
Debian security announcements

Author: JT Smith

A quartet of security announcements from Debian, detailing a buffer overflow
condition with xloadimage (details), a number of
vulnerabilities in various LDAP implementations (details), an output
handling exploit affecting netkit-telnet (details), and remote
exploit problems with fetchmail (details).

Category:

  • Linux

Open Source stock report: Not a good week for tech

Author: JT Smith

By Dan Berkes
Stocks took a minor beating this week as Cisco profits plummeted 99 percent and
the U.S. Federal Reserve hinted at recessionary times ahead. IBM gets another grid project,
software spending inches up, and Red Hat wants to sell you a suite. Also: Watch
Sun spin!

The bigger picture
This was not a fun week to be an investor, especially one with a tech-heavy
portfolio. On Tuesday, Cisco Systems spooked Wall Street with its fourth quarter
earnings — a paltry $7 million and 99 percent lower than its 4Q 2000 earnings.
The company also warned that it was far from hitting bottom, and that its
earnings situation would likely decline in the future. That’s nearly all it took to
send tech stocks on a wild ride this week.

On Wednesday, the U.S. Federal Reserve released its “beige book” report, which
showed a continuation of the economic slump in the United States. Daring to use
the “R” word, the report did in fact note that the economy is teetering on the
brink of a recession. Combine Cisco’s earnings with a doom-and-gloom report from
the Fed, and the stock indexes inched lower for the rest of the week.

Not as low as it could go, however: The herd is spooked, but there’s something
about fear and uncertainty that’s drawing the buyers to market. Stocks certainly
haven’t plummeted as much as pundits have predicted at the start of recent
sessions. Of course, end-of-week speculation that the Fed might slash interest
rates one more time certainly didn’t hurt Friday’s performance.

At the Friday bell, the Nasdaq closed at 1,956.47, under the 2,000 mark for the
first time in several months, and losing 110 points for the week. The Dow Jones
Industrial Average rang the bell at 10,416.25, gaining a respectable 117 points
from Thursday’s close, but still down 96 points from the end of business on
August 3.

Nasdaq compensates for June outage
At least 111 Nasdaq-traded stocks had their opening and closing prices for June
29 changed, due to a trading outage that day. The changes could affect a
stock’s 52-week high or low price. Complete lists of the adjustments made
can be found at Nasdaq Trader.

The future isn’t bright for hardware sales
When data researchers at IDC released preliminary numbers on hardware
spending last month, they predicted an increase in sales for the fourth quarter of
2001 and a turnaround starting in 2002. With new data available, IDC has
revised its forecast for the PC market, predicting a small amount of growth during
2002, but holding off recoveries for major markets, including the United States,
until 2003.

Software spending inches up
Consumers may not be upgrading their hardware as often as they used to, but
they’re still buying software in record numbers. According to a report from NPD INTELECT
Market Tracking issued earlier this week, 69.65 million software units — in the retail
channel, at least — were sold by stores in the
first half of 2001, beating the 69.6 million figure for the same period in 2000.
Revenues from those sales increased slightly, too, ending at $2.77 billion, up
from $2.74 billion last year.

The type of software being purchased speaks volumes about the current state of
the economy, not to mention computer security. Users are keeping an eagle
eye on their budgets during the economic slump, buying plenty of financial
software to keep track of their dollars and cents — not to mention the
annual April rush to file income tax reports. The popularity of always-on broadband
connections like DSL and cable, coupled with growing concern over viruses,
contributed to a leap in the purchase of security-related software.

Red Hat moving to services
North Carolina’s Red Hat Inc. is moving into the field of services
with its first e-commerce suite. The software is
fairly common for an Open Source deployment: Apache Secure Web server,
PostgreSQL database, and of course Red Hat’s Linux distribution. What Red Hat is
really selling with this setup is a simple and painless installation experience,
tightly integrated application functions, and dedicated support from its staff.
For all this, Red Hat is hoping that plenty of medium-size businesses will spend
about $3,000 each, once every year.

Big bucks for Big Blue
Distributed computing has taken off in a big way, and IBM has found itself in
the right place at just the right time to take advantage of that fact. Last
week, the company said it would create a supercomputing grid, with Linux as its operating system of choice.
This week, the National Science Foundation awarded
the company a contract to construct four Linux-based
supercomputer clusters to power its own grid, to be called the Distributed
Terascale Facility. When completed in late 2002, the DTF grid will be 1,000
times faster than Deep Blue, the supercomputer that defeated chess master Garry
Kasparov in 1997.

Are you being served?
While consumers aren’t splurging on the latest systems, the picture is slightly
— very slightly — different on the business end of the market. Last Friday,
Gartner Group Dataquest released its latest assessment
of the server market, showing strong gains for Dell
and IBM. The worldwide server market showed a modest 0.7 percent growth for the
most recently concluded quarter, and Compaq is still top dog, with 26.7 percent
of server market share, followed by Dell with 18 percent, and IBM with 16.7
percent.

Those numbers show a year of strong growth for the two companies. Dell’s server
sales have jumped by 20 percent over the past 12 months, and IBM eked out a
respectable 10 percent increase for the same period. That growth comes at the
expense of other companies, of course: Sun Microsystems lost 15.4 percent, and
Hewlett-Packard fell 10.6 percent.

Sun spins, enhances Solaris
Sun Microsystems still managed to find good news in the Gartner report, and
issued a press release
to tell the world it captured the number one slot for the Unix
storage market. The company’s Unix-based storage efforts “continued to outpace
the overall market and increased by over 27 percent in 2000, to over $3.2
billion.” The company attributes its success in this market category to strong
sales of its T3 StorEdge arrays.

The company beefed up its Solaris 8 Operating Environment
on Monday, introducing three new
enhancements to make configuring and updating Solaris installations easier for
administrators. The update includes Live Upgrade 2.0, which loads software in a
manner that allows the system to continue running; the Network Cache
Accelerator, promising a fivefold performance increase for Web servers; and
Enterprise Dynamic Host Configuration Protocol, capable of managing IP addresses
for up to several hundred thousand clients.

Wind River floats high-availability software
Investors seemed to be mildly pleased with Wind River’s Monday announcement
of high availability (HA) extensions for its VxWorks AE embedded
operating system. Called Foundation HA, the extensions support development work
for the VxWorks AE OS on a number of operating systems and computer platforms,
including Solaris and Red Hat.

Who’s suing who
Or who’s announcing who’s going to be sued. Here’s a handy list of class action
suits and related legal announcements made this week:

Millberg Weiss have announced a securities class action suit against TV recorder maker TiVo Inc. on
behalf of all individuals who purchased shares of the company between September
1999 and December 2000.

Schiffrin & Barroway
have announced a class period for similar reasons and the same time-frame, and
once again for TiVo.

Stull, Stull, & Brody
have Caldera in their sights, announcing a class action suit on behalf of
investors who purchased securities between March and December 2000.

Each case alleges that the defendants violated federal securities laws by
failing to tell investors that some underwriters had solicited and received
excessive, confidential commissions from certain investors. Those investors
were supposedly required to purchase additional shares of each company after the IPO,
sometimes at higher prices, causing the share price to rise to
artificially-inflated levels so that lead investors could then sell their shares
at higher prices. The nice one-word explanation for this practice on Wall Street
is “laddering.”

Here’s the stock picture in the Open Source world this week:

Date          Nasdaq     Dow
Fri – 8/03    2047.62    10512.78
Mon – 8/06    2032.51    10401.31
Tue – 8/07    2013.75    10458.74
Wed – 8/08    1966.36    10293.50
Thu – 8/09    1963.32    10298.56
Fri – 8/10    1956.47    10416.25

Company Name               Symbol     8/10 Close   8/2 Close
Apple                      AAPL       19.02        19.50
Borland Software Int’l     BORL       12.97        12.49
Caldera International      CALD       0.73         0.75
EBIZ Enterprises           EBIZ.OB    0.12         0.14
Hewlett Packard            HWP        25.10        25.29
IBM                        IBM        104.95       108.18
MandrakeSoft               4477.PA    €6.30        €6.19
Merlin Software Tech.      MLSW.OB    0.18         0.195
Red Hat                    RHAT       3.81         4.04
Sun Microsystems           SUNW       16.22        17.72
TiVo                       TIVO       6.90         7.00
VA Linux Systems           LNUX       2.00         2.20
Wind River Systems         WIND       14.95        15.72

Category:

  • Open Source

Code Red III detected in South Korea

Author: JT Smith

Reuters: “The Code Red computer worm has shown up in a third, more
dangerous form, South Korea’s Information and Communication Ministry said Friday. “About 10 damage reports have come in which were believed to
have been the result of the latest Code Red III,” said Ko
Kwang-sup, an official at the ministry.”

Category:

  • Linux

Debian: netkit-telnet buffer overflow

Author: JT Smith

Posted at LinuxSecurity.com: “The telnet daemon contained in the netkit-telnet_0.16-4potato1 package in
the ‘stable’ (potato) distribution of Debian GNU/Linux is vulnerable to an
exploitable overflow in its output handling.
The original bug was found by , and announced to
bugtraq on Jul 18 2001. At that time, netkit-telnet versions after 0.14 were
not believed to be vulnerable.
On Aug 10 2001, zen-parse posted an advisory based on the same problem, for
all netkit-telnet versions below 0.17.
More details can be found on http://www.securityfocus.com/archive/1/203000 .
As Debian uses the ‘telnetd’ user to run in.telnetd, this is not a remote
root compromise on Debian systems; the ‘telnetd’ user can be compromised.”

Category:

  • Linux

The Linux Cookbook

Author: JT Smith

xcyber writes, “The Linux Cookbook contains Tips and Techniques for Everyday Use!
Over 1,500 time-saving recipes and hints for busy modern computer users!

Available for free at http://dsl.org/cookbook/ or http://cookbook.xcyber.org/ (unofficial mirror.)”

ApacheWeek: Threading models in Apache 2.0

Author: JT Smith

A new issue of ApacheWeek is out. Among the items: “The main topic of discussion for the last month has continued to be the problems with the threaded MPM in Apache 2.0. The CVS
tree was tagged twice to make test releases of 2.0.21, and 2.0.22, but both releases were abandoned after problems found during
testing. Despite these problems, as a testament to the increasing stability of Apache 2.0, the server currently running on
apache.org has been serving requests for over nine days, through many restarts.”

Category:

  • Open Source

Live Web broadcast scheduled for SDMI challenge presentation

Author: JT Smith

The USENIX Association announced today that it has teamed up with Web based technology magazine Dr. Dobb’s TechNetCast to broadcast live the presentation of the highly debated SDMI research findings.
The presentation is part of the USENIX Security Symposium being held in Washington, DC on August 15 – 17, 2001. The paper, written by a team of researchers from Princeton and Rice Universities, will be followed by a panel discussion, featuring research team lead Dr. Edward Felten, to discuss the impact on the computing industry of the research and the legal proceedings the paper has recently endured.
“This is an issue that concerns a much wider audience than only those attending the conference,” said USENIX Executive Director Ellie Young. “USENIX has always been dedicated to moving technical information out of research and into the public eye. The impact of this paper and the discussion about legal freedoms it has generated are topics that our members and the public have asked be made available to them. That’s what this live broadcast aims to do.”
The live broadcast is scheduled to run on Wednesday, August 15, 2001, from six o’clock to seven thirty Eastern time. Users will be able to access the presentation in both RealVideo web stream and Ogg Vorbis, a general purpose, compressed audio format that is also a non-proprietary, patent and royalty-free alternative to MP3.
“The use of Ogg Vorbis underscores the importance of the availability of free software technologies for the distribution of rich media content over the internet,” said TechNetCast Producer Philippe Lourier. “Dr. Dobb’s has always believed that the open dissemination of source code and research information helps build better software and technology. Using these resources to make public an event that could not be distributed through traditional empowers technology users to make informed choices. And it matches the spirit of the presentation itself.”
Both the audio and RealVideo web stream broadcasts can be accessed at http://www.technetcast.com/sdmi-challenge.html. Viewers will also have on-demand access to the recordings in the TechNetCast archives immediately after the broadcast.
For more information about the live web broadcast or to inquire about complimentary press badges to the USENIX Security Symposium, please contact Monica Ortiz at 415-990-5513 or email monica@usenix.org.
About the USENIX Association
USENIX is the Advanced Computing Systems Association. For over 25 years, it has been the leading community for engineers, system administrators, scientists, and technicians working on the cutting edge of the computing world. USENIX conferences are the essential meeting grounds for the presentation and discussion of technical advances in all aspects of computing systems. For more information about the USENIX Association, visit http://www.usenix.org
10th USENIX Security Symposium
August 13 – 17, 2001
Washington, DC
www.usenix.org/events/sec01

Cryptographer: Sklyarov case shows business outweighs First Amendment

Author: JT Smith

By John Leyden
The Register

Noted cryptographer Bruce Schneier has produced a damning critique of the way the Digital Millennium Copyright Act was used to jail Russian software researcher Dmitry Sklyarov.

Schneier, chief technology officer of Counterpane Internet Security and inventor of the Blowfish algorithm, will argue in the next issue of his Crypto-Gram email newsletter that the Sklyarov case shows the DMCA is being used to restrict basic freedoms of speech.

A copy of his essay, which will be published on August 15, was sent by Schneier to the Register in order to raise awareness of the ramifications for security research raised by the case.

Although Sklyarov was released earlier this week on bail of $50,000, the prosecution against him continues and Schneier’s comments are interesting because they highlight some of the wider issues the case raises.

One of the main points Schneier makes is that provisions in the DMCA that allow for security research “which I and others fought hard to have included” are being ignored in the Sklyarov case and others, such as the DeCSS case against 2600 Magazine.

“What the DMCA has done is create a new controlled technology,” Schneier argues. “In the United States there are several technologies that normal citizens are prohibited from owning: lock picks, fighter aircraft, pharmaceuticals, explosives.

“In each of these cases, only people with the proper credentials can legally buy and sell these technologies. The DMCA goes one step further, though. Not only are circumvention tools controlled, but information about them are.”

Sklyarov was engaged in legitimate security research, Schneier said, but for highlighting the poor security of eBook readers, and working for a firm that develops software that “circumvents these ineffectual security systems” he ended up in jail.

Schneier recalls a case in the seventies when the government failed to get a restraining order preventing The Progressive from publishing an article containing technical information on H-bomb design.

He compares this to Sklyarov’s plight which he said illustrates that publishing critical research on digital rights management technology used to protect electronic books is viewed as “more serious than publishing nuclear weapon design information.”

This seems to go a bit far but makes the point that freedom of speech is going out the window in this case, or as Schneier puts it: “Welcome to 21st Century America, where the profits of the major record labels, movie houses, and publishing companies are more important than First Amendment rights.”

Schneier compares the actions of the entertainment industry with the ill-fated attempt of the U.S. National Security Agency to restrict access to encryption technology in the 1990s.

Both the NSA’s actions then and the entertainment industry’s use of the DMCA now show a willingness to resort to unconstitutional methods, Schneier argues.

“The entertainment industry is fighting a holding action, and fear, uncertainty, and doubt are their weapons,” Schneier writes, “The DMCA is unconstitutional, but they don’t care. Until it’s ruled unconstitutional, they’ve won. The charges against Sklyarov won’t stick, but the chilling effect it will have on other researchers will.”


All Content copyright 2001 The Register

Red Hat looks beyond Linux

Author: JT Smith

Reuters (via ZDNet) reports that Red Hat will branch out beyond Linux by announcing Friday the Red Hat E-Commerce software collection, a broadening of its business plan to embrace other Open Source software tools.

Category:

  • Linux

Debian: fetchmail memory corruption

Author: JT Smith

Posted at LinuxSecurity.com: “Salvatore Sanfilippo found two remotely exploitable problems in
fetchmail while doing a security audit. In both the imap and pop3 code
the input is not verified and used to store a number in an array. Since
no bounds checking is done this can be used by an attacker to write
arbitrary data in memory. An attacker can use this if he can get a user
to transfer mail from a custom imap or pop3 server he controls.”
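The bug class the advisory describes, an untrusted message number from the server used as an array index with no bounds check, is easy to miss in protocol parsing code. The following is an added example written for this page, not fetchmail's source: it reconstructs the pattern in a minimal form (a vulnerable store next to a hardened one) under assumed response formats, an IMAP `* N FETCH (RFC822.SIZE M)` line and a POP3 `N M` LIST line, and an assumed table size of eight entries.

```c
/*
 * Added illustrative example (not fetchmail's code): a client stores
 * per-message sizes reported by the server in a fixed table, indexed by
 * the message number the server itself supplies. The response formats
 * and MAX_MSGS are assumptions for the sake of the example.
 */
#include <stdio.h>
#include <string.h>

#define MAX_MSGS 8   /* assumed capacity of the per-session size table */

/* Parse "* <n> FETCH (RFC822.SIZE <size>)" (IMAP) or "<n> <size>" (one
 * line of a POP3 LIST reply). Returns 1 on success, filling *num and *size. */
int parse_size_line(const char *line, long *num, long *size)
{
    if (sscanf(line, "* %ld FETCH (RFC822.SIZE %ld)", num, size) == 2)
        return 1;
    if (sscanf(line, "%ld %ld", num, size) == 2)
        return 1;
    return 0;
}

/* VULNERABLE: the server-supplied message number is trusted as an index.
 * A hostile server answering "* 100000 FETCH (RFC822.SIZE 4096)" makes the
 * client write 4096 into sizes[99999], far outside the table; a number of
 * 0 or less writes before it. The value written is attacker-chosen too. */
int store_size_vuln(long *sizes, const char *line)
{
    long num, size;
    if (!parse_size_line(line, &num, &size))
        return -1;
    sizes[num - 1] = size;           /* no bounds check on num */
    return 0;
}

/* HARDENED: the index must fall inside the table the client allocated
 * (1..count) and the size must be non-negative; anything else is treated
 * as a protocol violation and the line is rejected. */
int store_size_safe(long *sizes, long count, const char *line)
{
    long num, size;
    if (!parse_size_line(line, &num, &size))
        return -1;                   /* malformed line */
    if (num < 1 || num > count)
        return -2;                   /* index outside the table */
    if (size < 0)
        return -3;                   /* nonsensical size */
    sizes[num - 1] = size;
    return 0;
}

/* Byte offset from the start of the table that the vulnerable store would
 * write to for a given line; shows the attacker's control over the write
 * without actually performing it. Returns -1 for a malformed line. */
long vuln_write_offset(const char *line)
{
    long num, size;
    if (!parse_size_line(line, &num, &size))
        return -1;
    return (num - 1) * (long)sizeof(long);
}

int main(void)
{
    long sizes[MAX_MSGS] = {0};
    /* Constructed sample responses: one honest, one from a hostile server. */
    const char *honest  = "* 3 FETCH (RFC822.SIZE 1234)";
    const char *hostile = "* 100000 FETCH (RFC822.SIZE 4096)";

    store_size_safe(sizes, MAX_MSGS, honest);
    printf("honest line: sizes[2] = %ld\n", sizes[2]);
    printf("hostile line: hardened store returns %d; the vulnerable store "
           "would write %ld bytes past the start of an %zu-byte table\n",
           store_size_safe(sizes, MAX_MSGS, hostile),
           vuln_write_offset(hostile), sizeof sizes);
    return 0;
}
```

The fix is the range check, not the parser: the client knows how many messages it asked about, so any index outside that range is the server lying. A production version should also parse with `strtol` and check `errno` for overflow, since `sscanf` on an out-of-range number is undefined behaviour.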

Category:

  • Linux