22nd > February > 2002 Archive

Checkout the OS-free PCs at walmart.com

We are indebted to CNET for the news that walmart.com is to experiment with selling PCs without operating systems i.e. a whole lot cheaper than their Windows-loaded counterparts. The arch-discounter is offering nine (own-brand?)Microtel PCs for sale online, with prices - sans monitor, as well as OS - ranging from a bargain basement $399 for 1GHz Duron and Celeron models, all the way up to $868.74 for a 2GHz P4 replete with 256MB of SDRAM. The idea of the Windows-free promo is to attract tech- savvy custom at a time when consumer PC sales are flatter than a flat pancake. The idea is that buyers can install their own operating system - maybe open source, maybe a license from an dead PC (but make sure you have all the documentation, folks). The risk is that Wal-Mart's mass-market demographic will buy OS-naked PCs only to discover to their chagrin that they have to shell out buckaroos for WindowsXP - at retail prices. This what Steve Baker, a analyst quoted by CNET reckons, anyhow. Also, he thinks that tech-savvy customers shun walmart.com in favour of more geek-friendly online retailers. Wal-Mart is now officially the world's biggest company by revenues, overtaking Exxon for the first time in 2001. Geeks shop there, surely, along with the rest of America, a substantial swathe of the UK, and a hefty (but unprofitable) slice of Germany. In our opinion, tech-savvy does not = overclocking, self-building power user, necessarily, certainly not on every occasion. There's the children, the inlaws, the neighbours who ask Mr. Tech Savvy what PC can they buy for $600 or less, and could he(it's probably a he) help them get it started? And geeks who want cheap new machines, not necessarily for themselves, will find their way to walmart.com, maybe through price comparison engines, maybe through word of mouth, maybe through in-store flyers, maybe through the link above. And when they get their OS-naked PCs what will they do next? Our guess is that the majority will load them up with pirate versions of Windows, as opposed to Linux distros. Selling PCs without their operating systems, particularly at the retail level, is a great no-no, so far as Microsoft is concerned. It knows that it has probably lost the sale forever - certainly for the life of that escaped PC. MS can easily keep its major PC vendors in line, and it can by carrot and stick, keep the vast majority of smaller system builders from straying too far from the pre-loaded OEM OS fold. WalMart is a different matter: Microsoft will have to be really, really nice if it is to persuade the shopping monster to change its mind, should this OS-free PC zone prove successful. ®
Drew Cullen, 22 Feb 2002

US Air traffic safe from hackers – FAA

Computer security weaknesses in the U.S. air traffic control network that have dogged the Federal Aviation Administration since 1998 have been substantially closed, the FAA's CIO said Thursday, but the agency needs more funding to continue the effort. "I think we've made a lot of progress in the last couple of years," said Daniel Mehan, speaking on a panel at the RSA Conference in San Jose, Calif. "I think, for example, it is safe to fly... But we can not continue it without getting substantial aid from the administration and Congress." The FAA was criticized in a September, 2000, GAO report for not performing background checks on IT contractors, failing to install intrusion detection systems, and not performing adequate risk assessments and penetration tests on agency systems. It was the third time in as many years that the agency had flunked an audit by Congress' investigative arm. "Until FAA addresses the pervasive weaknesses in its computer security program, its critical information systems will remain at increased risk of intrusion and attack, and its aviation operations will remain at risk," the 2000 report concluded. Mehan outlined the FAA's current cyber security practices, which include maintaining redundant systems, seperating administrative networks from control networks, and using "firebreaks" as a hedge against viruses and worms that might get into an internal network. "At FAA we believe in layers of protection," said Mehan. "So you contain any attack in certain parts, and then use redundancy as a backup." The FAA update offered a grounded moment in a panel that brought together five lawmakers and government officials to ponder a question that could have been ripped from a supermarket tabloid: "Which is the greatest threat to our well-being: intercontinental nuclear missiles or cyber terrorism?" That question went unanswered, but some on the panel seemed to favor the latter. "Certainly intercontinental missiles are an issue," said Rep. Mike Honda (D-CA). "But I think that we have infrastructure ways to protect ourselves... Whereas cyber terrorism, I question how much knowledge and protection we have." "Clearly, the threat is real," said Rep. Zoe Lofgren (D-CA). "Following September 11, Osama bin Laden reportedly spoke of attacking U.S. computers." The session continued the theme struck by the conference's opening keynote Tuesday, when White House cyber security czar Richard Clarke urged industry to spend more money on information security, lest America's enemies launch devastating cyber attacks on the electric power grid, telecommunications networks and air traffic control systems -- all of which he said relied on the Internet. Panelists unanimously expressed support for the White House's belief in terrorist hackers, though Mehan -- perhaps unwittingly -- contradicted one of Clarke's assertions. "Our air traffic does not use the Internet," he said. © 2002 SecurityFocus.com, all rights reserved.
Kevin Poulsen, 22 Feb 2002

Most SNMP vulns quietly lurking

It's been over a week since CERT released a seemingly endless list of devices and software products containing SNMP vulnerabilities discovered by Finnish University of Oulu researchers, and to date very little bad has happened, no doubt to the disappointment of most news agencies. As the story drops off the media radar screen, it's important to keep in mind that threats to your system can't be measured by the amount of mainstream press coverage they receive. The PROTOS auditing suite developed by the Finnish researchers has been available for download at least since the original CERT advisory, and possibly longer. This means that while things are quiet, there's no question that industrious members of the blackhat development community are using it to advantage. For example, the PROTOS tool doesn't include a buffer overflow exploit, but researchers working with SANS were able to come up with a working buffer overflow to get root access to several versions of Linux in about two hours, Counterpane Security Architect Tina Bird remarked receltly. "It's safe to say that they're not the only people who were able to do that," she added wryly. Linux and Solaris are definitely vulnerable to root access exploits, primarily via buffer overflows. But this won't always be easy to detect. "Most messages in SNMP manager logs indicate test cases that don't jam the system up, but don't fit what the listener is expecting. It [merely] creates an error message that it can't understand the data," Bird says. "An attacker who actually knows which test cases are causing the problem is going to write an exploit that only uses those. He's not going to take the system down." For this reason there may be serious SNMP attacks that go unnoticed for some time, until everyone gets accustomed to looking for the signs. "One of the problems with system monitoring is that it's generally much easier to see attacks that fail than it is to see attacks that succeed," Bird notes. Another useful tip from Counterpane: if SNMP is disabled on Solaris and the system is subsequently patched, it's possible that the patch will re-enable it, so this has to be checked. There's another free SNMP scanner available, called SNScan from Foundstone. It will take lists of IPs, but apparently not machine names. It also runs only on Windows, like SNMPing from SANS. Both tools will scan a wide range of equipment, however. Again, the best single source of information and links to vendor bulletins is the CERT advisory, which has been updated over forty times since it was created last week. ® Related stories SNMP exploit causes printers to jam Why your vendor has no SNMP fix Scanning for SNMP vulnerabilities The SNMP fiasco: steps you need to take Serious network security holes surface
Thomas C Greene, 22 Feb 2002

Three new MS security holes – two nasty

First up, the mildest of the three. Microsoft XML Core Services (MSXML) may ignore IE security zone settings during a request for data from a Web site, meaning that an attacker could request data from the user's local drive. It would be necessary for the attacker to know the path to the file being sought, and he would have only read privileges. HTML e-mail seems not to be vulnerable to this sort of attack. The hole exists in the XMLHTTP ActiveX control, which "allows Web pages to send and receive XML data via HTTP operations such as POST, GET, and PUT." Supposedly there are security mechanisms to prevent abuse, but they're obviously not quite comprehensive. This affects XML versions 2.6, 3.0, and 4.0, and means that SQL Server 2K, Win-XP and IE6 are vulnerable. The patch is available via Windows Update. Further details may be found in the MS bulletin. Next, we have a defective ISAPI filter in Commerce Server 2000 which can lead to a root compromise. The so-called AuthFilter, which suports several types of authentication, contains an unchecked buffer. Those who have deployed the URLScan tool successfully will not be vulnerable to root compromise, but are still vulnerable to DoS attacks. The vulnerability does not affect IIS; it exists in an added 'feature' in Commerce Server only. Users may consult the MS bulletin for further details here, and obtain the patch here. Finally, and worst of all, we have a little problem with VBscript in Internet Explorer 5.01, 5.5, and 6.0 which could allow an attacker to read files on a victim's local drive, or eavesdrop on his browsing session. The defect essentially allows scripts in one domain to access the contents of another domain in a frame, the MS bulletin explains. This could enable an attacker to glean personal information like login names and passwords, and credit card details. It's also possible for an attacker to exploit this hole with HTML e-mail. Since MS won't let you switch off HTML rendering in Outlook and Outlook Express (the spam lobby won't allow it), you'll just have to activate Windows Update and fix your browser, which will in turn fix your e-mail client. Those using IE 5.01 SP2 can only get relief with Win-2K service packs and security roll-up packages. Those with IE versons earlier than 5.01 SP2 are completely out of luck. You'll have to upgrade. How about to Linux? ®
Thomas C Greene, 22 Feb 2002

NTL Sells Aussie unit for $442m

NTL Inc, the debt-laden cable operator, is to sell its Australian business to the Macquarie Bank for $442m cash, eliminating $118m of bank debt from its balance sheet and allowing the company to focus on the European market. NTL Australia's network passes 98% of the country's population, and generated $62m revenue and $27m EBITDA in 2001. The unit also owns a 51% stake in NTLT, a microwave network carrier operated on the east coast of Australia with joint venture partners WIN Television and Southern Cross Broadcasting. The transaction is believed to be a part of NTL's commitment to restructure the $17bn of debt it currently labors under. Early this month, the company hired Credit Suisse First Boston, JPMorgan and Morgan Stanley to help it sort out its balance sheet. Among the possible saviors being touted in the financial press are a debt-for-equity swap, a merger with rival Telewest Communications Plc or investment from Telewest parent Liberty Media Corp. © ComputerWire.com. All rights reserved.
ComputerWire, 22 Feb 2002

V21 to hand cash to Barnardo's

The boss of Surrey-based ISP V21 has pledged to donate cash to children’s charity Barnardo’s. Steve Kaye wouldn't say exactly how much money would be handed over but it's understood that it could run into a four figure sum. "We’re talking thousands, not hundreds," he said. Confirmation of Mr Kaye’s generosity should draw a line under a bitter row that has erupted on ISPReview bulletin board. Almost two weeks ago someone using the moniker "Elmer_Fudd" asked Mr Kaye how much cash he had given to Barnardo’s. Elmer pointed to story published by Computeractive last year in which V21 said it would "donate 10p to the Barnardo's charity for every new user it signs up". Keen to know more, Elmer asked: "Could you please tell us how much Barnardo's actually got from V21?" Mr Kaye refused to say and replied: "The deal between V21 and Barnardo's has nothing to do with any one apart from the two parties involved." However, his refusal to say how much had been donated only served to increase pressure on V21 to reveal the extent of its generosity. Those pressing for an answer have contacted Barnardo’s and even emailed politicians in a bid to get an answer. A spokeswoman for Barnardo’s told The Register that she was aware of the donation but didn't know how much was involved. "We're definitely expecting a sum of money," she said. ®
Tim Richardson, 22 Feb 2002

Sun goes after Windows NT base With Cobalt servers

Sun Microsystems this week announced a program to convince customers using Intel-based servers running Microsoft Windows NT to support infrastructure workloads such as web serving to move to its Linux-based Cobalt RaQ or Qube server appliances, Timothy Prickett Morgan writes. Sun hopes to tap into a large customer base, accounting for - possibly - millions of installed servers running Windows NT, which does not necessarily want to move to Windows 2000 Server or Advanced Server, much less future Windows Server.NET releases. Microsoft retired Windows NT Server 4.0 Enterprise Edition and its Client Access licenses last October, and stopped selling regular editions of Windows NT Server 4.0 in November. While there are several loopholes which allow customers to buy Windows 2000, downgrade to Windows NT, and then upgrade at some future time to Windows 2000, this is probably too much of a hassle for a lot of companies to contemplate, especially now that they are several years more experienced with Web technologies. Sun is counting on the simplicity of the Cobalt server appliances to be attractive to NT shops, and seems to think that this alone will give it some business. (Sun sold 100,000 Cobalt servers last year, which is a pretty good number, even by Wintel standards.) But Sun isn't counting on the appeal of simple appliances with a streamlined Linux operating system over a general purpose Windows operating system - and one that is often the victim of viruses and other kinds of attacks from hackers - to get prospective customers' attention. At the end of February, Sun will launch an NT Upgrade Campaign that will run until June 30 - the end of Sun's fiscal 2002 year - that will give customers discounts of up to 20% on Cobalt RaQ and Qube appliances if they make the jump from NT-based servers. The NT Upgrade Campaign will offer discounts on Cobalt RaQ XTR appliances, which come with an 850MHz X86-compatible processor, 256 MB of memory, and 60GB of disk capacity. This machine costs $3,299. Discounts will also be available for the Cobalt RaQ 4i, a more modest machine with a 450MHz processor and 20GB of disk, that sells for $1,749 and the RaQ 4r, which is the same machine with 40GB of disk that sells for $2,199. As the name suggests, these RaQ servers are rack-mounted servers that come equipped with Linux and Apache web servers and other popular infrastructure programs. The Qube servers are designed for regular companies, not service providers, and are used as Internet and intranet web servers. The Business Edition of the Qube server costs $1,499 and has a 300MHz X86-compatible processor, 64 MB of memory, and 40 GB of disk capacity. It comes with a Sendmail email server, an Apache web server, and a web caching server. The machine also has the Interbase 6, MySQL and Postgres open source databases preinstalled. The Professional Edition of the Qube server has a 450MHz processor, 128MB of memory, and mirrored 40GB disks; it sells for $2,099. For most customers, the cost of the Cobalt solution, including hardware, will be less than the cost of buying new Intel hardware and upgrading to Windows 2000 from Windows NT. © ComputerWire.com. All rights reserved.
ComputerWire, 22 Feb 2002

CA cans updates for free personal AV package

Computer Associates (CA) is to cease providing updates for its free InoculateIT Personal Edition (IPE) anti-virus software on May 15. CA stopped taking on new users for IPE in June last year and replaced it with the eTrust EZ Antivirus subscription service; at the time it advised users that support was to be continued at no cost for existing users of IPE who chose not to migrate. In breaking this undertaking CA argues that viral activity on the Internet has made IPE obsolete. Nothing to do with cost, then? To sweeten the pill for users considering a move from IPZ to eTrust EZ Antivirus, CA offers the product for $9.95 with an annual renewal charge of $9.95 (half the normal price in both cases). In more expansive times, several AV vendors offered cut-down AV packages free to personal users. CA's IPE was the best known of these packages. The number of such free packages has fallen, but there are still a fair few left, Reg readers inform us. Grisoft's AVG AntiVirus is Windows XP compatible and is recommended by many of you. Trend Antivirus also does a free online scanning service for home users. AntiVir personal edition was also mentioned in dispatches, as is ActiveScan from Panda Software. ® External links CA's announces death of InoculateIT Personal Edition
John Leyden, 22 Feb 2002

Compaq pumps up AlphaServer 4-way benchmarks

Unix server vendors just love benchmarks, which means, we guess that their corporate clients think they're pretty important to. Compaq is no exception, even as its own Alpha CPU platform begins the slow fade into oblivion. Yesterday, the company issued a press release proclaiming that all-important TPC-C benchmark score for a 4-way AlpaServer ES45 - a record for the four-processor class. Better still, the configuration sets a new price/performance for all UNIX systems, we are informed. The test system incorporates 4 1GHz Alpha CPUs and Tru64 Unix. It ran Oractestle9i Enterprise Edition for Tru64 UNIX and hit 50,117tpmC (transactions per minute). This equates to a price/performance figure of $15.24/tpmC. You can find out more about the benchmarks here. Compaq has a tricky transition to pull-off - it is committed to converting customers from Alpha to Intel Itanium. But get it wrong, and customers will simply go elsewhere - to IBM, Sun and HP. There is no question about the technical stability of the Alpha platform, or about its competitive price/performance(although it will be interesting to see how the Unix server vendors will fare on this criterion, once Intel's McKinley, the latest, and soon-to-launch iteration of the Itanium, and Hammer, AMD's not-quite- so-soon to launch 64-bit platform, start rocking). Compaq's problem is one of perception: this is why it so keen to promote performance improvements and customer wins for the Alpha platform. To this end it names the Pittsburgh Supercomputing Center as a trophy client. This site clusters 760 ES45 units using 3,000+ Alpha CPUs integrated into one bloody big system, Compaq has also wheeled out our chum, Terry Shannon, publisher of Shannon Knows Compaq, the estimable US-based industry newsletter, for a helpful spin on the capability of the AlphaServer ES45. From him we learn that this Compaq box is suitable both for rapidly processing computationally-intensive applications and for specialised systems to analyse data. Many other vendors, by contrast, concentrate on systems optimised for one or other role. Compaq Alphaserver systems consistently fulfil both needs better than the competition, according to Terry. ®
Drew Cullen, 22 Feb 2002

TUPE or not TUPE, that is not the question

Computacenter and BT fall foul of TUPE? Contrary to the claim in the article, BT has followed the requirements under TUPE. An informal discussion about this work area took place between BT and senior union officials in the middle of last year and the option of becoming involved in a deal of this kind was never removed from our agenda. At the end of September 2001, BT issued a 'commercially confidential' Invitation to Tender, for proposals to provide managed desktop services, currently being carried out internally within BT. A number of parties expressed interest and, following a review of proposals, an initial preferred supplier was identified late in December 2001. BT met the unions, in advance of the announcement that we would be going ahead with the partnership with Computacenter, on 22 January 2002. The formal announcement was made on 30 January 2002. The timing of our consultations with the unions in this case is consistent with our approach in previous exercises of this type, with early informal advice of the activities being considered for outsourcing followed by a widening of the interest group, including the unions, when a viable approach is developed and a partner identified. In BT Retail, we firmly believe we are complying with all legislative requirements for the proposed transfer and will ensure we continue to do so despite the CWU’s current stance of balloting for industrial action. We have confirmed in writing to the unions that we will abide by Regulation 10 of the Transfer of Undertakings (Protection of Employment) Regulations 1981, which places an obligation on employers to consult with the recognised trade unions long enough before transfer to enable meaningful consultation to take place. We have set demanding timescales but have told the unions at our many meetings that we will not finalise the transfer until we have met our obligations under TUPE. We believe this can be best achieved through constructive dialogue and the removal of the CWU's threat of industrial action. BT Retail values its relationship with the unions and our people and we have dealt constructively and successfully with the CWU on a number of TUPE transfers across the BT Group. We are confident we will be in a position to meet all of our obligations under the legislation. We have now met the unions several times and have arranged a series of further meetings with the unions and Computacenter over the next few weeks in advance of the transfer. In moving forward BT Retail's transformation activities, we will continue to have discussions and consultations with the unions on the people implications. The unions play a vital role and we will continue to have open discussions with them and seek to reach agreement in every way we can. ®
BT, 22 Feb 2002

Beware the bogus domain sellers

Punters are warned to be on their guard against dodgy domain name sales tactics. Some unscrupulous sales people are calling up companies and individuals whose domains names are nearing renewal and trying to pester them to renew them on the spot. Others are being cold-called and told that someone is trying to register their domain name and they should snap it up there and then. In both cases punters are warned they could lose their domains if they don't cough up there and then. "Such calls are, frankly, highly suspicious," said Lesley Cowley, deputy MD of Nominet UK the national Registry for all domain names ending .uk. "If you want a domain name, whether for use now or in the future, shop around to find an ISP who will register and look after it for you at a price you are willing to pay. "The market is very competitive, with plenty of choice - you don't need to be bounced into accepting an offer made in an unsolicited telephone call," said Cowley. So there. Don’t say you ain't been warned. ®
Tim Richardson, 22 Feb 2002