speaking of security, a soon-to-be-released white paper questioning Open Source security has raised questions about who funded it. The conservative think tank Alexis de Tocqueville Institution has received funding from Microsoft in the past, although it won’t disclose who funded this current study. We spoke to study author Ken Brown, who runs Apache on the think tank’s Web site, and found a lot of assumptions he’s making about security that Open Source fans could argue with. Editor’s note: Here’s a link to the study, apparently released June 10.

Nader vs. Microsoft

Former U.S. presidential candidate Ralph Nader and technology consumer advocate Jamie Love threw their hats into the Microsoft antitrust debate this week. Nader and Love suggest the U.S. government could easily end the Microsoft monopoly by putting limits on the amount of Microsoft products it will buy. That’d give a new advantage to Linux and companies like Apple. Of course, it didn’t take long for someone to find fault with the Nader/Love idea. ZDNet said the courts should deal with antitrust and government offices should decide to buy Microsoft products on their merits.

Odds ‘n’ ends

  • The German government signed a contract with IBM to supply SuSE Linux at a discount to a variety of government offices.

  • The government of Taiwan also has a Linux initiative involving the development of a local version of Linux.

    Success story of the week

    Maybe not a success story yet, but the word seems to be getting out about Linux. Half of those responding to a CNet poll said they expect Linux to play a significant or major role in their companies’ business plans.

    Newly released

  • AbiWord 1.0.2 hit the download sites this week.

  • Linux kernel 2.5.21 was released.

  • Audacity 1.0, a multi-track audio recording and editing program, was also released.

    Newly reviewed

  • Norbert Cartagena takes ELX Linux for a spin and says the distribution aimed at people new to Linux should appeal to former Windows users, because it looks so much like Windows.

  • Linuxlookup.com has a review of Engarde Secure Linux Pro 1.1: “I am happy to see a Linux distribution that is really secure straight from the box. You can tell that a lot of thought and planning went into it. Instead of lumping a bunch of programs together and calling it a distribution, Engarde was designed to be Secure from the ground on up.”

  • Linuxlookup also looks at Red Hat 7.3 and finds it “the best offering so far.”

  • LinuxWorld.com says Linux Mandrake 8.2 offers “the easiest installation ever.”

    New at NewsForge/Linux.com

    Among the other stories we reported first this week:

  • Tina reports that the Free Software Foundation says Lindows is moving toward compliance with the GNU General Public License after a public spat earlier.

  • Steven J. Vaughan-Nichols hunts for evidence of Linux on IBM pSeries hardware and doesn’t find much.

    Stock news

    The Nasdaq dived again this week, from 1,615.73 to 1,535.48. Where’s that rumored economic turnaround? Only four of our 11 Open Source-related stocks posted gains for the week, most of them just a few cents. Red Hat was one of those posting a gain after announcing a partnership with Oracle and Dell, dubbed “Unbreakable Linux.” The partnership will allow Oracle’s 9i database software to run on Red Hat Linux on Dell’s PowerEdge servers.

    Here’s how Open Source and related stocks ended this past week:

    Company Name              Symbol    5/31 Close   6/7 Close
    Apple                     AAPL      23.30        21.40
    Borland Software Int’l    BORL      9.57         9.83
    Caldera International     CALD      0.84         0.87
    Hewlett-Packard           HPQ       19.09        18.69
    IBM                       IBM       80.45        78.30
    MandrakeSoft              4477.PA   €2.20        €2.35
    Red Hat                   RHAT      4.81         5.03
    Sun Microsystems          SUNW      6.89         6.42
    TiVo                      TIVO      4.37         4.20
    VA Software               LNUX      0.87         0.821
    Wind River Systems        WIND      6.72         6.32

    Linus releases kernel 2.5.21

    Linus today announced the release of Linux kernel 2.5.21. The full changelog is at kernel.org.

    Category:

    • Linux

    Phoenix Linux User Group install fest

    farli writes “On Saturday, June 22, the Phoenix Linux Users Group (PLUG) invites the public to a Linux InstallFest at Scottsdale Community College. Attendees will receive expert help in installing the GNU/Linux operating system, a freely available secure operating system, on their personal computers.

    After the InstallFest, users who brought their computers along can in many cases go home with working systems installed on their machines, free of charge. The package includes web browsers, word processors, and other usual tools that computer users expect.

    PLUG’s organizer for the event is William Lindley, a computer consultant. “This is what the Free Software community is all about – helping each other, and we’ll be helping folks get started,” Lindley explained. “We’re all looking forward to this InstallFest.”

    The software is an alternative to Windows and other proprietary systems. Linux, GNU, FreeBSD and other Open Source and Free Software systems do not require any licensing or upgrade fees, and are said by many experts to be more efficient and secure than Windows systems.

    Businesses and home users alike are turning to Free Software which can be freely copied, modified, or examined, and which is considered by computer experts to be more robust and secure than proprietary systems.

    Though there is no charge, the term Free Software actually refers to freedom from license restrictions: Users are never asked to click “I Agree” to a list of prohibitions before using it, and organizations need not store “Certificates of Authenticity” in their safe deposit boxes in case of an audit.

    The Free Software products are available at no charge through the Internet or as an inexpensive distribution at most local computer stores, but the InstallFest offers users a completed installation by experienced Linux and FreeBSD administrators. Computer users are invited to bring their computers to the event. Usually, only the computer box, monitor, keyboard and mouse need be brought – see the PLUG web page for details.

    “Your old operating system can remain as an alternative, or we can replace it entirely,” Lindley said, “depending on your plans for the machine and how much disk space you have to spare.”

    “This is an important next step in development of computers and the Internet — making them more affordable and more secure,” Lindley said. “We are here to show how easy it can be for computer users to move up to the next level.” The event will be held from 10:00 a.m. to 4:00 p.m. in the College’s Turquoise Room, at 9000 E. Chaparral Rd., Scottsdale, AZ. A map is available online at PLUG’s web site, ( http://plug.phoenix.az.us ).

    PLUG members will be available to answer questions about Linux, Open Source software, and the Phoenix Linux Users Group as well. For more information about the InstallFest, email contact@plug.phoenix.az.us or call William Lindley at 480-947-6100.

    PLUG is an informal group that holds several monthly meetings, on both the East and West sides of Phoenix, to talk about what they’ve recently done with Linux, GNU and Open Source software; to share problems and solutions, and to discuss issues in the world of Free Software and computers in general. Knowledge of Linux is neither presumed nor required. Between meetings, PLUG members stay in touch through a busy e-mail discussion list.

    More information about PLUG can be found on the website at http://plug.phoenix.az.us/ .

    Scottsdale Community College offers two year degree programs in many disciplines including computers, arts, and science. SCC also offers university transfer programs and special interest courses, and has hosted several Free Software events.

    Additional event sponsors are:

    Arizona Open Technology Organization – http://www.azoto.org
    Red Hat Linux – http://www.redhat.com
    Yellow Dog Linux – http://www.yellowdoglinux.com
    SuSE Linux – http://www.suse.com/index_us.html
    TurboLinux – http://turbolinux.org
    Open Source Education Foundation – http://www.osef.org

    Category:

    • Linux

    Commentary: Why I don’t trust software reviews

    – By Robin “Roblimo” Miller
    I don’t fully trust software reviews, even ones I write myself. User experiences and expectations are so variable that software reviews are almost as subjective as movie reviews. Let’s use StarOffice as an example.

    I wrote a review of StarOffice 6.0 a day or two after the pre-release “review version” was made available to journalists. I said, right here, that it ought to be worth $50 to $100 for corporate users, but that I personally would probably keep using the less feature-rich, free OpenOffice.org version of what is essentially the same product because it does everything I need.

    Note the word “I” in there. It’s there on purpose, because a software review, especially of a user-level piece like StarOffice, is really an account of one person’s experience with that software. Note, too, that I was flamed like mad by people whose experiences with StarOffice and OpenOffice differed from mine.

    When I wrote that review, I was talking strictly about the Linux versions of StarOffice and OpenOffice, and I was speaking from the viewpoint of someone who has been using previous versions of StarOffice for a number of years. I took a brief, “Yup, it loads and seems to work okay,” look at the Windows version on the one Windows partition we keep around the house for things like that, but did not go deeply into the Windows side of StarOffice because, aside from the fact that I generally work while connected to the Internet and consider Windows far too insecure to use while online, I figured there were plenty of journalists out there who use nothing but Windows and would review StarOffice like mad over the next few months, so why should I add to the clutter?

    So I started from a biased viewpoint, and openly admitted it in the review. Note that I have had a sterling opportunity to test StarOffice and OpenOffice beyond the usual reviewer’s fast look, including their handling of MS .doc files and collaborative features, because I used those two programs to write an entire book (due out from Financial Times Press in September), and went through the entire book markup process with MS Office-using editors, glitch free. But even this experience is mine alone. A friend of mine — an ardent Linux user — said he had nothing but problems trying to use OpenOffice back and forth with his publisher and ended up using MS Office and Windows even though he didn’t want to.

    My manuscript contained embedded illustrations. So did my friend’s. Both went through several rounds of editing. The (laptop) computers we use are roughly comparable in performance. He uses Debian and I use Mandrake, but this shouldn’t affect the behavior of OpenOffice or StarOffice, because both programs are quite stable when running on either Debian or Mandrake.

    Very strange.

    Here’s a StarOffice review on InfoWorld.com. Or is this really a review? It seems to contain mostly statements that could have been found in PR material for StarOffice. Indeed, I see no evidence that the author of this article installed and used StarOffice. Maybe that’s because I don’t read well.

    Here are several other reviews of StarOffice 6.0:

    Are we all looking at the same piece of software?

    I think we’re looking at the many ways people use a program and the preconceived notions — biases, if you will — they bring with them when they write a review. I don’t feel my opinions are necessarily more valid than the ones Rob Pegoraro writes for The Washington Post or those Dan Farber writes for ZDNet, and I don’t feel any of our opinions are necessarily more valid than those posted by readers here on NewsForge or in the ZDNet talkbacks or in “reader response” forums at other online publications.

    What do you think? Are software reviews trustworthy, especially “personal impression” reviews of user-level programs? Do they help you select the software you use? Do you feel — as I do — that reader comments attached to a published review are a vital part of that review?

    These are real questions that rarely get asked. Let’s try to answer them — if we can.

    “Commentary” articles are contributed by Linux.com and NewsForge.com readers. The opinions they contain are strictly those held by their authors, and may not be the same as those held by OSDN management. We welcome “Commentary” contributions from anyone who deals with Linux and Open Source at any level, whether as a corporate officer; as a programmer or sysadmin; or as a home/office desktop user. If you would like to write one, please email editors@newsforge.com with “Commentary” in the subject line.

    Category:

    • Linux

    Inside Best Buy’s wireless gaffe

    Anonymous Reader writes “Baseline magazine has a story detailing security gaps that cropped up in the retailer’s wireless LAN, sending credit card information flying out into the parking lot.”

    Category:

    • Security

    Audacity 1.0 released

    Anonymous Reader writes “Who said that the Linux community does not produce high quality Multimedia software? Audacity, the GPL’ed multi-track and recording audio editor has finally reached version 1.0. It is available for a wide range of platforms thanks to the underlying wxWindows C++ API it uses. OSNews got the review.”

    Release Digest: GNOME, June 7, 2002

    LinuxToday: Check out this week’s edition of Release Digest for GNOME. New releases include new versions of Enlightened Sound Daemon 0.2.27, Libgnomeprint[ui] 1.115, David 1.0.1 and more.

    EnGarde Secure Linux Advisory: imap

    EnGarde: “There is a buffer overflow vulnerability in imap which can allow a remote, authenticated user to execute commands as the user under which imapd is running.”

    
    +------------------------------------------------------------------------+
    | EnGarde Secure Linux Security Advisory                   June 07, 2002 |
    | http://www.engardelinux.org/                          ESA-20020607-013 |
    |                                                                        |
    | Package:  imap                                                         |
    | Summary:  Remote buffer overflow in imap daemon.                       |
    +------------------------------------------------------------------------+
    
      EnGarde Secure Linux is a secure distribution of Linux that features
      improved access control, host and network intrusion detection, Web
      based secure remote management, complete e-commerce using AllCommerce,
      and integrated open source security tools.
    
    OVERVIEW
    --------
      There is a buffer overflow vulnerability in imap which can allow a
      remote, authenticated user to execute commands as the user under which
      imapd is running.
    
    DETAIL
    ------
      Marcell Fodor discovered a buffer overflow condition in the imap
      daemon from the University of Washington.  An authenticated user could
      send a malformed request to trigger the overflow and execute commands
      as the users UID/GID.
    
      The Common Vulnerabilities and Exposures project (cve.mitre.org/) has
      assigned the name CAN-2002-0379 to this issue.
    
    SOLUTION
    --------
      Users of the EnGarde Professional edition can use the Guardian Digital
      Secure Network to update their systems automatically.
    
      EnGarde Community users should upgrade to the most recent version
      as outlined in this advisory.  Updates may be obtained from:
    
        ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
        http://ftp.engardelinux.org/pub/engarde/stable/updates/
    
      Before upgrading the package, the machine must either:
    
        a) be booted into a "standard" kernel; or
        b) have LIDS disabled.
    
      To disable LIDS, execute the command:
    
        # /sbin/lidsadm -S -- -LIDS_GLOBAL
    
      To install the updated package, execute the command:
    
        # rpm -Uvh file
    
      You must now update the LIDS configuration by executing the command:
    
        # /usr/sbin/config_lids.pl
    
      To re-enable LIDS (if it was disabled), execute the command:
    
        # /sbin/lidsadm -S -- +LIDS_GLOBAL
    
      To verify the signatures of the updated packages, execute the command:
    
        # rpm -Kv file
    
    UPDATED PACKAGES
    ----------------
      These updated packages are for EnGarde Secure Linux Community
      Edition.
    
      Source Packages:
    
        SRPMS/imap-2000c-1.0.23.src.rpm
          MD5 Sum: 0092526c93d8dbb0d52617f413f08116
    
      Binary Packages:
    
        i386/imap-2000c-1.0.23.i386.rpm
          MD5 Sum: abb2189c4168ef80dc7a1884af3bac05
    
        i386/imap-2000c-1.0.23.i686.rpm
          MD5 Sum: 3c6b50e75b8f09ebe5e97b71e94117d5
    
    REFERENCES
    ----------
      Guardian Digital's public key:
        http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
    
      Credit for the discovery of this bug goes to:
        Marcell Fodor <m.fodor@mail.datanet.hu>
    
      UW IMAP's Official Web Site:
        http://www.washington.edu/imap/
    
      Security Contact:    security@guardiandigital.com
      EnGarde Advisories:  http://www.engardelinux.org/advisories.html
    
    --------------------------------------------------------------------------
    $Id: ESA-20020607-013-imap,v 1.1 2002/06/07 14:00:00 rwm Exp $
    --------------------------------------------------------------------------
    Author: Ryan W. Maple, <ryan@guardiandigital.com> 
    Copyright 2002, Guardian Digital, Inc.
    
    ------------------------------------------------------------------------
         To unsubscribe email engarde-security-request@engardelinux.org
             with "unsubscribe" in the subject of the message.
    
    Copyright(c) 2001 Guardian Digital, Inc.                EnGardeLinux.org
    ------------------------------------------------------------------------
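    One thing a practitioner should notice in the SOLUTION section above: the advisory lists the signature check (`rpm -Kv`) after the `rpm -Uvh` step, but every check needs to pass before the package is installed, since by the time a bad package is detected its scriptlets have already run as root. The wrapper below is an added example, not Guardian Digital's code, that performs the advisory's MD5 comparison and `rpm -Kv` first and only then runs the LIDS disable / upgrade / `config_lids.pl` / re-enable sequence. It assumes `rpm`, `md5sum`, `/sbin/lidsadm` and `/usr/sbin/config_lids.pl` exist as the advisory describes, and that the public key at the ENGARDE-GPG-KEY URL has already been imported into the keyring rpm consults (the advisory gives only the key's location). The `ENGARDE_APPLY` guard, the function names and the script structure are this example's own devices.

```shell
#!/bin/sh
# Added example (not Guardian Digital's code): verify the advisory's packages
# before installing them, then run the LIDS sequence from the advisory.
# Assumptions: rpm, md5sum, /sbin/lidsadm and /usr/sbin/config_lids.pl are
# present as the advisory describes, and the key from ENGARDE-GPG-KEY has
# already been imported into the keyring rpm consults. The ENGARDE_APPLY
# guard and the function layout are this example's own, not the vendor's.

# MD5 sums exactly as printed in the advisory's UPDATED PACKAGES section.
EXPECTED_SUMS='imap-2000c-1.0.23.src.rpm 0092526c93d8dbb0d52617f413f08116
imap-2000c-1.0.23.i386.rpm abb2189c4168ef80dc7a1884af3bac05
imap-2000c-1.0.23.i686.rpm 3c6b50e75b8f09ebe5e97b71e94117d5'

# expected_sum NAME: print the advisory's MD5 for package file NAME;
# status 1 (and no output) if the advisory does not list that file name.
expected_sum() {
    sum=$(printf '%s\n' "$EXPECTED_SUMS" | awk -v f="$1" '$1 == f { print $2 }')
    [ -n "$sum" ] && printf '%s\n' "$sum"
}

# check_md5 FILE EXPECTED: status 0 only if FILE's MD5 equals EXPECTED.
check_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_package FILE: the file must be one the advisory lists, its MD5 must
# match, and rpm must accept its GPG signature (rpm -Kv, as in the advisory).
verify_package() {
    pkg=$1
    want=$(expected_sum "$(basename "$pkg")") ||
        { echo "not listed in the advisory: $pkg" >&2; return 1; }
    check_md5 "$pkg" "$want" ||
        { echo "MD5 mismatch: $pkg" >&2; return 1; }
    rpm -Kv "$pkg" ||
        { echo "signature check failed: $pkg" >&2; return 1; }
}

# apply_update FILE...: the advisory's procedure, with every check run first
# so nothing is installed unless all packages verify.
apply_update() {
    for pkg in "$@"; do
        verify_package "$pkg" || return 1
    done
    /sbin/lidsadm -S -- -LIDS_GLOBAL || return 1      # b) disable LIDS
    if rpm -Uvh "$@"; then rc=0; else rc=$?; fi      # install the update(s)
    /usr/sbin/config_lids.pl                          # refresh LIDS config
    /sbin/lidsadm -S -- +LIDS_GLOBAL                  # re-enable, even on failure
    return "$rc"
}

# Only touch the system when explicitly asked, so the file can be sourced
# (for example to reuse check_md5) without side effects.
if [ -n "$ENGARDE_APPLY" ]; then
    apply_update "$@"
fi
```

    Invoke it as `ENGARDE_APPLY=1 sh verify-then-install.sh i386/imap-2000c-1.0.23.i386.rpm` (the file name is hypothetical) after fetching the package from the update directory. The MD5 sums only guard against a corrupted download: they arrive in the same advisory that points at the download site, so whoever can alter the advisory can alter them too. The GPG signature, checked against a vendor key obtained separately, is the actual integrity anchor, which is why the script refuses to continue when `rpm -Kv` fails. LIDS is re-enabled on both the success and the failure path so that a failed `rpm` does not leave the host running with its kernel access controls switched off.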

    Release Digest: KDE, June 7, 2002

    LinuxToday: This week’s KDE releases include the KNFSPlugin, Harbinger 0.4, XDrawChem 1.3.2 and more.

    Category:

    • Open Source
