"We don't need cheaper security, we need better security," O'Dowd Repeats

"Several other proprietary operating system vendors have also committed to certifying their operating systems to EAL 7, but Linux has only achieved EAL 2. Even Microsoft Windows has achieved EAL 4."

Dan O'Dowd, founder and CEO of Green Hills Software, April 19, 2004

Yankee Group Report Uncovers "Linux Pessimism"

"[L]ast week, Yankee Group, a Boston-based consultancy owned by Reuters PLC, asked a tough question: how much does it really cost to migrate from Microsoft to Linux? In a survey of 1,000 information technology administrators and corporate executives around the world, the obvious technical merits of Linux were not deemed to be strong enough to overcome the financial costs involved in migration, especially for large enterprises. At best, the study said, smaller companies — 5,000 or fewer employees — would save more money with Linux than with Unix or Microsoft systems. The costs of migration come primarily from shifting the architecture from Microsoft to Linux.

But the (increasingly pessimistic) executives in the survey are chary of the changeover because they see a growing number of security threats against Linux, and they are put off by the high salaries that are required by experienced Linux administrators, who are few and in high demand. Many applications run happily on Linux, the survey found, but executives remain unconvinced that they are all mature enough to handle corporate needs."

Toronto Globe & Mail, April 15, 2004

Buffer Overflow in ISO9660 File System Component of Linux Kernel

"The Linux kernel performs no length checking on symbolic links stored on an ISO9660 file system, allowing a malformed CD to perform an arbitrary length overflow in kernel memory.

Symbolic links on ISO9660 file systems are supported by the 'Rock Ridge' extension to the standard format. The vulnerability can be triggered by performing a directory listing on a maliciously constructed ISO file system, or attempting to access a file via a malformed symlink on such a file system. Many distributions allow local users to mount CDs, which makes them potentially vulnerable to local elevation attacks.

In order to exploit this vulnerability, an attacker must be able to mount a maliciously constructed file system."

iDEFENSE Security Advisory, April 14, 2004

IBM Helps Bring Linux to e-Government in India

"The National Institute of Smart Government (NISG) and IBM India have signed a Memorandum of Understanding (MOU) to promote e-Governance at the national level. IBM will share with NISG its e-Governance Framework, which is based on platform independent, open source and open standards technologies including Linux. The Framework, which IBM developed as a result of numerous engagements with governments around the world, combines IBM's services, offerings, research and experience."

Sify.com, India, April 17, 2004

"Backporting" Isn't Good, Says SUSE's Juergen Geck

"SUSE's chief technology officer said he believes the practice of "backporting" features from the 2.6 Linux kernel into older versions is a "bad thing" because it interferes with standardization of the open source operating system.  During a keynote address at the Real World Linux Conference...Juergen Geck also chided industry players to avoid practices that could further fragment open source standardization efforts.

Geck's comments came just weeks after Novell, SUSE's parent company, offered its YaST (Yet another Setup Tool) systems management tools to the open source community under the widely used General Public License. The move was seen as a bid to improve SUSE's own competitive position - and market position - against its rival, number one Linux distributor Red Hat."

Reported at InternetNews.com, April 16, 2004

• Dan O'Dowd Reminds World of UNIX Creator Ken Thompson's Security Stunt