
Open Source projects aim to make ‘Net more secure

Author: JT Smith

by Jack Bryar
Open Source Business

We have an Internet security problem. Everyone
agrees about this. However, there’s a great deal of disagreement about
what type of security problem we have. Is the Internet too secure from
government snooping? The last few days have generated scare stories about terrorists using the Web to coordinate their
activities. At the same time, many business leaders and ordinary citizens are
worried that their Internet messages are not secure enough. There’s lots of new
technology coming on line, especially from the Open Source community,
that is likely to complicate the discussion about where and how to draw the
line between privacy and security.

Following the catastrophe in New York and Washington, there’s been a
lot of talk about the Internet and security. A lot of that talk has
focused on suggestions that world governments lack the tools they need to
identify suspicious messages from among the billions of communications exchanged
around the world. A good example of those suggestions was the
recommendation by U.S. Senator Judd Gregg (Republican-N.H.) to ban any
encryption system lacking a backdoor to enable government snooping. Coming
from a senator whose state employs a larger percentage of its workforce in
high technology than anywhere else in the United States, the comments were
technically naive as well as more than a little alarming to civil
libertarians. According to most security pros I have talked to, the total
volume of messages and the lack of language skills among U.S. security pros
are far bigger concerns than encrypted emails by bad guys.

Most businesses would probably suggest that the biggest problem with
Internet security is that there isn’t enough of it. A recent survey
completed by InfoWorld revealed that the number one factor retarding acceptance
of Web-based services was a lack of security. That perception may have
shifted, along with our perception of many other things during the last
week. One element of security is how well a system survives disaster.
In many cases, Web-based services were up and running well before basic
telephone services were re-patched together in lower Manhattan.

Nevertheless, recent events are going to heighten everyone’s
concerns about the integrity of their electronic messaging infrastructure
and its ability to withstand disruption or interference by outsiders,
whether those outsiders are script kiddies or Al-Qa’ida. It is
a valid concern. For a system originally conceived as a means for
communicating during a national crisis, it is surprising how little attention has
been paid to the issue of Web and IT security generally.

One of the biggest vulnerabilities of the ‘Net and the enterprise
computing environment has been the development of a technical monoculture. Today
most companies deploy identical hardware and identical operating
environments across the entirety of their enterprise. While that may generate
efficiencies for administrators, it also means that a company’s infrastructure can
be taken down just as efficiently. Any virus or hack capable of
taking down one Windows configuration is likely to be able to take down
thousands of others. Diversity in the back end is one of the best guarantees of
safety. This is hard for a lot of IT pros to understand, but it’s true.

The connection to the Internet is the place where most enterprises
are the most exposed. Today, Web security systems are built around a
combination of public key encryption and use of the Secure Sockets Layer. Present
systems are neither efficient nor hack-proof. The protocols for managing the
exchange of public keys are particularly awkward. This is beginning to change.
One important open standard being developed to address public key exchange
issues is called XKMS
(The XML Key Management Specification). XKMS describes a process for
exchanging public keys via XML transactions. Combined with another security
standard being developed by the XML standards consortium OASIS, called SAML
(Security Assertion Markup Language), XML is being used to add
intelligence and efficiency (and added security) to the public key system.

Virtual Private Networks are part of any intelligent approach to
security over the web. However, VPNs are easy to screw up, and the Windows 95/98
IP stack unnecessarily complicates the process of setting up and
managing a VPN compared to Unix or Linux. There are a number of good VPN
solutions developed on Open Source platforms. One of the better shrink-wrapped
VPN Server platforms has been developed on a Red Hat Linux platform.
Developed by NetMAX, this package provides
users with a Linux-based, IPSec compliant VPN server, firewall, router and
proxy server. Prices begin at around $500. Trilogy’s
AdmitOne Server for Linux is another emerging VPN package coming onto
the market. Do-it-yourselfers can go to sites like Infomax Consulting
Services and learn how to configure Linux VPN elements like IP masquerade
on their own systems. For integrators who really want
to get their hands dirty, Net Integration Technologies, formerly
Worldvisions, has LGPLed both a proxy server and a VPN software program
called Tunnel Vision.

Although government agencies may hate it, peer-to-peer systems may
be the best security solution of all. Because peer-to-peer eliminates the
need for central servers, this defeats any server-level strategy for
intercepting or auditing messages between trusted systems. Admittedly, the use of
peer-to-peer networking may defeat government oversight of electronic messaging, but
it is worth remembering that not all government oversight is benign.
Technologies that complicate oversight by the FBI also complicate oversight by the
Chinese Ministry of State Security.

Today, there are an estimated 300 vendors in the marketplace featuring
P2P based products. The P2P market is still in its infancy. It is
clogged with niche players and closed proprietary standards, but that is
beginning to change. Currently there are two groups promoting Open Source P2P
interoperability protocols. The JXTA project is sponsored by Sun Microsystems.
Intel has been sponsoring the Peer-to-Peer Working Group.

That group has focused its efforts on developing a peer-to-peer
Trusted Library (PtPTL) based on the OpenSSL Toolkit. While both projects are
still in the early stage of development, they promise a future
networking environment that is far more redundant, and secure from disruption or
supervision. Whether you think that is a bad thing or a good thing, it is
inevitable, and security types and public officials will have to understand that
and deal with it.

Category:

  • Linux

Caldera reduces staff by 8 percent

Author: JT Smith

ZDNet reports that Caldera International has cut 51
jobs, or 8 percent of its work force, as part of its previously announced restructuring. Here’s a press release from Businesswire.

Category:

  • Open Source

Crackers lash out at Islamic sites

Author: JT Smith

ZDNet UK reports that Web sites connected to Afghanistan’s Taliban rulers and to
other Islamic nations including Iran have been attacked, and the FBI is issuing warnings to system
administrators everywhere to tighten up their security.

Category:

  • Linux

Increase in Port 80 (HTTP) scanning activity

Author: JT Smith

Anonymous Reader writes, “This morning (September 18th) the CERT/CC (http://www.cert.org) started receiving reports of a massive increase in scanning directed at port 80 (http://www.cert.org/current/current_activity.html#port80). Reports indicate that this scanning activity is attempting to exploit systems previously compromised by Code Red II and/or the sadmind/IIS worm as well as other known vulnerabilities in Microsoft Internet Information Server (IIS). Please see CERT Vulnerability Note VU#111677 (http://www.kb.cert.org/vuls/id/111677) for information on the type of vulnerability being exploited.”

Category:

  • Linux

Open source GIS – GRASS users conference 2002

Author: JT Smith

From Marco Ciolli and Paolo Zatelli:
The Open source GIS – GRASS users conference will take place in Trento, Italy, 11-13 September 2002.

This conference is the result of the joint effort of many GRASS developers and users all over the world to foster closer relations and provide opportunities for greater interactions among the open GIS and GRASS communities.
The aim of the conference is twofold: the exchange of experiences between Open GIS and GRASS users and developers and the possibility for the potential users to access first-hand information and GRASS capability demonstration, especially for users from developing countries.

The conference is organized by the Department of Civil and Environmental Engineering of the University of Trento with the help of an Organizing Committee including some of the most prominent GIS/GRASS experts around the world.
The research projects at the Department of Civil and Environmental Engineering pursue the main objective of developing new strategies for the protection of the environment and the sustainable use of natural resources. The focus is on land protection and preservation with particular emphasis on the mountain regions, water resources, river and estuary dynamics, analysis of the environmental impact of infrastructures, urban settlement, design of ecological and energy saving buildings, as well as surveying, GIS and remote sensing.

Conference location is in S. Chiara Auditorium, in the center of the city of Trento, Italy.
Trento is a city of art, of history and represents a crossroads for the contrasting cultures of Italy and northern Europe. Originally a Roman city, Trento became famous for the Council (1545-1563) which gave rise to the Counter-Reformation. Among the many faces of Trento, one of the most striking is that of the alpine Renaissance city, which has been restored to its original splendor by recent restorations. On nearby Monte Bondone you can commune with nature against the panorama of the Dolomites, all of which make Trento, capital of the Trentino region, a symbol of international alpine culture.

The conference will be held for three days with oral sessions, poster sessions, workshop and tutorials. The meeting will cover all the aspects of open source GISs, with special focus on GRASS. Authors are encouraged to submit papers covering the following topics:

  • Applications
  • Development
  • Education
  • Technology transfer

Papers outside these areas are welcome too; special attention will be paid to papers involving authors or projects from developing countries.
The registration at the conference, the paper submission and the accommodation booking must be done via Internet at this web site. This is the first meeting on open source GIS, so it is difficult to estimate the number of participants. Pre-registration on the web site will help the organization of the meeting to find out in advance the number of people interested in attending.

B.Benciolini, M.Ciolli, P.Zatelli
Local Organizing Committee
Open source GIS – GRASS users conference 2002
E-mail:grass2002@ing.unitn.it
Web:http://www.ing.unitn.it/~grass
Department of Civil and Environmental Engineering
University of Trento
via Mesiano, 77
38100 Trento
ITALY

Mandrake Linux Community Newsletter – Issue #14

Author: JT Smith

“This Week’s Summary: Hewlett Packard offering PCs preloaded with
Mandrake; Special Offer on ProSuite Edition at MandrakeStore.com; New
Product — Mandrake Linux Update CDs; New Mandrake T-shirts; Cooker
Weekly News Summary; Business Case of the Week; This Week’s Online
Poll; Security-related software updates; Headlines from MandrakeForum;
What’s New at MandrakeUser.org?”

Product News
               ----------------------------------------
               Hewlett-Packard now offering PCs with Mandrake Linux pre-installed.
               The HP Vectra models vl420, vl800 and e-pc40 now offer the option of
               MS-Windows or Mandrake 8.0 according to the HP website. The machines
               come equipped with Celeron or Pentium 4's. Please see the following
               links for complete information on the different models.
               http://www.hp.com/desktops/professional/desktop/vectra_vl420/
               http://www.hp.com/desktops/professional/desktop/vectra_vl800/
               http://www.hp.com/desktops/professional/e-pc/e-pc_40/

               --

               Save $50 when purchasing ProSuite at MandrakeStore.com.
               The Mandrake Linux 8.0 ProSuite Edition is a complete Linux Enterprise
               solution. Server Configuration Wizards allow you to quickly setup &
               configure services with just a few mouse clicks. The ProSuite Edition
               comes complete with Extended Server Support that covers installation &
               configuration of the operating system plus several key services
               (Apache, Postfix, Samba, FTP and SSH). Additionally, 2 free Update CDs
               are provided (when they become available) containing bugfixes and
               security updates.
               http://www.mandrakestore.com/en/storemdksa-prosuite-promo.php

               For detailed product descriptions of Mandrake Linux 8.0 ProSuite
               Edition, please see:
               http://www.mandrakesoft.com/products/80/prosuite

               --

               New Product Announcement -- Mandrake Linux Update CDs.
               Now you can receive the latest software updates in one convenient
               package. Mandrake Linux Update CDs contain security updates, bugfixes,
               as well as the most recent packages as of September 15, 2001. Update
               CDs are available for Mandrake Linux 7.2, 8.0, Corporate Server, and
               Single Network Firewall.

               Available now for $20 US (shipping included) at MandrakeStore.
               http://www.mandrakestore.com/

               --

               New Mandrake T-shirts featuring SuperTux!
               Get the latest T-shirt designed exclusively for MandrakeStore
               (currently only available outside of North America).
               SuperTux -- black short sleeve, 100% cotton with 3 color printing, XL
               only. "Building a friendly Linux World" printed on the back.
               $19 USD + $10 USD shipping & handling (tax included).
               http://www.mandrakestore.com


               What's Cooking at MandrakeSoft?
               ----------------------------------------
               According to the September 10th edition of the Mandrake Cooker Weekly
               News, a new wizard called "DrakeFirstTime" has now made its appearance
               in Cooker. DrakeFirstTime allows new users to configure their window
               manager and email client (at present KMail and Netscape), and also
               offers the opportunity to register for MandrakeOnline.
               MandrakeOnline is a new service which provides a Mandrake email alias
               (yourName@mandrakeonline.net) and allows users to record their system
               configuration and save it online (thereby making it possible to
               download this important information in case of system crash or file
               corruption). Additionally, MandrakeOnline will provide security update 
               alerts customized to the system's configuration.

               Read the current online version of the Mandrake Cooker Weekly News at
               http://mt.mandrake.org/mcwn/ or subscribe by sending an email to
               sympa@linux-mandrake.com with the words "subscribe cooker-mcwn" (no
               quotes) in the subject line.


               Business Case of the Week
               ----------------------------------------
               Benefit Software uses Linux-Mandrake for web development and surges
               ahead!!
               Benefit Software develops web-based applications using PHP, HTMLOS and
               MySQL. They use Mandrake Linux on their development computers because
               of the wide range of tools it supplies, its easy installation and its
               bleeding edge look at technology.
               "Linux Mandrake provides the many web tools we need to be productive,
               including the apache web server, php, mysql, gimp, ssh, vim, mozilla,
               galeon, gaim (communication) during install and constant updates at
               rpmfind.net."
               http://www.mandrakebizcases.com/article.php?sid=150

               Read many more examples of Mandrake Linux in the workplace at:
               http://www.MandrakeBizCases.com/

               If you use MandrakeSoft products in your business, please share your
               story by submitting your own personal "Bizcase".


               This Week's Online Poll
               ----------------------------------------
               This week's poll is a request from the developers: "Please help the
               developers improve the keyboard settings in MandrakeLinux by completing
               a brief survey. At the moment we are interested in finding out which
               language people use during the installation, which keyboards are most
               commonly used with each language, and how usable is MandrakeLinux with
               various languages."

               Please take a minute to help improve Mandrake Linux:
               http://www.mandrakeforum.com/survey.php?sid=7


               Software Updates
               ----------------------------------------
               Security-related software updates have been released for
               xli/xloadimage. See the entire list at:
               http://www.linux-mandrake.com/en/security/mdk-updates.php3?dis=8.0


               Top Stories of the Week from MandrakeForum
               ----------------------------------------
               The Beta 3 of Mandrake Linux 8.1 has arrived.
               Many beta-testers report their observations.
               http://www.mandrakeforum.com/article.php?sid=1160

               Moooouuuuseeee Shaaaaadoooow :-)
               Tom describes how to get a mouse shadow working with nVidia's video
               card: "The one feature I've always deemed as cool in Windows 2000 has
               been the 'mouse shadow', which adds a nice 3d touch to your mouse
               pointer."
               http://www.mandrakeforum.com/article.php?sid=1165

               Videoconferencing in LM 8.1 (beta)
               Deno writes: "A few days ago, Florin made gnomemeeting rpm package,
               followed by server packages needed to set up a complete
               videotelephony/conferencing environment for your
               school/company/family/friends. If you have been looking for a good
               reason to try out the 8.1 beta, look no further: gnomemeeting is cool,
               easy to use, and compatible with other h323 clients (like netmeeting)."
               http://www.mandrakeforum.com/article.php?sid=1164

               How to get standalone Java applications working in KDE.
               Conman provides an easy-to-follow explanation of a topic that is
               quite important to many users.
               http://www.mandrakeforum.com/article.php?sid=1177

               Crossover plugin from Codeweavers: Quicktime, Shockwave and
               more for Linux.
               Great story for folks who keep saying that they can't use Linux because
               this or that doesn't work.
               http://www.mandrakeforum.com/article.php?sid=1156

               Getting Along With Windows XP.
               Tom tests Windows XP and posts a simple explanation on how to install
               Mandrake Linux together with XP, as well as how to get rid of either
               Windows or Linux afterwards.
               http://www.mandrakeforum.com/article.php?sid=1158

               Read these and other stories at:
               
               What's New at MandrakeUser.org?
               ----------------------------------------
               Updated articles on:
               * Hardware Configuration
               * Removable Storage Devices
               * IDE Hard Drives
               * nVidia on Mandrake

               New articles on:
               * Configuring automount, contributed by Kevin McCormick
               * Multibooting WinSE, W2k and Mandrake, contributed by Scott Hanak

               Other
               * The Mandrake Laptop Files now contain 300 entries.
               * New Download Archive for September.

               http://www.mandrakeuser.org/
               ----------------------------------------

Category:

  • Linux

Linux in education report #53

Author: JT Smith

“Information about Linux in education has been sparse for the past week due to the world’s attention being focused on the horrible terrorist attack on the United States. This
report will have just a few observations and a list of new educational software.” More at SEUL.org.

Category:

  • Linux

Personal Electronics Concealment, LLC

Author: JT Smith

InternetWire: “Personal Electronics Concealment, LLC, (PEC, LLC) the company which originally created the e-Holster(R), a
shoulder holster for personal electronics, is now introducing the e-Vigilance Bag[tm] a single-strap “carry all”
which provides a new, practical way for every American to turn “vigilance” into action and participate in the new “war on terrorism” by
wearing “anti-terrorism communications weapons” cell phones, digital cameras, PDA’s, handheld personal computers, MP-3 recorders
and the like.”

Terrorists create human networks

Author: JT Smith

Lordbyron writes: “A great article on the hives of terrorist activity.. and networks.. really interesting perspective..

WashingtonPost.com.

Dell opens up new Dimension PC

Author: JT Smith

ZDNET: “Dell Computer launched on Monday the Dimension 8200, a new high-end, consumer-oriented desktop PC
designed for running 3D games, editing video and performing other intensive tasks.

Because high-end PC owners also tend to upgrade hardware over the lifetime of a PC, the Dimension 8200’s case
can be opened like a clamshell, without tools. The new design aims to increase the ease with which customers can
access the PC’s internal components, a Dell representative said. Its predecessor, the Dimension 8100, is no longer
for sale.”

Category:

  • Unix