June 2000
On the 5th of May I went into my office and started to read the 400-odd mail messages that had arrived overnight. One of them was obviously spam, judging by the title:
193 04-05-2000 Lennart Blomstrom To 'E-mail' ( 204) ILOVEYOU
It was clear from the gratuitous quotes around the To: name that this message was sent with a Microsoft MUA, but I was intrigued, so I took a look. What I got was:
[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.1K --]
kindly check the attached LOVELETTER coming from me.
[-- Attachment #2: LOVE-LETTER-FOR-YOU.TXT.vbs --]
[-- Type: application/octet-stream, Encoding: quoted-printable, Size: 11K --]
[-- application/octet-stream is unsupported (use 'v' to view this part) --]
This was a message in two parts: the first attachment was a single line of plain text just pointing to the second attachment, which was of unknown type: application/octet-stream is just a catchall for any kind of data which doesn't have its own name, so you have to know what you're getting. Even Microsoft has specific application subtypes, such as application/msword, which describe the format of the data in the attachment. Oh well, I took a look at the attachment. It certainly wasn't a letter:
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / email@example.com / @GRAMMERSoft Group / Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting (etc)
But what is this stuff? It's obviously some obscure kind of programming language. I suppose the name ending in .vbs might say something to Microsoft systems, but it shouldn't: that information should be in the Content-Type: header.
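A mail-filter check for the mismatch described above, as an added example that is not part of the original article: it walks a message's MIME parts and flags named attachments whose filename ends in a script extension, noting when a harmless-looking extension precedes it and when the declared type is only the catch-all application/octet-stream. The extension lists, the function name and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from pathlib import PurePosixPath

# Assumed, non-exhaustive lists chosen for this example.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
               ".bat", ".cmd", ".exe", ".scr", ".pif"}
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf"}
GENERIC_TYPES = {"application/octet-stream"}


def audit_attachments(raw: bytes):
    """Return (filename, content_type, reasons) for each risky named part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or multipart container
        ctype = part.get_content_type()
        # Windows ignores trailing dots and spaces, so "x.vbs." still runs.
        suffixes = [s.lower() for s in PurePosixPath(name.rstrip(". ")).suffixes]
        if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
            continue
        reasons = ["script extension " + suffixes[-1]]
        if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
            reasons.append("decoy double extension " + "".join(suffixes[-2:]))
        if ctype in GENERIC_TYPES:
            reasons.append("catch-all type " + ctype + " hides what the data is")
        findings.append((name, ctype, reasons))
    return findings


# Constructed sample message; the attachment body is a harmless placeholder.
SAMPLE = b"""\
From: sender@example.com
To: reader@example.com
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: quoted-printable

rem placeholder body, constructed for this example
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

plain notes
--b1--
"""

if __name__ == "__main__":
    for name, ctype, reasons in audit_attachments(SAMPLE):
        print(name, ctype, "; ".join(reasons))
```

A filter built on this would quarantine or rename flagged parts before delivery rather than rely on the recipient's mail client to ignore the filename.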
Of course, the idea of actually executing this unknown program is ridiculous. We went through all that over a decade ago, when Robert T. Morris, Jr. let loose the famous Internet Worm and took down a whole lot of BSD systems. We hadn't paid much attention to security up till then, but we certainly did in the aftermath. Now, ten years later, it appears that people still haven't learnt. We have three major problems:
Microsoft actively encourages people to transmit executable programs. Sure, we can do that in UNIX as well, but we don't. That's not because UNIX runs on multiple platforms: more and more programs are being written in interpretative languages such as perl and tcl, and if this worm had been written in one of these languages, it would have the potential to damage UNIX systems as well as Microsoft systems. The real reason we don't transmit executable programs is that the whole idea is such a security risk that it seems completely absurd.
Microsoft has done nothing to protect systems. This isn't the first time that a massive security breach has been propagated by e-mail, yet their systems don't have any concept of security: the program can do whatever it wants. If I were designing an execution environment for executable mail attachments, I'd put it in its own directory and chroot it there, so that it couldn't access the rest of the system.
Users haven't learnt either. I heard that one British publisher has apparently lost all its image data, which was stored on disk. What would they have done if the disk had failed? This seems to be a general problem with Microsoft users: they don't make backups.
This message caused damage comparable in magnitude to Bill Gates' personal fortune. Who's to blame? Not really the perpetrator. We know how to stop this damage. In the UNIX world, we stopped it a decade ago. Microsoft knows about the dangers, but has done nothing to stop it.
It's a pity that the press didn't see this. I haven't heard a single mention in the press that the vendor of the software might be to blame. Even so, though, it makes the man in the street more aware of security issues, and that can only be to the benefit of secure operating systems.
On a different topic, I've been doing some work on describing the differences between BSD and Linux lately. Given the similarity between the systems, it's not surprising that people keep asking what the differences are. Here's the current state of a document I'm writing on the subject.
Any comparison has to be subjective, but I'm trying to be fair to everybody here. If you find something incorrect or disadvantageous to any side, including Linux, please let me know.
In the open source world, the word Linux is almost synonymous with Operating System, but it's not the only open source "UNIX" operating system. According to the Internet Operating System Counter, as of April 1999 31.3% of the world's network connected machines run Linux. 14.6% run BSD UNIX. Some of the world's largest web operations, such as Yahoo!, run BSD. The world's busiest ftp server, ftp.cdrom.com, uses BSD to transfer 1.4 TB of data a day. Even Microsoft's flagship Hotmail service runs BSD. Clearly this is not a niche market: BSD is a well-kept secret.
So what's the secret? Why isn't BSD better known? This white paper addresses these and other questions:
Throughout this paper, differences between BSD and Linux will be noted in italic font.
BSD stands for "Berkeley Software Distribution". It is the name of distributions of source code from the University of California, Berkeley, which were originally extensions to AT&T's Research UNIX operating system. Several open source operating system projects are based on a release of this source code known as 4.4BSD-Lite. In addition, they comprise a number of packages from other Open Source projects, including notably the GNU project. The overall operating system comprises:
The BSD kernel, which handles process scheduling, memory management, symmetric multi-processing (SMP), device drivers, etc.
Unlike the Linux kernel, there are several different BSD kernels with differing capabilities.
The C library, the base API for the system.
The BSD C library is based on code from Berkeley, not the GNU project.
Utilities such as shells, file utilities, compilers and linkers.
Some of the utilities are derived from the GNU project, others are not.
The X Window system, which handles graphical display.
The X Window system used in most versions of BSD is maintained by a separate project, the XFree86 project. This is the same code as Linux uses. BSD does not normally specify a "graphical desktop" such as GNOME or KDE, though these are available.
Many other programs and utilities
The BSD operating systems are not clones, but open source derivatives of AT&T's Research UNIX operating system, which is also the ancestor of the modern UNIX System V. This may surprise you. How could that happen when AT&T has never released its code as open source?
It's true that AT&T UNIX is not open source, and in a copyright sense BSD is very definitely not UNIX, but on the other hand, AT&T has imported sources from other projects, notably the Computer Sciences Research Group of the University of California in Berkeley, CA. Starting in 1976, the CSRG started releasing tapes of their software, calling them Berkeley Software Distribution or BSD.
Initial BSD releases consisted mainly of user programs, but that changed dramatically when the CSRG landed a contract with the Defense Advanced Projects Research Agency (DARPA) to upgrade the communications protocols on their network, ARPANET. The new protocols were known as the Internet Protocols, later TCP/IP after the most important protocols. The first widely distributed implementation was part of 4.2BSD, in 1982.
In the course of the 1980s, a number of new workstation companies sprang up. Many preferred to license UNIX rather than developing operating systems for themselves. In particular, Sun Microsystems licensed UNIX and implemented a version of 4.2BSD, which they called SunOS. When AT&T themselves were allowed to sell UNIX commercially, they started with a somewhat bare-bones implementation called System III, to be quickly followed by System V. The System V code base did not include networking, so all implementations included additional software from BSD, including the TCP/IP software, but also utilities such as the csh shell and the vi editor. Collectively, these enhancements were known as the Berkeley Extensions.
The BSD tapes contained AT&T source code and thus required a UNIX source license. By 1990, the CSRG's funding was running out, and it faced closure. Some members of the group decided to release the BSD code, which was Open Source, without the AT&T proprietary code. This finally happened with the Networking Tape 2, usually known as Net/2. Net/2 was not a complete operating system: about 20% of the kernel code was missing. One of the CSRG members, William F. Jolitz, wrote the remaining code and released it in early 1992 as 386BSD. At the same time, another group of ex-CSRG members formed a commercial company called Berkeley Software Design Inc. and released a beta version of an operating system called BSD/386, which was based on the same sources. The name of the operating system has since changed to BSD/OS.
386BSD never became a stable operating system. Instead, two other projects split off from it in 1993: NetBSD and FreeBSD. The two projects originally diverged due to differences in patience waiting for improvements to 386BSD: the NetBSD people started early in the year, and the first version of FreeBSD wasn't ready until the end of the year. In the meantime, the code base had diverged sufficiently to make it difficult to merge. In addition, the projects had different aims, as we'll see below. In 1996, a further project, OpenBSD, split off from NetBSD.
One detail that the lawsuit did clarify is the naming: in the 1980s, BSD was known as "BSD UNIX". With the elimination of the last vestige of AT&T code from BSD, it also lost the right to the name UNIX. Thus you will see references in book titles to "the 4.3BSD UNIX operating system" and "the 4.4BSD operating system".
Why isn't BSD better known?
For a number of reasons, BSD is relatively unknown:
Comparing BSD and Linux
So what's really the difference between, say, Debian Linux and FreeBSD? For the average user, the difference is surprisingly small: Both are UNIX-like operating systems. Both are developed by non-commercial projects (this doesn't apply to many other Linux distributions, of course). In the following section, we'll look at BSD and compare it to Linux. The description applies most closely to FreeBSD, which accounts for an estimated 80% of the BSD installations, but the differences from NetBSD and OpenBSD are small. Specifically, we'll look at the following questions:
No one person or corporation owns BSD. It is created and distributed by a community of highly technical and committed contributors all over the world. Some of the components of BSD are Open Source projects managed by a different project maintainer.
How is BSD developed and updated?
The BSD kernels are developed and updated following the Open Source development model. Each project maintains a publicly accessible source tree under the Concurrent Versions System (CVS), which contains all source files for the project, including documentation and other incidental files. CVS allows users to check out any desired version of the system.
A large number of developers worldwide contribute to improvements to BSD. They are divided into three kinds:
Contributors write code or documentation. They are not permitted to commit (add code) directly to the source tree. In order for their code to be included in the system, it must be reviewed and checked in by a registered developer, known as a committer.
Committers are developers with write access to the source tree. In order to become a committer, an individual must show ability in the area in which he is active. Some committers have access to the complete source tree, others are restricted to certain parts: for example, documentation maintainers normally do not have access to the kernel sources.
It is at the individual committer's discretion whether he should obtain authority before committing changes to the source tree. In general, an experienced committer may make changes which are obviously correct without obtaining consensus. For example, a documentation project committer may correct typographical or grammatical errors without review. On the other hand, developers making far-reaching or complicated changes are expected to submit their changes for review before committing them. In extreme cases, a core team member with a function such as Principal Architect may order that changes be removed from the tree, a process known as backing out. All committers receive mail describing each individual commit, so it is not possible to commit secretly.
Core team: in addition, FreeBSD and NetBSD have a core team which manages the project. The core teams developed in the course of the projects, and their role is not always well-defined. It is not necessary to be a developer in order to be a core team member, though it is normal. The rules for the core team vary from one project to the other, but in general they have more say in the direction of the project than non-core team members have.
No one person controls the content of the system. In practice, this difference is overrated, since the Chief Architect can require that code be backed out, and even in the Linux project several people are permitted to make changes.
On the other hand, there is a central repository, a single place where you can find the entire operating system sources, including all older versions.
BSD projects maintain the entire "Operating System", not only the kernel. This distinction is only marginally useful: neither BSD nor Linux is useful without applications. The applications used under BSD are frequently the same as the applications used under Linux.
As a result of the formalized maintenance of a single CVS source tree, BSD development is clear, and it is possible to access any version of the system by release number or by date. CVS also allows incremental updates to the system: for example, FreeBSD is updated about 100 times a day. Most of these changes are small.
Each BSD project provides the system in three different "releases". As with Linux, releases are assigned a number such as 1.4.1 or 3.5. In addition, the version number has a suffix indicating its purpose:
The development version of the system is called CURRENT. FreeBSD assigns a number to CURRENT, for example FreeBSD 5.0-CURRENT. NetBSD uses a slightly different naming scheme and appends a single-letter suffix which indicates changes in the internal interfaces, for example NetBSD 1.4.3G. OpenBSD does not assign a number ("OpenBSD-current"). All new development on the system goes into this branch.
At regular intervals, between two and four times a year, the projects bring out a RELEASE version of the system, which is available on CD-ROM and for free download from ftp sites, for example OpenBSD 2.6-RELEASE or NetBSD 1.4-RELEASE. The RELEASE version is intended for end users and is the normal version of the system. NetBSD also provides patch releases with a third digit, for example NetBSD 1.4.2.
As bugs are found in a RELEASE version, they are fixed, and the fixes are added to the CVS tree. In FreeBSD, the resultant version is called the STABLE version, while in NetBSD and OpenBSD it continues to be called the RELEASE version. Smaller new features can also be added to this branch after a period of test in the CURRENT branch.
What versions of BSD are available?
In contrast to the numerous Linux distributions, there are only three open source BSDs. Each BSD project maintains its own source tree and its own kernel. In practice, though, there appear to be fewer divergences between the userland code of the projects than there are in Linux.
It's difficult to categorize the goals of each project: the differences are very subjective. Basically,
FreeBSD aims for high performance and ease of use by end users, and is a favourite of web content providers. It runs on PCs and Compaq's Alpha processors. The FreeBSD project has significantly more users than the other projects.
NetBSD aims for maximum portability: "of course it runs NetBSD". It runs on machines from palmtops to large servers, and has even been used on NASA space missions. It is a particularly good choice for running on old non-Intel hardware.
OpenBSD aims for security and code purity: it uses a combination of the open source concept and rigorous code reviews to create a system which is demonstrably correct, making it the choice of security-conscious organizations such as banks, stock exchanges and US Government departments. Like NetBSD, it runs on a number of platforms.
There are also two additional BSD operating systems which are not open source, BSD/OS and Apple's Mac OS X:
BSD/OS is the oldest of the 4.4BSD derivatives. It is not open source, though source code licenses are available at relatively low cost. It resembles FreeBSD in many ways.
Mac OS X is the latest version of the operating system for Apple Computer Inc.'s Macintosh line. Unlike the rest of the operating system, the kernel is open source. As part of this development, key Apple developers have commit access to the FreeBSD source tree.
How does the BSD license differ from the GNU Public license?
Linux is available under the GNU General Public License (GPL), which is designed to eliminate closed source software. In particular, any derivative work of a product released under the GPL must also be supplied with source code if requested. By contrast, the BSD license is less restrictive: binary-only distributions are allowed. This is particularly attractive for embedded applications.
What else should I know?
Since fewer applications are available for BSD than Linux, the BSD developers created a Linux compatibility package, which allows Linux programs to run under BSD. The package includes both kernel modifications, in order to correctly perform Linux system calls, and Linux compatibility files such as the C library. There is no noticeable difference in execution speed between a Linux application running on a Linux machine and a Linux application running on a BSD machine of the same speed.
The "all from one supplier" nature of BSD means that upgrades are much easier to handle than is frequently the case with Linux. BSD handles library version upgrades by providing compatibility modules for earlier library versions, so it is possible to run binaries which are several years old with no problems.
Which should I use, BSD or Linux?
What does this all mean in practice? Who should use BSD, who should use Linux?
This is a very difficult question to answer. Here are some guidelines:
"If it ain't broke, don't fix it": If you already use an open source operating system, and you are happy with it, there's probably no good reason to change.
BSD systems, in particular FreeBSD, can have notably higher performance than Linux. But this isn't across the board. In many cases, there is little or no difference in performance. In some cases, Linux may perform better than FreeBSD.
In general, BSD systems have a better reputation for reliability, mainly as a result of the more mature code base.
As we saw above, the BSD license may be more attractive than the GPL.
BSD can execute Linux code, while Linux can't execute BSD code. As a result, more software is available for BSD than for Linux.
If you're particularly security conscious, OpenBSD is the only game in town.
Who provides support, service, and training for BSD?
BSDI have always supported BSD/OS, and they have recently announced support contracts for FreeBSD.
In addition, each of the projects has a list of consultants for hire: FreeBSD, NetBSD and OpenBSD.