Firing up firewalls

Author: JT Smith

From O’Reilly: “One of the first lines of defense against hackers is your firewall. The firewall acts as a filter, blocking unwanted packets from reaching your network. In most cases, a properly configured firewall will protect a network from viruses such as the Code Red worm, even if there are vulnerable machines residing inside the network.”

Category:

  • Linux

Dear Mr Gates, an open letter

Author: JT Smith

Posted on Advogato is an open letter from a programmer living in the European Union to Bill Gates. In it, he asks that Bill allow him access to certain documents about closed standards in Windows for the purposes of making things interoperable. And, if Bill refuses, he notes that under European Law, Council Directive 91/250/EEC, he would be able to do much more pervasive interoperability work (to the point of working around MS licensing setups).

eBay goes back to school to attract customers

Author: JT Smith

From National Post online: “EBay Inc., one of the few true Internet success stories, is bringing its travelling “university” road show to Canada for the first time tomorrow in an attempt to drum up more business for the online auction service. eBay is hoping to get approximately 1,000 participants at its first Canadian eBay University, being held at the Toronto Convention Centre.”

Nokia: the chameleon of tech

Author: JT Smith

From Wired: “From producing toilet paper and rubber boots in the 1800s to electronics equipment and software today, Nokia is famous for its frequent makeovers. Last year it entered the wired-line security space, garnering awards from prestigious entities such as PC Magazine. The publication’s “editor’s choice award” went to Nokia for its virtual private network, which lets users access company databases securely.”

The week in review: Record labels on the defense

Author: JT Smith

From C|Net: “Just months after scoring key courtroom victories against online music swapping, record labels are now facing legal scrutiny over the music industry’s own plans for online services.”

This week in DotGNU

Author: JT Smith

Norbert Bollow writes “This Week in DotGNU, No 1 (October 19, 2001).
See http://dotgnu.org for general background information. After a temporary slowdown, DotGNU is quickly picking up speed again.”

DotGNU Portable.NET

This part of DotGNU contains a C# compiler, runtime engine, and related tools. There is as always good, steady progress.

DotGNU SEE

This Secure Execution Environment allows bytecode to be executed securely on the end user’s machine, allowing in particular the end user to execute webservice software locally, so that no-one can be locked into using the software as a webservice instead of running it locally. There has not been any progress with the code this week (the code is written in C++), but the Steering Committee has been able to resolve some internal misunderstandings related to the need for an official Windows port of DotGNU SEE. They’re (reluctantly!) going to ask Windows programmers to help with this. (The goals are to further the development and use of Free Software in general, and to enhance the GNU operating system in particular, not just make a popular collection of software. We want to provide users with a way to get more jobs done in full freedom, not just with some useful software packages. However, in order for DotGNU to do its job, it needs to be popular. For that reason, we are giving Windows support a somewhat higher priority level than it would normally have in a GNU project.)

Authentication, Authorization and Virtual Identities

The FrePort project of John le’Brecage is going forward, and it is now listed at http://dotgnu.org/proposals/active.html – This will not be DotGNU’s only auth project; I expect that at least one or two others will follow soon.

DotGNU – Jabber meetings

Adam Theo is organizing weekly meetings for discussing possibilities of using the Jabber protocol suite in DotGNU. These meetings are well-attended, and things are starting to happen. I expect that an auth project will come out of this, and also a system (consisting of sysadmin tools and middleware) for managing the distributed flow of information through a network of webservice servers.

“This week in DotGNU” is Copyright (C) 2001 by Norbert Bollow. Verbatim copying and distribution of this entire issue is permitted in any medium or format, provided this notice is preserved.

Category:

  • Linux

Linux kernel hacker interview: Russell King

Author: JT Smith

Jeremy Andrews writes, Kerneltrap has posted the latest in-depth kernel hacker interview with Russell King, who originally ported Linux to ARM and continues to oversee ARM Linux development. Russell King: “I started hacking on Linux for my Acorn A5000 machine back in Spring 1994 while still at Southampton University, after a fellow student, Martin Ebourne, introduced it to me. An A5000 is a desktop-like ARM based machine. It was already about 3 years old and underpowered at that time, with only 4MB of RAM but it was the machine I had.” Russell talks about ARM, the 2.4 kernel, the upcoming 2.5 kernel and much more.

Category:

  • Linux

If you can’t stand the heat…

Author: JT Smith

– by Eric S. Raymond

At this Microsoft.com page one Scott Culp, advertised to us as the “Manager of the Microsoft
Security Response Center”, exhorts people to stop publishing
information on computer security vulnerabilities. Culp’s rant is a transparently self-serving and dishonest attempt to
shift the onus for epidemics like Code Red, Lion, and NIMDA away from
where it belongs, which is squarely on Microsoft’s shoddy architecture
and negligent engineering.

Culp is certainly right that no software will ever be perfectly secure
— but we know it’s possible to do a great deal better, before and
after the fact, than either Microsoft’s operating-system design group
or Mr. Culp’s bumbling bunch of Keystone Kops has ever managed.

Open-source developers are not frightened of what Culp calls
“information anarchy”. That’s because we have confidence (a
confidence justified by the track record of Linux, the BSD operating
systems, and Apache) that our security holes will be infrequent, the
compromises they cause will be relatively minor, and fixes will be
rapidly developed and deployed.

And we’re not getting passed over by crackers because we have fewer
sites, either. Apache runs two thirds of the Web servers in the
world. When was the last time you heard about an Apache remote
compromise? There are many fewer IIS websites — and yet they are
constantly getting cracked. Because they’re soft targets.
Ultimately, this is because the `security’ in IIS and Windows is
incompetently designed, and its source code has never been subjected
to independent peer review.

Cryptographers and security experts have known for years that peer
review of open source code is the only reliable way to verify the
effectiveness of encryption systems and other security software. So
Microsoft’s closed-source mode of development guarantees that
customers will continue getting cracked and Microsoft will continue
pointing the finger of blame everywhere except where it actually
belongs. (In Microsoft-speak, this sort of thing is called
`innovation’.)

What Culp is really saying is that he doesn’t believe Microsoft will ever get
its act sufficiently together for Windows or IIS to survive in a high-threat
environment, so Microsoft wants to blame someone else for the problem.

Here’s what I have to say to Mr. Culp: “If you can’t stand the heat,
get out of the kitchen. And if your OS can’t stand an environment
where attack tools are instantly disseminated, you don’t belong in the
operating-system business.”

Think of it as evolution in action…

Eric S. Raymond

Category:

  • Migration

Music firms still don’t get it

Author: JT Smith

ZDNet has a brief commentary about the music industry’s treatment of its customers and the lessons that were – or were not – learned from the Napster episode.

Hypersonic engine test set for next week

Author: JT Smith

Reuters reports via the Globe and Mail: “The world’s first test flight of a hypersonic “scramjet”
engine, which scientists believe will one day allow people to fly at
least eight times the speed of sound, will take place as planned in
Australia next week.”

Category:

  • Linux