Linux-Advocacy Digest #565, Volume #26 Wed, 17 May 00 20:13:06 EDT
Contents:
Re: Microsoft finally gets the idea... almost (Charlie Ebert)
Re: X Windows must DIE!!! (Johan Kullstam)
Re: progamming models, unix vs Windows (Gary Hallock)
Re: HUMOR: CSMA has the Tholenbot... we should have the Templetonbot. (Marty)
Re: German Govt says Microsoft a security risk (Clueless Bozo)
Question ("Raul Valero")
Re: Microsoft finally gets the idea... almost (Rob S. Wolfram)
Re: Beowulf (mlw)
Re: Question (Bastian)
Re: Ten Reasons Why Syphon Sucks ("Colin R. Day")
Re: Question (Brian Langenberger)
----------------------------------------------------------------------------
From: Charlie Ebert <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: Microsoft finally gets the idea... almost
Date: Wed, 17 May 2000 22:39:15 GMT
[EMAIL PROTECTED] wrote:
>
> [EMAIL PROTECTED] (Rob S. Wolfram) writes:
>
> >The have been quite a few threads about the proper action on executable
> >content in email, as a result of the ILOVEYOU worm. What we (the *nix
> >advocates) have been saying all along is that the Outlook's behaviour
> >(launch executable content from the mail client) posed serious security
> >risks, as proven by the impact of the ILOVEYOU worm. We also stated that
> >this is nothing new, these risks have been warned for since rfc1341.
>
> What *really* strikes me as weird is that allegedly something like
> 65% of people opened the attachment. I mean, come on --- you start out
> with a mail with the title "ILOVEYOU". Not "I love you", not
> "I LOVE YOU", but just "ILOVEYOU". Would you *really* expect someone
> who might be in love with you to leave out any whitespace? How long
> have they been using email?
> Then, you look at the mail, and it contains absolutely *nothing* that
> personalizes it. You are not being addressed, heck, AFAIK, the whole
> thing doesn't even refer to one's gender at any time. And at the end,
> it says "please look at this loveletter from me".... Gimme a break!
>
> Now, *that* thing gets 65% of people. And as soon as you "open" the
> attachment, it has the run of your computer. So why stop with something
> as silly and obvious as that crap? Why not go for the full whammy --- look
> through the address book for addresses. Then look through the incoming
> mail folder (or archived mail) for the latest mails from these people.
> Look through the (archived) outgoing mail folder for mail *to* those
> people.
>
> Rip the "Dear Pete", "Distinguished Professor Feynman" or "Hi Jodie" from
> the last outgoing mail --- simply copy the first line, in 95% of cases
> that's what you are looking for.
> Then take the first (or second) paragraph from the last received mail,
> quote it, and add "I spent some time thinking about that issue, and I
> think you are right. I have put my thoughts into a document, which is
> attached to this email. I hope you might find it interesting".
> Rip the salutation from the last sent mail (the last non-empty line
> before the .signature, if it contains a ',', otherwise the last two
> non-empty lines).
> Name the attachment "thoughts.doc.vbs" (or exploit the latest ilk of
> Word Macro Virus, and make it just "thoughts.doc"), make the subject
> appear to be a reply to the last received message (possibly adding
> an "(again)" if you find that the last outgoing message on that subject
> postdates the last incoming one), and send it off.
>
> *That* I could see spreading around the world. *That*, while still malicious,
> is at least somewhat clever. But "ILOVEYOU"? PLEEEASE! You gotta be kidding!
>
> Bernie
>
> P.S.: And one might want to include and maintain a list of one-way hashes
> of the email addresses the thing sent itself to on its last 5 hops.
> That way, you can at least reduce the chance of hitting the same
> individuals over and over again, with messages that, while believable
> on their own, are similar enought to be noticeable when viewed in
> bulk.
> --
> The art of progress is to preserve order amid change and to preserve
> change amid order
> Alfred North Whitehead
I am shocked and in dis-belief that anyone in Microsoft admits they
have a security risk. In-fact, I refuse to believe it.
Charlie
------------------------------
Crossposted-To: comp.os.linux.x
Subject: Re: X Windows must DIE!!!
From: Johan Kullstam <[EMAIL PROTECTED]>
Date: Wed, 17 May 2000 22:39:15 GMT
[EMAIL PROTECTED] (Leslie Mikesell) writes:
> In article <[EMAIL PROTECTED]>,
> Johan Kullstam <[EMAIL PROTECTED]> wrote:
>
> >> He said he didn't want scaled fonts, although I don't understand
> >> why. The postscript and truetype fonts are going to be scaled
> >> unless you convert them.
> >
> >the reason i do not want scaled fonts is that they generally suffer
> >from severe raster damage. diagonal lines do not look like lines but
> >instead resemble sawblades or lightning bolts. i don't want a crappy
> >looking font.
>
> This isn't true in general for postscript or truetype scalable
> fonts. You either have poor quality outlines, low video resolution
> or you are thinking of rescaling bitmap fonts. They should
> rasterize to match whatever pixel size you have. You do have
> to throw some extra resolution at X to make the fonts as nice
> as MS windows with antialiasing but the scaling works fine.
> I haven't fiddled with it much but it looks like the RH 6.2
> distribution font server rebuilds its list automatically at
> startup so you should be able to just drop new fonts in the
> directory and restart it.
i tried the microsoft windows truetype fonts.
andale and courier new look ok per se. both leave little specs after
them. somehow X doesn't clean up after the fonts. courier new was
worse in this regard than andale.
--
J o h a n K u l l s t a m
[[EMAIL PROTECTED]]
Don't Fear the Penguin!
------------------------------
Date: Wed, 17 May 2000 18:52:38 -0400
From: Gary Hallock <[EMAIL PROTECTED]>
Subject: Re: progamming models, unix vs Windows
JEDIDIAH wrote:
> On Wed, 17 May 2000 20:13:31 GMT, Pete Goodwin
><[EMAIL PROTECTED]> wrote:
>
>
> >I must have missed something here - Linux still seemed to have
> >configuration spread all over the place.
>
> Only if you consider /etc and $HOME 'all over the place'.
>
> --
>
Linux (and Unix in general) does make is easy for backup. I just backup /etc and
/home.
Everything else can be restored from the installation disk plus a disk I keep of all
the RPMs I
have downloaded. The only exception I am aware of is /var/spool/lpd. I never have
understood why printer configuration is kept here instead of /etc. When I install a
new
version of Linux, I just backup /etc and /var/spool/lpd since /home is on a separate
partition
that won't be touched by the installation process.
Gary
------------------------------
From: Marty <[EMAIL PROTECTED]>
Crossposted-To:
comp.os.ms-windows.nt.advocacy,comp.unix.advocacy,comp.sys.mac.advocacy,comp.os.os2.advocacy
Subject: Re: HUMOR: CSMA has the Tholenbot... we should have the Templetonbot.
Date: Wed, 17 May 2000 22:57:06 GMT
Eric Templetonbot wrote (using a pseudotholen again):
>
> In article <3922db3e$[EMAIL PROTECTED]>, "Brian Lewis"
> <[EMAIL PROTECTED]> wrote:
>
> > "tholenbot" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > In article <[EMAIL PROTECTED]>, Marty <[EMAIL PROTECTED]>
> > > wrote:
> > >
> > > > Eric Bennett wrote (using a pseudotholen again):
> > > > >
> > > > > In article <8fk3j9$8g4$[EMAIL PROTECTED]>, "Stephen S. Edwards
> > > > > II" <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > If anyone on USENET ever wishes to emulate Templeton, as
> > > > > > some seem take great pride and joy in emulating Dave Tholen
> > > > > > (whom I know nothing of, outside of the opinions of others),
> > > > > > just simply follow these steps:
> > > > >
> > > > > Illogical. The true home of the tholenbot is comp.os.os2.advocacy.
> > > >
> > > > Incorrect. How typical.
> > >
> > > Evidence, please.
> >
> > $19.95 please (shipping and handling fees.)
>
> Jumping into a discussion, again, Brian?
See what he means?
> > > > Tholenbot always picks the right newsgroup for the
> > > > job. Sometimes that is COOA.
> > >
> > > The right "newsgroup"? How rich!
> >
> > On what basis do you claim that the "newsgroup" is "rich"?
>
> Taking jumping into discussion lessons from Curtis Bass again, Brian?
I see you failed to answer the question.
> How predictable.
How ironic.
> > > > At least you made no attempt to conceal your own misinformation.
> > >
> > > What alleged "misinformation"?
> >
> > Why, don't you know?
>
> I see that,
What you see is irrelevant, especially given your dirty glasses.
> in typical Brian "I Don't Answer the Question" Lewis
> fashion, you didn't answer the question.
How ironic, coming from someone who, in a typical Brian "I Don't Answer the
Question" Lewis fashion, failed to answer the question.
> > > > > On what basis do you claim that the lunatic is "on the grass"?
> > > >
> > > > Ask your grasshopper
> > >
> > > The grasshopper is in my head.
> >
> > What alleged "head"?
>
> If you hadn't jumped into the discussion,
The key word is "if".
> you would have recognized the correct head.
You are presupposing that he has "jumped into the discussion".
> > > On what basis do you claim that the lunatic is "on the grass"?
> >
> > Illogical.
>
> Yet again you fail to answer the question.
How ironic, coming from someone who yet again failed to answer the question.
> Of course, that is to be expected, coming from you.
As your illogic is to be expected, coming from you.
> Prove that there must be fifty ways to leave your lover, if you think you can.
How ironic, coming from someone who just "slipped out the back, Jack".
------------------------------
Date: Wed, 17 May 2000 19:06:12 -0400
From: Clueless Bozo <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.misc
Subject: Re: German Govt says Microsoft a security risk
It's all semantics. If any government decides to bust your balls, your ball
are busted unless you have the necessary resources to fight 'em.
CB
------------------------------
From: "Raul Valero" <[EMAIL PROTECTED]>
Subject: Question
Date: Wed, 17 May 2000 22:57:27 GMT
What does prevent Microsoft selling its own Linux distribution with
integrated browser (may even be IE), bonus packages (like Office)
and a propietary installed (as most distros do) ? Then, wouldn't this
be as monopolistic as Windows ? Just asking for opinion.
------------------------------
From: [EMAIL PROTECTED] (Rob S. Wolfram)
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: Microsoft finally gets the idea... almost
Date: 17 May 2000 23:11:55 GMT
Reply-To: [EMAIL PROTECTED]
R.E.Ballard ( Rex Ballard ) <[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] wrote:
>> What we (the *nix advocates) have been saying all along is that the
>> Outlook's behaviour (launch executable content from the mail client)
>> posed serious security risks, as proven by the impact of the ILOVEYOU
>> worm. We also stated that this is nothing new, these risks have been
>> warned for since rfc1341.
>
>Actually, this has been a concern ever since the first
>use of "shar" files back in the 1980s. Users were
>encouraged to "cut here" and then run the remaining file
>through a shell script which would then unpack uuencoded
>compressed files, and then execute them.
I think that's a complete different subject. Pulling the "shar" example
to the extreme, I could social engineer somewone to get some specific
source code from the Web, edit a Makefile, compile the code and run it.
And that code should blow the system to smithereens.
In case of executable content in email, the environment is set by the
email client, not the user. Your example is more comparable to
requesting me to pipe a perl attachment through perl myself.
>This was not significantly different from the Morris Internet
>Worm of 1987. Since that time, the use of automagically excuted
>scripts has been strongly discouraged.
Morris' worm had nothing to do with the automatic execution of a script.
It used three ways to spread, nameley a security breach in Sendmail
which allowed a DEBUG command and which would interpret these commands,
a gets() buffer overflow in fingerd and a dictionary attach using rexec.
I really don't see the comparison with requesting a user to execute a
hostile shell script.
>> Still Erik Funkenbusch felt the need to "relativate" (sorry, English
>> is not my native tongue) the behaviour as: not being Windows specific
>> and
>
>Actually, Erik is right. The UNIX community had problems with
>people downloading binary files that had what we now call viruses
>in them, and executing them. In some cases, the shar script would
>even remove all traces of itself.
The difference is that Erik uses this as an excuse, which is misplaced.
Executing email content seems to be possible with non-Windows MUAs (I've
been told that dtmail can execute shell scripts) but it certainly is not
common practice in Unix. Using the mailcap facility is. On Windows this
behaviour /is/ common practice (at least for Outlook Express, Pegasus
and Eudora).
>A particularly nasty one was to set up routing loops using aliases.
This is still possible (via .forward) but most MTAs these days drop the
mail after reaching a treshold. Sendmail surly does.
>> Still, it seems that Microsoft has finally seen the light on this
>> one. They are patching Outlook to not launch executable content
>> anymore
>
>It's about time! Microsoft has been bitten by three viruses
>that were based on the simple fact that Outlook would open
>attachments and execute the interpreter or executablee without
>providing insight to the content.
At least 4, ILOVEYOU, Melissa, ExploreZip and Happy99. It might just as
well have been more than these.
>> Not only will you be prevented to launch a dangerous attachment, you
>> are completely rejected access to it. You don't have to be a
>> psychology guru to understand that this will be considered a major
>> hindrance and thus not be installed by many Outlook users. This might
>> well mean that we get back to square 1.
>
>The problem with e-mail attachements is that e-mail can be faked.
>By forcing a would-be virus circulator to provide a link to the
>questionable content, and to provide it in a format that can be
>unwrapped using ZIP, as opposed to what appears to be self-extracting
>zip (exe) files, you have a means for tracing the content back
>to a verifiable source. e-mail is so prone to aliasing, redirection,
>and spoofing, that it should be considered to be from "anonymous
>hacker".
By not executing the content from the MUA but forcing it to be saved
first, you reduce the risk to "social engineering" cases. This is
clearly a lot better than playing some NetNanny and refusing the user to
even /view/ the attachment. Such "security patch" will be removed by the
user. It just that simple.
>> I think people should be able to /view/ executable
>> content (as far as it is viewable)
>
>bad idea. Better to detach it to a file, examine it with a
>debugger or binary file examiner, or the appropriate text editor,
>than to hap-hazardly begin executing a script that may do anything
>from ship your password to your competitors all the way to
>reformatting your hard drive.
I've been able to view perl scripts from Mutt without being at risk
anytime. I *did* say /view/.
>> from the mail client, but not launch it from there.
>
>Therin lies the rub. One of the advantages to object oriented
>systems is that the reader is associated to the content. But
>since the nature of a viewer is to cause a file to be displayed,
>one must assume that a script file will be displayed by executing
>the script.
So in fact we're saying the same thing? If I double-click on
LOVE-LETTER-FOR-YOU.TXT.vbs from within the email client, I expect to
see it in Notepad or Wordpad. I do not expect it to execute, but I /do/
expect to be able to see it in Notepad or save it to disk. I don't need
the NetNanny in Redmond to tell me that any .vbs content is too
dangerous for me to even see in Notepad.
>> They should also be able to save the attachment
>> and still lanch it from a shell.
>
>maybe by adding a warning message as you are about to detach
>the file - you can add the "step ladder warnings" - "THIS FILE
>MAY CONTAIN CONTENT THAT COULD DAMAGE YOUR COMPUTER AND THE COMPUTERS
>OF MANY OTHERS IN YOUR ORGANIZATION, PLEASE REVIEW THE SOURCE CODE
>CAREFULLY BEFORE EXECUTING, EVEN THEN, THE USER EXECUTES THIS FILE
>AT THEIR OWN RISK.
Where do you draw the line? Should /every/ executable on the system warn
me of a potential danger first and request my input before starting up?
>Unfortunately, users who know what they are doing
>fall into two catagoories:
>
> Those who really know what they are doing and wouldn't assume
> the risks and responsibilities of doing the open.
>
> Those who think they know what they are doing, but are stupid
> enough to permit themselves to open executables and scripts
> without examining the source code.
Yes, but the latter ones could also download a zipfile from some
website, unpack it and run the hostile code within. Should Microsoft
also forbid access to Website because you could possibly download
hostile code? I think not.
Cheers,
Rob
--
Rob S. Wolfram <[EMAIL PROTECTED]> PGP 0x07606049 GPG 0xD61A655D
Linux is obsolete
-- Andrew Tanenbaum
------------------------------
From: mlw <[EMAIL PROTECTED]>
Subject: Re: Beowulf
Date: Wed, 17 May 2000 19:19:48 -0400
DeAnn Iwan wrote:
>
> mlw wrote:
> >
>
> > > * allows each user to specify a virtual machine from the nodes running
> > > pvm
> > I'm not sure what you mean by this.
> >
>
> Once you've enabled PVM, each user/program started can be configured
> with a different subset of the available nodes (cpus that you have login
> permission and PVM configured). So you can start one job with 8 of 16
> nodes in a "tight" cluster, you can start another on your workstation
> with the local supercomputer as part of the virtual machine, etc. If
> you take a look at the online manual, that may make it more clear.
I suspected that this what was meant, but I did not want to assume. MPI
does this as well.
> That's where the "virtual" in virtual machine comes from, I guess.
> (www.netlib.org/pvm3/book/pvm-book.html (PVM: Parallel Virtual Machine,
> A User?s Guide and Tutorial for Networked Parallel Computing) As long
> as a networked machine has a version of PVM ported to it, it can become
> part of some user/job's virtual parallel machine. I don't know if MPI
> does this or not.
>
> PVM also supports NT, if you have NT users who want to be a part of
> the machine.
>
> PVM transfers data by a combination of UDP and TCP/IP. So it has a
> higher overhead than a more specialized protocol.
>
> Try the PVM newsgroup for better information on PVM
> (comp.parallel.pvm)
--
Mohawk Software
Windows 9x, Windows NT, UNIX, Linux. Applications, drivers, support.
Visit http://www.mohawksoft.com
"We've got a blind date with destiny, and it looks like she ordered the
lobster"
------------------------------
From: [EMAIL PROTECTED] (Bastian)
Subject: Re: Question
Date: 17 May 2000 23:27:13 GMT
On Wed, 17 May 2000 22:57:27 GMT, Raul Valero wrote:
>What does prevent Microsoft selling its own Linux distribution with
>integrated browser (may even be IE), bonus packages (like Office)
>and a propietary installed (as most distros do) ? Then, wouldn't this
>be as monopolistic as Windows ? Just asking for opinion.
One word: strategy. Well, and another one: greed.
If M$ sells Linux, they decrease the amount of Windoze and NT copies
sold, which they certainly wouldn't want to be compensated by good
Linux sales, as they have all power over their own OS's.
Moroever, if the users got the taste of how fast Linux is and how
well it works, they'll sooner or later go to a cheaper alternative
instead of buying the expensive M$ Linux. M$ would have lost them
twice: first as Windoze users and second as M$ customers.
By the way, M$ would be forced to sell Office as a separate product,
ie. not bundled with the OS (or even exclusively running on let's
call it "Lindoze"). If M$ Office becomes available for Linux, it's
going to become even more commonly used.
It would never be monopolistic (like Windoze), because you can go
into a store and buy a burned Linux CD (which would certainly be
compatible with Lindoze) for virtually nothing. There's a huge amount
of competitors.
Bastian
------------------------------
From: "Colin R. Day" <[EMAIL PROTECTED]>
Subject: Re: Ten Reasons Why Syphon Sucks
Date: Wed, 17 May 2000 23:33:30 +0000
mlw wrote:
> Raul Valero wrote:
> >
> > > Neither is IE.
> >
> > Tell its faults assuming it runs under as GNU/Linux stable OS, like
> > Windows NT or Windows 2000. Do not say underlaying system faults
> > are IE faults and tell us several of them. I am not advocating Microsoft,
> > just haven't found a better browser than IE.
>
> But M$ claims that IE is part of the OS, as such, faults in IE must be
> faults in the OS, according to M$. If, however, you insist that IE
> faults are not OS faults because IE is not part of the OS, then you
> should be mad as hell at M$ because you know M$ is lying to you, the
> government, the courts, and the American people, and you should boycott
> M$ out of principle. (Unless of course you have no sense of honor and/or
> patriotism)
>
Hmm, according to his email address, Senor Valero is from Spain, so his
patriotism isn't at stake.
>
> --
> Mohawk Software
> Windows 9x, Windows NT, UNIX, Linux. Applications, drivers, support.
> Visit http://www.mohawksoft.com
> "We've got a blind date with destiny, and it looks like she ordered the
> lobster"
Colin Day
------------------------------
From: Brian Langenberger <[EMAIL PROTECTED]>
Subject: Re: Question
Date: 17 May 2000 23:37:07 GMT
Raul Valero <[EMAIL PROTECTED]> wrote:
: What does prevent Microsoft selling its own Linux distribution with
: integrated browser (may even be IE), bonus packages (like Office)
: and a propietary installed (as most distros do) ?
Nothing - depending on what you mean.
: Then, wouldn't this
: be as monopolistic as Windows ? Just asking for opinion.
If IE is "integrated" into Linux to the point where the
two cannot be separated (some sort of kernel module, perhaps?),
Microsoft would be required to publish the source for it
under terms of the GPL. If IE is a separate entity, there's
nothing preventing anyone from using it under a different
brand of Linux - thus eliminating the monopoly situation.
Much like WordPerfect will run under non-Corel Linux.
Microsoft is free to build their own Linux distribution
(AFAIK...Linus even encouraged it at one point), but the
nature of the OS prevents them from using it as a lever
to crowd out other competition. In fact, no single
entity - not even Linus - can monopolize the Linux OS
by the virtue that anyone can access its source,
make changes to it, and redistribute it without
further restriction under the GPL.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.advocacy) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Advocacy Digest
******************************
