Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Re:Debian's appeal
With new distros like Centos 4 (free RHEL 4 clone), Debian is getting less attractive as the server of choice. And this is someone who hated RHEL 3.
I made the mistake of installing Sarge thinking that it was only a couple months away from release--that was last year...and I have to pin Testing with Unstable branch just to get all the security updates in a timely fashion--it defeats the purpose using Debian as a server...
Man, what's your problem? You are preferring one unsupported distro over another. Debian Sarge is reliable and secure for most purposes and has been for a while. I have not seen a show stopping bug in ages. It has been (almost, I have to admit) feature frozen for quite some time now and everything that's coming in is either security or bug fixes. Compare that to Centos (or Whitebox or Tao or whatever the RHEL clone of the day is), which is basically a rebuild of RHEL sources. Fixes are lagging behind the official distro.
Pinning Sarge and Unstable on a server to get security updates, now where did you get this idea from?
Besides, you might be interested in comparing this with this.
No wonder you are posting AC
;-) -
Re:Repainting the Deckchairs on the Security Titan
I don't think that Mozilla is exactly a model for security. At my company, we've had to deploy three complete updates since the release of Firefox 1.0.
Compared to Internet Exploiter (IE), I'd say it's exponentially more secure.
Just check out http://secunia.org/ for a comparison of Internet Explorer and Firefox.
Internet Explorer (versions 5.0 to 6.0):
-Found: 138 Secunia Security Advisories
-Found: 2257 Viruses
Mozilla Firefox (versions 0.x to current 1.0.3)
-Found: 39 Secunia Security Advisories
-Found: 7 Viruses
Of course, IE is far from a model citizen, but IE6-SP2 is much better, and *security* is the focus of IE7 according to the developers.
I wonder how many people actually upgrade to SP2? I know I haven't, and I probably won't until I'm positive it won't break any of my games/apps. -
So far, so good
Opera 8 works really well. I haven't had any issues so far. The speed seems on par with Firefox.
One impressive point is that Opera stays up on their security patches. Version 7.0 only had 35 issues since 2002 and they were all patched relatively quickly.
-
Langa has no programming experience, apparently.
My best understanding is that Mr. Langa is not technically qualified to judge security vulnerabilities. Any judgement of security vulnerabilities depends on an intimate knowledge of the difficulty of exploiting the vulnerabilities, and the chance that the exploit will seriously compromise a system. I've never seen any indication that Mr. Langa has programming ability.
Microsoft Internet Explorer is the buggiest widely used software I've ever known. In one two-year period, there were 57 serious vulnerabilities in the most recent versions of IE. The link above lists 117 vulnerabilities of all kinds at present.
Langa's free LangaList and the paid version with 20% more content, LangaList Plus can sometimes be useful if you must administer Windows computers.
The $11 per year paid edition is supposed to be free of advertising, but it is perhaps 25% advertising. The paid edition advertises the LangaList extensively, Langa's favorite charities, and his sense of humor. In the most recent edition of the paid version, 4 of the 13 articles are his personal advertising, and not related to Windows computer issues.
Often links in the LangaList lead to articles in magazines for which Mr. Langa is a paid writer. So, part of his advertising is for publications for which he writes.
The LangaList is often somewhat lacking in considered content. Sometimes he just links to Google searches.
The content of the LangaList is partly written by readers. Typically, the letters to Fred that are quoted begin something like this: "Fred, you are my hero. All other newsletters are terrible, yours is wonderful. I have been a paid subscriber for years." So, typically, the first sentence of the letters written by readers is advertising, also.
The result is that Mr. Langa makes his paid subscribers wade through a lot of material not relevant to Windows.
People who are knowledgeable about computers usually have no idea how complicated it is to do marketing, and their lack of knowledge shows in every attempt. Mr. Langa is embarrassingly lacking in marketing insight.
Mr. Langa has a history of finding fault with Linux. Perhaps this is another novice marketing attempt. Perhaps he does not want to lose subscribers because they converted to Linux. I've never seen any indication that he is qualified to judge the quality of operating systems.
The LangaList often passes on recommendations from readers about free software apparently without sufficient testing. As far as I'm aware, there have been no problems with this, but how would someone discover this if Mr. Langa did not write about it? It seems possible that the LangaList could spread problem software to its readers. -
Safari has 0 vulnerabilities reported by Secunia
Compare IE and Firefox security with Safari:
http://secunia.com/product/1543/
- Open source engine
- Less vulnerabilities discovered
- ZERO Unpatched Vulnerabilities -
Re:symantec
-
Re:FUD
Seriously now. If Firefox had done worse than IE6 in this test it would have made the front pages of every tech news site this side of Uranus
Seriously. Slashdot editors will systematically post any negative news about Microsoft (or, if they're positive, spin them negatively) and will quietly ignore many negative news about open source issues. See for example the recent Mozilla vulnerability discovered by Secunia. It was published by the Register, CNET and many others. The Slashdot editors didn't find it worth posting. -
IIS is MORE secure than Apache
"As a customer Apache is so much better than IIS that there is no comparison. First it's free. Second it is more secure. "
There may be some reasons to prefer Apache over IIS but security is not one of them. Since 2003, IIS 6.0 has had exactly 3 security advisories versus Apache's 22 in the same time period:
IIS6 advisories http://secunia.com/product/1438/
Apache 2.0 advisories: http://secunia.com/product/73/ -
Re:Balance
Let's assume there were an OS with far less users than Mac OS X. Yeah, I know, nobody could think of such a beast, but just for argument's sake. Would somebody write even one single virus for that OS?
-
Much more critical known holes in IE !
let's keep it to the facts.
I'm a big fan of Secunia, the only site i know that offers a page of unpatched known holes for each software.
And i can tell you that IE has always more Highly Critical unpatched known holes than Firefox:
IE holes
Firefox holes -
IDN spoofing still a problem
-
Re:Is Firefox really more secure than IE
Yeah, just like what happened to Apache because it has a bigger market share than IIS, right?
Now you're getting it!
Let's let Secunia tell the story!
Apache 2.0.X
Microsoft Internet Information Services 6
Let's see... Apache has 24 vulnerabilities... IIS has three.
Gee, could this possibly be a result of the more popular product being under more scrutiny? Why yes! Yes it is!
IIS is hacked more because it's built on a house of sand, not because it's less secure. -
Test page
-
Re:MS not secure - Re:This Just In!
FreeBSD 4.x (Not Critical)
Booya! That's my OS! -
Re:MS not secure - Re:This Just In!
Linux Kernel 2.6.x (Moderately critical)
-
MS not secure - Re:This Just In!
In related news, [insert MS joke regarding costing too much and not being nearly as secure].
Just let the numbers speak!
Microsoft Windows 98 Second Edition (Highly critical)
Microsoft Windows NT 4.0 Server (Highly critical)
Microsoft Windows 2000 Server (Highly critical)
Microsoft Windows XP Professional (Less critical)
Microsoft Windows Server 2003 Enterprise Edition (Less critical)
Linux Kernel 2.4.x (Less critical)
Mandrake Linux 9.x (Not critical)
Mandrake Linux 10.1 (less than Not critical)
RedHat Linux 8.0 (Less critical)
RedHat Linux 9.0 (Not critical)
RedHat Enterprise Linux WS 3 (less than Not critical) -
So whatever happened to EDS?
If you look at EDS's 5y share price graph, something bad happened to it in 2002 and it hasn't really done all that great since.
I guess it's trying to drum up some free publicity -- and -- like Secunia making pronouncements that OS X is less secure than XP (despite the fact that its own published results indicate no such thing) it never hurts to loudly claim something contrary to common wisdom to get some press (or at least get Slashdotted). -
Re:Turn off the firewall?
You're comparing apples and oranges here. On the one hand, you're turning on lots of services.
Not necessarily. If I answer a few questions properly during a Red Hat install, a lot of questionable services (BIND, SMTP, FTP, SAMBA) could be already on without a user having to do much of anything post-install, just like Windows. Not that there's anything to fear from BIND or Sendmail, of course, since none of these apps have ever had any security faults, rootkits, or other exploits, right? Yeah, I thought so.
If you so much as open a single port - say, port 80 to a copy of Apache running on that Windows machine (you'd not be so foolish as to use IIS, after all), your machine can be DOSsed silly.
Very true. And if I open up a single port on Linux and I'm running a version of Apache with a known DDoS exploit (such as any of these, two of which remain unpatched) I can get identical results. And in some cases you don't even need to open a port because 2.6 has more than a few kernel exploits available (36 to date, with 15 remaining unpatched) that can cause everything from privilege escalation to DDoS. Where's your moral indignation now? Or has it been dampened somewhat by the fact that you'd have to sling mud objectively?
No, this is not only really bad, but it's also really, really stupid.
OSS programmers can be lumped into this same category, as they have made and continue to make many of the same mistakes. Again, I'm not saying Microsoft is above criticism here -- far from it. Call them on the carpet, nail them to the wall, whatever you want. But if we're going to scream at Microsoft for making stupid programming mistakes, we have to be willing to do the same for OSS. Funny how the latter half of that argument never seems to materialize on a so-called "enlightened" site like Slashdot. -
Re:Firefox exploits
Hmm, your link isn't pointing anywhere but Slashdot. I assume you were aiming for Secunia's page. Interestingly, no Secunia advisory for Firefox 1.x has gone past "Moderately critical" -- 3 on a scale of 1 to 5 -- and those are all either fixed or partially fixed.
The vulnerabilities labeled as unpatched are all described as "less critical":
Mozilla Firefox Image Javascript URI Dragging Cross-Site Scripting
Mozilla / Mozilla Firefox Cross-Domain Cookie Injection Vulnerability
Mozilla / Mozilla Firefox Apple Java Plugin Tab Spoofing Vulnerability
The partial fixes are all spoofing-related. -
Before downloading the beta
remember that it uses Internet Explorer, which contains more than some vulnerabilities
-
Re:First
Of course, here is their vulnerability report for IE 6 as a comparison. If you want airtight browser security, just use Dillo.
-
Re:SOP for Secunia...
In the case of Mozilla, Secunia regularly regurgitates the official Mozilla.org advisories (as is this case). Pretty much the time flow goes like:
- vulnerabilities discovered; reported to mozilla.org
- they sit for a while
- eventually fixed and go into the next release
- after a few days, mozilla.org opens up the security bugs fixed in that release and posts advisories
- Secunia sees them and posts info on same advisories
- people see Secunia with Mozilla vulnerabilities
And I know Secunia didn't come up with the list because
- they link to mozilla.org (except in one case, where they linked to iDefense) as original advisories
- "Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others."
- I recognize names from the list - Phil Ringnalda is the Chatzilla guy, and Doug Turner is Minimo. So they already work on Mozilla a lot. That, and I'm in the list (probably undeserved).
-
Re:First
If you have firefox 1.01 installed you have nothing to worry about.
No, there are security advisories for firefox 1.01, like this one.
And the story didn't even link the vulnerability report on Mozilla Firefox 1.x from Secunia. Anyway, just stay tuned and have your FF always updated. -
Re:The downside of popularity
-
What the hell?
Why is Slashdot linking to some guy's blog that no one has heard of rather than the actual Secunia advisories page? The blog entry doesn't even link there! I don't even see how this is a story since Firefox 1.0.1 has already been covered on Slashdot, and these vulnerabilities were announced then.
-
So what they're saying is...
If you're gonna put your system on a direct connection to the internet, you should use a secure operating system. And implicitly, if you want that operating system to go more than 2 months between r007ings, you should lock it down.
Nothing us geeks don't already know. Anyway, I can believe 6 systems got attacked 40 thousand times in one week. I check my own system logs often enough, and there's usually some inbound packet on a disallowed port dropped every 10 to 40 minutes. Usually two or more attempts or blocks of attempts to login via ssh every day. Probably 10+ malformed GETs a day in the Apache logs. And this is my little residential gateway that gets about 4 legitimate hits to its Apache server (which I'm not supposed to run) per day. That's about 250 attacks per week per server, or close to 1500 for 6. Take a website with non-trivial traffic, and it's easy to reach 40K/week. Since I'm pretty sure that DenverPost.com gets more than 25x my traffic, I'm surprised it was only 40K.
Other than saying that a lot of shit flies around the internet, the article was very skimpy on details. Not surprising, since an article that explains what a 'worm' and a 'virus' is is obviously not aimed at 1337 geeks. But it would have been nice to know what's installed on them.
For example, was it a full server install of Linux? (CUPS, httpd, ftpd, ntp, ssh, sendmail, etc?) Or just a minimal install with no server software installed a la home Windows? Quite a difference. How long would either of the Windows machines have lasted if they'd had Microsoft's server software installed too? Check secunia.com for Windows XP home, IIS 6, or SQL Server - It seems that ~1/4 of the known security holes in Microsoft's software are always unpatched. Contrast that with Apache, proftpd, Mysql 4, cups, OpenSSH, and Sendmail, which on Secunia currently share 10 vulnerabilities between them all (9 of them 1/ or 2/5 for severity, and one 3). Of the 3 tested Linux OSes, Red Hat 9 has one not-critical vulnerability listed.
It is certainly possible to make a Windows server or desktop reasonably secure, but compared to comparably securing a Linux server or desktop, would seem to require a monumental effort. And it's not just that Linux is more configurable - The FOSS community (judging by open holes) has done a far better job patching their software than MS.
Well, off to overdose on the Numa Numa Dance... -
Security fixes, *finally*
Apparently the Linux version of Firefox received quick "hotfixes" for the variety of security flaws that cropped up in Firefox 1.0, but the Mac version, at least, did not receive a single security update until today with this release, and it appears that there are still some remaining old and unfixed security flaws. The oldest being from August and September of 2004. While still much better than Internet Explorer, it doesn't make for a particularly stellar security patching record by any means. Not on the Mac anyway. Did the Windows version receive timely "hotfixes" for these flaws? What about the remaining unpatched flaws? To be fair, they did fix the IDN flaw quicker than Apple, which has yet to release a fix for their Safari, but that's a first.
-