Domain: linuxsecurity.com
Stories and comments across the archive that link to linuxsecurity.com.
Comments · 197
-
Re:Who cares. Let them.
You keep on and on circumventing the simple fact that a virus can be contracted through an insecure service (not necessarily a part of the OS), an insecure application (not necessarily a part of the OS), and user interaction (not a part of the OS) among other methods.
That can't be correct. With Linux, for instance, a virus or a worm that infects a service or an application, perhaps through user interaction, can only succeed in infecting the rest of the OS if that service or application is running as root, which usually is not the case. In particular, normal users never have to run anything as root. Thus, when the service stops, or the user logs out, the virus or worm stops running as well. If we suspect something is wrong, the account in question can be deleted (perhaps replaced with a backup) and that would be the end of it. If Windows was anything like this secure, then we would not be having this conversation
100% wrong. The whole point of a security flaw is that you can exploit it to do something you were not supposed to be able to. See the latest Linux advisories here. Don't bother looking at the whole list -- just skim through the ones at the top intended for Debian. In the descriptions do you see the words "execution of arbitrary code", "privilege escalation", etc.? As the name suggests, the first type of flaw allows you to run any code you want (but in the context of the process you compromised). The second type gets you root. The combination means you own the box. This is true for all OSes. These flaws exist everywhere. Nothing is intrinsically secure or insecure. People write exploits for these flaws on Windows. They don't do it for Linux.
What do you think ASLR / DEP / sandboxing / Authenticode signing / etc. are?
Linux doesn't have any of those features; they're not necessary (you're not really familiar with Linux, are you?). Only Windows seems to have them, and apparently they can be circumvented.
Unbelievable.
- ASLR and DEP do exist in Linux. It's your first line of defense against buffer overruns.
- Sandboxing does exist in Linux as well.
- Code signing does exist in Linux (that's not the full story on code-signing in Linux, but it'll do for the purpose of this conversation).
Did you just ask me if I'm familiar with Linux??? How can you be so wrong, about such basic things, and yet argue so much? This is unbearable. The worst part is that you're talking out of both sides of your mouth by first claiming that Linux is intrinsically secure, and then boldly stating that it does not have extremely key security measures that are expected at the kernel level.
We would not be running those machines if it were not for the X-ray scanners
Finally some context. As I asked many many posts ago (see the comment RE cash registers) what was the point of this example then? These are obviously fixed-function machines. It's like arguing with an indolent child...
Then you must be running a faster machine and/or more efficient AV software.
No to the speed thing. I use what my company provides. I do recommend 'efficient' AV software regardless. If you're running some piece-of-crap AV why give Windows shit about it?
Also, users have to remember to keep paying for their AV subscription fees
MSE is free. MSE will be built in to Win8 for free. That was the point of TFA, to which you replied "who cares". Answer: obviously, you do.
You're confusing security and obscurity here. The net effect is the same tho
-
127.0.0.1 = loopback adapter address
http://wiki.answers.com/Q/What_is_a_computer's_loopback_IP_address
(Look there, you'll see it's been answered as 127.0.0.1, as was stated in my init. posts here also (that 127.0.0.1 is the loopback adapter address)
This also backs it as well:
"127.0.0.1 is the loopback adapter address present in every TCP/IP-enabled computer which causes the computer to refer to itself without knowledge of its own name or address"
(Pertinent Quote above is from here -> http://www.linuxsecurity.com/content/view/112264/ in fact).
Heck, I suppose you can check the RFC's themselves even to further verify this, but I think that attempting to further "nitpick" my points on this will be fruitless on your parts guys (I've been into this area since the mid 1980's really on *NIX systems, & put up a lot about it for PC users since, oh, 1996-1997 or so, online on forums etc.)
APK
-
Re:Random?
"This short paper will examine several discovered statistical irregularities in functions used within the SecurID algorithm: the time computation and final conversion routines. Where and how these irregularities can be mitigated by usage and policy are explored."
http://www.linuxsecurity.com/resource_files/cryptography/initial_securid_analysis.pdf
My point is just because it is encased in plastic does not mean that the number can not be determined.
- SR
-
Re:What about the banks?
Completely impossible if you use a One time Pad. If you use a secret key, and the display updates the code every 10 seconds, it is feasible that it would require the cracker to wait for several years or decades worth of data from the display in order to figure out what the secret key is.
Two months of output is enough to crack 10% of the SecurID tokens. http://www.cosic.esat.kuleuven.be/publications/article-118.ps. So definitely possible, but not very feasible as I stated.
you might be able to glitch the secure chip by playing with temperature, voltage, or cutting into the chip and injecting current to the IC itself while it is still running.
If you look at http://www.linuxsecurity.com/content/view/124176/2/, they simply sped the clock up and recorded all the possible outputs. In theory you could take a SecurID token, modify the clock long enough to spit out all the values and "wrap" around to the current time again.
-
Re:FTPS
How does one break out of chroot?
Third, if there is no root user defined within the chroot environment, no SUID binaries, no devices, and the daemon itself dropped root privileges right after the chroot() call (like in the code below), breaking out of chroot appears to be impossible. In other words, if there is no way to gain a root shell or perform actions that only root can usually perform (e.g. create devices, or access raw memory), breaking chroot is not clearly possible. Ideally, if the custom software uses chroot for security the sequence of calls should be:
    chdir("/home/safedir");
    chroot("/home/safedir");
    setuid(500);
Keep in mind that after these lines are executed there will be no way for the program to regain root privileges.
Chroot can clearly add to security if used correctly.
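As an added example (not code from the comment above, and not from any particular daemon), here is the chdir/chroot/setuid sequence the poster describes in Python, preceded by an audit of the jail directory for the two things the poster says must be absent: set-uid binaries and device nodes. The jail path "/home/safedir" and uid/gid 500 are the poster's example values; enter_jail() needs root to run, audit_jail() and the constructed demo jail do not.

```python
import os
import stat
import tempfile


def audit_jail(root):
    """Walk a would-be chroot directory and report what the poster says must not
    be inside it: set-uid/set-gid files and device nodes. Returns a sorted list
    of (path, reason); an empty list means the jail passed this check."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: never follow a symlink out of the jail
            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append((path, "device node"))
            elif stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((path, "setuid/setgid file"))
    return sorted(findings)


def enter_jail(root, uid, gid):
    """chdir, chroot, then drop privileges, in that order (the sequence from the
    comment above, with a group drop added). Needs root; once it returns the
    process cannot chroot() again or regain root."""
    if audit_jail(root):
        raise RuntimeError("jail contains setuid files or device nodes; refusing")
    os.chdir(root)        # cwd must already be inside the jail when chroot() runs
    os.chroot(root)
    os.setgroups([])      # shed supplementary groups inherited from root
    os.setgid(gid)        # group before user: setgid() fails once we are no longer root
    os.setuid(uid)
    try:
        os.setuid(0)      # must fail now; if it succeeds the drop did not take
    except PermissionError:
        return True
    raise RuntimeError("still able to become root after setuid(); refusing to continue")


def build_demo_jail():
    """Constructed example: a temporary jail with one harmless file and one
    set-uid file, so audit_jail() has something to catch. Returns (root, bad_path)."""
    root = tempfile.mkdtemp(prefix="jail-")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "cat"), "w") as f:
        f.write("#!/bin/sh\n")
    bad = os.path.join(root, "bin", "su")
    with open(bad, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(bad, 0o4755)  # set-uid bit: exactly what must not be inside a jail
    return root, bad


if __name__ == "__main__":
    jail, _ = build_demo_jail()
    for path, reason in audit_jail(jail):
        print(f"{reason}: {path}")
    # enter_jail("/home/safedir", 500, 500)  # run as root to actually drop into the jail
```

The order matters: chroot() first while still root, then setgid() before setuid(), because once the effective uid is unprivileged neither call is allowed any more. The final os.setuid(0) probe is the cheap way to confirm the drop really happened rather than silently failing.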
-
Re:What does "guessable" mean here?
The security advisory at linuxsecurity.com seems to confirm that this is how it works: A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.
-
hashed logs
One automated way is to use Modular Syslog's hashed logging function:
http://ezine.daemonnews.org/200112/log_protection.html
http://www.softpanorama.org/Logs/log_management.shtml
http://www2.corest.com/files/files/11/PEO.pdf
http://www.linuxsecurity.com/content/view/117280/50/ -
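An added example, not taken from msyslog or from any of the linked articles: a minimal hash-chained log in Python showing the idea behind hashed logging. Each stored record carries H_i = SHA-256(H_{i-1} || line), so editing or deleting an earlier line changes every later hash and a verifier that recomputes the chain reports the first bad index. The sample log lines are constructed. The assumption that makes this useful is that the chain head (or the latest H_i) is kept off the host or shipped out periodically; an attacker with root who also holds the head can simply rebuild the chain.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32   # chain head for an empty log; in practice anchor this off-host

# Constructed sample log lines, not taken from any real system.
SAMPLE = [
    b"Mar  3 10:01:12 host sshd[812]: Accepted publickey for alice from 10.0.0.5",
    b"Mar  3 10:02:40 host sudo: alice : COMMAND=/bin/sh",
    b"Mar  3 10:03:01 host sshd[812]: session closed for user alice",
]


def chain_hash(prev, line):
    """H_i = SHA-256(H_{i-1} || line): each record's hash commits to all earlier ones."""
    return hashlib.sha256(prev + line).digest()


def build_log(lines, head=GENESIS):
    """Append lines in order; each stored record is (line, H_i)."""
    records, prev = [], head
    for line in lines:
        prev = chain_hash(prev, line)
        records.append((line, prev))
    return records


def verify_log(records, head=GENESIS):
    """Recompute the chain from the head. Returns (True, n) when all n records
    check out, or (False, i) where i is the first record whose stored hash does
    not match; an edited or deleted earlier line shows up at that index."""
    prev = head
    for i, (line, stored) in enumerate(records):
        expected = chain_hash(prev, line)
        if not hmac.compare_digest(expected, stored):
            return False, i
        prev = expected
    return True, len(records)


def tamper_edit(records, index=1):
    """Attacker rewrites one line but cannot fix up the chain without the head."""
    edited = list(records)
    line, stored = edited[index]
    edited[index] = (line.replace(b"COMMAND=/bin/sh", b"COMMAND=/bin/ls"), stored)
    return edited


def tamper_delete(records, index=1):
    """Attacker deletes the incriminating record outright."""
    return records[:index] + records[index + 1:]


if __name__ == "__main__":
    log = build_log(SAMPLE)
    print("clean   :", verify_log(log))
    print("edited  :", verify_log(tamper_edit(log)))
    print("deleted :", verify_log(tamper_delete(log)))
```

Deletion is caught for the same reason as editing: the record that follows the gap was hashed over the missing line's H_i, so recomputing from the previous surviving record no longer matches.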
Re:Fine...
How does Microsoft Speech API ActiveX control remote buffer overflow exploit for WinXP SP2 translate to a Linux exploit?
-
Re:Fine...
Gladly! Check out the "exploits" section.
-
Re:Fine...
Here ya go! Let me know when you're finished, thanks!
-
Unclear who's to credit or blame.
Sounds suspiciously like they were hired by the NSA, and effectively sold the code to NSA as part of their contract.
From SELinux FAQ #11: Researchers in the Information Assurance Research Group of NSA worked with Secure Computing Corporation (SCC) to develop a strong, flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system. NSA and SCC developed two Mach-based prototypes of the architecture: DTMach and DTOS (http://www.cs.utah.edu/flux/dtos/). NSA and SCC then worked with the University of Utah's Flux research group to transfer the architecture to the Fluke research operating system. During this transfer, the architecture was enhanced to provide better support for dynamic security policies. This enhanced architecture was named Flask (http://www.cs.utah.edu/flux/flask/). NSA has now integrated the Flask architecture into the Linux operating system to transfer the technology to a larger developer and user community.
Not sure I have a lot of sympathy for the SCC people; they got paid for what they delivered, and then the client decided to open it up.
It's not really clear what happened afterwards; it sounds like SCC might have threatened users of SELinux with their patents, or prepared to, but later on decided this was a Bad Move --- it's not clear whether the NSA had a hand in convincing them of this, or it was a result of negative publicity from the Linux community, or what, but they eventually put out a statement (PDF) to the effect that they wouldn't use their patents against users of the GPLed code.
Hard to unravel what the real story was at this point, or how much credit should go to SCC versus the NSA for cracking heads and getting the patent threat removed, but the ultimate outcome was certainly a positive one. But at any rate, since the NSA folks were the ones who ported it to Linux from the research OS, and turned it from an academic curiosity into something with practical applications, I'd say they deserve the lion's share. -
Re:It's too late for the public...
I'll put out two links for you since you're either lying or just misinformed. Link 1
Apache is one of the most hacked services right under Sendmail I believe. As for OS X security let's see how much we can learn by sniffing the traffic coming from the unit. By default Samba on OS X doesn't support session signing or encryption. Both features fully support under practically ever modern linux distro. Apache is by far the dominant web server and because of that it is more prone to attack. It's simple math. Its major progress over the past is that it is getting easier to configure and secure properly so it will become less prone to attack. Why does this sound familiar? hmmmm.....
At any rate, every platform has its vulnerabilities; OS X has its patches just like every other OS out there. I'm not sure what you mean about innate security since I believe both OS's can and more importantly are often secured.
As for viruses, I honestly haven't seen one do any damage to any of my end-users in years. Of course they run with limited access just like I do. The mechanism has been there for quite some time, on the order of 10-12 years so it's mighty confusing how people are still mentioning it.
I'll leave you with one more link Shows both sides fairly
Both platforms have their faults but spreading mis-information does no one any good.
-
Re:and?
(response from Safari user) *cough* Obtain an interactive shell through lynx *cough* Lynx NNTP vulnerability *cough* Lynx CRLF injection *cough*
-
Re:They did overhaul sendmail.
And named it postfix.
I'm sorry. Please don't mod that up as "informative". It's supposed to be "funny". Postfix is not derived from sendmail.
To quote from an interview with Wietse (the author of postfix), "Writing a new mail system from scratch was a change from previous projects." http://www.linuxsecurity.com/content/view/117302/49/ -
No but...
-
Re:What is this samba you speak of?
Agreed.
In my opinion traditional NFS is not that secure, either against reading things "on the wire" or spoofing.
As another poster has mentioned you can export the filesystem on a client by client basis. As a "bad guy" you have to take over the identity of one of those trusted clients (steal the IP address). Tricky but not impossible.
The basic problem here is authenticating that the client really is the right client. IP addresses are not sufficient in this regard. For those that deem this necessary Secure NFS is key. (excuse the DES pun).
For the extra paranoid you can even tunnel the connection with SSH.
-ed
-
Re:Heh... yeah.
I think switching OSs is a less difficult proposition for someone who has time to read slashdot than picking up your family and moving is for someone who can barely feed his or her own kids.
Of course. But it's still not very helpful. The next time there's some Linux exploit in the wild, would your advice also be to switch operating system? -
Re:Q: best way to learn it?
My only experience with SELinux has been when an old reliable sysadmin procedure stopped working. I acknowledge that I need to know more. Should I pop for the (overpriced, IMO) O'Reilly book, or plow through the online stuffs?
The O'Reilly book is very outdated, most of it talks about the SELinux implementation in FC2 IIRC, and a LOT has changed since then. You'd be better off with the online stuff until that book gets revised.
<shameless plug>
I wrote a series of four articles on SELinux you can find here: 1 2 3 4 and the company I work for has an SELinux strict policy server distro available here.
</shameless plug> -
This is foolproof
From the article: "Anthony Wing, manager of the anti-spam team at the ACMA, told ZDNet UK sister site ZDNet Australia that the application, which took "some months" to build, can identify computers physically located in Australia that are being used for "illicit reasons".
"[The application] identifies IP addresses that have been used for illicit reasons -- for example spamming," Wing said. "There are a range of sensors around that world that identify them. Those infected IP addresses are then fed to the relevant ISP. They know who their customers are so that can contact them... if the computer remains a threat to other Internet users, the ISPs may take steps under their acceptable use policy to disconnect the computer until the problem is resolved".
...The ISPs will then be responsible for contacting their customers and helping them disinfect their computers.
This is great, assuming that:
- Hackers won't get a copy of this software and find ways of circumventing it.
- "Illicit" computer operators aren't spoofing their IP addresses.
- ISPs don't abuse the interpretation of the words "threat" or "acceptable use".
- The process of "helping" users disinfect computers does not compromise user's privacy.
-
Re:Misuse of the term
have seen just about every damn rootkit that actually works
Isn't that a contradiction?*
You can get all the exploits you want from packetstormsecurity but I dare you to find a single rootkit there.
Homepage: Assessments -> RootKits
What you really want to watch out for are kernel level RootKits, as even checking the integrity of programs doesn't help as they aren't altered. The kernel runs a different program when you call the correct one. Evil I tell you!
*Laugh, it was supposed to be a joke :-) -
Re:This just in...
Oh, I forgot...
Yeah, you can run remote code on a *nix box.
For once, you're finally right! You can run remote code on a *nix box. GO to http://www.linuxsecurity.com/content/blogcategory/ 0/76/
and read about the hundreds of bugs that permit overflow attacks that lead to the execution of arbitrary code, whereupon with correct programming the box can reach out and execute anything else with at least the privilege level of the program that the exploit has supplanted. The exploit doesn't even have to be executable, it just has to be embedded in a processed data file.
*whine* but that's not what I meant! *whine*
Doesn't matter.
Remember that automated exploit that downloaded, installed, and ran the rootkit? Yep, that's remote code execution. Really. Whether it is a design feature or flaw, the problem is just as severe.
--
Yet again, none of this does anything to rebut my original post. Given your numbers for market share, it's perfectly possible to demonstrate why Windows is a much more valuable target for malware than Mac OS X or Linux, and the real world numbers for viruses and malware fall within the predictions of the model.
God I love watching people squirm like a stuck worm rather than admitting that you just might be right.
Oh, and just in case I might be wrong, just remember that I am in fact right because Al Gore invented the internet. -
Re:The basic flaw in this logic
On your first point. The Windows VM is in no way horribly slow, in fact it's a very elegant VM, comparable to Java, although not as mature. VMs however, are bloated by definition compared to native code. Show me a substantially better VM out there than .NET. Java is good, and mature, but inferior in concept... and available on Windows from the same primary vendor I might add, which is not an advantage for Linux. The NT SMP has always been the best in the business, orders of magnitude faster than Linux until the 2.4 kernels. SMP reparation was the big push for 2.4 precisely because of how much NT kicked its ass. The NTFS file system has no peer in security; it's the best, hands down, and not too shabby on speed either. I have no idea why you picked NT's strongest points as examples here. You could have chosen examples like GNU/Linux being leaps and bounds ahead in cluster support, standardization of code, small footprint, intelligent RAM allocation and file caching, HID responsiveness, a sane file locking strategy, better all around browsers, better interoperability, etc... but net stack, VM, SMP and file system are things that NT did right. Where Windows truly excels, however, is the proliferation of highly polished workstation applications, ease of configuration and live updating. And games, but that's just the popularity of the platform speaking.
There are many examples of Linux security holes. Try being on the gentoo mailing list for a bit, you'll see how secure this "bullet proof" OS is. Security is an issue for everyone right now and open source is just as vulnerable. Windows gets targeted more than Linux because it controls much more of the machines out there, making for a target rich environment. Recent reports have not shown OSS to be substantially more secure. You can however make an argument that at least with OSS you have the chance to close the holes yourself or do your own code audits, which IMO is a very nice bonus.
And as for your last point, my argument was not in speed of development. Both OSs have been progressing rapidly. I simply said that just because MS approximates release dates and misses them does not, by itself, show development to be slower on Windows. Linux does not set dates at all, so it is an unfair comparison. And before you peg me for a Windows enthusiast, I'm typing this on Firefox, from my gentoo workstation, maintained via CFEngine on my primary server, alongside my performance cluster of gentoo boxes, behind my Linux firewall. I've got 2 machines here (out of 18) that run Windows. 1 is a test machine I use to verify my products still work under Windows, and my girlfriend's laptop. I much prefer Linux, as it is a much more sane development environment and is perfect for all my clustering needs, and I happen to think it's the best OS out there for my uses. That doesn't mean that Windows isn't ahead in a few areas. -
Re:Drupal powers...
I really think Drupal will be the next Nuke. The XML-RPC thing isn't really their fault, it's a problem with a third-party library.
OK, geez, this is absurd. This software is crap. I was looking in google for the url to the "gain admin at signup" vulnerability (which I saw in Bugtraq in the last week or two and was the one I was originally referring to, not the XML-RPC one) and I came across another vulnerability at http://packetstorm.linuxsecurity.com/0506-advisories/DRUPAL-SA-2005-002.txt which is also less than two weeks old which is basically "execute arbitrary code on remote system when comments are enabled". See what I mean? It's going to be one after another after another after another...
-
Re:Modularised code will always have this problem.
The main problem with Visual C++ buffer overflow protection is that it is pretty much useless.
First, it is designed to protect against stack based buffer overflows, but can do nothing against heap based ones. I don't know if zlib's is a heap or a stack buffer overflow but stack overflows are becoming rare and I suspect the heap in this case.
Second, Microsoft's stack protection, which by the way is largely inspired by Stackguard, can be evaded without much fuss. The protection relies on placing a so-called "canary" value before the RET address (address of the instruction to be executed after the function returns) and checking this memory location for modifications to detect eventual overflow attacks. The problem with Microsoft's implementation is that the user can define a handler function that is called if such an overflow is detected. In some cases it is possible to modify the location of the function (a variable called user_handler) so that it points to the buffer controlled by the attacker. Thus: overflow, detection, user function being called, and attacker's code is executed. Ironic, isn't it?
Here's a security advisory on this topic dating from 2002:
http://www.linuxsecurity.com/content/view/111652/151/
The problem with overflows is that the attacker is able to overwrite memory locations. Overwriting the RET address is the easiest way to go, but by no means the only one. Any protection can and will be evaded by jumping between pointers and playing with pointer arithmetic. In the case of heap overflows, I don't think that this kind of protection even exists. -
Just how much of the document has teeth, anyway?
Didn't slashdot run a story a while back about GPL being a price-fixing scheme? Aside from the inital buzz, I never heard any more about it. Is the GPL just kind of a social abstract to kick around, or is it really being enforced and used? I think FSF and the GPL are great ideas, but they're really more _ideas_ than anything else. The articles I found about GPL were mostly companies settling out of case before the case was heard.
How Much Is A Friend Worth? -
Re:Not IF there are vulnerabilities but WHAT they
I also spotted the IF in "If there are any vulnerabilities in iPod". Come on peeps, this is a non-story, every piece of code in every service running has a huge great IF attached to it. What IF ssh has a buffer overflow bug!? Oh, I hear you say it could never have? Were you saying that in August 2003? You can take it for granted bad code WILL be found in RSS streaming clients, and to integrate them into a system with high level privileges, and without years of testing, is extremely foolish.
-
Re:Lynx is safe
is lynx really safe?
http://www.linuxsecurity.com/content/view/102132/109/ -
Re:Not much of a problem...JPEG files are "safe"
http://www.kb.cert.org/vuls/id/297462, http://www.linuxsecurity.com/content/view/102413/110/ -
PowerPC doesn't prevent buffer overflow exploits
CAN-2004-1134 is a buffer overflow issue. The Mac is susceptible to buffer overflows.
Take e.g. the iSync issue. Apple doesn't go into details, but if you do a Google search on "isync vulnerability" you will find:
"The vulnerability is caused due to a boundary error in the handling of the "-v" and "-a" command line options. This can be exploited to cause a buffer overflow by supplying an overly long argument (over 4096 bytes). Successful exploitation allows execution of arbitrary code with the privileges of the mRouter application."
A proof of concept exploit can be found at. It opens a root shell.
When the PowerPC jumps to a subroutine, the return address is stored in the lr register. The first thing the prolog code in the subroutine does, is to put the address on the stack (freeing up the register for further function calls). So, a would-be hacker can overwrite the return address. For a description of how to take advantage of buffer overflows on the Mac, see "Smashing The Mac For Fun & Profit". -
Re:Straight from a horses mouth.
Of course, you conveniently ignored the "2.6.10 is looking much better" part as well as the fact that we are at 2.6.11.7 by now (which is incidentally rock-solid over here). I also seem to have heard a thing or two about FreeBSD 5.x problems and that many are sticking to 4.x for that reason. As for Apple, they finally fixed a well-known, trivial root exploit last week which was discovered back in fscking January! Try again.
-
Re:Balance
Only a person ignorant of the issues could claim that OS X is just as insecure as Windows.
There really isn't that much to distinguish modern operating systems. They all have integrated networking, more or less elaborate means of access control, a pretty GUI and some utility apps like a web browser and an email client. They're all written in C-derivative languages by people who've studied largely the same curriculum.
Microsoft has made some baffling mistakes wrt the implementation of some of its userland software, but has ultimately fixed all of them as far as I'm aware. On the other hand Apple doesn't seem to take privilege escalation very seriously.
But the proof is in the pudding, as they say. So where are the Mac viruses and worms?
A number of them have been mentioned by another poster in this thread.
Think about it for a second: your premise is that all OS's are equally exploitable?
No, I contend that Windows is subjected to the most attacks because it has the largest market share.
OS X is not "vaguely" based on "BSD-ish" origins.
The largest and most important parts of OS X don't derive from BSD. At its lowest level, OS X runs a Mach kernel, which was originally developed at CMU. Quartz, Cocoa and Carbon are NEXT/Apple developments. The "BSD heritage" of OS X is mostly a syscall table and some commandline tools that nobody uses. -
Root exploit _still_ not fixed
So the summary claims that Mac OS X is technically more secure than Windows. Then why has this well-known root exploit in iSync not been fixed even after several security updates and one system update, and despite that Apple has apparently been notified?
That worries me -- this bug is trivial to exploit from any user account (just compile and run). It smells like Microsoft-esque security practices.
FWIW, my temporary fix was to revoke the vulnerable file's setuid and execute permissions:
$ chmod 644 /System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/mRouter
-
Re:Around 11% on mine
And, oh, did I mention that your installation of AWStats is Vulnerable?
Well, now I did. Friendly warning
-
Damnit!
I pointed this out YEARS ago. I just don't understand why the updated winsock didn't get used in 2k when they overhauled the tcp stack. (and wow is that an old email addy. heh)
-
Re:Linus' Security Practice
Slightly off-topic: LinuxSecurity shows the weekly security advisories for all distro software, including the BSDs (it's actually quite a lot).
-
OpenBSD Security? Give me a break.
...and his advancement of network security.
This will probably get modded flamebait, but I'd like to point out Theo doesn't exactly have an outstanding reputation in the security community.
"OpenBSD kernel: the first remotely exploitable kernel in history." -GOBBLES Security (defcon 2002) -
Re:Newsflash... ONE Linux Fan..
But heresay and anecdotes aren't supposed to matter in a study. It doesn't matter what the niche audience of Slashdot's experiences are (yes, compared to the rest of the industry, this is but one of many niches with skewed viewpoints).
I haven't read about Unix/Linux worms on CNN, but there are plenty of vulnerabilities just the same, and besides, a lot more people use Windows than Linux so of course CNN will report Windows holes and not Linux. If Firefox had the marketshare IE has, you'd see its holes being reported on CNN.
Visit LinuxSecurity some time. Linux distros are as full as holes as anything else. Gentoo in particular has almost weekly lists of security announcements for its packages. And let's not forget the recent Linux kernel and Firefox vulnerabilities that have been reported here on Slashdot.
All I'm saying is, I'm detecting some prejudgmental bias that stems from a hatred for Microsoft and a need to best them in all ways. That is not the sign of a mature technical community and will only serve to make things even more insecure.
The worst thing to do in a security situation is to ignore criticism. Let's have Linux stand up to all criticism, and any that arise can be addressed quickly. THAT should be the advantage of Linux, because perfect flawlessness will never be it. It's impossible. -
Re:Already fixed
After RTFMing, this problem has been known since August of last year
I RTFMed, too. Seems like the vulnerability was fixed in August of last year by Gentoo, Red Hat, and Mandrake.
Nothing compares MS security to that of the rest of the world better than seeing how they fix the same damn vulnerability. Let this be a lesson to you. Never astroturf with facts. A quality 'turf would have been to say: "Yes, but Linux has a history of at least three times as many security problems with PNG as Microsoft" -
what a bunch of crap
Most of those announcements deal with servers, which are in a whole other category than typical desktops, and vulnerabilities that require physical access to the machine or an existing account. Like this advisory on how someone with physical access can crash the KDE screensaver, getting access to your session, and this one on how you can cause a buffer overflow in perl, allowing you to overwrite system files with debug logs. Go find some that can root a Linux box with a default installation.
witness the stream of security advisories that are announced for each Linux distro, much more than the Windows patches we get on the second Tuesday of each month.
Wtf? That's because people have access to the code used in Linux distributions, and these bugs are getting fixed. Go read the advisories on that site you linked to, and see how many were posted by people looking for bugs to fix. Compare that to Windows, where nobody but Microsoft has access to the code, and it's a known fact that Microsoft lets real, known vulnerabilities sit unfixed for MONTHS, much less looking for bugs to fix. Do you work for Gardner or something?
People like to compare a single kernel to the entire Windows operating system, and in the next breath argue about how Linux is "just a kernel." So it's all the more amusing when some people argue that there's a difference between a Linux distro and Windows. There's not.
You are easily amused. Only RMS is retentive enough to insist that Linux is just the kernel, and the whole system is GNU/Linux.
Bollocks. The UNIX "filesystem standard" fragments things way more than Windows does. With Windows, you know a few places to look for a malicious program to get rid of it--\Windows, \Windows\System, \Program Files, and so on.
You bollocks. You think spyware is limited to C:\Windows and C:\Program Files?
Linux, on the other hand? Where do you look? /usr, /usr/bin/, /usr/shared/bin, /usr/local, /usr/local/bin, /opt/bin, /opt/local/bin...and that's just the executable, not even getting into whatever configuration files it might have left which could be in /etc, a .directory in ~, and so on.
No, they can't, because a regular user does not have write access to those directories. Seriously, have you ever used Linux? At all? Do you have any concept of privilege separation? Aside from a user's home folder, the only places they usually have access to are /tmp and /var/tmp, and those get deleted upon restart.
If Linux was #1, we'd see all kinds of crap getting installed on people's Linux systems
How? Neither OS X nor Linux has anything like Active X, which is the primary vehicle for installing spyware behind your back.
No one is saying that the alternatives to Windows are bulletproof, because they're not. But just because there are some vulnerabilities, does not make them remotely equivalent to the stinking cesspool that is Windows. The problem is not popularity; Linux could have 100% marketshare and not have but a fraction of the serious problems that Windows has had, due to its massive design flaws, Microsoft's sloppy coding, and their refusal to fix vulnerabilities until there is a serious crack in the wild, weeks or months after an advisory has been posted. -
Re:Duh.
First thing--I disagree with the tactic of calling anything one disagrees with "FUD." If there was ever an overused term around here, that one would be it.
Second, Linux would most definitely have exploits galore. We've already seen outright kernel exploits and holes in the 2.6 series of kernels. I don't know about you, but I don't even remember there being a Windows security flaw that used the kernel. Go to LinuxSecurity and witness the stream of security advisories that are announced for each Linux distro, much more than the Windows patches we get on the second Tuesday of each month. These advisories very rarely make Slashdot front page news.
And no, it's not an unfair comparison to put a Linux distro and a Windows install on the same level. Just because the Linux distro ships with more software doesn't matter. If someone buys Mandrake, uses the software it came with, and then gets exploited, that is an exploit of the Mandrake software distribution that they bought with their distro.
People like to compare a single kernel to the entire Windows operating system, and in the next breath argue about how Linux is "just a kernel." So it's all the more amusing when some people argue that there's a difference between a Linux distro and Windows. There's not.
On a *nix based system, wiping out the home directory would usually fix you right up.
Bollocks. The UNIX "filesystem standard" fragments things way more than Windows does. With Windows, you know a few places to look for a malicious program to get rid of it--\Windows, \Windows\System, \Program Files, and so on. There aren't a lot of places. Linux, on the other hand? Where do you look? /usr, /usr/bin/, /usr/shared/bin, /usr/local, /usr/local/bin, /opt/bin, /opt/local/bin...and that's just the executable, not even getting into whatever configuration files it might have left which could be in /etc, a .directory in ~, and so on. Thankfully, most Linux users don't run as root, but there are still PLENTY of ways a program can exploit someone without needing root access. If Linux was #1, we'd see all kinds of crap getting installed on people's Linux systems, and you'd have fun exploring the entire UNIX filesystem hierarchy fishing it out, possibly even dealing with self-propagating shell scripts to keep moving it around. Fun for everyone.
Believe me, malicious software writers would find a way you haven't thought of to screw people. That's what they do. -
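The exchange above turns on where a program running without root can leave something behind: the shell start-up files and autostart entries under ~, and the user-writable scratch directories /tmp and /var/tmp that an earlier reply mentions. The following is an added example, not code from the thread, that audits those locations before anyone reaches for "wipe the home directory". The list of files it checks, the sample home directory it builds, and the rule it applies (an active start-up line that runs something out of /tmp or /var/tmp is worth a look) are all assumptions made for the example.

```python
"""Added example (not from the thread): audit a user's home directory for
start-up files and autostart entries that launch programs from user-writable
scratch directories such as /tmp and /var/tmp. The file list and the sample
home directory are constructed assumptions, not from the original thread."""
import re
import tempfile
from pathlib import Path

# Shell start-up files and desktop autostart entries a user can write to
# without root. Assumed list for the example; not exhaustive.
STARTUP_FILES = (".bashrc", ".bash_profile", ".profile", ".xsession", ".xinitrc")
AUTOSTART_DIR = Path(".config") / "autostart"

# /tmp and /var/tmp are user-writable and normally cleared on reboot, so a
# legitimate start-up entry has no reason to run a program from there.
SCRATCH_PATH = re.compile(r"/(?:var/)?tmp/")


def candidate_files(home: Path):
    """Yield the start-up files and autostart entries that exist under home."""
    for name in STARTUP_FILES:
        path = home / name
        if path.is_file():
            yield path
    autostart = home / AUTOSTART_DIR
    if autostart.is_dir():
        yield from sorted(autostart.glob("*.desktop"))


def scan_user_persistence(home: Path) -> list[tuple[str, int, str]]:
    """Return (file, line number, line) for every active (non-comment) line
    in a start-up or autostart file that references a scratch directory."""
    hits = []
    for path in candidate_files(home):
        with path.open(encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, start=1):
                stripped = line.strip()
                if not stripped or stripped.startswith("#"):
                    continue
                if SCRATCH_PATH.search(stripped):
                    hits.append((str(path.relative_to(home)), lineno, stripped))
    return hits


def build_sample_home() -> Path:
    """Constructed sample home directory: two clean entries, two suspicious."""
    home = Path(tempfile.mkdtemp(prefix="sample-home-"))
    (home / ".bashrc").write_text(
        "# constructed sample .bashrc\n"
        "alias ll='ls -l'\n"
        "/tmp/.cache/updater &\n"  # suspicious: program started from /tmp
    )
    (home / ".profile").write_text("export EDITOR=vi\n")
    (home / AUTOSTART_DIR).mkdir(parents=True)
    (home / AUTOSTART_DIR / "agent.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=agent\n"
        "Exec=/var/tmp/.agent/run\n"  # suspicious: program started from /var/tmp
    )
    return home


if __name__ == "__main__":
    sample = build_sample_home()
    for filename, lineno, line in scan_user_persistence(sample):
        print(f"{filename}:{lineno}: {line}")
```

Run against a real account by passing `Path.home()` instead of the constructed sample. The rule is deliberately narrow: it reports only what a non-root process could have placed there, which is exactly the set of locations the thread says a home-directory wipe would cover.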
Why your analogy is completely idiotic
Wouldn't it suck if the car were to unconditionally burst into flames unless you were sure to also purchase an extra $1000 in "safety features" and have them installed perfectly before ever attempting to drive it?
You criticize an analogy by following up with an even more irrational one. Windows doesn't set itself on fire. It's other people writing the programs that set it on fire--essentially, it's vandalism by others.
Also, it doesn't cost "$1000" to download free updates. Linux distros issue monthly patches all the time for their supplied apps and services (LinuxSecurity.com), much more than Windows ever did.
Get it now? You Microsoft apologists should really get a clue.
Someone has a HUGE chip on their shoulder...take a breath. We're just talking about an operating system here. This entire article is flamebait, but hey, it got the required page hits for OSTG's ad clients. Hook, line...and sinker. -
Re:Uhh...
Great, so you can get quadrillions of improperly decoded versions and one good one, hidden in there somewhere. For any good encryption, I don't see how that helps much.
The machine knows that it found the plaintext because it looks like plaintext.
Basically, the longer the message is the less chance you have of finding a key that produces a reasonable but incorrect plaintext. -
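The point made in this exchange, that an exhaustive key search only works if the machine can tell real plaintext from the quadrillions of wrong decryptions, and that longer messages leave fewer wrong keys that still "look reasonable", can be measured directly. The following is an added example, not code from the thread: it uses a constructed toy cipher (repeating 2-byte XOR, so all 65,536 keys can be tried in seconds) and a constructed all-or-nothing plaintext recogniser, then counts how many keys survive as more of the message is revealed. The sample message and key are assumptions made for the example.

```python
"""Added example (not from the thread): why exhaustive key search needs a
plaintext recogniser, and why longer messages leave fewer false positives.

The cipher is a constructed toy: repeating 2-byte XOR, so the key space is
only 2**16 and can be searched completely in a few seconds."""
from itertools import product

# Constructed "looks like plaintext" rule: every byte must be a letter,
# space, comma or full stop (55 values). A real recogniser would use letter
# frequencies or a dictionary; the all-or-nothing rule keeps the counts exact.
PLAUSIBLE = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ,.")


def xor2(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt with a repeating 2-byte XOR key (toy cipher)."""
    return bytes(b ^ key[i % 2] for i, b in enumerate(data))


def looks_like_plaintext(candidate: bytes) -> bool:
    """The recogniser the machine uses to decide it has found the plaintext."""
    return all(b in PLAUSIBLE for b in candidate)


def surviving_keys(ciphertext: bytes) -> list[bytes]:
    """Try every 16-bit key and keep those whose decryption passes the
    recogniser. The true key is always among them; the question is how many
    wrong keys come with it."""
    keys = []
    for k0, k1 in product(range(256), repeat=2):
        key = bytes((k0, k1))
        if looks_like_plaintext(xor2(ciphertext, key)):
            keys.append(key)
    return keys


def false_positive_counts(plaintext: bytes, key: bytes, lengths) -> dict[int, int]:
    """For each prefix length, count the keys (true key included) whose
    decryption of that prefix still looks like plaintext."""
    ciphertext = xor2(plaintext, key)
    return {n: len(surviving_keys(ciphertext[:n])) for n in lengths}


if __name__ == "__main__":
    message = b"the quick brown fox jumps over the lazy dog."  # constructed sample
    key = bytes([0x5C, 0xA3])                                  # constructed sample key
    lengths = (1, 2, 4, 8, 16, len(message))
    for n, count in false_positive_counts(message, key, lengths).items():
        print(f"prefix length {n:2d}: {count:6d} key(s) still look plausible")
```

With one ciphertext byte, 55 of the 256 values for the first key byte give a plausible character and the second key byte is unconstrained, so 14,080 keys survive; with two bytes it is 55 × 55 = 3,025; by the time the whole 44-byte sentence is in view only the true key is left. That shrinking set is the unicity-distance argument from the thread in numbers, and it also shows why a tiny key space, not the recogniser, is what makes the search feasible here.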
Application vs. OS
You need to make the distinction of application vs OS. With MS, IE is part of the OS. Something that exploits IE also exploits the OS. Now look at the Xpdf flaw you presented:
An attacker could entice a user to open a specially-crafted PDF file, potentially resulting in the execution of arbitrary code with the rights of the user running the affected utility.
That is not a Linux problem. That is an Xpdf problem. Xpdf is letting the maker of a PDF file gain the rights that the Xpdf program normally has. Now, if this exploit allowed the user to gain root access (assuming the current user is not root) there would be a tad more going on as Xpdf should never have root access.
Now this isn't to say Linux is perfect, but saying that every Linux application security bug is the fault of Linux isn't true either. However, this really comes down to the design differences between Linux and Windows. Running Linux as root all the time can be just as dangerous as Windows.
It is also a problem of monolithic vs. modular programming. Having IE, your window to the internet, being so deeply embedded into your OS is only asking for problems. -
Re:Quick?
I love when Michael posts every little bulletin from Microsoft to make it appear that it's ridden with security holes. A lot of people here seem to only get their security news from Slashdot. What if Windows allowed arbitrary code execution just from viewing a PDF file? Slashdot would be all over it. And yet, it's one of today's Gentoo vulnerability announcements--Xpdf has a fatal flaw. But such stories get rejected by the editors in favor of more Microsoft.
LinuxSecurity keeps a running list of daily vulnerability announcements from all the distros. Just click on a distro and be amazed at all the buffer overruns, root exploits, code execution, and more that never get reported on this site.
"Three New Microsoft Bulletins?" Try 13 new Debian bulletins in the past week. Gentoo has announced 12 since last Sunday alone.
Why aren't these things announced like Microsoft bulletins are? Because Microsoft articles generate more page hits...which is great for the banner ads. They're using you guys.
This attitude of the flawless Linux is really, really dangerous, because Linux distros are just as ridden with software holes as Windows systems are accused of being, but you'd never know it if all you did was visit Slashdot...and we all know what a false sense of security leads to...
Of course, Slashdot shouldn't stop posting about Microsoft vulnerabilities. But snide comments like "security-is-number-one dept." make this place seem like a site of nothing but flamebait for Linux fanboys. There's more to security than just hating Microsoft and ignoring Linux security flaws.
I know I risk karma for this post, but I'm really shocked at the illogic and immaturity displayed on Slashdot, compared to when it began in the 90s. Laughing about Microsoft bulletins in some weird schadenfreude doesn't make the Linux kernel any less imperfect (see yesterday's article) or its distros (see LinuxSecurity any given day for pages of bulletins all collected together).