Domain: linuxsecurity.com
Stories and comments across the archive that link to linuxsecurity.com.
Comments · 197
-
Re:Nice to know...
Nothing is inherently better than the other, Linux or Windows. Don't forget yesterday's Linux security article.
Insightful my ass! This relativist "all views are equally valid" philosophy you've fallen into (along with the mainstream media) is complete BS.
Nothing is perfect, and you should use the right tool for the right job (games == XP, work == Linux for me), for sure, but in terms of security Microsoft's operating systems are fundamentally worse than anything else out there. That doesn't mean that Linux or OSX is perfectly secure, but they're much better than any MS product. Whether you measure it by dollar cost to companies, or number of actual (not theoretical) exploits, MS products are more insecure than any *nix. Don't you even remember the millions of USD damage viruses and worms caused last year on MS systems alone?
The truth of the matter is that Linux is by default, even without hardening, vastly more secure than XP. And the security gap is increasing, not decreasing.
If you mean the grsecurity nonsense on ./ yesterday, the only story there is about some big-mouth egotist sounding off and the desperate MS apologists eagerly believing what they want to believe. See this and this.
In case you were also thinking about the uselib ./ nonsense of Jan 07th (here), Fedora core 2 had the patched kernel available on Jan 03. The public announcement of the problem was after it was fixed and had made its way into distribution updates (unless I'm totally misreading the changelogs). Wasn't the advisory this MS update fixes released months ago? Bit of a difference perhaps?
-
At least
At least it's not in the kernel...
I've seen plenty of weird things in Linux distros, like privilege escalation in MPlayer. MPlayer, a video player! People really need to start paying attention to LinuxSecurity and witness all the monthly vulnerabilities for their distros. They rarely get mentioned on Slashdot (for whatever reason).
Random sampling from Gentoo's advisory list:
Gentoo: HylaFAX hfaxd unauthorized login vulnerability
Date: Tuesday, 11 January 2005
HylaFAX is subject to a vulnerability in its username matching code, potentially allowing remote users to bypass access control lists.
Gentoo: o3read Buffer overflow during file conversion
Date: Tuesday, 11 January 2005
A buffer overflow in o3read allows an attacker to execute arbitrary code by way of a specially crafted XML file.
Gentoo: imlib2 Buffer overflows in image decoding
Date: Tuesday, 11 January 2005
Multiple overflows have been found in the imlib2 library image decoding routines, potentially allowing the execution of arbitrary code.
Gentoo: Kpdf, Koffice More vulnerabilities in included Xpdf
Date: Tuesday, 11 January 2005
KPdf and KOffice both include vulnerable Xpdf code to handle PDF files, making them vulnerable to the execution of arbitrary code if a user is enticed to view a malicious PDF file.
...and these were announced on one day! Notice Slashdot is silent.
-
Actually
Actually, it's a pointless comparison because Linux is just a kernel while Windows is a kernel (and a very good one), a HAL, a GUI subsystem, various system libraries, various applications that use them, etc.
I will say, however, that taking the average monthly vulnerabilities for any given Linux distro + kernel and comparing to Windows yields surprising results. About the same or more vulnerabilities exist in Linux distro apps than on a typical Windows installation. See http://www.linuxsecurity.com/advisories and compare for yourself.
The point is that we're all humans making software, so we're all prone to the same mistakes. Both systems are inherently insecure to the same degree, but Windows is used so much more that holes are widely reported.
You complain when trolls pop up and say "Ha ha!" to Linux vulnerabilities, but look at a Windows vulnerability article on Slashdot sometime and you'll find 90% of the discussion follows those very lines. Some people genuinely enjoy Microsoft technology and use it daily, so it's a little healthy schadenfreude when it's pointed out that, hey, Linux isn't the 100% flawless Golden Warrior it's made out to be. It's a dangerous mindset to have anyway--it makes you overlook things. Which seems to be the case in this LWN article. -
Re:Well..
So where are all the reports on Linux security vulnerabilities?
Funny how they're NEVER, EVER reported. -
Re:Why is this news?
Linux security patches
Even the almighty Linux has security issues that require patching. *GASP*
-
Linux Security Advisories
The advisories are amalgamated at LinuxSecurity.
-
Re:this will totally crush BSD
I am assuming by jails, you are speaking about chroot jails. If that is the case, this article may help you to break free of your ignorance about the support that Linux systems have for this device:
http://www.linuxsecurity.com/feature_stories/feature_story-99.html
If not, there's nothing for you to see here..
I do entirely agree with your point about *BSD though - why on earth would anyone think it's a good idea to kill something else, just because what they use they like better? That's an attitude that smacks of the worst arrogance and ignorance combined. It's the same as all the 1337 k1dd135 clamoring about killing off the evil and abominable M$ Winblows. It will die on its own, as more and more people realize that it is not meeting their needs. It doesn't need some grand champion to come along and destroy it. -
Re:How is this different
http://www.linuxsecurity.com/advisories/redhat.html
holy shit, and that's just for RH!!
-
How is this different
From everything in here again?
With the exception of a proof of concept GDI+ exploit posted to USENET, none of these vulnerabilities are known to be exploited.
The shell and compressed folder vulns require user interaction, just like 99% of all other "worms". As long as your mail application is patched you can't get hooked via email and if you visit "malicious websites" with anything other than Lynx you probably should be shot anyway. Ditto for a decent firewall.
On the other hand, I wonder why things like these for some reason never get posted.
-
Re:Sweet Spot?
_Most_ programmers with any measurable breadth can sit back and shake their head. Sorry!
I completely agree that most programmers still agree with your point of view. That's why so much software is still full of security holes, crashes so frequently, requires hundreds of megabytes of memory, and misses so many deadlines.
struggling to grip with a wide variety of blindingly obvious fact.
Yes, the facts are blindingly obvious. -
i guess he should be writing to Linus for this ...
Linux had similar issue
Or is it ok since it was a linux thing???
the senseless biased story leadins/bashing-baits/troll-foods/zealot-baits are getting to be a joke. Let's try sticking to worthy IT news items and constructive critique...could be a good thing to have a lot of people actually HELPING the non IT that visit slashdot, instead of filling their minds full of FUD. ...just a rational thought, ignore it if you can't handle such a thing...
-
Securing Debian Manual
http://www.linuxsecurity.com/docs/harden-doc/html/securing-debian-howto/
Are Javier Fernández-Sanguino Peña and/or Alexander Reelsen involved in Debian Hardened?
-
XOR Encryption is NOT unbreakable
I've seen a number of posts stating the XOR is unbreakable. Hopefully they're just joking and didn't get modded as such, because I've read in several places that XOR sucks. A quick Google revealed the following.
And I quote: XOR encryption is trivially simply to implement and equally trivial to break. XOR encryption should not be utilized for any data which you would want to protect.
I could go grab my Applied Cryptography book and make sure, but it's out of arm's reach right now.
-
Re:yet another worthless article about IPv6
If you are doing MASQUERADE, you are doing SNAT. If you are doing SNAT, it makes it almost a firewall anyway because you would be hiding non-routable ip addys which must be SNAT-ed to traverse the net. External attackers can't route to any machine on your lan, except your gateway/firewall machine.
The main problem these days is having a non-trusted machine on your lan that calls home.
For more, see this article.
-
Re:Three links I just can't live without as an adm
For Linux users, I highly recommend Linux Security to keep up on current advisories.
-
Bugfree OSS
-
Re:The flip side
Even with BT encryption, BT is considered weak. Remember that BT devices are low-power, which means that they likely don't have the computational resources for strong encryption.
Since a BT keyboard tends to remain in the same general location, and a malicious listener can be a considerable distance away undetected, spending even a few days to crack the encryption is entirely reasonable. Wardriving tools for BT exist in the wild.
It's not as easy (or even possible in most cases) to add additional layers of strong encryption to BT as it is for WiFi. So while WiFi can also be cracked, cracking a transported VPN isn't currently feasible. BT has no such option, and once cracked anything typed (userid, password, bank account numbers, PINs, private correspondence, etc.) is easily read, in real-time.
-
Re:Installed fine for me
If everyone switched to another specific lock for your car, it would get broken into as much as the other did.
Linux distributions have their security flaws too. Just because they're not ever reported on Slashdot doesn't mean they're not out there. Give Linux and its applications the amazingly widespread usage of Windows and you'll see just as many fuck-ups coming out.
The difference, and the source of valid criticism, is the speed at which Microsoft addresses these issues. But to be fair, it looks like they have been pouring their resources into SP2 and making something rock-solid. We should at least applaud them for that. This should be a mature community and not an anti-"M$" bashing crew. -
Re:I love IE
-
Re:Key Management
(from a quick read of some web searching...) WPA (the precursor of 802.11i) used RC4 with a per-packet key transmorgifier called TKIP and authenticated both peers using either Extensible Authentication Protocol (EAP - useful in corporate contexts with RADIUS or NT-Domain password servers) or Preshared Key (PSK - useful in home contexts where no password servers are available). 802.11i (seems to... quick read equivocation) add the option of replacing RC4-TKIP with AES-CCMP but the peer authentications (your choice of EAP or PSK) remain unchanged. This CCMP mode of AES keeps the temporal key and integrity features of RC4-TKIP but is (assumed to be) stronger encryption. Both encryption options, RC4-TKIP and AES-CCMP, require an initial key (same on both peers). Where this initial key comes from is an application layer decision and is beyond the scope of 802.11i.
-
You're clueless--here's why
All it takes is someone to exploit any of the kinds of exploits and flaws listed at Linux Security. What's that? You actually believed Linux was magically secure from everything just because it has things like permissions? Give me a fucking break. That website lists all the weekly security flaws Slashdot never, ever reports on which would be taken up by every random script and e-mail attachment out there.
There is a myriad of ways of getting into a Linux system like that, and you better believe people would find them out if Linux ever got more than 1% usage based on Google Zeitgeist (in comparison, OS X has 5%). Consider a wide user base to be one big beta test. In that sense, it's not surprising Windows holes have been found and subsequently patched. You might even make the argument that because Windows has been so much more aggressively tested, it might be less of a risk than if Linux suddenly had that market share overnight.
If Linux is this golden child of security, how is it GNU, GNOME, Debian, Gentoo, Savannah, and more were all hacked last year in the span of six months? Oh, I forgot, we've swept all that under the rug around here.
Hell, you think that kernel exploit that got patched a week ago wouldn't already be making the rounds right now? Normal users wouldn't be upgrading their "kernel" like Linux geeks do. Look at how many people already don't run Automatic Updates under XP.
Sorry, but you're full of shit. -
Re:Yet another completely biased Slashdot article
I wish they had listened and taken security seriously years earlier. Those of us "in the know" have complained about poor coding in MS products for decades.
Linuxsecurity Advisories
That's what I want them to do. It's going to take years before it makes a significant difference.
Not really. Once Longhorn is released and everything under the sun is running under managed code (even Linux apps via Mono), you'll see a difference. Not that it will change the minds of biased Slashdot zealots who treat operating systems like penis size contests, but the rest of us who are rational will appreciate the new technology. -
Uh, mods? Outlook completely BLOCKS .exe files
It also blocks scripts, screensavers, and many other executable formats, by default. This is pure FUD.
The problem has absolutely jack-shit to do with Outlook. It's people not patching or just running random executables they specifically allow into their Inbox.
I know we all spurge on our screens at the chance to bash Microsoft in any way possible, but let's be rational here.
In order for Linux to have the same infection rate as Windows, Linux would have to have the same (or similar) flaws. For example, the same email client installed, by default, upon every Linux machine and that email client would have to run executable content.
No, Mr. Security Expert, it would not. The same e-mail client isn't necessary, all that's necessary is getting enough people to run executables or whatever that exploit something. I'm sorry, but Linux distros aren't without their weekly exploits and buffer overruns either. MPlayer has had executable overflows before. A freaking media player! But you never see that reported on Slashdot, because OSDN has an agenda, and this place is completely biased (and as a result pumps out closed-minded Linux zealots by the pound).
Here's an example. Grab the latest copy of WindowsXP, run it without anti-virus software. Why is WindowsXP still vulnerable to the same viruses that Windows95 was?
Because of backwards-compatible libraries? Think a little. -
Issued two months ago--why was that not mentioned?
Oh, that's right, this place has a complete anti-Microsoft agenda, despite security holes and buffer overruns in Linux distributions announced weekly.
-
The part of the story Slashdot didn't report
What a surprise it wasn't mentioned that this was patched months ago, right?
This vulnerability is the LSASS Buffer Overrun Vulnerability, already patched way back on April 13. Slashdot probably had at least two or three articles on it back then as well if you wanna do a search for "sasser."
If you haven't patched after two months, you're just the same as all those people who got hit with Blaster, which was also already patched beforehand. Linux distros issue security patches for their vulnerabilities weekly and nobody complains, but when Microsoft releases a patch, suddenly it's this huge issue to run a tiny executable that plugs security flaws, and then people bitch at Windows two months later when a virus comes out to exploit it...
Just saying. How can one criticize their security if they won't apply their security patches? Almost all major software is gonna require a patch eventually. I don't get this steadfast need to avoid patching Windows boxes while freely recompiling Linux kernels on a whim for production servers when a minor point release comes out. -
Re:Isnt Linux Beautiful?
It's only natural that Microsoft would want to call attention to all of these security problems with applications which can run on linux- such as this one!
-
Re:Isnt Linux Beautiful?
-
Re:That's funny.
One to take over a running server, and one to elevate to root
In many cases a worm could start spreading without first gaining root privileges. AFAIR the slapper worm worked like that. But it doesn't do much harm. You can just shut down the vulnerable server and kill the worm process to clean your system. Of course you also have to install the patch before starting the server again.
-
Re:This is news? Company A cares about smth strate
they seem to have trouble keeping copies of them on the shelf.
Yeah, with the security vulnerability risks they keep shipping them back to the manufacturers, hoping to get that 2.16.3-01 replaced with 2.16.3-04.
Seriously, how many families do you know that have bought a boxed Linux distro off CompUSA/BestBuy/CircuitCity? -
No!
-
Re:It's easy to make them paranoid about using DOC
"Dear Sir or Madam,
Recently you sent an email containing a Windows Bitmap. Due to security and virus concerns [our company] cannot accept those attachments.
Please send a photograph to transmit future documents to me.
Thank you for your time.
-Adam"
Using security as an excuse to deny the acceptance of Word Documents is FUD.
There is *no* security risk in *any* attachment, only in the applications used to process them.
We've recently seen buffer overflow exploits in *many* email clients without even getting as far as *opening* the documents.
Here's just a few:
-
Re:one of many
-
Here ya go
Just so ya'll don't get into the "see how much teh windoze sux". No problem.
Searching through past advisories is also fun. Make sure all your Linux "boxen" are properly patched. Who knows, maybe one day you'll actually be popular and we'll all laugh whenever another exploit is published.
-
Go here for what you need
LinuxSecurity.com Advisories. It gives you the last 15 advisories (right now it's 15 in the past three days!), and you can click on each distro, including the BSDs, and get archived advisories for each one. Very useful, complete with links to the actual bulletins.
Yes, you are right--these things never appear on Slashdot except when there are major kernel exploits. To be honest, I've noticed lately a dissident tide in Slashdot, where people are a little weary of the anti-Microsoft spin. Nothing wrong with posting about Windows vulnerabilities, of course, but you do have to view the context with which it's posted--an OSDN-owned website that posts pro-Linux articles and just so happens never to mention Linux security advisories. But a user-run executable will become front page news as a new "Microsoft Worm."
I've just noticed more people annoyed by it lately, even the partyline pro-OSS guys. Simplistic agendas shouldn't be something to embrace on a site that is touted as the epicenter for geek tech news on the Internet. I guess my sig reflects that I've become one of those people as well who feels the need to balance out the spin going on... :P -
Meanwhile...
LinuxSecurity lists the following vulnerabilities across all distros, just the last fifteen advisories (15!):
4/13/2004 9:06 - Conectiva: squid Conectiva: 'squid' ACL bypass vulnerability
This update fixes a vulnerability that allows a malicious user to bypass url_regex ACLs by using a specially crafted URL.
4/12/2004 9:05 - Conectiva: mod_python Conectiva: 'mod_python' DoS
This update fixes a remote denial of service vulnerability in Apache web-servers which have mod_python enabled.
4/9/2004 15:18 - Mandrake: ipsec-tools Signature non-verification vulnerability
Racoon does not verify the RSA signature during phase one of a connection using either main or aggressive mode. Only the certificate of the client is verified, the certificate is not used to verify the client's signature.
4/9/2004 15:15 - Gentoo: Scorched 3D Format string attack vulnerability
Scorched 3D is vulnerable to a format string attack in the chat box that leads to Denial of Service on the game server and possibly allows execution of arbitrary code.
4/9/2004 15:14 - Gentoo: pwlib Multiple vulnerabilities
Multiple vulnerabilities have been found in pwlib that may lead to a remote denial of service or buffer overflow attack.
4/9/2004 15:13 - Gentoo: iproute Denial of service vulnerability
The iproute package allows local users to cause a denial of service.
4/9/2004 15:07 - Gentoo: Heimdal Cross-realm scripting vulnerability
Heimdal contains cross-realm vulnerability allowing someone with control over a realm to impersonate anyone in the cross-realm trust path.
4/9/2004 9:08 - Gentoo: scorched3d Gentoo: 'Scorched 3D' vulnerability
Scorched 3D (build 36.2 and before) does not properly check the text entered in the Chat box (T key).
4/8/2004 12:34 - Gentoo: Automake Symbolic link vulnerability
Automake may be vulnerable to a symbolic link attack which may allow an attacker to modify data or elevate their privileges.
4/7/2004 16:27 - Gentoo: ClamAV Denial of service vulnerability
ClamAV is vulnerable to a denial of service attack when processing certain RAR archives.
4/7/2004 14:04 - Gentoo: util-linux Information leak vulnerability
Due to a pointer error, the 'login' program might leak sensitive information.
4/7/2004 11:19 - Gentoo: ipsec-tools Key non-verification vulnerability
racoon (a utility in the ipsec-tools package) does not verify digital signatures on Phase1 packets.
4/7/2004 10:27 - Turbolinux: apache/httpd/libxml2/mod_python Multiple vulnerabilities
Many fixes for buffer overflows and DOS attacks.
4/7/2004 10:25 - Mandrake: fileutils/coreutils Denial of service vulnerability
'ls' can be made to segfault upon listing directories with large numbers of files on an amd64 platform.
4/7/2004 10:24 - Gentoo: sysstat Multiple vulnerabilities
Multiple vulnerabilities may allow an attacker to execute arbitrary code or overwrite arbitrary files.
Of course, you never see a single bit of any of it ever mentioned on Slashdot, even though new advisories come out almost every single day. But three new Windows vulnerabilities after months of no new needed updates on Windows Update becomes front page news on Slashdot. -
Speaking of astroturf
-
Lies, opinions, and half-truths
If you agree with any of this, feel free to repost it in the future.
* If "Linux" just refers to the kernel and not the operating system, how can "FreeBSD" refer to the operating system (userland tools, standard libraries, etc.) and not just the kernel? Face it, "GNU/Linux" looks and sounds ridiculous.
* If you expect companies to follow the copyright of the GPL, you should support the RIAA going after infringers of its copyright. If not, you're a hypocrite.
* There is absolutely nothing wrong with a company being upset that its product is being pirated freely over online networks. Try getting a real job sometime and see what it feels like when your work is everywhere, and you start worrying that your days are numbered. Does John Carmack want you to "sample" his new game via the "free advertising" happening on eMule?
* OSDN-owned Slashdot thinks its niche opinion represents the majority of the world. This is a result of people visiting every day and buying into the groupthink. Nobody outside of Slashdot knows or cares about "Linux," "RIAA", "M$," or anything else Slashdotters think is such a huge issue in today's society. Go to a mall or coffee shop sometime and see what people actually talk about.
* Speaking of OSDN--it's a Linux company...that owns a "tech news" site...that posts news stories negative toward competitors like Microsoft. If a Windows company or even Microsoft itself owned a "tech news" site and posted anti-Linux articles all the time, everyone would be up in arms. But with OSDN, it's a-okay.
* Slashbots think people don't like the music coming out these days, which is the cause of the piracy. Never mind that if people didn't like the music they wouldn't be pirating it, most Slashbots--again, this goes back to the niche opinion thing--don't realize that most people these days love the music coming out and want to hear all of it. Probing around, you discover that Slashdot is made up of nerds and fogies who listen to things like The Who and Blind Guardian and techno--not what mainstream society enjoys.
* Any company ending in "AA" is evil. Especially if it doesn't want you distributing its works without paying for it. Somehow, this mindset is supposed to make sense.
* The inevitable result of all this is a world in which nothing can be profitable because people simply pirate free copies. Is that really what Slashbots want? OSS and free-ness in general reminds me of the hippie era of the 60s--idealistic socialism that only exists because of the surrounding capitalism around it that provides the environment for it to exist. We all know what happened to that idea.
* Slashdot editors are abusive. We all remember The Post. It's amusing the editors never mention the issue. The worst editor is michael, who will mod you down, insult you for your post count, and post unprofessional color commentary along with the article. This is the same bizarre person who cybersquatted Censorware for years--even as Slashdot posted articles negative toward cybersquatting! Michael played it off like he was some sort of stalking victim, which made it all the more bizarre.
* The moderation system is broken. If you mod someone as "Overrated," you can't be metamodded. People abuse this all the time to gang up and knock you down into oblivion.
* Somehow, user-ran executables are always a "New Microsoft Hole" (actual article headline). Meanwhile, LinuxSecurity posts weekly security advisories for all the Linux distributions. You never, ever, EVER see any of these mentioned on Slashdot--bizarre things like arbitrary code execution via MPlayer.
* Microsoft is supposed to be some sort of non-innovative rip-off artist. Meanwhile, the same people posting those comments do it through KDE with taskbars, sidepanels, start menus, similar print dialogs, and an integrated web/filesystem browser. Effectively ripping people off then criticizing those who came up with the ideas -
Lies, opinions, and half-truths
If you agree with any of this, feel free to repost it in the future.
* If "Linux" just refers to the kernel and not the operating system, how can "FreeBSD" refer to the operating system (userland tools, standard libraries, etc.) and not just the kernel? Face it, "GNU/Linux" looks and sounds ridiculous.
* If you expect companies to follow the copyright of the GPL, you should support the RIAA going after infringers of its copyright. If not, you're a hypocrite.
* There is absolutely nothing wrong with a company being upset that its product is being pirated freely over online networks. Try getting a real job sometime and see what it feels like when your work is everywhere, and you start worrying that your days are numbered. Does John Carmack want you to "sample" his new game via the "free advertising" happening on eMule?
* OSDN-owned Slashdot thinks its niche opinion represents the majority of the world. This is a result of people visiting every day and buying into the groupthink. Nobody outside of Slashdot knows or cares about "Linux," "RIAA", "M$," or anything else Slashdotters think is such a huge issue in today's society. Go to a mall or coffee shop sometime and see what people actually talk about.
* Speaking of OSDN--it's a Linux company...that owns a "tech news" site...that posts news stories negative toward competitors like Microsoft. If a Windows company or even Microsoft itself owned a "tech news" site and posted anti-Linux articles all the time, everyone would be up in arms. But with OSDN, it's a-okay.
* Slashbots think people don't like the music coming out these days, which is the cause of the piracy. Never mind that if people didn't like the music they wouldn't be pirating it, most Slashbots--again, this goes back to the niche opinion thing--don't realize that most people these days love the music coming out and want to hear all of it. Probing around, you discover that Slashdot is made up of nerds and fogies who listen to things like The Who and Blind Guardian and techno--not what mainstream society enjoys.
* Any company ending in "AA" is evil. Especially if it doesn't want you distributing its works without paying for it. Somehow, this mindset is supposed to make sense.
* The inevitable result of all this is a world in which nothing can be profitable because people simply pirate free copies. Is that really what Slashbots want? OSS and free-ness in general reminds me of the hippie era of the 60s--idealistic socialism that only exists because of the surrounding capitalism around it that provides the environment for it to exist. We all know what happened to that idea.
* Slashdot editors are abusive. We all remember The Post. It's amusing the editors never mention the issue. The worst editor is michael, who will mod you down, insult you for your post count, and post unprofessional color commentary along with the article. This is the same bizarre person who cybersquatted Censorware for years--even as Slashdot posted articles negative toward cybersquatting! Michael played it off like he was some sort of stalking victim, which made it all the more bizarre.
* The moderation system is broken. If you mod someone as "Overrated," you can't be metamodded. People abuse this all the time to gang up and knock you down into oblivion.
* Somehow, user-ran executables are always a "New Microsoft Hole" (actual article headline). Meanwhile, LinuxSecurity posts weekly security advisories for all the Linux distributions. You never, ever, EVER see any of these mentioned on Slashdot--bizarre things like arbitrary code execution via MPlayer.
* Microsoft is supposed to be some sort of non-innovative rip-off artist. Meanwhile, the same people posting those comments do it through KDE with taskbars, sidepanels, start menus, similar print dialogs, and an integrated web/filesystem browser. Slashdotters--ripping people off then criticizing those who came up with the ide -
Lies, opinions, and half-truths
If you agree with any of this, feel free to repost it endlessly!
* If "Linux" just refers to the kernel and not the operating system, how can "FreeBSD" refer to the operating system (userland tools, standard libraries, etc.) and not just the kernel? Face it, "GNU/Linux" looks and sounds ridiculous.
* If you expect companies to follow the copyright of the GPL, you should support the RIAA going after infringers of its copyright. If not, you're a hypocrite.
* There is absolutely nothing wrong with a company being upset that its product is being pirated freely over online networks. Try getting a real job sometime and see what it feels like when your work is everywhere, and you start worrying that your days are numbered. Does John Carmack want you to "sample" his new game via the "free advertising" happening on eMule?
* OSDN-owned Slashdot thinks its niche opinion represents the majority of the world. This is a result of people visiting every day and buying into the groupthink. Nobody outside of Slashdot knows or cares about "Linux," "RIAA", "M$," or anything else Slashdotters think is such a huge issue in today's society. Go to a mall or coffee shop sometime and see what people actually talk about.
* Speaking of OSDN--it's a Linux company...that owns a "tech news" site...that posts news stories negative toward competitors like Microsoft. If a Windows company or even Microsoft itself owned a "tech news" site and posted anti-Linux articles all the time, everyone would be up in arms. But with OSDN, it's a-okay.
* Slashbots think people don't like the music coming out these days, which is the cause of the piracy. Never mind that if people didn't like the music they wouldn't be pirating it, most Slashbots--again, this goes back to the niche opinion thing--don't realize that most people these days love the music coming out and want to hear all of it. Probing around, you discover that Slashdot is made up of nerds and fogies who listen to things like The Who and Blind Guardian and techno--not what mainstream society enjoys.
* Any company ending in "AA" is evil. Especially if it doesn't want you distributing its works without paying for it. Somehow, this mindset is supposed to make sense.
* The inevitable result of all this is a world in which nothing can be profitable because people simply pirate free copies. Is that really what Slashbots want? OSS and free-ness in general reminds me of the hippie era of the 60s--idealistic socialism that only exists because of the surrounding capitalism around it that provides the environment for it to exist. We all know what happened to that idea.
* Slashdot editors are abusive. We all remember The Post. It's amusing the editors never mention the issue. The worst editor is michael, who will mod you down, insult you for your post count, and post unprofessional color commentary along with the article. This is the same bizarre person who cybersquatted Censorware for years--even as Slashdot posted articles negative toward cybersquatting! Michael played it off like he was some sort of stalking victim, which made it all the more bizarre.
* The moderation system is broken. If you mod someone as "Overrated," you can't be metamodded. People abuse this all the time to gang up and knock you down into oblivion.
* Somehow, user-ran executables are always a "New Microsoft Hole" (actual article headline). Meanwhile, LinuxSecurity posts weekly security advisories for all the Linux distributions. You never, ever, EVER see any of these mentioned on Slashdot--bizarre things like arbitrary code execution via MPlayer.
* Microsoft is supposed to be some sort of non-innovative rip-off artist. Meanwhile, the same people posting those comments do it through KDE with taskbars, sidepanels, start menus, similar print dialogs, and an integrated web/filesystem browser. Slashdotters--ripping people off then criticizing those who came up with the ideas i -
So much for the security of Linux
You guys keep getting your own projects hacked. Savannah, Gnome, Debian, Gentoo, and GNU--twice. This is why the non-Slashdot world (i.e., the real world) laughs at you as you foam at the mouth over "M$" and their alleged bad security. Meanwhile, you have to update MPlayer to avoid the latest arbitrary code exploit. What? You don't know what I'm talking about? Oh, that's right, because Slashdot doesn't report on the endless vulnerabilities that are constantly announced across all the distros. You guys let Slashdot spoonfeed your mindset to you, and suddenly you think the entire world cares about things like the RIAA and "M$." Sorry, it's just you.
-
Lies, opinions, and half-truths
If you agree with any of this, feel free to repost it endlessly!
* If "Linux" just refers to the kernel and not the operating system, how can "FreeBSD" refer to the operating system (userland tools, standard libraries, etc.) and not just the kernel? Face it, "GNU/Linux" looks and sounds ridiculous.
* If you expect companies to follow the copyright of the GPL, you should support the RIAA going after infringers of its copyright. If not, you're a hypocrite.
* There is absolutely nothing wrong with a company being upset that its product is being pirated freely over online networks. Try getting a real job sometime and see what it feels like when your work is everywhere, and you start worrying that your days are numbered. Does John Carmack want you to "sample" his new game via the "free advertising" happening on eMule?
* OSDN-owned Slashdot thinks its niche opinion represents the majority of the world. This is a result of people visiting every day and buying into the groupthink. Nobody outside of Slashdot knows or cares about "Linux," "RIAA", "M$," or anything else Slashdotters think is such a huge issue in today's society. Go to a mall or coffee shop sometime and see what people actually talk about.
* Speaking of OSDN--it's a Linux company...that owns a "tech news" site...that posts news stories negative toward competitors like Microsoft. If a Windows company or even Microsoft itself owned a "tech news" site and posted anti-Linux articles all the time, everyone would be up in arms. But with OSDN, it's a-okay.
* Slashbots think people don't like the music coming out these days, which is the cause of the piracy. Never mind that if people didn't like the music they wouldn't be pirating it, most Slashbots--again, this goes back to the niche opinion thing--don't realize that most people these days love the music coming out and want to hear all of it. Probing around, you discover that Slashdot is made up of nerds and fogies who listen to things like The Who and Blind Guardian and techno--not what mainstream society enjoys.
* Any company ending in "AA" is evil. Especially if it doesn't want you distributing its works without paying for it. Somehow, this mindset is supposed to make sense.
* The inevitable result of all this is a world in which nothing can be profitable because people simply pirate free copies. Is that really what Slashbots want? OSS and free-ness in general reminds me of the hippie era of the 60s--idealistic socialism that only exists because of the surrounding capitalism around it that provides the environment for it to exist. We all know what happened to that idea.
* Slashdot editors are abusive. We all remember the Post. It's amusing the editors never mention the issue. The worst editor is michael, who will mod you down, insult you for your post count, and post unprofessional color commentary along with the article. This is the same bizarre person who cybersquatted Censorware for years--even as Slashdot posted articles negative toward cybersquatting! Michael played it off like he was some sort of stalking victim, which made it all even more bizarre.
* The moderation system is broken. If you mod someone as "Overrated," you can't be metamodded. People abuse this all the time to gang up and knock you down into oblivion.
* Somehow, user-ran executables are always a "New Microsoft Hole" (actual article headline). Meanwhile, LinuxSecurity posts weekly security advisories for all the Linux distributions. You never, ever, EVER see any of these mentioned on Slashdot--bizarre things like arbitrary code execution via MPlayer.
* Microsoft is supposed to be some sort of non-innovative rip-off artist. Meanwhile, the same people posting those comments do it through KDE with taskbars, sidepanels, start menus, similar print dialogs, and an integrated web/filesystem browser. Slashdotters--ripping people off then criticizing those who came up with t -
Slashdot lies, opinions, and half-truths
If you agree with any of this, feel free to repost it endlessly!
* If "Linux" just refers to the kernel and not the operating system, how can "FreeBSD" refer to the operating system (userland tools, standard libraries, etc.) and not just the kernel? Face it, "GNU/Linux" looks and sounds ridiculous.
* If you expect companies to follow the copyright of the GPL, you should support the RIAA going after infringers of its copyright. If not, you're a hypocrite.
* There is absolutely nothing wrong with a company being upset that its product is being pirated freely over online networks. Try getting a real job sometime and see what it feels like when your work is everywhere, and you start worrying that your days are numbered. Does John Carmack want you to "sample" his new game via the "free advertising" happening on eMule?
* OSDN-owned Slashdot thinks its niche opinion represents the majority of the world. This is a result of people visiting every day and buying into the groupthink. Nobody outside of Slashdot knows or cares about "Linux," "RIAA", "M$," or anything else Slashdotters think is such a huge issue in today's society. Go to a mall or coffee shop sometime and see what people actually talk about.
* Speaking of OSDN--it's a Linux company...that owns a "tech news" site...that posts news stories negative toward competitors like Microsoft. If a Windows company or even Microsoft itself owned a "tech news" site and posted anti-Linux articles all the time, everyone would be up in arms. But with OSDN, it's a-okay.
* Slashbots think people don't like the music coming out these days, which is the cause of the piracy. Never mind that if people didn't like the music they wouldn't be pirating it, most Slashbots--again, this goes back to the niche opinion thing--don't realize that most people these days love the music coming out and want to hear all of it. Probing around, you discover that Slashdot is made up of nerds and fogies who listen to things like The Who and Blind Guardian and techno--not what mainstream society enjoys.
* Any company ending in "AA" is evil. Especially if it doesn't want you distributing its works without paying for it. Somehow, this mindset is supposed to make sense.
* The inevitable result of all this is a world in which nothing can be profitable because people simply pirate free copies. Is that really what Slashbots want? OSS and free-ness in general reminds me of the hippie era of the 60s--idealistic socialism that only exists because of the surrounding capitalism around it that provides the environment for it to exist. We all know what happened to that idea.
* Slashdot editors are abusive. We all remember The Post. It's amusing the editors never mention the issue. The worst editor is michael, who will mod you down, insult you for your post count, and post unprofessional color commentary along with the article. This is the same bizarre person who cybersquatted Censorware for years--even as Slashdot posted articles negative toward cybersquatting! Michael played it off like he was some sort of stalking victim, which made it all even more bizarre.
* The moderation system is broken. If you mod someone as "Overrated," you can't be metamodded. People abuse this all the time to gang up and knock you down into oblivion.
* Somehow, user-ran executables are always a "New Microsoft Hole" (actual article headline). Meanwhile, LinuxSecurity posts weekly security advisories for all the Linux distributions. You never, ever, EVER see any of these mentioned on Slashdot--bizarre things like arbitrary code execution via MPlayer.
* Microsoft is supposed to be some sort of non-innovative rip-off artist. Meanwhile, the same people posting those comments do it through KDE with taskbars, sidepanels, start menus, similar print dialogs, and an integrated web/filesystem browser. Slashdotters--ripping people off then criticizing those who came up with the ideas -
Re:Bad reputation
After all, Linux never has viruses, worms, or exploits. No security flaws whatsoever.
Never mind Gentoo, Gnome, Debian, and GNU all being hacked within the span of six months. Linux would never be targeted. Let's just randomly suggest to people that they give up all their software, hardware support, and so on and just "try Linux," because setting up Linux is always as easy as telling them to. Who knows why entire doc HOWTO sites are set up for it. -
Re:A related Green Hills article...
I expect the usual defensive responses to this article. Hell, the summary itself was biased--"usual FUD." Heaven forbid someone outside the little niche world of Slashdot (i.e., the real world) raise security concerns about Linux, like OSS is some sort of unstoppable secure force. Hell, I just visited Gentoo.org and there are things like remote buffer exploits in MPlayer that allow arbitrary code to be run. Things like that never get mentioned on Slashdot, though.
Check out LinuxSecurity's security advisories for weekly Linux distro security advisories--all the buffer overflows and exploits you thought only Windows had. And let's not forget the hacking of GNOME, Debian, Gentoo, and GNU (twice!).
All I'm saying is it's stupid to get all reactive over someone just questioning the 100% secure reputation that OSS is given by fanboys. In the real world, they do that. -
Meanwhile
Here is a list of WEEKLY security vulnerabilities in all Linux distributions.
Do you ever see any of them mentioned on Slashdot? Of course not. That's because it would reveal to people that operating systems are not perfect and never will be--and the fact that this is the first Slashdot "vulnerability" article on Windows in quite a while now is a feat considering Windows' massive marketshare and usage. I'm sure the editor was just dying to get it posted since it's been a little while. Meanwhile, the Linuxsecurity site shows that Linux distros have multiple security advisories every week.
Point? No point other than to point it out. No problem with Slashdot reporting these things, but pretending there's no agenda behind it--especially considering Slashdot is owned by a Linux company in whose best interest it is to post "news stories" that happen to dump on competitors--is being purposely naive. -
Uh
This has to be one of the most flagrant trolls I've seen in a while.
LinuxSecurity lists weekly security advisories for all the distros--buffer overflows, exploits, and all around security flaws that never get reported around these parts.
Hope that doesn't "surprise" you since it's not Windows software. Yes, believe it or not, OSS software is not somehow magically perfect simply because it's compiled for Linux via gcc rather than for Windows via Visual Studio...programmers are programmers. -
Re: The point everyone misses