Domain: linuxsecurity.com
Stories and comments across the archive that link to linuxsecurity.com.
Comments · 197
-
I don't know, but...
Slashdot posts every single letter, lecture, and little throwaway statement by Bill Gates in order to give the "M$"-bashers something to froth over.
Absolutely nothing new will be offered in the discussions for this article.
Meanwhile, Gentoo, Debian, GNU (twice!), and Gnome have all been hacked in the span of the last six months, and LinuxSecurity reports dozens of vulnerabilities for each distro every week alone.
It will always boil down to this--security as a criticism against Windows will always be something that's only valid to other Slashdotters. Most of the rest of the world doesn't see it that way, and the rational of us see it as an admin and user ignorance problem. When Slashdot posts articles with titles like "Another New Microsoft Hole" and it turns out to be a user-ran executable attachment worm (yes, this was a real article), or "Microsoft Violates Human Rights In China" simply because Windows is used by the government there (never mind that China has its own custom Linux distribution, but I doubt we'll ever see "OSS Violates Human Rights In China"), I can only shake my head and just wait for the next cool technology article.
Because that's why I first started coming to Slashdot--the cool tech news. Not "let's fill our daily quota of one 'bash M$' article per day." I used to go to K5 as an alternative because of the interesting tech articles that didn't get posted here, but at some point K5 became a liberal anti-Bush administration site. This place has become an anti-RIAA, anti-M$ site. I miss when there was no agenda other than being a cool site for nerds to get news on the latest Stallman lecture, Linux kernel technology, or programmer interview. -
www.linuxsecurity.com
How is this new database any different from LinuxSecurity.com? That site tracks several hundred vulnerabilities a week for all the distros (yes, buffer overflows and exploits and everything...stuff Slashdot doesn't ever report!)
-
Re:OpenSSL Vulnerabilites
2. The OpenSSL holes recently were a null pointer dereference and a DoS - neither would lead to a compromise.
Remember the openssl worm? Anything less than 0.9.6e is vulnerable. And they're using 0.9.5a????
Their versions of php and apache are both incredibly old (1.3.27 or 1.3.28 is current for apache, and PHP just released 5 RC1 with 4.3.x being current) - I hope they set up apache to lie about its versions. -
Re:Switch!!!
My mail client (mutt) does not run under an account that has full access to the entire system. Instead, it runs as me, and cannot replace parts of the OS even if it wants to. So it can't do things like replace part of the TCP/IP stack
While that might be true I wonder how many people are still running versions of Linux that still exhibit the reasonably recently discovered privilege escalation bugs?
Certainly the sort of people who are unlikely to have updated their Outlook are unlikely to have updated their OS kernel (especially as, at least in every automated package updater I've used, kernel upgrades don't happen as easily as userspace apps).
We aren't immune just because we use Free Software. Our software can be equally vulnerable to similar exploits. -
What is the state of wireless?
Wiring is cheap at this point in the building process. Pull some Cat5e and fiber and be done with it.
Or do you want to make it easier for your neighbors to spy on that nasty little pr0n habit you have? While those signals will have trouble getting from one corner of the house to the next (especially between floors) you can bet someone will be able to eavesdrop easily. Wireless security isn't very secure. Parabolic antenna not included. Quiet Ashcroft, I'm typing here...
Sorry, anyway. Wired is more secure, faster, and you can always add a wireless node or two for the laptop when doing non-sensitive browsing. I would firewall that connection from my LAN.
Don't want that cheezy windows laptop being a vector for attacks, eh? -
Re:solaris bashing?
> "Which is a moot point as everyone knows you don't get security holes in linux"
really? http://www.linuxsecurity.com/advisories/index.html
i develop cross-platform code for windows, linux and solaris so i am quite aware of many of these security issues. there is no such thing as a secure system; there are only secure admins
-- ng -
Re:This is a forgery.
From this article:
The new SCO 10K is available. There are some interesting exhibits, as well. What is missing in the long list of exhibits are the Sun and Microsoft licenses. The Morgan Keegan letters are attached as exhibits, and there is an Independent Contractor Agreement with S2 Strategic Consulting. So where are the Sun and Microsoft licenses? Shouldn't they be listed in the SEC filing also? The 10K refers to limitations on the Microsoft license, but it doesn't explain what limitations it is referring to.
Could it be that S2 bought those licenses on behalf of Microsoft?
(I'm posting anon for several reasons)
-
Re:Pathetic
-
Re:Pathetic
-
Re:Open Source More Secure... maybe not
Several. Someone even almost infected the kernel development tree itself through Bitkeeper.
Go to LinuxSecurity sometime and check out all the endless exploits that are announced for packages whose source code has been available for years. -
Well not THAT new
Actually this has been covered on LinuxSecurity a while ago. And the implementation is apparently usable.
-
Re:The question is...
>If my usage of `reliable' is confusing, I am referring to a system which is designed to restrict the behaviour of user applications, such that they are protected from each other, and the system from them (e.g. an application cannot crash either another application or the system). MS-DOS would naturally not meet such a requirement (nor would Windows 3.1 or Windows 9x).
Well, that definition sounds agreeable, but my point was that these concepts of reliability and stability are relative to the end-user. No machine or operating system is perfect. NASA can tell you this. Think: quality control. There are those who need real-time systems with 0% downtime, those who need a fast computer that will number crunch for weeks, those who need a game machine for LAN parties, and those who need something to check their email or send/retrieve data from a database (ie. a dumb WYSE-60 terminal to scan your ID). In each of these cases, the end-user will describe their system as reliable or stable if the amount of time it is in a state that renders it unusable (let's call this "downtime") is tolerable by that end-user. In an ideal world, this downtime would be zero. However, if it is intolerable, then it is unreliable, and the user has a choice to lower their standards of tolerance or replace their machine with something that will be reliable. Hence, Win95 is reliable enough to install on a machine that will be deployed to a place where the users are very tolerant and it will only be used to browse the web.
>When saying it's relatively easy to design a reliable OS, what I mean is that it is a well understood problem, with well understood solutions.
So in other words, it's relatively easy to design a reliable OS if you stick with what you know. Then I guess most kernel developers don't understand buffer overflows and guarding a function's return address, etc. since these problems are not fixed. Although, even if you try to restrict the design of your OS to these well understood problems that have well understood solutions, it doesn't remove the fact that the problems that you don't understand still exist. Nor does it treat the well understood problems without well understood solutions. So this OS may SEEM reliable to the programmer because it deals with these well-understood problems, but in reality it is not reliable enough to handle the unknowns. In fact, "relatively easy" implies to me that these unknowns are unimportant, which makes me instantly think of your description of microsoft's design plan for Win9x. So according to microsoft, windows is reliable since they've restricted their designs to problems they understand which have solutions they understand. But for all we know, the coders at the time may have only known a dozen or so understandable problems, including: "how can we get an MSN icon onto the desktop?". Which brings us back to quality control...
>The existence of bugs does not mean a system is not a reliable design,
well....only if the severity of the bug is tolerable to the end-user.
>For the most part, applications will only be able to exploit the occasional bug in a reliable system if explicitly written to do so (e.g. viruses).
Here's a counterexample. Consider tcpdump running on FreeBSD (stable, no?). A little while back, there was a bug that allowed remote execution of code. Suppose that on the same network which the FreeBSD machine is listening to via tcpdump there is a networked print server (jetdirect). Now if someone is printing something in postscript to this print server and all of a sudden a bug in the print server starts reacting to the postscript code by broadcasting random packets, does the possibility not exist that these random packets could end up being the same ones that cause tcpdump to start executing some random code? Clearly this was not intentional, yet tc -
Re:This is harsh, but it needs to be said
The very fact that GNU/Linux naturally weeds out complete retards probably explains why there are not -- and will never be -- as many GNU/Linux exploits as there are Windows exploits.
I'm a little late responding to this thread, and I don't know if anyone will ever see this, but I wanted to respond anyway.
Basically, all I want to say is there are more Linux exploits than Windows exploits.
These worms and viruses you hear about are not Windows "exploits." They don't exploit any bug or flaw in the OS's code. It's not like MyDoom or SoBig or virtually any other variant sneak in through a hole in the WINSOCK TCP/IP stack or something (OK, CodeRed, you got me). They're almost always simply malicious executables, emailed to naive users. That's not an OS bug. That's not an "exploit." Granted, the fact that Outlook makes it so easy to instantly execute attachments certainly contributes to both the breadth and speed of the spread of these viruses, but that's neither an "exploit" of the OS, nor a flaw of the program. It's simply a bad design/usability decision that is difficult to undo without stirring up a PR hornet's nest.
Still don't believe me? Ask yourself this. How many true, honest-to-goodness Windows exploits have you ever heard about? I can only think of one (winnuke) off the top of my head. If you include IE (fair enough, as Microsoft so adamantly insisted that it is a core component of the OS), then I can think of a handful more (the masked redirect, the more recent file-extension trick), but still none that will allow an attacker to sneak into your machine and execute arbitrary code. The two bugs I mention above will simply trick a user into thinking they're on a particular website when they're not, or thinking they've downloaded a PDF when they've actually downloaded an .EXE. They still have to run the program, or the attacker is left out in the cold.
Contrast that with the genuine, honest to goodness exploits in Linux. At least every month or two, Slashdot posts a story about a new exploit found in this utility or that one, which can be used to gain root access to the machine. Root access to the machine! That's a helluvalot worse than redirecting someone to www.malicious.com when they think they're on ebay.com, don't you think?
Go ahead. Tell me I'm full of shit and that Linux is waaaaay more secure than Windows. Then go read this and eat crow.
I don't think I can recall one, single, legitimate exploit for Windows that will let me into an unsuspecting user's box and execute arbitrary code with superuser/administrator privileges. I'm sure there are a couple out there that have long been patched, but read that link I just gave you. The 15 "most recent" exploits there are barely a week old! And how many of them give you root access?
Linux has remote holes which can allow crackers into your system and do anything they want. While most (all?) of the known holes are usually quickly patched, how many have yet to be discovered? How many are introduced accidentally now and then, with every new/updated utility or kernel module?
I assert that remote root exploits for Linux boxes are far, far more common than analogous exploits for Windows boxes. -
How come we never see an OSS report card?
Come on, this was a bad year, though everybody seems to pretend that nothing happened.
In the span of six months, GNU was hacked twice, and GNOME, Gentoo, and Debian were all breached. And according to Linux's dirty little secret, LinuxSecurity.com, dozens of new holes in OSS software are discovered every week.
Where is the Slashdot article on that? -
Re:How is this objective?
What moron runs Outlook Express on his servers? How would things like "I Love You" affect a machine like that? Think a little before posting such gibberish.
Look at the number of patches released for Windows Server 2003 since release (what is it, TWO?) compared to the amount for each distro in a given week alone at LinuxSecurity. -
Re:Sounds like a non-story
Not flaming here, but you may be comparing apples to oranges. You are complaining that /. reports every active Microsoft worm while it is out there, actively infecting multiple computers, but does not report every vulnerability affecting Linux machines. Slashdot doesn't tend to report new vulnerabilities affecting Windows, unless it comes as something spectacular, such as 6 high risk holes announced at once.
If you're reading security sites, then you're "doing it right", and that's what you need to focus on. You. I run Jay's IPTables Firewall. I occasionally check LinuxSecurity, but instead I usually visit their Packetstorm mirror and try out some of the latest exploits against my various machines just to see if I'm vulnerable. I also check CERT weekly, NIPC's Cybernotes biweekly, D-Shield and Incidents.org biweekly, and update Nessus and check my firewall biweekly. I don't have any open ports, so I rarely check for updated Snort rules. I do check my MRTG reports about once a day to see if an inordinately high amount of traffic is flowing through my firewall. There's so much that everyone should do all the time, that there's hardly enough time to complain about how much focus a web site places on reporting one OS'es actively exploited holes vs another OS'es potential vulnerabilities. In the time to read this, you could have been reviewing the Top 75 security tools and seeing where they fit in your environment, even if your environment is your house. -
Sounds like a non-story
The worm is not harmful to infected machines and has infected only a few PCs at this point, according to an analysis by Trend Micro Inc.
So why is this worth an entire headline? Shouldn't we at least wait until it's actually doing anything, or did Slashdot just want to get a new Microsoft worm article with a byline of "new-year-new-problems," despite sites like LinuxSecurity that list new vulnerabilities WEEKLY that Slashdot never reports?
And before anybody accuses me of being a Microsoft shill (you know who you are), I'm merely being the voice of opposition because I see so much groupthink here. I wish Slashdot was more rational and down the middle and objective, that's all. There is a genuine bias and propaganda going on against Microsoft, the RIAA, and so forth. Any inkling of a worm, no matter how minor and ineffective, gets breathlessly reported the minute it's submitted. Meanwhile, you never hear a thing about the faults of Linux security, except when they're forced to, like with the breaches of GNU/FSF, GNOME, Debian, and Gentoo, all within the span of six months or so. -
Um, what?
They said the password was sniffed.
Try to shunt this off to a "weak password" all you want, but let's face facts here. A beloved Linux network was clobbered.
Yes, Virginia, Linux is not invincible. You have rootkits and exploits too. Just see Linuxsecurity sometime.
And, yes, it makes all the Linux loonies who rail on about Microsoft insecurities look like religious hypocrites.
Karma Bonus unchecked, because I don't expect this to be well-received by biased moderators. -
Re:Common sense snippets
Hi
Being labelled arrogant is maybe the worst thing someone can say to me. You hit a loaded point here. Whatever. But I maintain my point : Linux is more secure than Windows.
For viruses : go there
For vulnerabilities : go there, or there.
Again, crude attack figures do not mean anything. And vulnerabilities, in my opinion, do not mean much, for they cater to local overcomes. Maybe a more interesting comparison would be to know how much money did the OSS and proprietary software worlds lose in the following of viruses, and vulnerabilities.
Regards,
Jdif -
Re:It all makes sense now
Suck on this, n00b.
-
Re:Yep...
KMail launches a Windows Virus using Wine (after displaying a similar warning as Microsoft Outlook does).
This isn't really a "bug" in KMail or Wine. It just shows that increased integration makes it easier to spread viruses, even on UNIX-like security models. -
Re:I wait until...
Uninstall the sendmail and BIND Solaris packages and the patches will stop trying to patch them. You could also install your custom software in /usr/local like everyone else
Not to mention it should be chrooted. Seems to me the problem he describes is not bad packages but a bad package manager. Even RPM allows you to manipulate the clobberability of packages. -
OpenSSL
Umm webmin is just as secure as any ssl feature you serve.
And every Linux geek's favorite OpenSSL seems to be having such a wonderfully spotless security track record lately, eh? -
Re:What makes Slack different or special?
I'll bite.
Where oh where is it written that the "Slackware way" is the official way?
It isn't written anywhere. It's one of those unwritten rules that everyone understands without having to carve it in rock or pen it to paper. By Linux the way it should be, he means that Slackware doesn't change things the developers decided on. A Gnu/Linux distribution is made up of a lot of different pieces of software. No one knows these individual pieces better than the people who wrote them. To go about madly patching half the system and placing libraries in places the developers didn't intend them to be, distributions like RedHat show their arrogance. Frankly when the OpenSSH Portable team says there's a problem with a past version and I should upgrade, I take their word for it. I don't try to back-port a patch three or four minor versions because I don't know what may be different that many versions behind that might not play nice with my patch. I use Slackware in part because Pat has that same philosophy.
Red Hat is the one packaging things up and making a "more complete" linux distro. Last time I checked when it came to admin tools Slackware was severely lacking. They also unlike distros like Red Hat are apt just to throw a bunch of standard linux packages together as opposed to Red Hat who is known to customize at the source level to add needed performance or security improvements.
What planet have you been living on? Of course Slackware doesn't include those "gee-whiz ain't that nifty?" admin tools such as the numerous "/usr/sbin/redhat-*" tools. Those are provided by redhat as nothing more than a layer of abstraction. Slackware users abhor such layers like nature abhors a vacuum. Common editors, the binutils package, man pages, and google are all you should rely on to admin your boxen. At least, that's the Slackware philosophy. And for what it's worth, a good Slackware admin is worth any 10 RedHat wizard admins.
To say the Slack just focuses on stability and simplicity as opposed to Red Hat who actually spends a ton of time and money on stability testing is misleading to say the least.
Then how come the RedHat machines I inherited at work crash? Ask anyone who uses both Slackware and RedHat which of the two is more stable.
When Red Hat patches as I mentioned just above its [sic] for a reason, and usually a good one. Slackware's lack of patches and "little things which make using linux easier" is really just a reflection that they don't have the manpower or money to add needed improvements which make the a distro perform better.
Well, I certainly doubt it's for a good reason.
RedHat advisories
Slackware advisories
Granted RedHat includes more software than Slackware, but look at how many times RedHat is vulnerable on a package that Slackware isn't. There can be no doubt in those cases that RedHat's either used a half-beta version of that software, or has poorly patched it, introducing a security vulnerability. As for performance, again ask anyone who uses both RedHat and Slackware which of the two performs better.
I didn't reply to slam Slackware...
No, you replied to troll. You obviously have no experience with Slackware, and thus aren't equipped to speak critically of it. -
We really need a different language
The most common security hole is a buffer overflow. OpenBSD is well regarded as one of the most secure systems in the world. It was extensively audited, yet it still had a remote root exploit. And what type of exploit was it? A buffer overflow!
Buffer overflows should not happen in the first place. In most languages, they are impossible. They happen because A) most code is written in C or C++, and B) everyone makes mistakes (even the finest open source developers overlook simple buffer overflows).
Microsoft is moving to languages with managed types. If they had been using managed types all along, the overwhelming majority of Microsoft security holes would have never happened. In a few years, Microsoft software will be more secure than anything Open Source has to offer.
Open Source developers, on the other hand, arrogantly believe that they are immune to mistakes. They somehow overlook the countless exploits discovered in their own code (more than 500 in Debian over the past 4 years).
It is time for open source to wake up and start using better tools and better practices.
-
Users are just one part of the problem
I agreed with everything you said until the last sentence.
People simply need to learn how to secure their own damn machines.
Most security holes are caused by implementation flaws in the software, not by the way the system is configured. Granted, a user can configure their machine to reduce the number of potential holes, but that doesn't change the fact that there are probably hundreds of exposed security holes on their machine.
If you want more secure systems, developers need to use better practices. The most common security hole is a buffer overflow. Users won't know it exists, and even if they did, most users aren't capable of fixing it. Responsibility for this type of hole falls squarely on the developers.
OpenBSD is well regarded as one of the most secure systems in the world. It was extensively audited, yet it still had a remote root exploit. And what type of exploit was it? A buffer overflow!
Buffer overflows should not happen in the first place. They happen because A) most code is written in C or C++, and B) everyone makes mistakes (even the finest open source developers overlook simple buffer overflows).
Microsoft is moving to languages with managed types. If they had been using managed types all along, the overwhelming majority of Microsoft security holes would have never happened.
Open Source developers, on the other hand, arrogantly believe that they are immune to mistakes. They somehow overlook the countless exploits discovered in their own code (more than 500 in Debian over the past 4 years).
It is time for open source to wake up and start using better tools and better practices.
-
Hopefully they will write it in a better language
All I ask is that they please write it in a language other than C or C++. Linux has tons of security holes. Most of those security holes exist only because the software was written in one of the least secure languages in the industry.
A programming language is an interface between the machine and the programmer. If a language makes security holes nearly impossible to avoid, you need a better language.
-
Look at it this way
If this were an interview with Linus Torvalds, and Linux had the marketshare Windows does, you all would be blaming people who didn't patch their programs and fix their holes.
But it's Microsoft Windows, so absolutely everything they do is wrong by default. The bias is sickening. At least be rational and level-headed about it.
Give Linux the marketshare Windows has and we'll see how many vulnerabilities crop up. -
Re:No blame for MS?
Think also that this effect has something to do with why these problems never seem to actually get *fixed*.
What clueless monkeys modded you up? The patch was out a whole month before. The government warned you TWICE to install it. Slashdot had an article about it, and it was reported everywhere. Windows Update shoved it up as a critical patch.
Windows is not more insecure than any other OS. It's just more widely used, and therefore, more widely abused. That's a fact, so you can stop your internal dialogue. Remember how GNU got hacked recently? That seems to have quietly slipped from people's minds. Also, all the corrupting 2.4.x series Linux kernels, including the "turkey" kernel that blasted ext3 filesystems. Check out Linux Security sometime. -
Re:The reason why
*cracks knuckles*
No it isn't. Two introductory paragraphs talk about sendmail holes, and its inglorious history. Then the vast majority of the article talks about Postfix configuration.
Duh. That's what I was referring to.
Sendmail vulnerabilities are the hooks, not the subject.
I know. And my point was that this article should really have been about the hole in sendmail, but instead, Slashdot covers it up by drilling home an alternative, just to drown out the news of the hole.
Sorry. I missed the Unix (Solaris, *BSD, OSX, Linux, etc) variations of SoBig, Blaster, Nachi, etc. I had no idea these recent worms attacked more than Microsoft infrastructure.
Apparently, you miss a lot of vulnerabilities. Blaster was patched already. As for SoBig, that's a user-transmitted worm. If everyone used Linux and an e-mail client, guess what? Stupid users would still run the attachments. Sorry to POP that bubble.
Or it could have had something to do with dates. Namely, the Sendmail exploit mentioned was published on March 3. This article has an Aug 21 date.
Interesting that Slashdot ignores it for so long.
But then - there's that really annoying Sendmail worm that hit everyone just after the Blaster/Nachie and SoBig combo caused so much ruckus. Thank gawd Slashdot and O'Reilly were there to cover it up with a well-timed article on installing and configuring Postfix.
No kidding; otherwise, we might have a headline about a hole in an Open Source app, and that wouldn't be consistent with the necessary string of "Microsoft holes" that Slashdot wants to drive page hits. Instead of a headline about a Sendmail hole, it's magically transformed into an informative article on Postfix. Nice! Hook, line, and sinker. -
Re:Wait for the "backlash"
All it demonstrates is that large complex pieces of software are inherently more difficult to secure than smaller simpler ones.
What happens to this when it's Windows, and it's suddenly "WINDOWS WAS DESIGNED FROM THE BEGINNING WITHOUT SECURITY IN MIND!!1." You know, the standard hysterical absolutes.
Oh? You mean nothing is 100% secure? You mean Linux has more monthly than Windows? People need to get off their high horse and gain some perspective. -
Re:Obligatory Question and
Windows still has 95+% marketshare. See how secure Linux is then.
-
Re:su with wheel group
For other ignorant readers like myself who read the above comment and either didn't know what those changes meant or started wondering whether his/her own systems were secure enough:
Securing Debian -
Re:they better not
Apparently you've confused Linux with the imaginary Super Magic Happy Fun Ball OS, where there are no virus threats or security vulnerabilities, and all software is free (unlike the pot you're apparently smoking).
What? 15 vulnerabilities in one week. They must be talking about some other Linux.
-
Re:Not the driest place on Earth
Man, this is a private and prestigious educational institute. There isn't money lying around for that
-
SCO should be well aware of it
To most people, if it isn't on the Web site, it doesn't exist.
By that logic, SCO has no case. To most people, if it isn't Windows it doesn't exist.
They could throw out some nice, Judge-convincing BS like "We only made these files available via the 'FTP' program, which is only for highly advanced technical individuals such as corporate IT managers, for the convenience of our paying customers. It was not intended for download by unlicensed individuals, and in fact doing so constitutes hacking as per the terms of the DMCA..."
Unless reading security advisories from LinuxSecurity.com constitutes "hacking", I don't see that argument as particularly convincing. SCO posted the kernel on their FTP server May 9th. A Linux kernel developer told SCO about it a month ago. Links to the story were posted on many popular news sites. The code is still there.
-
EnGarde Linux
Check out EnGarde Linux.
Also, LinuxSecurity.com is a very helpful and informative site. -
We were considering implementing it
until this happened: http://www.linuxsecurity.com/advisories/engarde_advisory-3277.html.
-
Re:Remember...
Considering the security record of every product they ever made....why should we believe that 'trustworthy' computing will be any different? Because they said so? Please..
And through most of its history UNIX was an extremely insecure operating system, just read any history of hacking (or cracking for all you ESR cumgobblers) and you'll see that UNIX boxen were always being compromised. Why? Because they were the biggest easy target just like nowadays M$ is the biggest easy target.
But many UNIX vendors eventually cleaned up their act and started putting out secure systems, it is not impossible that microsoft could do the same.
No UNIX is perfectly secure and neither will any MS product be, but they are stepping in the right direction. Maybe instead of chastising M$ you should work on securing open source products as they are becoming more and more targets of hackers (or again, crackers for all you ESR cum gobbling fagghorx).
Bliss... -
Re:Kidding yourself
You're just another full of shit linux zealot, check this out:
The Linux Virus Writing HowTo...
-
KEY record debate...
One potential problem with this is that KEY records were originally intended for DNSsec usage and some controversy has arisen with regard to using KEY records for other purposes, such as OE. This pretty much sums it up, however, and it seems as though they've gone on using KEY for this purpose.
(I realize the articles listed are 8-9 months old, but clearly the issue is still relevant.)
I'm unfortunately not running OE, as my DNS provider (UltraDNS) did not provide the capability to add KEY records to a zone at the time I went through the installation process. Not sure if they do so now; perhaps time to check! I'd be interested in discovering which DNS providers do or do not provide the ability to insert KEY records into zones.
-
Interview with HEL author
I just noticed that one of the HEL authors was interviewed by LinuxSecurity.com. It's available here. Here are some interesting parts. And no, this is not karma whoring - I'm posting AC.
LS: Supposing you had free time, what would you be doing with it?
Brian: I'd devote some time to helping out the Linux Security Module project. I hope to help port systrace to LSM next year. Currently it is a kernel patch, and I think the community would be served better in the long run by having it available as an LSM module, which would make it more accessible to those who fear kernel compilation.
And some day I hope to get around to turning some of the megs of perl code I've written over the years into well defined Perl modules for CPAN. Then I won't be the only one supporting this spaghetti code. ;-)
If I had infinite time, I'd learn to play the Hammered Dulcimer and French Horn. There's nothing in the world as musical as a well-played French Horn.
LS: In your opinion, what is the most interesting thing about Linux and Security?
Brian: The first thing is that, with Linux, security is a possibility. It is not an end point - you must constantly keep abreast of new attacks and revisit your security posture - but there is nothing that is unavailable to you if you want to look. Closed source systems can never offer this. By design, be it chosen for monetary reasons or to prevent competition, closed source products always hide details from the users and administrators that could be critical to understanding how things function, and how they can be broken.
One of the beauties of Linux (and other open systems, such as *BSD) is that you can use them to boost the security of those closed source machines. By the liberal application of Linux machines throughout your infrastructure, you can keep those exploits-waiting-to-happen locked down where they can do less harm. For more of my ranting on this topic, see my article Linux is Securable -- I won't waste time rambling here.
What is most intriguing right now on the Linux horizon is the evolution of security controls. In the beginning, all you had to work with were file permissions. Root could do absolutely anything unchecked, and root access was required for some things such as binding low network ports or opening raw sockets, which meant use of set userid bits on programs, which frequently were broken to gain root access.
Next came capabilities, where each bit of root's power was defined in more specific terms. When determining if a process could bind port 80 originally you'd check to see if uid==0. Now you'd check if the process had the CAP_NET_BIND_SERVICE capability. In theory, you could now remove capabilities from the system - for example removing the ability to load kernel modules ever again, which is good for defending against malicious LKMs.
It goes on quite a bit - a good read.
-
This is still about fighting "terrorists"
...even those in the US. Clearly, the US Military, who does not directly control the policy decisions of foreign countries, would not employ a technology that it knows is defeatable by consumer devices commonly found overseas. I think this may be about exercising greater control over Wireless APs, which have been designated a "terrorist threat" when allowed to be public access.
-
Re:I have a brilliantly original idea
-
djbdns & qmail
I'm not trying to torch anybody's favorite software here, but both djbdns and qmail have drawbacks.
The biggest issue is the license. Qmail is limited to source-code only distribution, with an exception being made for precompiled binaries if they behave exactly the same as qmail normally behaves. Information here. This means that if you want qmail not to throw all of its binaries under /var and ignore most of /etc for configuration files (which it normally does), you have to compile and patch it by yourself. Also, there is no distributing patched versions, so if D. J. Bernstein dies tomorrow, qmail development is effectively frozen until qmail passes into the public domain decades later. That includes any security/performance patches, as well as ports to other architectures. Djbdns has a similar license.
There is also compatibility. Djbdns does not support certain zone transfer mechanisms. It ignores some IETF standards entirely and implements its own version instead. I get upset when Microsoft twists and corrupts public standards for its own ends, and I get upset when Bernstein does it as well. I'm lazy, I don't want to have to double-check if my DNS servers support a certain standard if my configuration changes. Qmail is more of a quibble, I don't like how it throws everything in /var. (And I'm not sure why the world needs qmtp)
I'm not saying that a lot of people and smaller sites won't find qmail/djbdns (and the rest of Bernstein's software) useful. They seem to be secure, and they do their job as long as everything is compatible.
However, one of the reasons why I avoid proprietary software for many tasks is that I don't want to hitch my wagon to somebody else's horse. If I go with an MTA that is widely used and is GPL or BSDl, I am assured that development does not rest solely on one person. And if I go with standards-compliant software, it ends up being less of a hassle in the long run.
Djbdns and Qmail aren't bad. But they have licenses that limit distribution and development, and they break interoperability.
-
"chroot"ing exposed services - Linux still ahead
With Redhat 7.x, Redhat began to ship with most default package configurations "secure by default".
Maybe it is time for all the distributions to consider shipping with external services such as Apache configured to run under chroot.
Eventually dedicated servers will require an LSM/SE Linux type environment to run exposed services. -
Re:Debian unstable
From the look of things, 0.9.6c-2.woody should be safe.
Or am I completely misreading this page?
-
Re:Speaking of .org reassignment. . .
Heh. I read a story about that three days ago (28th) on LinuxSecurity (the article is here). A copy of the site, in all its hacked-up glory, is also available here.
I'm kind of surprised, though. You'd think that three days would be enough time for RIAA's 1337 h4x0r5 to both (a) find the perpetrators and retaliate, and (b) fix their site!
-
Trojaned source distributions
So far we've seen dsniff and other programs from monkey.org trojaned, irssi, BitchX, and now OpenSSH.
At this point I think we need to make the assumption that the problem is a bit more common than viewing these compromises individually would suggest, and perhaps these individual events can even be linked together.
And for the developers out there, I think it's time to check over all of your current distributed source tarballs.