Reflecting on Linux Security in 2003
LogError writes "Here's a look at some interesting happenings with Linux security in 2003 with comments by Bob Toxen (one of the 162 recognized developers of Berkeley UNIX and author of "Real World Linux Security") and Marcel Gagne (President of Salmar Consulting, Inc. and author of "Linux System Administration - A User's Guide" and "Moving to Linux")."
One thing's for sure.. (Score:1, Insightful)
Re:One thing's for sure.. (Score:1)
Ah. Little low on karma then?
Re:One thing's for sure.. (Score:5, Informative)
Take a look at the German MS advertisement [indymedia.org]
- no GUI for linux server on old hardware
- authentication with unencrypted text as default
- no Kerberos support
- no smartcard authentication support
- no public key infrastructure with directory service
- no default crypto file system
translated: "the protection of sensitive business data can only partially be done with Linux"
- bug fixes by "free will" contributors (may be okay for hobby applications, not for sensitive business data)
- few professional trained specialists
- Linux as a problem and cost trap
--- don't tell me this is FUD
Rebuttal to MS (Score:3, Insightful)
- SSH?
- No Microsoft proprietary Kerberos support. There's Kerberos, just not MS Kerberos.
- I'm pretty sure it's there, and if not, someone can whip it up quickly.
- Hmm... Samba, anyone?
- I thought most of them WERE crypto...
- The "free will" contributors do a better job and go through more of a review process than your patches, thank you very much
- That's just pure BS
- No. Initial cost i
Re:Rebuttal to MS (Score:2)
Re:Rebuttal to MS (Score:1)
Re:Rebuttal to MS (Score:2)
Re:Rebuttal to MS (Score:2)
Looking at the Windows page, most of it is likewise optional. However, poke around Security Tracker's site- you have a greater chance of getting r00ted with Linux (assuming all other things are equal), IMO.
That's why, of course, computers need full-network security. Having a computer connecting to the internet without a firewall is lunacy, even for home users.
My point isn't to get into some OS penis-size argument. It's to
Re:Rebuttal to MS (Score:2)
BTW, it looked like those were servi
Re:Rebuttal to MS (Score:2)
For example, there has to be somebody who did a side by side comparison of Windows 2000 (or XP) and Linux. Maybe they even have pretty bar charts showing operating speeds, Quake3 framerates, etc.
Much, much more credible and informative than the
Re:Rebuttal to MS (Score:2)
Re:Rebuttal to MS (Score:2)
Re:Rebuttal to MS (Score:2)
One other point, now that you bring it up; if Windows Home had separate Admin and User accounts, what percentage of people do you think would end up locked out of their computers? See, what you Linux guys can't accept is the fact that computers need to be used by non-computer experts. They don't want to remember two or more accounts, what account y
Oh, really? What about... (Score:2)
Don't troll if Linux has its flaws like any other operating system does.
It's been great (Score:2, Informative)
I haven't been r00t3d.
Sweet.
Re:It's been great (Score:3, Insightful)
Too bad Debian can't say the same thing
Sorry, couldn't resist. I'm a Debian user myself, and I think the way they handled the thing was very brave and honest.
Nice idea (?) (Score:5, Interesting)
Re:Nice idea (?) (Score:5, Insightful)
Re:Nice idea (?) (Score:1)
Re:Nice idea (?) (Score:5, Interesting)
I am not disagreeing, but there is an implied assumption in your post: that fixes are always available. A serious security issue will rapidly be fixed in any widely used open source product. With closed source products, provision of a fix is at the whim of the vendor, and serious security exposures can sometimes go months without a fix.
Re:Nice idea (?) (Score:2)
Re:Nice idea (?) (Score:3, Interesting)
What I was trying to say was that regardless of whether or not the OS or application in question has source available, when a security problem is discovered involving one of those items, the fix should be written, tested and made freely available without expectation of remuneration. Especially in the case of OSS security fixes.
I don't mean to beat a dead horse here, but that's another advantage of open source: when security problems appear, the fixes for tho
Re:Nice idea (?) (Score:5, Interesting)
Forcing people to pay for security updates would be stupid IF it guaranteed the insecurity of a greater number of Internet-connected machines.
You are, of course, assuming that a smaller percentage of people will install the available patches if they have to pay - which is obviously true. You are also assuming that nobody will be lured to write a patch for an unsolved vulnerability by the thought of large piles of cash, which is obviously incorrect.
To put it another way, by limiting the price to zero, you will cause a shift in both the quantity demanded and the quantity supplied. When there is a shift in both, you can make no conclusions about the net effect on the equilibrium point.
In *general*, it would be quite silly to charge for a patch to Apache - but it's easy to imagine a specific case (maybe a remote root exploit) where volunteers might be able to deliver a patch in 36 hours, but someone might be willing to pay for a patch delivered in 12 hours[1], even knowing that another 24 hours would give them a comparable patch for free.
In that situation, how could you possibly argue that banning payment (meaning there won't be any patch for the full 36 hours) would do any good? Or for an even better example, what about a program so old and/or obscure it simply won't BE patched if someone doesn't pay?
[1]: Feel free to substitute your own times if it makes the example seem more realistic to you. Hours, days, weeks, minutes.
Re:Nice idea (?) (Score:1, Insightful)
Any patch on GPLed software has to be under the GPL itself, and thus charging for it will be quite pointless: once someone has paid for it, he can redistribute it freely, including for free.
And since the patcher has to distribute the patch source, the patch can readily be included into the original source code...
So Hal Flynn's idea is not only disputable regarding the responsibility of the vendor, it is also legally incompatible with the free software licen
Re:Nice idea (?) (Score:2, Insightful)
Re:Nice idea (?) (Score:2)
We're not talking upgrades here, more like a recall.
There are aspects of the software industry that would be considered just plain daft, or even criminal, in any other.
KFG
Implications of this concept: (Score:5, Insightful)
The Patrician privatised everything.
I mean everything
All the usual goings on in a big city (eg crime) were arranged much like insurance is today (in our world).
Unfortunately (you knew I was going to say that).... The Fire Department got into the insurance business (have to raise money somehow) - specifically FIRE insurance.
This ended up with them having such pleasant conversations (amongst themselves) while walking down the main business streets.
My My. Such lovely Old Buildings. Wonderful WoodWork. Would be such a shame if one of them should catch fire. Would prolly burn most of the city down. Oh Dear! What a disgrace that would be.
Basically, in our world, most people recognise that such a situation (ie charging to fix something that you should not have broken in the first place) would very rapidly lead to (essentially) rampant wholesale uncontrolled extortion.
If a company were to charge you for security and other bug fixes, they would then have a strong financial incentive to produce shoddy, bug-ridden software and frequent updates.
Product quality would decrease, and administration overhead would increase.
It's the same issue with charging for software subscriptions. What is their incentive to produce another updated version with new features? After all they've already got your money.
A Software Subscription (with ALL updates FREE for 5 YEARS !!!!) does nothing more than make software updates come out once every 5 years.
Re:Implications of this concept: (Score:2)
Re:Nice idea (?) (Score:3, Informative)
Re:Nice idea (?) (Score:2)
That's not even a good troll. Actually, SecurityFocus is owned by Symantec Corporation [securityfocus.com]:
Best security fix in Linux: 'tar' (Score:5, Interesting)
1. Remove network cable (OR) Internet connection.
2. Boot from tomsrtbt
3. Mount backup partition(s)
4. Run simple restore script.
5. Reboot and enjoy!
Can any other OS do this, with off-the-OS tools?
Re:Best security fix in Linux: 'tar' (Score:4, Informative)
Re:Best security fix in Linux: 'tar' (Score:2)
In addition it can compile the rh9 src.rpm fine, but won't execute!
Arg, I think RHEL is a piece of junk. For anyone who runs a LAMP it's actually a better bet to use one of the rebuilds, unless you want to be in charge of building a whole slew of rpm's when errata comes out for mysql, etc.
Re:Best security fix in Linux: 'tar' (Score:1)
And what's the big deal with that?
ANY flavor of UNIX and many more OSes can do that.
By the way, it's very impractical - for example, I have fast-changing, multi-gigabyte, important information on my box. It changes almost completely over the course of a week.
PS. best solution for ANY PROBLEMS - 'universal Belkin patch'
sudo
cd
rm -R -P -f -v
PPS. It also checks your system for true UNIX compatibility!
Enjoy!
Re:Best security fix in Linux: 'tar' (Score:2)
I hope you don't keep those unmounted disks physically attached to the system. People have been lucky, because all worm writers to date have been kind-hearted enough not to zero out all of the systems' hard drives or flash their BIOSes. You have no guarantee that the next worm won't be written by a real asshole.
Probably even worse: a worm that quietly opens a back door to your system without you even knowing it. You could run for months with your system tota
Re:Best security fix in Linux: 'tar' (Score:3, Insightful)
You could set up your backup script to use md5sum or a similar mechanism to check files, but it still requires "situational awareness" to know what the differences are and why these diffs occurred. Most diffs a
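The tar restore procedure in the parent post and the checksum-in-the-backup-script idea in this comment, combined into one script as an added example (not code from the thread or from any product it mentions). It uses sha256sum where the comment says md5sum; the function names, the archive/manifest layout and the sample tree built in the usage note are assumptions.

```shell
#!/bin/sh
# Added example: tar backup + checksum manifest + verifier that reports what
# changed (added / removed / changed) so a restore is paired with knowing why.
# Manifest format: "<sha256>  ./relative/path", one file per line (no spaces in
# paths assumed). sha256sum is used instead of the md5sum named in the thread.

# Write a sorted manifest for every regular file under directory $1 into file $2.
make_manifest() {
    dir=$1; out=$2
    (cd "$dir" && find . -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum -- "$f"; done) > "$out"
}

# Compare saved manifest $2 against the live tree $1. Prints one line per
# difference and returns 1 if anything differs, 0 if the tree matches.
# (awk's NR==FNR trick assumes the saved manifest is non-empty.)
verify_manifest() {
    dir=$1; saved=$2
    live=$(mktemp)
    make_manifest "$dir" "$live"
    diffs=$(awk 'NR==FNR { old[$2]=$1; next }
                 { new[$2]=$1 }
                 END {
                     for (p in old) if (!(p in new)) print "removed " p
                     for (p in new) {
                         if (!(p in old)) print "added " p
                         else if (old[p] != new[p]) print "changed " p
                     }
                 }' "$saved" "$live")
    rm -f -- "$live"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Number of differences only (for scripts that just want a count).
count_diffs() {
    verify_manifest "$1" "$2" | wc -l | tr -d ' '
}

# Snapshot tree $1 as tarball $2 plus "$2.manifest" (what the backup partition holds).
backup_tree() {
    dir=$1; archive=$2
    make_manifest "$dir" "$archive.manifest"
    tar -C "$dir" -cf "$archive" .
}

# Replace tree $2 with the contents of archive $1, then verify against the saved
# manifest so a tampered or truncated archive is caught before "reboot and enjoy".
restore_tree() {
    archive=$1; dir=$2
    case "$dir" in ""|/) echo "refusing to restore over '$dir'" >&2; return 2 ;; esac
    rm -rf -- "$dir" && mkdir -p -- "$dir" || return 2
    tar -C "$dir" -xf "$archive" || return 2
    verify_manifest "$dir" "$archive.manifest"
}
```

Typical use on a constructed tree: `backup_tree /srv/www /backup/www.tar` after a clean install, `count_diffs /srv/www /backup/www.tar.manifest` from the rescue boot to see what changed, then `restore_tree /backup/www.tar /srv/www` once you have decided the diffs are unwanted.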
Re:Best security fix in Linux: 'tar' (Score:5, Insightful)
Tar your way out of that.
Re:Best security fix in Linux: 'tar' (Score:2)
At least nobody claimed it was "objective" (Score:5, Insightful)
Oh boy! An article which takes one author's clearly subjective feelings, piles on the anecdotes, and pronounces evidentiary conclusions!
From reading this, it would appear that Gagne is pretty much what happens when you give a Linux zealot some airtime. I'll comment on just a few things I got a kick out of:
"At some point, I expect users to upgrade to newer releases or take some responsibility for patching their own systems. What's a reasonable period of time? I'd say 34 to 36 months. At some point, any reasonable users should understand that the best way to ensure continued support is to upgrade to something more recent."
but then we have
The beauty of the open source model is that an opportunity exists for creating fixes for old releases. Not so for the users of Windows 95 or 98 who have no source code to go back to when the next critical flaw is uncovered.
So which is it? Do we expect people to upgrade after 36 months, or do we take any opportunity to mention that we think Microsoft sucks (of which everyone in the audience is perfectly aware)?
"Frankly, it seems incredible that this is even open to debate."
There's that objective analysis shining through. Definitely not the words of someone pushing a belief as opposed to an argument :)
One need only read the newspapers, listen to the radio, watch television or work in an office where Windows is widely used
Which papers would those be? The ones that manage to not mention that FSF, Debian, and Gentoo all had their root file distribution servers OWNED in the same year?
has nothing to do with Microsoft's market penetration.
riiiiiiiight. Let me tell you what. If Windows Update gets owned, you will hear about it in the papers, and on the news, etc. And it won't be because of the magnitude of the issue - because it happened to the FSF, Debian, _and_ Gentoo _first_. When something goes wrong with Microsoft software, it hits the whole internet. It's a market share issue.
It doesn't hurt that at its very core, Linux is designed with security in mind.
What do the original UNIX authors have to say about designing UNIX from the ground up with security in mind? A history of Linux will show a few things, I think.
"No need here for launching a security initiative after years of neglect."
Or, said another way - "not too much new ground to cover making a freeware clone of 25 years of operating system research!"
Despite the fact that I do not run a Microsoft computer in this office,
why am I listening to your opinion of MS software again?
costs in terms of data loss, damage, and lost productivity in the last three years alone runs into the billions of dollars. This is documented fact
Really? Which documents? Where are the documents that talk about how much money businesses MAKE by leveraging software - Microsoft software? If, overall, MS software is hurting business financially, why don't they go back to notebook paper? Why not use Linux?
This article is pretty much a non-article.
Re:At least nobody claimed it was "objective" (Score:5, Insightful)
As for your points about ssh, yep they're security products, that's why the instant someone finds something wrong, it's important to broadcast that info far and wide. No-one (should, at least) expects the code to be perfect because it has an extra 'S' in the name. We do expect a careful approach to security, and an open one too. I don't believe you do yourself much credit with this argument - it's about ssh anyway, not Linux.
I doubt WU has been owned by anyone, but if it had been, the sensible approach to take would be for the perpetrator to contact MS and tell them they've just distributed X million 'delete-the-system' virii to their customers, and it'll cost 100 million dollars to get the 'undo' key... It would then all be dealt with quietly. Open source is
Simon.
Re:At least nobody claimed it was "objective" (Score:5, Informative)
"I agree with you completely, and I work for Microsoft"
You could have mentioned that you are a MSFT employee in your impassioned defense of MSFT here. I have Bob Toxen's "Linux Security" book, it's pretty interesting. But your post seems to be a big "we're all as bad as each other so ignore the fact I am evil" astroturf.
Something you might want to chew on is the different value proposition of being given control of sources for software for free, vs being trained into a dependent monkey for whatever MSFT give you. Merry Christmas!
Re:At least nobody claimed it was "objective" (Score:2)
"Do we expect people to upgrade after 36 months, or do we take any opportunity to mention that we think Microsoft sucks (of which everyone in the audience is perfectly aware)"
Is an "impassioned defense of MSFT"? Do you honestly think just because someone works for a company that they have no rights to opinions anymore?
The fact of the matter is, he is right. The article is *NOT* what it claims to be. It's not any kind of a
Re:At least nobody claimed it was "objective" (Score:2)
Re:everything that's wrong with slashdot.. (Score:2)
The difference is that each item of clothing and each bushel of grain requires a repeated amount of effort. But with open source, the first instance requires effort and each subsequent copy requires no effort at all.
To put it another way, if by sewing a single shirt I could clothe the world's homeless, and by growing a single bushel of wh
Re:everything that's wrong with slashdot.. (Score:2)
Even if it cost you your entire life's work? And the life's work of all your friends, co-workers, and thousands of their friends? Even when you have to figure out some way to pay your own bills, feed yourself,
Re:everything that's wrong with slashdot.. (Score:2)
But you and I both know that open-source developers are not starving, homeless, unclothed, unable to pay their bills. Strawman argument.
Re:everything that's wrong with slashdot.. (Score:2)
As was your original argument about feeding the world with one field of wheat. And yes, there are some developers that are largely "starving". While RMS seems to be making good money today, there were many years where he claimed to survive the entire year on only $3000.
Yet Bill Gates has billions of dollars of cash. We have IT CEOs flying around in private jets. Is t
Re:everything that's wrong with slashdot.. (Score:2)
It wasn't my original argument. You brought up the idea that open-source programmers should "also sew your own clothes and grow your own food". I pointed out the logical fallacy in your argument that software and material goods are not the same thing. I pointed out that the production c
Re:At least nobody claimed it was "objective" (Score:1)
So which is it? Do we expect people to upgrade after 36 months, or do we take any opportunity to mention that we think Microsoft sucks (of which everyone in the audience is perfectly aware)?
I don't see a contradiction. Gagne is implying that most users will upgrade and manage patching their own systems. However, if you decide to stay with an older version (for whatever reason) you have access to the full source code and can either patch it yourself or hire someone to do so. How can you do that with MS w
Re:At least nobody claimed it was "objective" (Score:2)
Re:At least nobody claimed it was "objective" (Score:2, Interesting)
At some point, I expect users to upgrade to newer releases or take some responsibility for patching their own systems. What's a reasonable period of time? I'd say 34 to 36 months. At some point, any reasonable users should understand that the best way to ensure continued support is to upgrade to something more recent."
but then we have
The beauty of the open source model is that an opportunity exists for creating fixes for old releases. Not so for the users of Windows 95 or 98 who have no source code to go
Re:At least nobody claimed it was "objective" (Score:2, Interesting)
First
costs in terms of data loss, damage, and lost productivity in the last three years alone runs into the billions of dollars. This is documented fact
Really? Which documents?
From 2001 - CNN Survey: Costs of computer security breaches soar
Second
With every year since the birth of Linux we've only seen improvements so I think there's only a bright future ahead.
I'd argue that with each year of Windows, we've only seen
Re:At least nobody claimed it was "objective" (Score:2, Interesting)
"We had warned the Justice Department and the court that removing all of those files would not result in a workable product, but that's what the DOJ demanded," Murray said.
To mean that IE was tied to the Kernel - I should have said "Tied to the fluff that they wrap together in a tangled mass of buggy code brought to us by the innovative thinkers at Microsoft"
Re:At least nobody claimed it was "objective" (Score:2, Interesting)
* UNIX evolved over time. almost no attention was paid to security initially - was it even multi-user initially?!
[/quote]
Yes. Unix was created specifically as a multi-user operating system. It was designed in an era where you had big mainframes with lots of little terminals and you shared everything.
The main difference between it and other OSes designed in that era (and why it is still around) is that it is designed to be a completely portable OS, through the extensive use of C. Meaning tha
Re:At least nobody claimed it was "objective" (Score:3, Interesting)
I believe that the answer to this is, yes, it was multi-user from the beginning. Remember, UNIX was initially developed in an era when computers were physically large and so expensive that it was a basic assumption that more than one person would use the machine. It was also intended to be a time-sharing system, so was designed with the idea that more than one person would be using it at the
Re:At least nobody claimed it was "objective" (Score:2)
Uhh, no they didn't. At least in Gentoo's case it was a single independent mirror that got owned. The root servers were not compromised. Pay attention to the phrase independent mirror.
In the Debian incident there were 4 servers compromised but none were "root file distribution servers" in the sense of main/contrib/non-free. From the newsp
Re:At least nobody claimed it was "objective" (Score:2)
NT was designed with a solid security _architecture_, built with many cool security features. I readily admit that there was lots of bad code implementing those (and other) features, and some poor configuration decisions.
But the internals of the OS have always had an advanced security model as an intrinsic part since the beginning. Earlier, nobody cared (at MS at least) and the focus was on bringing forward DOS
Security (Score:5, Insightful)
Linux is also very community-minded (hence, the "Open Source Community.") We vehemently defend Linux and thus have greater stock in its success. Now, I do not subscribe to the idea of thousands of users poring over the source code and fixing security holes, but I will assert that the small number of users who actually contribute to the community do a fine job of it, and are extremely dedicated. What Open Source offers is the ability to pore over the code, even if most of us don't take advantage of this. M$ developers are usually money-driven and thus focus more on how fast they can get a product on the shelves than how rock-solid they can make it. Linux developers seem to take more pride in their product as, since many of them donate their work, all they really have is that pride to guard. You won't find the Linux community only putting out one large, obscure patch a month and then declaring "AHA! We have less patches than M$."
If I had to put my money down on which one was more secure, my money would go on Linux.
-dexterpexter
Re:Security (Score:5, Insightful)
Do you have any substantiation of this?
You may have heard something about software engineering, but if not, I'll tell you. The later you discover a bug, the more expensive it is.
Let's take some examples.
I think you get the idea. If a bug makes it out into the public, it will cost microsoft at least $100,000, at a minimum.
So, do you think bugs make it into the code because the emphasis is on cranking out software quickly, without caring about the quality?
Re:Security (Score:5, Interesting)
Jack Ganssle gave a very nice keynote speech at the recent Boston Embedded Systems Conference that touched on those very same problems. We all know better, but it still happens. And no, not just at M$. However, when you can crank out a new OS every couple of years and the sheep still buy it despite knowing that the OS is unstable, then why not?
Some of the security holes that we have seen come from M$ products (and other products as well!) show the lack of real testing... problems that never should have been seen by the end user.
Re:Security (Score:5, Insightful)
There most certainly is logic. I know because I've been in that situation. While I'm not a CEO and I'm not in the software industry, I have released a product with "bugs" which we'll try to work around or fix eventually. So I think I understand the desire to ship things before they're "ready".
It comes down to two simple words: market share. Every day, people are making decisions and buying products that serve their needs. If they're not buying your product, then they're buying your competitor's product. Moreover, if you don't have a relatively recent product, you start to lose mindshare. It's very possible to release a product so late that even though it's the best, no one cares anymore: they all bought a competitor's product and are locked in to it. So in a very real sense, every day you delay the release date is costing you money.
Thus, you need to balance the desire to ship a product with no bugs with the desire to have a product in the market now. And the way to choose when to do that is to balance the monetary costs and try to release the product when the cost is minimized.
Re:Security (Score:2)
One can say the same about many products, including Linux. We shouldn't have seen the kinds of problems we saw in the early 2.4 kernels. We shouldn't be seeing the kinds of problems from Sendmail, OpenSSH, wu-ftpd, and a host of other "usual suspects" either, but we do.
Open source tends to ship early and often just as much as closed source. We just hi
Re:Security (Score:5, Insightful)
Why? There is an unvoiced feeling among software managers that they had better get the product on the shelves by Christmas or their careers will suffer. In the extreme, they become yes-men, telling their bosses only what is pleasing, with no regard for the truth. Too many yes-men and the company crashes because top management is not aware of problems until it is too late to fix them.
The solution? Software product managers must have the intelligence to recognize when their product needs more time, and the courage to tell their superiors the bad news. To encourage that behavior, top management needs to be tolerant of bad news, and not limit the careers of their subordinates who bring it.
John Sauter (J_Sauter@Empire.Net)
Re:Security (Score:2)
Even more importantly, management needs to recognize bad news as input variables and nothing more. A lower manager shouldn't be making the decision whether to ship now or later; they should be able to openly pass accurate information upward to more appropriate decision makers.
A CEO may decide that software is too buggy to ship based on input from below, or he may decide to push the release date
Re:Security (Score:2)
Who makes the decision on whether to slip a product for quality reasons depends heavily on the size of the company. When I worked for Digital Equipment Corporation, we did not expect Ken Olsen to make those decisions. Generally, the tension was
Re:Security (Score:3, Insightful)
Re:Security (Score:5, Insightful)
In my experience with both Operating Systems, I have often found that a lot of the insecurity lies with the user. Again, this is just my observations and not hard fact, but I have found that the average Linux user is more aware and technologically savvy than the average Windows user.
This is a simple result of the law of large numbers. If we assume "technological savvy" is normally distributed within the population then very small samples can have on average very high "savviness" rates. Once the sample size grows the average "savviness" goes down and approaches the mean (which in today's world is still quite low) asymptotically.
Linux has traditionally served as a geek playground whereas Windows seeps into the marketplace on new-from-the-store PCs and thus is usually the first operating system most people learn on.
And herein lies the problem of making blanket statements: yes, most people who are not experienced with computers do run Windows at home. Of course they're going to get infected with something! They lack the experience to mitigate risks and to know what they should never do. DOS didn't have one tenth of the complexity of the latest versions of Windows and stupid DOS users still got viruses all the time.
Linux is also very community-minded (hence, the "Open Source Community.") We vehemently defend Linux and thus have greater stock in its success.
I'm pretty sure a bunch of CS majors deriding SCO on /. won't help Linux kernel development all that much or attribute to any possible success.
M$ developers are usually money-driven and thus focus more on how fast they can get a product on the shelves than how rock-solid they can make it. Linux developers seem to take more pride in their product as, since many of them donate their work, all they really have is that pride to guard.
You are Eric S. Raymond and I claim my free-as-in-beer Tux merchandise.
You won't find the Linux community only putting out one large, obscure patch a month and then declaring "AHA! We have less patches than M$." ;) Hmmm... that seems vaguely familiar. :)
Naturally, since you won't find the "Linux community" putting out any patches at all, ever. They're always put out by individuals or by companies/devteams that simply wish to produce the best possible product for their users.
If I had to put my money down on which one was more secure, my money would go on Linux.
The best way to keep your computer system secure is to make sure it's not run by idiots. How do you accomplish this? Make sure it's as complicated as possible[1]. For a long time Unix had this going for it, which means that Unix administrators had to have a lot of experience coupled with knowledge and consequently would usually run a secure network.
By comparison, since "any idiot can run a MS network", then idiots were hired to run MS networks, with predictable results.
[1] The same principle actually works on a broader scale. Intrinsically hard topics tend to gather a more knowledgeable crowd while idiots flock to the easy topics like politics, religion and such. Which usually means that the level of discussion over political topics is far lower than that, say, for hard sciences.
Re:Security (Score:2, Insightful)
I am sure that the average Linux user was at some point technologically unsavvy, but you usually find that individuals who migrate from Windows to Linux are those users with at least some grasp on what they are doing. However, that does not change the end result, that being that the average Linux user probably has some idea of how to
SSH and SSL (Score:5, Funny)
Re:SSH and SSL (Score:1, Funny)
Your point?
Re:SSH and SSL (Score:3, Funny)
Re:SSH and SSL (Score:2, Funny)
SCO?
Re:SSH and SSL (Score:5, Interesting)
Well, I'd think that this is a Good Sign. The term "secure" doesn't really mean that no holes exist. That's hardly likely. What it really means is that no holes are known. Or, a hole was just discovered, and we're working furiously to fix it.
The fact that these patches came out really mean that the OpenSS[HL] crowd is 1) actively looking for problems, and 2) fixing them rapidly. In particular, they don't hide the problems behind a shield of secrecy, and they don't collect patches into sets to be released when the PR people decide it's appropriate.
If their patches taper off, it will be time to take a skeptical look, to make sure that people are still actively attacking the OpenSS* code and trying to poke holes. If this process stops, we should worry. If people are still studying and attacking the code, but failing to find holes, we'll know we're in good shape.
But we aren't quite there yet. So the patches are a Good Thing.
Re:SSH and SSL (Score:2)
Also, any exploits that are found/patched are pretty serious, if for no other reason than that they are part of SSH or SSL. (The same exploit in Solitaire would not rate near the same level of attention.) When the bad guy
Re:SSH and SSL (Score:2)
Hoooeee!!! Hooray for linux! (Score:2, Insightful)
Short on facts (Score:2, Interesting)
It had a lot of verbiage but that's about all.
'Someone said this, someone said that, yada yada.'
Exactly how many holes were there? How many known of are still there? "Where's the beef?"
Check the spelin (Score:2)
That should be "ensures" not "insures".
Shame this advocate can't apply the principles himself - getting a peer review of the article should have picked up that simple mistake (assuming that his peers, at least, lernt gramer at skuwl)
Re:IP Theft and The Linux Community (Score:5, Informative)
http://www.tldp.org/HOWTO/mini/FDU/truetype.htm
Your link is bad, it should be
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other
Also, from the HOW-TO, "TrueType is a registered trademark of Apple Computer, Inc.", not Microsoft. I'm not sure if the 'Tahoma' font in particular is property of Microsoft.
Just thought that you should know.
Re:IP Theft and The Linux Community (Score:3, Informative)
Re:IP Theft and The Linux Community (Score:2)
And there is a certain subset (I forget the exact fonts) of Microsoft's proprietary fonts which are freely licensed for use by anyone who has a capability to use TrueType(TM) fonts in their OS. The collection is referred to as WebFonts, I believe, the licensing exists to encourage people to use the fonts on web pages (and by extension, to encourage use of Front Page), and the collection includes, Arial and i
Re:IP Theft and The Linux Community (Score:2, Insightful)
Oops .. s/Linux( community)+/Microsoft/ ..
Re:IP Theft and The Linux Community (Score:5, Insightful)
You say:
a step by step procedure for stealing the Microsoft fonts and installing them on Linux....
Then you link to http://corefonts.sourceforge.net/ [sourceforge.net]
Which has a copy of the Microsoft license the fonts were obtained under:
Reproduction and Distribution. You may reproduce and distribute an unlimited number of copies of the SOFTWARE PRODUCT; provided that each copy shall be a true and complete copy, including all copyright and trademark notices.....
Re:IP Theft and The Linux Community (Score:1)
Hi Mr McBride, welcome to Slashdot :)
Re:IP Theft and The Linux Community (Score:3, Funny)
Why on earth any sane person would want to take a bitching game machine like X-box and ruin it by installing Linux is a mystery to me.
We know you don't understand.
Your lack of understanding doesn't cause us to lose any sleep, though. We're fine with it.
You sir are a troll. (Score:2)
Number 2) It's an Xbox. You bought it, you can break it any way you see fit.
Number 2) Darl... is that you??
lol
Re:security (Score:1, Funny)
Re:security (Score:1, Offtopic)
Re:Head, meet Sand (Score:4, Interesting)
Note that many if not most of the vulnerable programs shown in your link to securitytracker.com are not related to the Linux kernel nor part of most Linux distributions. This makes for a potential "apples to oranges" comparison with Windows vulnerabilities.
Re:Head, meet Sand (Score:5, Interesting)
Also, the page for Windows doesn't just list OS components either. So, as far as Security Tracker goes, it IS apples to apples. One can also argue that IIS is not really a Windows component, since it is an optional service. But that's the way they organize their site. If you don't like it, talk to Security Tracker; I'm sure they would be happy to hear from you!
Re:Head, meet Sand (Score:2, Troll)
No, I *didn't* miss it. I'm on the BugTraq mailing list.
>Also, the page for Windows doesn't just list OS components either. So, as far as Security Tracker goes, it IS apples to apples.
Without a direct comparison of the number of exploits for code that comes with the OS for both systems your statement is speculative at best.
>One can also
Re:Head, meet Sand (Score:3, Informative)
WebDAV depends on some code in ntdll.dll, and it looks like you can feed WebDAV goop that it happily uses to exploit the BO in ntdll.dll.
So WebDAV is the attack vector to remotely get at a problem in ntdll.dll. It's not substantially different from PHP triggering a bug in kmalloc().
Re:Head, meet Sand (Score:3, Insightful)
Baloney. IIS comes on every Windows CD-ROM and is used by lots of Microsoft apps. And there's plenty of bugs that cross boundaries thanks to Microsoft's blurring the distinction between OS and application...like that WebDAV bug in ntdll.dll that was exploitable via IIS [microsoft.com].
Where to begin?
1. Just because it comes on the CD-ROM does not make it any less of an optional component. If I started ranking on security flaws on some of the obscure
Re:Head, meet Sand (Score:2)
Re:Head, meet Sand (Score:5, Insightful)
Security has to be achieved through firewalling, shutting off unnecessary services, keeping software up to date with the latest security-related patches, and some common sense on the part of the user. In my experience, a lot of Linux users are every bit as ignorant as their Windows counterparts when it comes to security. I know plenty of people who don't know what daemons are running on their computers, who don't keep their software updated, and who don't follow basic common-sense security procedures. Unfortunately, there's the perception among a lot of people that just running Linux makes them secure. They feel they don't need to bother with things such as firewalls, because they're invincible. Even among their Windows counterparts, firewalls are considered a necessary tool for security.
There's a basic competence needed to run Linux. Unfortunately, beyond that, many users are clueless when it comes to security.
Linux doesn't lend itself to many of the problems Windows does. But that's only part of being secure.
Linux distributions shouldn't come with lots and lots of services enabled by default. We complain at Microsoft because a lot of users have IIS running on their machines and just aren't aware of it. Many Linux distributions are just as guilty as Microsoft here.
If we want to make Linux more secure, we need to fix the two biggest vulnerabilities - the default settings of many Linux distributions and the user.
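The post above argues that the first fix is knowing which daemons are actually listening and reachable from the network. The script below is an added example, not part of the thread or of any distribution's tooling: it filters `ss -lntup`-style output (column layout assumed from modern iproute2) and reports only sockets bound to non-loopback addresses, i.e. the services a firewall or a `chkconfig`/`systemctl disable` decision has to cover. The sample socket listing is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example: list services reachable from the network, from `ss -lntup` output.
# Assumed column layout (iproute2 `ss -lntup`):
#   Netid State Recv-Q Send-Q Local_Address:Port Peer_Address:Port Process

# Constructed sample listing (not from a real machine); on a live host use:
#   ss -lntup | exposed_listeners
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*    users:(("systemd-resolve",pid=412,fd=12))
udp   UNCONN 0      0      0.0.0.0:111          0.0.0.0:*    users:(("rpcbind",pid=398,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*    users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      80     127.0.0.1:3306       0.0.0.0:*    users:(("mysqld",pid=812,fd=21))
tcp   LISTEN 0      511    *:80                 *:*          users:(("httpd",pid=903,fd=4))
tcp   LISTEN 0      128    [::1]:631            [::]:*       users:(("cupsd",pid=455,fd=7))
tcp   LISTEN 0      128    [::]:22              [::]:*       users:(("sshd",pid=701,fd=4))'

# exposed_listeners: read ss output on stdin, print "proto local_address process"
# for every socket whose local address is not loopback (127.0.0.0/8 or ::1).
# Sockets bound to 0.0.0.0, *, :: or a specific interface address are exposed.
exposed_listeners() {
    awk 'NR > 1 {
        addr = $5
        sub(/:[^:]*$/, "", addr)      # drop the port (text after the last colon)
        gsub(/\[|\]/, "", addr)        # drop IPv6 brackets
        sub(/%.*/, "", addr)           # drop a %iface scope suffix
        if (addr == "::1" || addr ~ /^127\./) next
        proc = $7                      # users:(("name",pid=N,fd=M))
        if (match(proc, /"[^"]*"/)) proc = substr(proc, RSTART + 1, RLENGTH - 2)
        print $1, $5, proc
    }'
}

# exposed_count: number of exposed sockets in the constructed sample.
exposed_count() {
    printf '%s\n' "$SAMPLE" | exposed_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | exposed_listeners
```

On the sample this reports rpcbind, httpd and both sshd sockets, while the loopback-only resolver, MySQL and CUPS listeners are left out; each reported line is a service that either needs to be there, needs a firewall rule, or should be disabled.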
Re:Head, meet Sand (Score:2)
Yes, it is an unpleasant truth, but I hope you don't hold the mistaken belief that this idea is an original from Bill Gates. It's been common lore in the computer industry since before Microsoft came into being.
Re:Head, meet Sand (Score:5, Interesting)
Right, Check.
As for security, that would explain why my Linux boxes have for years been under constant attack from compromised Windows machines without incident.
Re:Head, meet Sand (Score:2, Interesting)
Re:Head, meet Sand (Score:2, Insightful)
Is that the beauty of unemployment?
Re:Head, meet Sand (Score:2)
All that money, and you still can't afford a Slashdot account....