Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Re:FreeBSD vs Linux - check it out!
Once again, you have shown that you have comprehension troubles. If you have trouble comprehending English, I imagine C might be too much for you and that is why you are a one command admin.
Your argument is that Debian is easy to update and therefore the best for large networks. My argument is that any important Unix server or network needs a good admin who will be proficient with any Unix. He won't need Debian because he can do as well or better with Unix tools regardless of whether he is using Debian or a BSD.
I never had DOS crash on me either.
DOS has crashed on me MANY times. What have you been doing all that time with DOS? Spending all your time in edit?
The REAL facts are that Linux has a MUCH larger testing and QA community, along with the further patching and fixing from distro vendors, so if you want to use code that's been really hammered on, Linux is a far better choice.
Look at how much more secure Linux is over the BSDs...
Debian Linux 2.x 56 advisories in 2003, 37 in 2002.
FreeBSD 4.x 24 advisories in 2003, 7 in 2002.
Debian 3.x 186 advisories in 2003, 62 in 2002 (55 so far for 2004).
FreeBSD 5.x 21 advisories in 2003 (6 so far for 2004).
NetBSD 1.x 19 advisories in 2003, 14 in 2002 (4 so far for 2004).
Then we come to security. I pointed out that Debian's update system is so, so much easier and simpler than FreeBSD's, which is critical in our business with thousands of machines.
If you need the ease of Debian, you are a failure.
"Do you not read the code changes that you're about to deploy to production systems?"
Eh? Of course! And that has NOTHING to do with the issue. I can check the changes and make sure everything's OK, and then roll-out updates quickly and simply. You know, just because you can binary update an OS, doesn't mean you never see the source.
So you assume the binary that you are about to deploy came from the good source? Monkey see, monkey do.
So your point is redundant and irrelevant. In BOTH OSes you can read the code changes.
No, actually my point goes deeper than what you seem to be capable of seeing. My point is that you can't trust a binary unless you compile it yourself. If you compile it yourself, you can also deploy that binary, just as quickly as you could in Debian. If I had an important Debian server, I would compile patches.
There is a huge difference between reading code changes and being sure that the binary you have only contains those changes. The fix for that is to compile it yourself.
But in one you have to mess around with downloading and patches, recompiling and installing altered binaries, and in the other it's typically a single command. Guess which one is more suitable for large deployments?
A large deployment requires a team which includes a testing team who reads patch code, compiles it, tests it on a staging server and then deploys it gradually. They don't need Debian for that. They can do it with ANY Unix and that is my point.
They would NEVER just deploy a binary from a project (read any project) which has their servers compromised every now and then. I have taken care of some of the largest WANs on Earth, including financial and edu. A one command admin who is too lazy to read patches, compile them, test, then deploy, would not be acceptable there. If you honestly think that Debian's one command updating offsets the burden of taking care of many machines, then you shouldn't be taking care of large networks.
I realise that you could have a Debian staging server and point apt to it, but if you are going to all that trouble, for a large network, then you don't need Debia -
Re:Linux obviously needs more time on security, to
What you're missing is there will be a fix for this within 24-48 hours. If this was in windows the fix would be kept quiet for who knows how long and if the hole goes public then it would take 1+ months for MS to put out a fix.
How long did it take them to put out a fix for the IE URL Spoofing Vulnerability? Read up bud: IE URL Spoofing Vulnerability
Changelog:
2003-12-11: Linked to test. Added information regarding variant, which makes it possible to spoof URL in the status bar as well.
2003-12-14: Microsoft has issued a knowledge base article concerning the issue. This also reports that version 5.x is affected.
2003-12-19: Scams mails exploiting the vulnerability are now circulating the Internet.
2004-02-02: Microsoft issues patches. Added CVE reference.
Almost 2 whole months for people to get exploits in the SPAM e-mail. -
Which Culture?
Monoculture or Diversity?
The AP ran a story this weekend, captured by Yahoo, talking about Dan Geer and his theories of how the Microsoft Monoculture endangers computer security. I have concerns.
Although I know this won't fend off the zealots who just need to speak their mind, else their puny little heads explode off of their shoulders, atrophied from lack of lifting their hands any higher than a keyboard, I offer this caveat: What I'm about to present is merely philosophical rambling, curious wonder, nothing more than an innocent what if. It is, in no way, intended to offer an argument, solution, opposition, or anything else that would offend (other than those puny headed, shoulderless freaks).
Just the facts, Mam
I found it intriguing that, as the AP article mentioned:
"Steven Cooper, the Homeland Security Department's chief information officer... acknowledged [monoculture] was a concern and said the department would likely expand its use of Linux and Unix as a precaution."
Why haven't Mr. Cooper, the media, and supposed security experts who promote U/Linux as a safe alternative acknowledged that U/Linux also have their share of security advisories? Take a look at Secunia and their product listing. Doesn't anyone care that Solaris 9 had more advisories (42) in 2003 than Windows 2000 Server (36)? Doesn't it scare anyone that, while Windows XP Home edition had 32 advisories, Red Hat 9 had more than twice as many with 72? Debian 3 had 186!
Doesn't Open Source claim to have a better development model by throwing more eyeballs at the source code, thereby eliminating - or minimizing - security flaws earlier?
Missing the forest for the trees
Take a look at this, also from the AP article:
"Mike Reiter of Carnegie-Mellon University and Stephanie Forrest, a University of New Mexico biologist who has been gleaning lessons for computer security from living organisms for years, recently received a $750,000 National Science Foundation (news - web sites) grant to study methods to automatically diversify software code.
Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook are exploring "benign mutations" that would diversify software, preserving the functional portions of code but shaking up the nonfunctional portions that are often targeted by viruses."
Are these people frickin bonkers? We're barely capable of securing the simplest SMTP and FTP services. Software is already beyond our comprehension. What makes us so arrogant as to assume we can write software that makes other software more secure - without breaking it, without opening unforeseen security breaches? We are decades away from being that intelligent.
Of course, on the plus side of this approach, as software gets more complicated, it will be too obfuscated for the Puny Heads to understand and, therefore, will be a great deterrent for attacks! (Yeah, sarcasm)
Myopic Intelligence
Dan Geer likes to compare the information world to that of biology, equating computer viruses with biological viruses. I have one problem with this way of thinking. Biological viruses simply exist, have always existed and will always exist. They don't have an agenda. They don't have malicious intent. They aren't scheduled or targeted. They are nature. It's the way the system works. The global ecosystem is s
-
Which Culture?
Monoculture or Diversity?
The AP ran a story this weekend, captured by Yahoo, talking about Dan Geer and his thoeries of how the Microsoft Monoculture endangers computer security. I have concerns.
Although I know this won't fend off the zealots who just need to speak their mind, else their puny little heads explode off of their shoulders, atrophied from lack of lifting their hands any higher than a keyboard, I offer this caveat: What I'm about to present is merely philosophical rambling, curious wonder, nothing more than an innocent what if. It is, in no way, intended to offer an argument, solution, opposition, or anything else that would offend (other than those puny headed, shoulderless freaks).
Just the facts, Mam
I found it intriguing that, as the AP article mentioned:
"Steven Cooper, the Homeland Security Department's chief information officer... acknowledged [monoculture] was a concern and said the department would likely expand its use of Linux and Unix as a precaution."
Why hasn't Mr. Cooper, the media, and suposed security experts who promote U/Linux as a safe alternative, acknowledge that U/Linux also have their share of security advisories? Take a look at Secunia and their product listing. Doesn't anyone care that Solaris 9 had more advisories (42) in 2003 than Windows 2000 Server (36)? Doesn't it scare anyone that, while Windows XP Home edition had 32 advisories, Red Hat 9 had more than twice as many with 72? Debian 3 had 186!
Doesn't Open Source claim to have a better development model by throwing more eyeballs at the source code, thereby eliminating - or minimizing - security flaws earlier?
Missing the forest for the trees
Take a look at this, also from the AP article:
"Mike Reiter of Carnegie-Mellon University and Stephanie Forrest, a University of New Mexico biologist who has been gleaning lessons for computer security from living organisms for years, recently received a $750,000 National Science Foundation (news - web sites) grant to study methods to automatically diversify software code.
Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook are exploring "benign mutations" that would diversify software, preserving the functional portions of code but shaking up the nonfunctional portions that are often targeted by viruses."
Are these people frickin bonkers? We're barely capable of securing the simplest SMTP and FTP services. Software is already beyond our comprehension. What makes us so arrogant as to assume we can write software that makes other software more secure - without breaking it, without opening unforseen security breaches? We are decades away from being that intelligent.
Of course, on the plus side of this approach, as software gets more complicated, it will be too obfuscated for the Puny Heads to understand and, therefore, will be a great deterrent for attacks! (Yeah, sarcasm)
Miopic Intelligence
Dan Geer likes to compare the information world to that of biology, equating computer viruses with biological viruses. I have one problem with this way of thinking. Biological viruses simply exist, have always existed and will always exist. They don't have an agenda. They don't have malicious intent. They aren't scheduled or targeted. They are nature. It's the way the system works. The global ecosystem is s
-
Which Culture?
Monoculture or Diversity?
The AP ran a story this weekend, captured by Yahoo, talking about Dan Geer and his thoeries of how the Microsoft Monoculture endangers computer security. I have concerns.
Although I know this won't fend off the zealots who just need to speak their mind, else their puny little heads explode off of their shoulders, atrophied from lack of lifting their hands any higher than a keyboard, I offer this caveat: What I'm about to present is merely philosophical rambling, curious wonder, nothing more than an innocent what if. It is, in no way, intended to offer an argument, solution, opposition, or anything else that would offend (other than those puny headed, shoulderless freaks).
Just the facts, Mam
I found it intriguing that, as the AP article mentioned:
"Steven Cooper, the Homeland Security Department's chief information officer... acknowledged [monoculture] was a concern and said the department would likely expand its use of Linux and Unix as a precaution."
Why hasn't Mr. Cooper, the media, and suposed security experts who promote U/Linux as a safe alternative, acknowledge that U/Linux also have their share of security advisories? Take a look at Secunia and their product listing. Doesn't anyone care that Solaris 9 had more advisories (42) in 2003 than Windows 2000 Server (36)? Doesn't it scare anyone that, while Windows XP Home edition had 32 advisories, Red Hat 9 had more than twice as many with 72? Debian 3 had 186!
Doesn't Open Source claim to have a better development model by throwing more eyeballs at the source code, thereby eliminating - or minimizing - security flaws earlier?
Missing the forest for the trees
Take a look at this, also from the AP article:
"Mike Reiter of Carnegie-Mellon University and Stephanie Forrest, a University of New Mexico biologist who has been gleaning lessons for computer security from living organisms for years, recently received a $750,000 National Science Foundation (news - web sites) grant to study methods to automatically diversify software code.
Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook are exploring "benign mutations" that would diversify software, preserving the functional portions of code but shaking up the nonfunctional portions that are often targeted by viruses."
Are these people frickin bonkers? We're barely capable of securing the simplest SMTP and FTP services. Software is already beyond our comprehension. What makes us so arrogant as to assume we can write software that makes other software more secure - without breaking it, without opening unforseen security breaches? We are decades away from being that intelligent.
Of course, on the plus side of this approach, as software gets more complicated, it will be too obfuscated for the Puny Heads to understand and, therefore, will be a great deterrent for attacks! (Yeah, sarcasm)
Miopic Intelligence
Dan Geer likes to compare the information world to that of biology, equating computer viruses with biological viruses. I have one problem with this way of thinking. Biological viruses simply exist, have always existed and will always exist. They don't have an agenda. They don't have malicious intent. They aren't scheduled or targeted. They are nature. It's the way the system works. The global ecosystem is s
-
Which Culture?
Monoculture or Diversity?
The AP ran a story this weekend, captured by Yahoo, talking about Dan Geer and his thoeries of how the Microsoft Monoculture endangers computer security. I have concerns.
Although I know this won't fend off the zealots who just need to speak their mind, else their puny little heads explode off of their shoulders, atrophied from lack of lifting their hands any higher than a keyboard, I offer this caveat: What I'm about to present is merely philosophical rambling, curious wonder, nothing more than an innocent what if. It is, in no way, intended to offer an argument, solution, opposition, or anything else that would offend (other than those puny headed, shoulderless freaks).
Just the facts, Mam
I found it intriguing that, as the AP article mentioned:
"Steven Cooper, the Homeland Security Department's chief information officer... acknowledged [monoculture] was a concern and said the department would likely expand its use of Linux and Unix as a precaution."
Why hasn't Mr. Cooper, the media, and suposed security experts who promote U/Linux as a safe alternative, acknowledge that U/Linux also have their share of security advisories? Take a look at Secunia and their product listing. Doesn't anyone care that Solaris 9 had more advisories (42) in 2003 than Windows 2000 Server (36)? Doesn't it scare anyone that, while Windows XP Home edition had 32 advisories, Red Hat 9 had more than twice as many with 72? Debian 3 had 186!
Doesn't Open Source claim to have a better development model by throwing more eyeballs at the source code, thereby eliminating - or minimizing - security flaws earlier?
Missing the forest for the trees
Take a look at this, also from the AP article:
"Mike Reiter of Carnegie-Mellon University and Stephanie Forrest, a University of New Mexico biologist who has been gleaning lessons for computer security from living organisms for years, recently received a $750,000 National Science Foundation (news - web sites) grant to study methods to automatically diversify software code.
Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook are exploring "benign mutations" that would diversify software, preserving the functional portions of code but shaking up the nonfunctional portions that are often targeted by viruses."
Are these people frickin bonkers? We're barely capable of securing the simplest SMTP and FTP services. Software is already beyond our comprehension. What makes us so arrogant as to assume we can write software that makes other software more secure - without breaking it, without opening unforseen security breaches? We are decades away from being that intelligent.
Of course, on the plus side of this approach, as software gets more complicated, it will be too obfuscated for the Puny Heads to understand and, therefore, will be a great deterrent for attacks! (Yeah, sarcasm)
Myopic Intelligence
Dan Geer likes to compare the information world to that of biology, equating computer viruses with biological viruses. I have one problem with this way of thinking. Biological viruses simply exist, have always existed and will always exist. They don't have an agenda. They don't have malicious intent. They aren't scheduled or targeted. They are nature. It's the way the system works. The global ecosystem is s
-
Everyone run out and buy XP Home, like me!
The Secunia list of products' vulnerabilities shows I made the right choice with Windows XP Home:
XP Home: 50 security advisories
RedHat 8: 140 security advisories
RedHat 9: 82 security advisories (they're getting better)
Debian 3.0: 276 security advisories
Gentoo 1.0: 194 security advisories
Mandrake 9.x: 158 security advisories
Actually, I'd rather run OS X (29 security advisories) but all the good games are for Windows.
And for the BSD is dying trolls, FreeBSD 5.x has 23 security advisories listed, OpenBSD 3.2 has 29 security advisories.
So you see, it is clear from the numbers I've taken from a single source (a company I know nothing about), I have proven that you should dump Linux and move to Windows XP Home, OS X, or BSD. Don't hate the author of the article...hate your hole-filled bug-ridden trap-laden OS.
-
I switched because...
I could no longer live with the serious and unpatched security flaws in IE. I thought the URL spoofing flaw was terrible. Then it was followed up with a file extension spoofing flaw. This basically meant that I couldn't trust IE to correctly show me what site I was visiting or what kind of file I was opening!
Yes, a patch was finally issued for the URL flaw, but the fix was criticized by people like Russ Cooper for not going far enough.
I am finding Firefox on Windows XP to be excellent so far. It was a minor pain to reinstall support for Macromedia Flash, Shockwave, etc. but my QuickTime and Acrobat plugins just continued to work. What pleases me most is that web pages are loading noticeably faster in Firefox. I have heard this claim made by many new browsers over the years but this is the first time I have ever actually perceived a difference.
I also like that downloads seem to start immediately in the background as soon as a link is clicked on. With IE, when I click on a download nothing starts transferring until I browse to a location to save the file, choose a filename (perhaps) and then click OK. In Firefox, I am sometimes surprised to find that my download is completed by the time I have finished choosing a location for the file!
It is not advisable to completely abandon IE on Windows, however. Firefox won't work for grabbing updates from windowsupdate.com.
-
Here is the behavior of IE after patching....
For starters, the MS page does not list Windows Me at all in the list of supported operating systems. But checking on my parents' machine (WinMe), that very cumulative IE update is listed on WindowsUpdate. I installed the update and here's how IE now behaves.
When going to *any* URL with an "@" in it, IE will come up with an error page titled "Invalid Syntax Error" with the content:
The page cannot be displayed
The page you are looking for might have been removed or had its name changed.
Once that error message is on the screen, any attempt to go to another URL with an "@" in it (by clicking on the URL bar and pressing enter, or typing in a different URL with an "@" in it) will cause IE to clear the page area to go blank and the throbber will continue spinning indefinitely.
This makes it appear that there is some sort of network connectivity problem, or that IE is somehow hung up. Typing in a normal URL will show that everything is fine.
Also, this update doesn't fix the bug where IE displays an incorrect value in the status bar, such as this one.
(Though clicking the link on that page will fail with the above described error page)
-
Re: Wrong - the bug is in Mozilla too
No, it is you who are wrong: the bug has been fixed in Mozilla (I tested). Is the latest version of IE still vulnerable?
-
Re: Wrong - the bug is in Mozilla too
Wrong. The bug does exist in other browsers, specifically Mozilla. Try it for yourself
-
Re:They can't be serious...
The URL spoofing exploit also exists in Mozilla
bzzt - wrong. It existed only partially. The status bar would display the URL incorrectly, however the address bar always correctly displayed the full URL. There was a patch for this the same day that it was discovered Mozilla was partially affected, and an improved fix has since been checked in to all major Mozilla variants. Mozilla 1.6 is fixed, as will be Firebird 0.8 (due any day now).
Check to see if your browser is vulnerable at the Secunia Address Bar Spoofing test page.
-
Work around for those of us stuck with M$ IE...
I was trying the DEMO PAGE, and noticed a minor work-around. The article says to save the file to disk before believing what it claims to be, which is sound advice, but you don't have to get that far to see something is wrong. As soon as you click on the link a "File Download" dialog is presented asking what to do with it. If you click on Open, based on the fake file extension displayed... you're screwed. If you click on Save, the next dialog box shows the true file type in the "Save as type" box.
-
Demo
Here's a safe demo of the exploit.
-
The Demo
A little demo for those still using IE...
-
Re:Why is it slashdot never reports......
This is very interesting. When the "best" alternative to IE was that piece of unbridled crap closed source Netscape Navigator you wouldn't hear a peep from anyone about "standards". Mozilla and friends have been viable products for what, a year and a half? And now IE is a piece of crap.
As for this particular problem, as always Bashdork makes it seem like the end of the world, front and center. Check the other responses on this article - Mozilla is also vulnerable. I'm running Mozilla 1.6a (2003110515) and I see the "http://www.microsoft.com/" URL on the Secunia spoof page. This kind of puts it in perspective, eh?
Mozilla is an excellent browser, that's for sure. But it is what it is because IE4 raised the bar so high (compared to NSN) that there was really nowhere to go. I personally use both, and I'm glad that Mozilla is (finally) giving IE a run for its money. But to go from embarrassed silence to this... well, as so many other areas where open source had to play catch up, the FUD tends to convey the idea that Microsoft has always produced non-functional "crap" and everyone else has been running circles around them forever.
Very funny. Oh, and the "economy cereal" thing? Brilliant. I've heard the same thing said about Mozilla (albeit with a different angle), with its 40-second load times and clunky one-size-fits-all non standard GUI. Not that I'd agree though. But hey, don't let that put a dent in your superb flaming skillz.
And let's see how long it takes for the Mozilla folks to patch this one. And of course, for all those people running older builds to actually download and install.
-
Example of the exploit
Click Here to Perform Test!
Let's see how slashdot parses this. :P
-
It works without a button or javascript too!
Go to this page for a demonstration without using javascript or a button!
-
Re:doesn't work on my machine...
damn. there's another square character in front of %00 which I guess I cannot post, that's why it doesn't work. The best way to test it is to go to Secunia then view the code for the page on Notepad and copy and paste the URL exactly as they have it
-
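The two comments above (the patched IE refusing every URL that contains "@", and the %00 variant that does not survive being pasted into a post) come down to the same parsing question: which part of the address is the real host, and what does the text before the "@" look like? As an added example, not code from any of the posters, here is a small Python checker that separates the two and flags the spoof pattern; the "strict" policy mirrors the blunt post-patch IE behaviour described above, and all sample domains are constructed placeholders.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample URLs (placeholder domains, not real sites).
SAMPLE_URLS = [
    "http://ftp.example.org/pub/readme.txt",                  # plain URL, no userinfo
    "http://user:secret@ftp.example.org/pub/",                # legitimate userinfo
    "http://www.example.com@other.example.net/index.html",    # userinfo that reads like a host
    "http://www.example.com%00@other.example.net/",           # same, with an encoded NUL
]

def analyze_url(url: str) -> dict:
    """Split a URL into what a user is likely to read (the text before '@')
    and the host the browser will actually connect to."""
    parts = urlsplit(url)
    # RFC 3986: everything before the last '@' in the authority is userinfo,
    # so parts.hostname is the host that will really be contacted.
    userinfo, _, _ = parts.netloc.rpartition("@")
    real_host = (parts.hostname or "").lower()
    decoded = unquote(userinfo)
    # Heuristics for the spoof discussed on this page: the userinfo contains
    # dots like a hostname, or percent-encoded control characters (e.g. %00)
    # at which some renderers used to truncate the displayed address.
    user_part = decoded.split(":", 1)[0]
    looks_like_host = "." in user_part
    has_control = any(ord(c) < 0x20 or c == "\x7f" for c in decoded)
    return {
        "url": url,
        "userinfo": userinfo,
        "real_host": real_host,
        "looks_like_host": looks_like_host,
        "has_control_chars": has_control,
        "suspicious": bool(userinfo) and (looks_like_host or has_control),
    }

def allowed(url: str, policy: str = "heuristic") -> bool:
    """'strict' refuses any URL carrying userinfo (the post-patch IE behaviour
    reported above); 'heuristic' refuses only URLs matching the spoof pattern."""
    info = analyze_url(url)
    if policy == "strict":
        return info["userinfo"] == ""
    if policy == "heuristic":
        return not info["suspicious"]
    raise ValueError(f"unknown policy {policy!r}")

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        info = analyze_url(u)
        print(f"{u}\n  shown-as: {info['userinfo'] or '(none)'}"
              f"  connects-to: {info['real_host']}  suspicious={info['suspicious']}")
```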
blah
-
Perhaps the Microsoft spokesman is lying
These security problems were publicly known in September.
What was released recently was sample exploit code.
If you are a Microsoft spokesman then, of course, you have to say that, "Hey, if we don't have a fix then it must mean we didn't know about it." So it's not even lying to say that you weren't told. It's the only logical thing.
The spokesman was not aware that Microsoft had released unmarked patches for some of the problems.
-
Addendum
I like this release.
Disable Active Scripting and find an alternative to IE ("use another product"). Not very realistic unfortunately, when companies have invested so much in integrating (and accepting) some of the flawed functionality in IE.
I do find that people are starting to be a lot more receptive towards MS-alternatives, especially when the mass media is now jumping on the bandwagon as well. Now techies find themselves explaining their choice of MS over and over again, to hype-induced managers.
-
Re:That's a goal?
There was an exploit to PDFs a few years ago. So technically MS is correct to disable it from auto launching (on a VERY thin technicality)
-
Cassandra
Please have a look at the free Cassandra system:
https://cassandra.cerias.purdue.edu
You can create any number of profiles, and you get emails daily about new CVE entries in ICAT (icat.nist.gov) or Secunia advisories (Secunia) that relate to the software or keywords you select.
You can use the freeware KeyAudit to scan your systems:
Windows KeyAudit: http://www.sassafras.com/restricted/keyaudit/keyaudit.exe
Mac KeyAudit: http://www.sassafras.com/restricted/keyaudit/keyaudit.sit
Sassafras just stopped maintaining KeyAudit, so I'm looking for an alternative application scanner to replace KeyAudit, as well as a Linux/UNIX equivalent (I'm the author of Cassandra).
I'm aware that it's not perfect, and the html and presentations are rather basic. However, it's free, it has been working for a few years now, and I'm listening for suggestions and open to criticism. I'll try to improve it as time allows.
Cheers
Pascal Meunier
-
More information
-
Staying updated goes a long way
People should just use some of the great security sites out there. E.g. SecurityFocus or Secunia. Both have a large vulnerability database and mailing list with all the latest vulnerability information.
-
Re:Looks too much like XP
Mozilla with an LDAP server runs rings around Micro$oft's closed-source ass. You obviously have no idea what the hell Exchange is and what it is designed to do. Also, I find it ridiculous you make fun of the NAME of "Outlook" while juxtaposing it to "Mozilla". Please... I mean, I have never heard of anyone resorting to namecalling a piece of software in order to win an argument... It takes all kinds, I guess...
"I don't recall ever having to install "CRITICAL SECURITY UPDATES" for Mozilla because of some worm going around." Please give me your IP addy. Check this out: one, two, three. I can go on if you want...
Access sucks. So spake the wise Seth. Why? Please grace us with your obviously paramount knowledge of everything software related. And what, pray tell, is the Open Source alternative? Text files indexed through a bunch of perl scripts outputting LaTEX? Sure.
But you go on, saying Honestly, LaTeX has been superior to that piece of closed-source crapware for 15 years. It appears to me that, frankly, you have no clue what Word is since you insist on comparing it to Latex.
Finally, please grow up and stop writing "Micro$oft". It is idiotic. Trust me on that.
-
Re:UNC-Chapel Hill South Campus Hit Hard
The tragic part is that Microsoft posted the patch almost a month ago:
Assuming that the patch works, that is. This advisory suggests that the W2K version of the patch may not fully fix the problem.
-
Security Advisory
The security advisory can be found here.
After reading the advisory, it looks like this one is going to be a bad one. I'm no expert, but I would guess that this thing is going to be around as long as code red was (and I'm still getting code red hits in my logs!)
-
Re:Credits
If you scroll down to the bottom of the advisory you'll see a link to the original advisory. Here's the beginning of the message:
List: linux-kernel
Subject: Route cache performance under stress
From: Florian Weimer <fw () deneb ! enyo ! de>
Date: 2003-04-05 16:37:43
Please read the following paper:
<http://www.cs.rice.edu/~scrosby/tr/HashAttack.pdf>
Then look at the 2.4 route cache implementation.
Short summary: It is possible to freeze machines with 1 GB of RAM and more with a stream of 400 packets per second with carefully chosen source addresses. Not good.
It seems the advisory stems from the paper, not the other way around.
-
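The quoted message and the paper it cites describe the same failure mode: a hash table whose bucket is a predictable function of attacker-supplied input (here, packet source addresses), so a modest packet rate can pile every entry into one chain and turn O(1) lookups into O(n). As an added example, and not the kernel's or the paper's code, the Python below builds a chained table with a toy unkeyed hash, feeds it constructed addresses that share a bucket, and then shows the standard fix: a keyed hash with a per-process random secret, plus a chain-length watchdog. The toy hash, bucket count, alarm threshold and address workload are all assumptions for illustration.

```python
import hashlib
import secrets

NBUCKETS = 1 << 16      # assumed table size for the illustration
CHAIN_ALARM = 64        # assumed watchdog threshold on chain length
PROBE = 0xFFFF0A0A      # constructed address that shares the flooded bucket but is not in it

def unkeyed_hash(addr: int, secret: bytes) -> int:
    """Toy unkeyed hash: the bucket depends only on the low 16 bits of the address.
    Anyone who can read the function can choose addresses that land together."""
    return addr & 0xFFFF

def keyed_hash(addr: int, secret: bytes) -> int:
    """Keyed hash: BLAKE2b with a secret chosen at startup. Without the secret,
    an outsider cannot predict which bucket an address maps to."""
    digest = hashlib.blake2b(addr.to_bytes(4, "big"), key=secret, digest_size=4).digest()
    return int.from_bytes(digest, "big")

class ChainedTable:
    """Minimal chained hash table; the route cache is modelled only loosely."""
    def __init__(self, hash_fn, nbuckets=NBUCKETS, secret=b""):
        self.hash_fn, self.nbuckets, self.secret = hash_fn, nbuckets, secret
        self.buckets = [[] for _ in range(nbuckets)]

    def insert(self, addr: int) -> int:
        """Insert and return the length of the chain the entry landed in."""
        chain = self.buckets[self.hash_fn(addr, self.secret) % self.nbuckets]
        chain.append(addr)
        return len(chain)

    def lookup_cost(self, addr: int) -> int:
        """Entries compared to find (or miss) addr: the metric the DoS inflates."""
        chain = self.buckets[self.hash_fn(addr, self.secret) % self.nbuckets]
        for i, a in enumerate(chain, 1):
            if a == addr:
                return i
        return len(chain)

    def longest_chain(self) -> int:
        return max(len(b) for b in self.buckets)

def colliding_addresses(n: int) -> list:
    """Constructed workload: n distinct 32-bit addresses whose low 16 bits agree,
    i.e. they all map to one bucket under unkeyed_hash."""
    return [(i << 16) | 0x0A0A for i in range(1, n + 1)]

def run_workload(hash_fn, addrs, secret=None) -> dict:
    """Insert the workload and report what a chain-length watchdog would see."""
    if secret is None:
        secret = secrets.token_bytes(16)   # per-run random secret (ignored by unkeyed_hash)
    table = ChainedTable(hash_fn, secret=secret)
    worst, alarm_at = 0, None
    for i, a in enumerate(addrs, 1):
        worst = max(worst, table.insert(a))
        if alarm_at is None and worst > CHAIN_ALARM:
            alarm_at = i            # insert at which a watchdog would react
    return {"longest_chain": table.longest_chain(),
            "alarm_after_inserts": alarm_at,
            "probe_cost": table.lookup_cost(PROBE)}

if __name__ == "__main__":
    workload = colliding_addresses(4000)
    print("unkeyed:", run_workload(unkeyed_hash, workload))
    print("keyed:  ", run_workload(keyed_hash, workload))
```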
Credits
Reading the paper, which begins with "We present a new class of ...", it sounds like these students discovered a new concept from nowhere.
Maybe their genius has been triggered by the recent advisory about a DOS exploiting hash collisions in netfilter.
They analyzed some software but no word about this known vulnerability. Still a good summary but not a discovery.
-
Problem
If you run it as part of an inline firewall, then you would need to be extra careful about how your network is configured (personally, I'd only use it as a secondary firewall directly in front of a bunch of boxes that can't make outgoing connections).
Otherwise, you'd be vulnerable to root exploits, which might not be the happiest moment of your security career.
-
Re:snort is the weakest link
-
What this update fixes
On May 9, Secunia released an advisory entitled Apple Safari and Konqueror Embedded Common Name Verification Vulnerability. The summary is, "Apple Safari and Konqueror Embedded fails to validate the Common Name of a SSL certificate. This makes it possible to spoof SSL sites, so that users can't trust the authenticity of a SSL website." They also add, "NOTE: This does not affect the ordinary version of Konqueror."
-
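The advisory quoted above is about one specific step being skipped: the client checked that the certificate chained to a trusted CA but never compared the certificate's name to the host it was talking to, so any validly issued certificate could stand in for any site. As an added example, not Apple's, KDE's or Secunia's code, the Python below implements that name check over the dict shape Python's ssl getpeercert() returns, preferring subjectAltName over the CN and applying the usual wildcard rules, and shows the accepted-for-any-host behaviour beside the corrected one. The certificates and host names are constructed.

```python
# Constructed certificates in the dict shape returned by ssl.SSLSocket.getpeercert().
CERT_WWW = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "example-bank.test")),
}
CERT_WILDCARD = {
    # No subjectAltName: the CN is the only identity and is used as a fallback.
    "subject": ((("commonName", "*.cdn.example.test"),),),
}
CERT_BAD_WILDCARD = {
    "subject": ((("commonName", "*.test"),),),   # a wildcard this broad must never match
}

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match. '*' is allowed only as the whole leftmost
    label, matches exactly one label, and needs at least two labels after it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def presented_identities(cert: dict) -> list:
    """DNS names the certificate claims: SAN dNSName entries, else the CN(s)."""
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ()) for (kind, value) in rdn
            if kind == "commonName"]

def hostname_matches(cert: dict, hostname: str) -> bool:
    return any(dns_name_matches(name, hostname) for name in presented_identities(cert))

def accept_server(cert: dict, hostname: str, chain_trusted: bool,
                  check_name: bool = True) -> bool:
    """check_name=False reproduces the flaw the advisory describes: a certificate
    that chains to a trusted CA is accepted no matter which host presented it."""
    if not chain_trusted:
        return False
    if not check_name:
        return True
    return hostname_matches(cert, hostname)

if __name__ == "__main__":
    host = "login.example-bank.test"      # a host CERT_WWW was not issued for
    print("without name check:", accept_server(CERT_WWW, host, True, check_name=False))
    print("with name check:   ", accept_server(CERT_WWW, host, True))
```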