Enterprise Linux Log - A SearchEnterpriseLinux.com blog

A blog for Linux administrators covering Red Hat, SUSE, Ubuntu, Linux in data centers, Oracle Linux, Linux vs. Windows, Linux vs. Unix, interoperability, migration, the Linux kernel and more.

Microsoft Vista vs. Linux desktops: An IT pro sounds off

The thought of moving to Microsoft Vista has put many Windows users into a panic, writes Ubuntu Linux user and IT pro Fred Marsico, the chief technology officer of Quantum Mechanics R&D in Corvallis, Ore., in this guest blog post.

In trade mags and blogs, I have read about the Vista-versus-Linux issue, and it’s now my turn to say something.

Since December, I have used Ubuntu Desktop. Aside from the fact that I have no virus warnings, no malware and no bots downloading themselves, it has been business as usual. I use OpenOffice and have no problems with reading and writing MS Office documents. My old Windows Me PC would not let me do that with a new version of MS Office, and of course that meant upgrading to XP as a prerequisite before installing Office. Total cost would have been about $300.

My wife has an older HP notebook running Windows XP Media Center. I chuckle as she reboots each time she gets an update or adds and removes programs. I have been running nonstop with only one required restart for a patch to the Linux kernel.

I read all of these horror stories about Vista on the blogs and comments on many sites about the same. I also see many intentionally derogatory messages posted by Windows users on the open source sites. According to them, Linux is for geeks; “normal” people don’t need to constantly tweak settings and such, as Windows is “automated.” This means that all of Windows software installs without much intervention.

In an honest comparison, it is true that Linux would greatly benefit from an InstallShield application that would make software installs and removal ubiquitous, but I also remember when Windows users complained about the same things.

Another point to ponder is that most of the back-end computers handling banking and ATMs are running Linux. And regarding security, if the banks trust Linux, we should have no problem doing so too.

With faster and multiple-core processors used today, I would have thought that Vista would have been written from the ground up with optimization in mind. With the hefty hardware requirements, it seems Vista is now the most bloated version Microsoft has rolled out to date. Just because I have 2 GB DDR RAM and a 100 GB HDD does not mean that I want my OS to hog most of them. I thought it would make having several applications running concurrently faster, and cause fewer hangs and crashes.

With the end of the software’s service life rapidly approaching, Windows XP users are panicked. They dread the thought of moving to Vista. Many are starting to look at the Mac OS or Linux as an alternative. Perhaps Bill Gates stepped down because he could foretell the future, and it begins to look like Microsoft is faltering.

With the state of affairs as it is, software developers should move to open source in droves. They can still write proprietary code, and can still sell it at retailers and online.

They just won’t have to pay homage to Microsoft. Monopoly software is dead; long live open source!

Linux on the desktop: Soon, but not yet

This blog was contributed by SearchEnterpriseLinux.com expert Sander van Vugt.

At Novell Inc.’s annual BrainShare user conference in Salt Lake City, I talked to Guy Lunardi, one of the most important guys behind Novell’s SUSE Linux Enterprise Desktop (SLED). I had one pressing question for him. I showed him my new Dell XPS laptop, which has a lot of fancy stuff and runs Windows Vista out of the factory (since that is the only OS that will allow me to use all the fancy stuff). So I asked him, “When will I install SUSE Linux on that?”

He responded, “Sander, if you go to a shop, buy a Vista DVD and install it on your laptop, do you think it will all work?” The answer was of course not.

When you introduce new hardware, one of the major issues is driver support. “Currently we are talking a lot with the people that develop the devices that are in these new computers to make sure that Linux drivers will be available,” Lunardi explained. “We help them wherever we can and it’s only getting better. It helps that we have some major customers like the Peugeot car manufacturer in France that demand specific functionality. They ask [for] a feature, we’ll make sure they get it and the result of all the effort will be in our new software.”

So there have been lots of developments recently. As a result, when it comes out later this year, openSUSE 11 will be as good as Windows Vista in supporting devices. “But,” Lunardi assured me, “you’ll always have to complete the installation of your operating system by downloading and installing additional drivers. That’s the case for Linux, [just] as it is the case for Windows.”

Fair enough. I’ll give it a try when openSUSE 11 comes out.


Ubuntu Hardy Alpha 4 release coming January 31

We have good news for those awaiting the next version of Ubuntu Linux. Alpha 4 of Ubuntu 8.04 (Hardy Heron) is to be released on January 31, 2008, and the list of bugs is getting smaller every day. Among the new features in Alpha 4 is the Firefox 3 beta as the default browser, which brings some new visual effects and functional features. The Alpha 3 website will link to Alpha 4 when it is available. Canonical does not offer support services for these pre-release builds (but you probably already knew that).

Look for a release candidate in April 2008 for Ubuntu 8.04 Server.

Ubuntu Releases Alpha Version of Server 8.04

The first alpha release of the next version of the increasingly popular Ubuntu Linux is now available. The build is clearly marked as not ready for production, but it offers a sneak peek at the next release, 8.04, expected in April 2008. You can also report bugs through the public bug tracker, should you choose. I installed the alpha release, Hardy Heron Alpha-1, which was generally indistinguishable from other Ubuntu releases, namely the Gutsy 7.10 release.

Some takeaway notes about this alpha release: it includes X.Org 7.3 for the X Window System and pulls in some Debian changes as well. It uses kernel 2.6.22, which is the same as Gutsy 7.10. Comparatively, Red Hat Enterprise Linux 5.1 is on the 2.6.18 kernel and Novell SUSE is on the 2.6.16.21 kernel. If you use Ubuntu 8.04 Server, keep in mind that out-of-tree kernel modules built against a specific kernel version, such as the VMware Tools modules in a guest operating system, will need to be recompiled when the kernel changes.

Canonical Ltd. does not support the alpha releases of Ubuntu, which is to be expected. When 8.04 is released after the community development process is complete, Canonical will support the final product.

More information about the Ubuntu release can be found at:  http://www.ubuntu.com/testing/hardy/alpha1

Security alert: Remote Code Execution in Samba’s nmbd

Samba release manager Jerry Carter once told me that the majority of “bugs” in Samba that get reported by users are actually misconfigurations of that user’s system, or a problem with Microsoft Windows, and are not the fault of Samba.

In one of the rare tips I’ve written for SearchEnterpriseLinux.com, Carter said the next time a user comes knocking on your door with an Access Denied error message and blames it on Samba, tell them to slow down. Most of the time, it’s not Samba’s fault, he said. “Our motto is ‘Bug for bug, feature for feature, we are completely compatible with Microsoft Windows,’” Carter said.

However, Carter also said that if there was a legitimate bug, the Samba team had no problem admitting it existed and working posthaste to get it resolved. Today the Samba team did exactly that: it published a security advisory for a flaw in Samba’s nmbd, together with a patch to fix it.

Description
===========

Secunia Research reported a vulnerability that allows the execution of arbitrary code in nmbd. The defect can only be exploited when the “wins support” parameter has been enabled in smb.conf; the parameter is disabled by default.

Patch Availability
==================

A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 3.0.27 has been issued as a security release to correct the defect.

Workaround
==========

Samba administrators may avoid this security issue by disabling the “wins support” feature in the host’s smb.conf file and restarting nmbd so the change takes effect. Note that this removes the host’s WINS server role, so clients that point at it for NetBIOS name resolution will need another WINS server until the patched release is deployed.
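To make that workaround auditable across many hosts, here is a small Python checker written for this post; it is not Samba project code. It parses the [global] section the way Samba treats this parameter (case-insensitive name, embedded whitespace ignored, ‘#’ and ‘;’ comment lines, last assignment wins, yes/true/1 and no/false/0 as booleans) and flags a host that both enables wins support and runs a release older than 3.0.27. The sample configurations and host versions are constructed for the demonstration. The version comparison is only indicative: distribution packages often backport a fix without changing the version string, so a hit means “check your vendor advisory”, not “confirmed vulnerable”.

```python
"""Audit an smb.conf for the setting that exposes nmbd in this advisory.

Added example for this post; not Samba project code.  Reads the [global]
section following the rules Samba applies to this parameter: names are
case-insensitive and ignore embedded whitespace, lines starting with '#'
or ';' are comments, the last assignment wins, and the boolean accepts
yes/true/1 and no/false/0.  Parameters appearing before any [section]
header are treated as global (assumption), and "wins support" defaults to
"no".  Sample configurations and host versions below are constructed.
"""
import re

TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}
FIXED_VERSION = "3.0.27"  # security release named in the advisory


def parse_global(text):
    """Return {normalised parameter name: value} for the [global] section."""
    section = "global"  # assumption: leading parameters belong to [global]
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.*)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        key = re.sub(r"\s+", "", name).lower()  # "Wins Support" -> "winssupport"
        params[key] = value.strip().lower()      # last assignment wins
    return params


def wins_support_enabled(text):
    """True when the host acts as a WINS server, i.e. the exposed configuration."""
    value = parse_global(text).get("winssupport", "no")
    if value in TRUE_WORDS:
        return True
    if value in FALSE_WORDS:
        return False
    raise ValueError("unrecognised boolean for 'wins support': %r" % value)


def parse_version(version):
    """Split '3.0.26a' into (3, 0, 26, 'a') so releases compare in order."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$", version)
    if not m:
        raise ValueError("unexpected Samba version string: %r" % version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_exposed(conf_text, samba_version):
    """Exposed = WINS server role on and the running release predates the fix.

    Vendor packages may backport the fix without bumping the version, so a
    True here means 'check the vendor advisory', not 'confirmed vulnerable'.
    """
    unpatched = parse_version(samba_version) < parse_version(FIXED_VERSION)
    return wins_support_enabled(conf_text) and unpatched


# Constructed sample configurations, not taken from any real host.
VULNERABLE_CONF = """
[global]
   workgroup = EXAMPLE
   ; this box is the WINS server for the LAN
   Wins Support = Yes
[homes]
   browseable = no
"""

SAFE_CONF = """
[global]
   workgroup = EXAMPLE
   wins support = no
   # wins support = yes   <- commented out per the advisory's workaround
[public]
   path = /srv/public
"""

if __name__ == "__main__":
    for label, conf, version in (("fileserver-a", VULNERABLE_CONF, "3.0.26a"),
                                 ("fileserver-b", VULNERABLE_CONF, "3.0.27"),
                                 ("fileserver-c", SAFE_CONF, "3.0.26a")):
        print(label, version, "EXPOSED" if is_exposed(conf, version) else "ok")
```

Feed it the real smb.conf text and the output of `smbd -V` from each host; the parser deliberately does not strip inline comments, because Samba itself only honours comments at the start of a line.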

Credits
=======

This vulnerability was reported to Samba developers by Alin Rad Pop, Secunia Research.

The time line is as follows:

  • Oct 30, 2007: Initial report to security@samba.org.
  • Oct 30, 2007: First response from Samba developers confirming the bug along with a proposed patch.
  • Nov 15, 2007: Public security advisory made available.

“Our Code, Our Bugs, Our Responsibility.” – The Samba Team

BIND 9.4.2 RC2 is now available

Fresh from yesterday’s news file, BIND 9.4.2rc2 is now available for download. This is a maintenance release candidate for BIND 9.4. If you are upgrading from BIND 9.4.2rc1, the BIND developer team strongly encourages you to read the README file before doing anything.

BIND 9.4.2rc2 can be downloaded from:

ftp://ftp.isc.org/isc/bind9/9.4.2rc2/bind-9.4.2rc2.tar.gz

The PGP signature of the tarball, together with PGP-signed SHA-256 and SHA-512 digests, is at the following locations; verify the signature against the ISC key (below) before unpacking or building:

ftp://ftp.isc.org/isc/bind9/9.4.2rc2/bind-9.4.2rc2.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.4.2rc2/bind-9.4.2rc2.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.2rc2/bind-9.4.2rc2.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is available at

http://www.isc.org/about/openpgp/pgpkey2006.txt

A binary kit for Windows 2000, Windows XP and Windows Server 2003 is at:

ftp://ftp.isc.org/isc/bind9/9.4.2rc2/BIND9.4.2rc2.zip
ftp://ftp.isc.org/isc/bind9/9.4.2rc2/BIND9.4.2rc2.debug.zip

The PGP signature of the binary kit for Windows 2000, Windows XP and Windows Server 2003, with signed digests, is at:

ftp://ftp.isc.org/isc/bind9/9.4.2rc2/BIND9.4.2rc2.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.2rc2/BIND9.4.2rc2.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.2rc2/BIND9.4.2rc2.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.4.2rc2/BIND9.4.2rc2.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.2rc2/BIND9.4.2rc2.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.2rc2/BIND9.4.2rc2.debug.zip.sha512.asc

There were also a number of bug fixes, which are listed at the BIND homepage.

BIND security update, end of life for version 8.0

There are a couple of BIND notifications and updates this morning that I thought I’d share with you. The first is a security notification from the Internet Systems Consortium, which oversees the BIND project.

I. Description: ISC (Internet Systems Consortium) BIND 8 generates cryptographically weak DNS query IDs which could allow a remote attacker to poison DNS caches.

This bug only affects outgoing queries, generated by BIND 8 to answer questions as a resolver, or when it is looking up data for internal uses, such as when sending NOTIFYs to slave name servers.

From the ISC BIND security page:

“The DNS query id generation is vulnerable to analysis which provides a high chance of guessing the next query id. This can be used to perform cache poisoning by an attacker.”

All users are encouraged to upgrade (see below — jack)

II. Impact: A remote attacker could predict DNS query IDs and respond with arbitrary answers, thus poisoning DNS caches.

III. Solution: Upgrade or Patch

This issue is addressed in ISC BIND 8.4.7-P1, available as patch that can be applied to BIND 8.4.7.

The more definitive solution is to upgrade to BIND 9. BIND 8 is being declared “end of life” by ISC due to multiple architectural issues. Please see ISC’s website at www.isc.org/sw/bind/bind8-eol.php for additional information and tools. Note that BIND 8.x.x is End of Life as of August 2007.
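To show why a guessable query ID alone is enough to poison a cache, here is a toy race in Python, added for this post (not ISC code). The weak generator is a hypothetical linear congruential sequence standing in for “predictable”; it is not BIND 8’s actual algorithm. The attacker first makes the resolver query a name the attacker is authoritative for, which reveals one genuine query ID, then sends a burst of forged replies for the target name. The same attacker is then run against a resolver that draws IDs from a CSPRNG. Source ports and timing are left out so the comparison isolates the contribution of the ID field.

```python
"""Why predictable query IDs matter: a toy cache-poisoning race.

Added illustration for this post; not ISC code.  The weak generator is a
stand-in for "predictable", not BIND 8's real algorithm.  Model: the
resolver sends each outgoing query with a 16-bit ID and accepts the first
reply carrying that ID.  The attacker observes one genuine ID by having the
resolver query a name the attacker controls, then fires `budget` forged
replies for the target name.  Source ports and timing are ignored.
"""
import random
import secrets

ID_SPACE = 1 << 16          # the DNS message ID is a 16-bit field
A, C = 25173, 13849         # hypothetical LCG constants for the weak generator


class WeakIdGenerator:
    """Each ID is a fixed function of the previous one (hypothetical LCG)."""

    def __init__(self, seed):
        self.state = seed % ID_SPACE

    def next_id(self):
        self.state = (self.state * A + C) % ID_SPACE
        return self.state


class StrongIdGenerator:
    """Each ID is drawn independently from the OS CSPRNG."""

    def next_id(self):
        return secrets.randbelow(ID_SPACE)


def predict_next(observed):
    """Attacker's model of the weak generator: replay its recurrence."""
    return (observed * A + C) % ID_SPACE


def forged_ids(observed, budget, rng):
    """IDs carried by a burst of `budget` forged replies: the prediction
    first, then random fill so the whole budget is always spent."""
    guesses = {predict_next(observed)}
    while len(guesses) < budget:
        guesses.add(rng.randrange(ID_SPACE))
    return guesses


def poison_success_rate(gen, attempts, budget, rng):
    """Fraction of attempts in which some forged reply's ID matched the query."""
    hits = 0
    for _ in range(attempts):
        observed = gen.next_id()   # ID of the query to the attacker's domain
        target = gen.next_id()     # ID of the next query, for the victim name
        hits += target in forged_ids(observed, budget, rng)
    return hits / attempts


def compare(attempts=2000, budget=100, seed=1):
    """Run the same attacker against both resolvers and return the success
    rates next to the blind-guessing baseline budget / 2^16."""
    rng = random.Random(seed)
    return {
        "weak": poison_success_rate(WeakIdGenerator(seed), attempts, budget, rng),
        "strong": poison_success_rate(StrongIdGenerator(), attempts, budget, rng),
        "blind_baseline": budget / ID_SPACE,
    }


if __name__ == "__main__":
    for name, rate in compare().items():
        print("%-15s %.4f" % (name, rate))
```

With the predictable sequence the forged reply wins every race; with independent random IDs the attacker is back to roughly budget/65536 per attempt, which is the whole value of the fix.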

On that last note, we have an end-of-life update (re: 2008) from ISC about BIND 8.

Due to the continuing level of effort required to support BIND 8, ISC has decided to change the status of BIND 8 to ‘end of life’.

ISC strongly encourages users who depend on BIND 8 to migrate to BIND 9 as soon as possible.

It’s never easy to retire a product. The security issues of BIND 8 are many, and 7 years after the release of BIND 9, ISC must devote our efforts to maintaining and enhancing the current version. BIND 9 was always intended as a replacement for BIND 8, thus there are no more BIND 8 releases planned beyond 8.4.7-P1, being released today.

Please see ISC’s website at http://www.isc.org/sw/bind/bind8-eol.php for additional information and migration tools.

BIND releases get version number facelift

According to the BIND mailing list, the Internet Systems Consortium (ISC) is making a minor change to the way it numbers BIND releases in order to simplify the upgrade process for its users. More from that mailing list email follows.

The current BIND version numbering scheme consists of three part numbers.

Current Release 9.4.1:

  • 9 - an architecture number,
  • .4 - a major release number, and
  • .1 - a minor release number.

Within the BIND 9 architecture series, major releases can and usually do include “feature” changes (new functionality, new named.conf syntax, etc). Minor releases do not include feature changes, only bugfixes.

Minor releases fall into 2 categories: Security releases and roll-up bugfix releases.

1) Security releases generally consist of the absolute minimum necessary change from the previous release making it easier for users to upgrade quickly, as security releases are usually time critical.

2) Roll-up bugfix releases include whatever bugfixes have accumulated since the last release, and can include a large number of changes. Most of these changes are usually relatively small but the volume of new code in a roll-up bugfix release is generally much larger than in a security release.

Many organizations that use BIND code have rules of one kind or another about how often they can upgrade to new releases from vendors, so unscheduled releases are problematic. The current version numbering scheme also makes it hard for users who have not been following closely to tell the difference between security releases and roll-up bugfix releases.

To facilitate the upgrade process, the ISC and BIND community will begin calling security releases “patch” versions. Version numbers for patched releases will include the same three part version number with an appended patch number (Thus, the first patch to BIND 9.4.1 would be numbered BIND 9.4.1p1).

Security patches will be released both as patches and also as tarballs. Security patches will generally be the minimal change necessary to fix the security problem, so that users whose code vetting process requires them to read every new or changed line of code will be able to incorporate security-related bugfixes quickly.

Roll-up bugfix releases will continue as before as minor releases under the old version numbering scheme. Additionally, roll-up bugfix releases will include any security patches since the previous full release. For example, BIND 9.4.2 would include whatever patches were in BIND 9.4.1p1.

“We realize that any change to the version numbering of an existing product creates a certain amount of angst and confusion, but we think and hope that this revised version numbering scheme will be better for our users in the long run. Thank you for your patience and continued support,” the announcement said.
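The scheme is easy to get wrong in inventory scripts once pre-release tags and the patch suffix are mixed. The following Python helper, written for this post and not ISC code, orders version strings as the announcement describes: b < rc < final < patch within a minor release, and the next minor release ranking above the previous one’s patches, so 9.4.2 carries 9.4.1p1. It accepts both the “9.4.1p1” form used in the announcement and the “8.4.7-P1” form that appears earlier on this page. Whether a fix carries across into a different major series is not stated on the page, so the check reports that case as unknown rather than guessing. The fleet inventory is constructed.

```python
"""Order BIND version strings under the scheme described above.

Added example for this post; not ISC code.  Accepts "9.4.1p1" and
"8.4.7-P1" (patch), "9.4.2b1" (beta) and "9.4.2rc2" (release candidate).
Within one minor release the order is b < rc < final < patch; a later minor
release ranks above the previous one's patches, per the announcement's own
example that 9.4.2 includes 9.4.1p1.  Propagation of a fix into another
major series is not described on the page, so it is reported as unknown.
"""
import re

STAGE_RANK = {"b": 0, "rc": 1, "": 2, "p": 3}   # final release sits at 2
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?(b|rc|p)(\d+))?$", re.I)


def parse_bind_version(text):
    """'9.4.1p1' -> (9, 4, 1, 3, 1); '9.4.2rc2' -> (9, 4, 2, 1, 2); '9.4.2' -> (9, 4, 2, 2, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not a BIND version string: %r" % text)
    arch, major, minor = (int(m.group(i)) for i in (1, 2, 3))
    stage = (m.group(4) or "").lower()
    number = int(m.group(5)) if m.group(5) else 0
    return (arch, major, minor, STAGE_RANK[stage], number)


def is_security_patch(text):
    """True for 'patch' versions, i.e. the minimal security releases."""
    return parse_bind_version(text)[3] == STAGE_RANK["p"]


def includes_fix(installed, fixed_in):
    """Does `installed` carry the fix first shipped in `fixed_in`?

    True/False within the same architecture and major release, where the
    announcement defines the ordering; None when the series differ, because
    the page does not say how fixes propagate across major releases."""
    have, need = parse_bind_version(installed), parse_bind_version(fixed_in)
    if have[:2] != need[:2]:
        return None
    return have >= need


def audit(fleet, fixed_in):
    """Map hostname -> 'patched' / 'vulnerable' / 'unknown' for one fix version."""
    verdict = {True: "patched", False: "vulnerable", None: "unknown"}
    return {host: verdict[includes_fix(ver, fixed_in)] for host, ver in fleet.items()}


# Constructed inventory (hostname -> `named -v` style version), not real hosts.
FLEET = {
    "ns1": "9.4.1",
    "ns2": "9.4.1p1",
    "ns3": "9.4.2rc2",
    "ns4": "9.4.2",
    "ns5": "9.5.0",
}

if __name__ == "__main__":
    for host, status in sorted(audit(FLEET, "9.4.1p1").items()):
        print(host, FLEET[host], status)
```

The “unknown” verdict for ns5 is deliberate: an inventory script that silently assumes a 9.4 patch is present in 9.5.0 is guessing, and the release notes are the place to settle it.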