dep writes: “In a brief but firmly worded statement to Linux and Main, Free Software founder Richard M. Stallman has spoken out against per-seat licensing, which will apparently be employed in the new “UnitedLinux” core distribution. Developers, he says, should refuse to go along with it.”

There really is a war going on, against Open Source. The powers that be in Corporate America are not ready for advances in technology combined with the collaborative spirit of today’s true development community. According to the Alexis de Tocqueville Institution: “Terrorists trying to hack or disrupt U.S. computer networks might find it easier if the federal
government attempts to switch to “open source” as some groups propose.”
WASHINGTON–(BUSINESS WIRE)–May 30, 2002–Terrorists trying to hack or disrupt U.S. computer networks might find it easier if the federal
government attempts to switch to “open source” as some groups propose.

“Opening the Open Source Debate”, a soon to be released white paper by Alexis de Tocqueville Institution details the complex issues surrounding
open source, particularly if federal agencies such as the Department of Defense or the Federal Aviation Administration use software that inherently
requires that its blueprints, source code and architecture is made widely available to any person interested – without discretion.

In a paper to be released next week, the Alexis de Tocqueville Institution outlines how open source might facilitate efforts to disrupt or sabotage
electronic commerce, air traffic control or even sensitive surveillance systems.

Unlike proprietary software, open source software does not make the underlying code of a software confidential.
“Computer systems are the backbone to U.S. national security”, says Fossedal, chairman of the Alexis de Tocqueville Institution and its Committee
for the Common Defense, which will release the study. “Before the Pentagon and other federal agencies make uninformed decision to alter the very
foundation of computer security, they should study the potential consequences carefully.”

–30–rlg/ny*

CONTACT: Alexis de Tocqueville Institution
Ken Brown, 202/548-0006
kenbrown@adti.net
www.adti.net

– By Jack Bryar –

Is there a chance that Microsoft, proprietary Unix vendors and the Open Source community might stop swearing at each other and actually begin providing
potential customers with usable information? Judging from the news of the last
week or two, it hardly seems possible. However, both Microsoft and the Linux
community are beginning to use cost and performance arguments that can
help their potential customers make intelligent choices. It might even
help repair the tattered reputations of a few vendors.
The scare tactics and disinformation campaigns of Microsoft, Sun,
and even some Open Source advocates have become boring and tiresome as well
as shrill and incredible. Sun is still recovering from its crude disinformation campaign targeting Linux users. John
Stenbit, the bluff, burly chief information officer for the U.S.
Department of Defense had to
personally swat down a whispering campaign by Microsoft that
claimed Stenbit’s flirtation with Open Source posed a threat to
national security. Stenbit, the former chief of TRW’s systems integration
business, has been advocating a
highly decentralized network-centric systems architecture [link is PDF]
that doesn’t sound much like Microsoft’s vision of the future, and he’s
considered a Unix guy in defense technology circles. Open Source advocates who
compare Microsoft to drug
pushers and corrupters
of foreign governments don’t do the credibility of Linux community
any favors, either. Is it no wonder that the many large customers are
so turned off? A senior IT manager I spoke to this week put it best when
he justified the freeze in his systems budget, saying, “We’re waiting for
our vendors to grow up.”

A couple of years ago, I suggested that the only way to re-energize
the market was to improve the debate about the merits of Linux vs. Windows.
It was past time for some honest comparisons of the type that
matters most to the average company. Vendors needed to explain the difference
between Linux and Microsoft systems in the only manner that means
anything to the average business manager: cost. Evangelists for Linux (or that
matter, Unix or Windows) should have to compare the cost — the total
cost — of owning a computing system based on Linux compared to the total
cost of owning an enterprise architecture based on a proprietary Unix or
Microsoft platform.

These “total cost of ownership” (TCO) calculations are a little more
complicated than comparing the cost of a package of a couple of Red Hat
CDs to the cost of thousands of Microsoft licenses. Even at
Microsoft prices, the cost of software is only a small part of
the total cost of managing a large IT environment. In recent years,
Gartner, KPMG, and Forrester have all issued reports that agree that hardware
and software combined represent less than 20% of the total cost of owning a
system.

Far more important are the costs of running the local
help desk, performing system audits and other administrative functions, and writing and supporting custom code. At most larger companies, these and
similar costs are far more significant than the price of the enterprise
software platform. So are the costs associated with improving or
degrading employee efficiency. A California-based financial services company I
worked with last year calculated it could justify the cost of a wholesale
upgrade of its enterprise architecture based on the fact the the proposed
system could shave five seconds off the time it took most of their 2,000 employees
to log on to their complex of system resources.

Reliable TCO assessments can be hard to do. Many firms attempting a
TCO analysis quickly give up. There claim there are simply too many
factors to account for. Many are difficult to calculate objectively. Most
evaluators lack the required expertise in accurate cost accounting and performance
benchmarking Even so, most companies can, if they try, assess
the financial impact of :

• Controlling the number of desktop and server images
• Reducing logon failures
• Reducing support costs
• Minimizing end-user training costs
• Lowering set-up costs
  
  Enhancing flexibility by allowing users to “work from anywhere”
  while accessing the system resources needed to do their jobs

Other factors are harder to quantify. For example, what is the
degree of risk associated with reducing unauthorized access to system
resources by outsiders? And what is the financial impact?

After a slow start, there’s a growing trend by vendors and
purchasers to perform TCO analyses when justifying competing IT platforms. Firms
like Compaq have introduced TCO as
an element of their sales and market education programs. Apple
enthusiasts are
promoting TCO analyses to justify retaining Macs in the workplace.
A variety of organizations have tried to use TCO analyses justify
the deployment of Linux throughout the enterprise.

Many of
these Open Source “analyses” are fairly primitive. Some do little more than
wonder aloud, “what possible combination of costs could Windows servers offer
a lower TCO than Linux or OpenBSD servers?” without an honest look
at those costs. Others have done their homework. Last year, Red Hat
sponsored a
devastating IDC study that quantified the TCO benefits of
running Linux compared to Unix. The study confirmed the findings of a
1999 Gartner Group study that suggested companies deploying a Linux
platform would enjoy a 20% overall cost advantage compared to firms running
Unix. Proprietary Unix vendors have been on the defensive ever since.

What about Microsoft? A study for the U.S. Department of Defense
conducted by MITRE [PDF] gave the lead to Linux over Microsoft NT in the back office because Linux was easier to manage, had more robust security features,
and supported remote monitoring and management more effectively. MITRE
found that each of these features resulted in measurable cost savings and
risk reduction. A
study for LinuxWorld.com was less credible, because the author cooked
the books a little. For example, he assumed that Microsoft-based systems
would require all parties to upgrade upgrade their equipment and software
every few years, but that, for some reason, Linux users somehow would
add nothing to their desktops and system managers would add
nothing to their back-end systems during the same period.

In any case, Microsoft’s product managers claim that much of the
reliability and support costs cited in these studies were specific to the
limitations in NT. Beginning last September, they began to use TCO justifications
to promote Windows 2000 as “An Operating System Even a CFO Would Love.” Microsoft has put together a “Rapid Economic Justification” SWAT team to promote sales based on quick returns on company investments in IT hardware and software. In
addition, the company has begun to publish a series of white papers and
customer profiles showing, the company claims, that Windows 2000 and its successors are generating dramatic improvements in reliability and significantly lowered
administrative and support costs.

Are these claims for real?

Compared to NT, they almost certainly are. Even in mixed NT/Unix
environments, it is not hard to believe the numbers in an upcoming customer study
that claims a company could reduce its internal domains, cut the number of
servers and reduce IT support staffing by 20% by moving off NT to a
different operating platform. Other Microsoft-sponsored TCO studies, such
as one focused on Allegis, merit a slightly more skeptical look.
According to that study, Allegis claims it could generate new product faster
running on Windows 2000 than on Unix. Perhaps.

In any case, such papers, and similar efforts by Open Source and
proprietary vendors represent a marked improvement over earlier, cruder efforts to draw cost comparisons between Microsoft and its
competition. Moreover, they advance the competitive discussion. Competing systems
vendors from the Microsoft, Linux and Unix communities need to move away from
from rancorous exchanges of disinformation and begin to focus on issues that
will advance the interests of their customers in a safe, secure,
inexpensive operating environment. If they compete hard enough, their products
might improve. And that wouldn’t be a bad thing, either.

It’s buried toward the bottom of this India Times article, but the threat of war between India and Pakistan that has caused the U.S, State Department to issue travel warnings about India and Pakistan is starting to affect the growing Indian outsoure programming business sector.

LinuxToday reports: “Red Hat, Inc. is taking a wait and see attitude on the subject of newly announced UnitedLinux.”

From Practical-tech.com: “Some Linux fans are pooh-poohing this announcement as not being that big a deal. They’re dead wrong. While it won’t make much difference to consumer Linux-United Linux (UL), a pure business operating system play, completely changes the Linux business landscape.
Why? Because at long last OEMs, like IBM and HP, and more importantly independent software vendors (ISV)s will need to work with, at most, two Linux versions-the other being Red Hat- instead of the five major versions they must deal with today. That will save these companies a bundle of application porting money.”

Gecko writes, “Remember the PCs without a pre-installed operating system, selling at Wal-Mart’s? OSNews got their hands on one of these and they test Windows, Linux and BeOS. Apparently, the company behind these products had immediatelyreplaced the on-board winmodem with a hardware PCI one, in order to be compatible with Linux, but their new AthlonXP/Duron PC models now come with a newer S3 Savage4 DDR integrated graphics card that is not supported by XFree86.”

Mandrake: “Fermin J. Serna discovered a problem in the dhcp server and client
package from versions 3.0 to 3.0.1rc8, which are affected by a format
string vulnerability that can be exploited remotely.”

______________________________________________________________________

                Mandrake Linux Security Update Advisory
______________________________________________________________________

Package name:           dhcp
Advisory ID:            MDKSA-2002:037-1
Date:                   May 30th, 2002
Original Advisory Date: May 29th, 2002
Affected versions:      Single Network Firewall 7.2
______________________________________________________________________

Problem Description:

 Fermin J. Serna discovered a problem in the dhcp server and client
 package from versions 3.0 to 3.0.1rc8, which are affected by a format
 string vulnerability that can be exploited remotely.  By default, these
 versions of DHCP are compiled with the dns update feature enabled,
 which allows DHCP to update DNS records.  The code that logs this
 update has an exploitable format string vulnerability; the update 
 message can contain data provided by the attacker, such as a hostname.
 A successful exploitation could give the attacker elevated privileges
 equivalent to the user running the DHCP daemon, which is the user dhcpd
 in Mandrake Linux 8.x, but root in earlier versions.

Update:

 The packages previously provided for SNF7.2 were the incorrect version.
 These new packages provide the proper version of dhcpd for SNF7.2.
______________________________________________________________________

References:

 http://www.cert.org/advisories/CA-2002-12.htmlhttp://www.ngsec.com/docs/advisories/NGSEC-2002-2.txt
______________________________________________________________________

Updated Packages:

 Single Network Firewall 7.2:
 381344516b790101c2eee850879cb5aa  snf7.2/RPMS/dhcp-3.0b2pl23-2.1mdk.i586.rpm
 84e4567de46573b577b235079ce31e97  snf7.2/RPMS/dhcp-client-3.0b2pl23-2.1mdk.i586.rpm
 2616a1003b248b0f27b7fb70abca57cf  snf7.2/RPMS/dhcp-relay-3.0b2pl23-2.1mdk.i586.rpm
 5865549fc6715b730ddff90194c15b96  snf7.2/SRPMS/dhcp-3.0b2pl23-2.1mdk.src.rpm
______________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

______________________________________________________________________

To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one 
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".  A list of
FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:

  rpm --checksig <filename>

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team from:

  https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to 
update.

You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

  http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

  security@linux-mandrake.com
______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security@linux-mandrake.com>

Linux Today: “As of the time of this report, the last security update announced on the US TurboLinux website was
on January 24, 2002, regarding a problem in xinetd. The last security updates released on the official US FTP site were on February 8, 2002. Additionally, the US TurboLinux security-announcement mailing list has been inactive since January 2002 as well. Inferring from these lapses, it would seem that TurboLinux Inc.’s Linux distribution contains multiple security vulnerabilities that remain exploitable at the time of this advisory.”

Slashdot notes that the GNU Mach Kernel 1.3 was released this week.