Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
Great, but . . .
Is there anything Tripwire can do that can't be done by a few shell scripts, a crontab, and the md5sum program? I mention this specifically because of a Security Focus article that mentions this (Section 8. Tripwires).
------
-
Re:What's the right right?
Every time you reinstall an operating system write 0's to the entire HD first
Good start, but definitely not sufficient. You can find tools for secure deletion at securityfocus
http://www.securityfocus.com/templates/tools_category.html?category=73
Cheers,
--fred
-
Moderators! Ease off the crack!
Who the heck moderated this thing up as Informative? It has one link!! To a well-known OS's website, no less!
Here, I'll be more informative:
Linux.com
Linux Kernel
Computer Emergency Response Team (CERT)
Securityfocus.com
Woo-hoo! Now I'll just kick back, relax, and watch the karma roll in... -
Re:Windows 98 security
A nice example of Windows security is the following worm. Or how about password passing? The only reason Windows machines aren't cracked so often is that they are not so easy to use remotely as Unixen. Windows 2000 is about to change this....
-
The FBI has already lied about Carnivore
what i don't understand is why it hasn't been a big deal that it has already been proven that Carnivore does more than the fbi said. according to this article at securityfocus, Carnivore not only sniffs email, but it can also reconstruct web pages a user views. isn't the whole point of the review to make sure that it doesn't do more than the fbi says (and doesn't violate our rights)?
i'm sure after the review even more lies will come out. even if that happens, is there anything we can do about it? so they lied about what it does, they will still try to prove that it's within the boundaries of the law. -
Think twice before doing business with E*Trade
Anyone who is planning to do business with E*Trade or is involved with E*Trade should think twice.
After reading the post and remembering a security incident not too long ago about E*Trade, one should investigate whether dealing with E*Trade is a wise thing to do. -
Looking in the wrong places
If you want a security tool check SecurityFocus. They have all kinds of neat toys that actually work.
-- -
CERT is useless nowadays
I've been working for a Linux security company for the past few months, and was pretty much on top of security before that. I can honestly tell you that to me CERT looks like a joke.
1) CERT is way behind anybody else
They issued an advisory about wu-ftpd and rpc.statd in July or August when exploits, and proof of concepts, were on bugtraq in late May.
2) CERT has turned into a laughing stock.
The funniest thing I think I've seen in a long time is Jamie Rishaw's mock advisory about the Sony Aibo. This is just a slap in the face of CERT.
I'm not mocking the concept... an entity such as CERT serves a very big purpose. Being associated with the SEI one would think a much more active one. However since white hats are just as skilled as the black hats it doesn't take somebody at the SEI to write an exploit. By the time they do, somebody has already posted it to bugtraq or it's already out in the wild.
Just my $.02. -
More DoS attacks for the Aibo then......
saw this ages ago, Sony Aibo liable to DoS
made me laugh anyway
-
Erm.. the 17-july bug is patched on july 17th
Hacker did ethical job of providing info to fix. Also, mentions BugTraq and how MS didn't fix the hole when it was posted July 17. Erm, the bug (in IIS4 and IIS5) was patched on July 17th, and if I interpret the text correctly, that's THE SAME DAY as the bug was posted on bugtraq. If you look up the vulnerability on bugtraq you'll see the patches are already available. Check also:
http://www.microsoft.com/NTWorkstation/downloads/Critical/q267559/default.asp
or bugtraq's page on this bug and the solutions:
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1488
Now.. slashdot.. tell me... do you have a problem with a certain company or something? because the 'news' seem to get a little shaky in the 'correctness' area.
:)
-- -
Recent 'Security Jobs Thread'
I do not have much knowledge on this subject, but there was recently a pretty informative thread on securityjobs, a mailing list run by Security Focus about all of this.
In order to look at the archives you have to deal with their absolutely _ANNOYING_ method of keeping you wrapped in their frames, so this URL will look pretty ugly, but you can find them at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fend%3D2000-09-30%26list%3D77%26start%3D2000-09-24%26threads%3D0%26%26_ref%3D1053441763.
After reading the thread I think the general consensus was to get married and get a green card :). Crispin Cowan even used the example of the movie as a not-so-far-from-life situation.
Cheers,
Ryan -
Re:Mainstream v. subculture
The "very small number" refers to the number of people who were openly gay when the term was introduced.
Irrelevant. If they found it offensive, they would have said it by now - black people didn't used to be offended by being called "niggers", but they are now, and it's being changed. How many people were protesting when it was first introduced is irrelevant.
Exactly my point. Thank you for agreeing. The definition was changed.
Don't get so ahead of yourself.. it says "depreciated" not changed. From the dictionary...
depreciate (dĭ-prē′shē-āt′)
v. depreciated, depreciating, depreciates. v. tr.
To lessen the price or value of. To think or speak of as being of little worth; belittle. See Synonyms at deprecate.
v. intr. To diminish in price or value.
Nothing here says anything about "changing" the definition, only a note saying that this is an uncommon definition of hack and is (or should be!) little used.
I know a teenager or early twentysomething like yourself might find this hard to believe, but 1996 is quite recent. 1990 is also quite recent.
First, age is irrelevant and you are being discriminatory and elitist by saying that my age somehow has a relationship to my ability to argue. But if you must argue the point about age, I'd like to point out that, almost exclusively, the progress in the computer technology sector has been coming from the people you just belittled. Anecdotal evidence - companies are discriminating against old people severely because of the widespread perception (fact?) that they are not as productive as their younger counterparts. [Source: FACEI] Second, wake up. This is the internet - 3 months of "internet history" is about 5 years of "real world" history right now. We're operating under a constant acceleration caused by technology advancement. If you think 5 years ago is "recent", remember that 5 years ago, e-commerce didn't exist, Linux had only been around for a few months in a usable form, and the "web" was still a morass of pasty grey webpages and broken HTML. Slashdot got maybe 10 hits a day, and IPO was just another word.
The "old" definition backs up the media.
I beg to differ, according to my research, hacker originally meant "someone who makes furniture with an axe". That's the "old" definition. As early as the 1960's, the term "hacker" was rechristened to the definition in the Jargon File. Had you done some preliminary research, you would have discovered that this is where the derivatives "sports hacker" and whatnot came from - it was first used by the computer industry and then started spreading into normal use. That is, until the media misinterpreted it by equating computer enthusiast with computer criminal.
The media will generally call you what you call yourself.
There's about 20,000 people on BugTraq who would like to talk to you about that, as well as a few "hacker" organizations like these guys.
I'm going to stop replying now, as you seem to be intent on chasing your tail and offering little or nothing in the way of new insight on the matter. There's nothing new to discuss here.
--
-
Great Links:
Common Vulnerabilities and Exposures
SecurityFocus
You can find everything you want to know (and more) at these sites. -
Security problems at other financial web sites.
This is not the only recent security problem in the financial services industry. Check the "E*TRADE Usernames and Passwords Remotely Recoverable" problem on Bugtraq at www.securityfocus.com.
Lucky for me, I keep all my cash stashed in a tin can under my mattress. I also have a sock for a safety deposit box.
-
Linux Certifications: The Microsoftization of Linux
The more I read about Linux certifications the more disturbed I get.
As if we don't have enough to worry about with boneheaded MCSEs who crammed just enough to pass their multiple choice tests becoming system admins, we now have to deal with Linux admins who will soon be "Red Hat certified". Am I the only one that is disturbed by Red Hat's Microsoft-like tactics such as their so called "Red Hat network" which is a pay service less functional than Debian's apt-get and a cron job?
Soon we'll have Linux administrators who are completely clueless outside the Red Hat sandbox, who cannot do the more intricate tasks that *nix administrators need to perform without handholding. This is especially frightening when one realizes Red Hat is the most insecure Linux distro out there. -
Cloudy future for SecurityFocus
SecurityFocus is trapping clicks on external links in their articles and forcing them to route through SecurityFocus. One of the links in the article reads http://www.securityfocus.com/external/http://oss.lineo.com/cuecat/, which allows SecurityFocus to track what its readers are clicking on.
Some other major site tried that a few months back, and was embarrassed into stopping. Now SecurityFocus is doing it.
-
My God, it's full of URLs
I've always hated SecurityFocus. Very slow to load and hard to read.
This link, http://www.securityfocus.com/news/89, led to no fewer than fourteen URLs:
http://www.securityfocus.com/frames/ad.html?group=secnews
http://www.securityfocus.com/focus/home/menu.html?&_ref=19861971
http://www.securityfocus.com/templates/article.html?id=89&_ref=19861971
http://www.securityfocus.com/frames/logo.html?&_ref=19861971
http://www.securityfocus.com/frames/upper_left.html?&_ref=19861971
http://www.securityfocus.com/frames/left_edge.html?&_ref=19861971
http://www.securityfocus.com/frames/lower_left.html?&_ref=19861971
http://www.securityfocus.com/frames/right_edge.html?&_ref=19861971
http://www.securityfocus.com/frames/upper_edge.html?&_ref=19861971
http://www.securityfocus.com/frames/top.html?focus=home&_ref=19861971
http://www.securityfocus.com/frames/upper_right.html?&_ref=19861971
http://www.securityfocus.com/frames/lower_edge.html?&_ref=19861971
http://www.securityfocus.com/frames/ad.html?group=home&_ref=19861971
http://www.securityfocus.com/frames/lower_right.html?&_ref=19861971
Someone tell these guys to read some basic web design docs. (You can't even link to a printable text-only version!)
sulli
-
Re:Where can we report compromised computers?
You can try the incidents mailing list at security focus. I just recently subscribed myself but there is some pretty interesting information on there.
LiNT
-
Re:Security != "security_from_script_kiddies"
The cloaking article says "they can't crack what they can't find"... and sadly I think it's very true. My home small network has a firewall with only ssh2 open. I get portscanned about 3 times a day. I think my setting is pretty secure, but I might always have a security hole somewhere. However, script kiddies will not bother with my computer because so many others are fully open.
I get scanned that many times an hour at times (probably because people know my subnet is all cablemodems.) One day I decided to run nmap on the IP's as they scanned me. On about the third IP address that I nmapped I found an open port 139. So for kicks I connected to it with a null login and password from a Win2k box I was testing. His entire C: drive, CDROM, and CDR were wide open. How convenient of him to leave a guest account for the people he scanned to find out more about him. I got bored fast (sharing over tcpip was way slow) so I didn't bother to read through his homework, but I did download a photo of him and his mother. I should've mailed it back to him from a hotmail account and told him he's an idiot. Disclaimer: Before you even think about trying this yourself, consider that the machine may be a honeypot owned by a hacker. Documents and executables may contain trojans.
Considering how quickly I got scanned by a script kiddie whose own system was wide open, I have to wonder is this the average skill level of a script kiddie?
There is an excellent radio show available online called Info.sec.radio. It's available on SecurityFocus.com under the Audio/Visual Media section. They do a one hour show every two weeks. They've got some cool interviews: the RCMP officer that busted the Welsh hacker, and most recently Kevin Mitnick himself. They also have done a feature on Hacking Through the Ages which is a historical perspective on hacking. Every show they do a segment on new vulnerabilities.
I wasn't expecting much but now I'm addicted. They do an excellent job of providing a lot of information quickly. I think what surprised me the most was that the show moves quickly and is not boring at all. If you have any interest in securing/cracking systems you'll be glad you checked it out (IMO).
Requires Realaudio :|
numb -
Cancel My Subscription to Bugtraq
It seems that every time some minimal flaw in a Microsoft product ignites the idea that much shame should be dropped upon the Redmonian company. Companies don't make mistakes, people do. Companies are made of people.. I am up to betting that developers of Linux and related software products have even introduced far more serious bugs.
anyways
.. I'd prefer that Slashdot not obsolete my bugtraq subscription. We have already established that MSIE has introduced 5 bugs for every 1 fixed.. let it be .. and REMEMBER THE ALAMO! (i mean Bugtraq: http://www.securityfocus.com/ TOAST: Here's to hoping for the re-purification of Slashdot -- like in the past!
Anybody else getting the impression that there must not be too many newsworthy submissions in the queue causing Slashdot to resort to such posts as this? Has computing gotten to the point that many topics are better understood by the "general public" for the niche that Slashdot once filled?
<constructive editorialism!/>
-
Re:Agreement from Alan Cox
I'm gonna have to play devil's advocate here, because I see lots and lots of references to how awful Windows NT's security is, yet no specific examples.
You really should read BUGTRAQ (or, if you can put up with the somewhat lower level of discourse, NTBUGTRAQ). I don't know NT well, but I believe that this recent vulnerability gives a local user admin-level privilege. For remote root, the IIS buffer overflow found by EEye some months ago comes to mind.
But go browse security focus yourself.
-
Re:XPCOM/COM doesn't equal security holes
And there's another interesting problem with that infamous "runas". It's directly related to COM, and it shows that it's not easy to get an intuitive view for the user concerning the security of these "components".
You can read about it here. Especially interesting is David LeBlanc's mail and that of Russ.
Where do you draw the border when _elevating_ rights with runas (for instance installing something from ms which nowadays often automagically involves Internet Explorer _and_ requires Administrator privileges).
-
Handy Solaris Code
-
Re:Similar exploit in a popular IRC client.
Is there a reasonable article around on this which explains more about the problem and its concepts as well as how proper and careful coding can avoid it?
:/
The best introduction is Pascal Bouchareine's original paper on writing Format exploits
.. it's probably available all over the web .. there's a copy here, for example.
This paper is to format string bugs what Aleph One's "Smashing the stack for fun and profit" is to buffer overflows.
Steve
--- -
Re:Taint mode solves this problem
Perl's 'taint mode' solves this problem very well
But only if you're running the latest Perl - otherwise you're wide open to a lovely exploit which gives instant root access:
Go Here for details
...
Steve
--- -
Re:Not new -- and can be stopped by the compiler
I'm not sure why you would point that out in this context. Crispin (leader of the Stackguard project) makes no claim to being BO-proof, and Stackguard doesn't even address format string problems.
Check out the thread on vuln-dev here -
Re: Wait, it's both!
If it's BugTraq ID 1634 then it's passing format strings into a localized program (using gettext and cousins) via specifying your own translation catalog.
I'm not an expert in security, but the first 10 posts posted inaccurate information, so I thought I'd add my 2 cents.
Yeah, that must be the BugTraq item, as it's credited to Ivan Arce of CORE SDI.
Ciao!
-
PHP Vulnerability
This bug was posted September 03, 2000, and no one has mentioned it so far. Does anyone have a solution?
From Security Focus
PHP Upload Arbitrary File Disclosure Vulnerability
PHP's handling of uploads means that PHP applications can be manipulated into opening arbitrary files on the server, rather than those uploaded by the user. This may permit a remote user to read any file located on the server which is readable by a user of the server's privilege level.
-
Paying Attention to Our Systems
About a week ago, I received a couple of interesting replies from ACs on a post I made on the Microsoft ApacheFP vulnerability. Apparently, my machine is owned. Perhaps...
There's no excuse for ignoring your systems once they're up, and, some basic detection software should be mandated for future distros of any *n*x. Admins should read up on services that want to launch on start-up, as well, and, I'd also love to see a linux box come with a good set of firewall rules in the startup scripts by default.
I've had quite a few servers scanned over the past month for the rpc services, and the machines have acted appropriately. Including responding to the AC who "owns me" and who proceeded to scan 3 of my boxes. He/she may be correct and own my box. Truth is, I haven't heard from him/her since the scans. And, before anyone mentions it: I get CERT alerts; Security Focus is a daily stop.
Might seem off-topic. But, they're getting in through the rpc services. Firewall them. Then we won't hear a bunch of FUD about how insecure Linux is.....
Linux rocks!!! www.dedserius.com -
Re:Only half the story.
according to this posting on the securityfocus INCIDENTS list, trinity is often propagated by the ever-popular rpc.statd exploit.
oh, and the guy who posted to INCIDENTS beat out iss by >1 week. :)
btw, trinity is old news to the skr1p+ k1ddi3 scene.
-- -
No attention paid to security, though
From the installer to the login screen, everything is well designed, looks very pretty, is well organized and just makes sense.
The installer is "well designed" and "makes sense"? The recommended install for Helix Code Gnome involves piping a web fetch to a root shell; a really, really dangerous hack. (See http://www.securityfocus.com/archive/1/79524 for information on exploiting any systems that use NAT or Web proxies: replace "echo" in ERR_GOGNOME with the commands of your choice.) Helix Code doesn't sign packages. They don't respond to queries about improving their distribution and installation mechanisms unless publicly humiliated.
The apps and desktop are a nice step forward visually, but Helix Code takes a drag-and-drool approach to security and deserves some heat for that. They're deliberately making the distribution and installation less secure than what's offered by the major RPM-based Linux distributions.
I used to be an advocate of Gnome. But the Helix Code faster-dumber-riskier approach has me reassessing my aversion to KDE. If Miguel, Nat, & co. want to start taking seriously something besides eye candy and PR, that would be great.
Steamroller, cathedral, ivory tower, flytrap, loaded gun: pick your analogy. There are serious problems with Helix Code.
-Peter
-
Re:Why do they include Slackware??
hmph... actually, slackware does have a packaging system. (i'm a slackware bigot running 7.1). It uses files in the .tgz format, and can be made to include installation scripts. Slackware comes with tools to build, install, and remove them (installpkg, makepkg, pkgtool), as well as a neat little tool for converting RPMs to the slackware format - rpm2targz ... i've been playing with packages somewhat recently because i managed to mangle my previous (slackware) install by playing with XFree86 4. Slackware format packages seem to be quite a bit easier to build than RPMs.
My slackware machine is a 486/50, so slack really impresses me over Redhat and such because it's relatively small, even fully installed. Also, coming in disk sets, it's easy for me to leave out KDE and associated tools, or LaTeX and install it later (instead of having to find it in a huge list, as is the case with Redhat). According to securityfocus (whose page layout makes baby Jesus cry), it seems to be one of the more secure Linux distros out there. Finally, as noted by the parent poster, the BSD-style startup scripts are nice.
-legolas
i've looked at love from both sides now. from win and lose, and still somehow...
-
Re:When amazon is cracked, people fry. What of me?
Your best bet would be to head over to SecurityFocus and get on their ``Incidents'' mailing list. Give a thorough explanation of everything you know along with any recoverable (and relevant) logs. There's hundreds, if not thousands of security professionals on that list who would gladly help you out.
-
Re:there is nothing wrong with user-agents
hmph... but 97.4% still means that out of every 100, 3 or so would be not using Netscape or IE. That means out of 1000, 26, and so on and so on...
while it's not the majority, that is certainly a fair number of people.
heh.. sorry. I'm just annoyed when a page is completely unreadable with lynx, because it's usually faster than booting up with Netscape. It's awful how bad securityfocus is... it even seems to crash any version of Netscape for Linux i use on it (on different systems).
-legolas
i've looked at love from both sides now. from win and lose, and still somehow...
-
Securing Linux
Information sites on keeping your Linux box secured:
http://www.linuxgazette.com/issue34/vertes.html
http://www.linuxworld.com/linuxworld/lw-1999-05/lw-05-ramparts_p.html
http://www.securityfocus.com/focus/linux/articles/linux-securing.html
http://www.isr.umd.edu/~danielf/Linux/securinglinux.html
http://www.gl.umbc.edu/~jjasen1/unix/linux.html
--
Kiro -
just a question
Mozilla was coded after Netscape source code.
I'd like to know how different from the original Mozilla has become.
In case there have been some source code blocks copy, how can we be sure that Netscape bugs don't occur in Mozilla ?
Is Mozilla proofed against all of Netscape's security issues ???
-- -
Open Letter to Disney (owner of ABC)
Dear Disney Enterprises,
We, members of the open source community, request your company to review your story posted on ABCnews.com named "Linux Sux Redux", a commentary by Fred Moody located at http://abcnews.go.com/sections/tech/FredMoody/moody.html. We request your company to review the story for bias and incorrect data. The source of the information regarding the security problems, securityfocus.com, has responded to the article with this article. Additionally, please consider the statements made by the open source community at Slashdot: Linux Sux Redux A Rebuttal and Linux the Worst Operating System Ever. Thank you for your time.
-
Security Focus is one of the better...
...resources online. For example: FOCUS on Linux: Intrusion Detection on Linux is equivalent to the Koran for system security administrators.
-
Analysis of Moody's analysis
Well, Moody's analysis is seriously flawed. You should read both the original article as well as the Bugtraq statistics. The statistics are accompanied by a lot of disclaimers which Moody just casts aside with half a sentence despite their importance.
What is compared is also interesting. Moody's data about Linux vulnerabilities is not about the kernel or the core system. It is not even about a single Linux distribution. It is not even computed correctly. The numbers given by Moody are for the union of all vulnerabilities in all Linux distributions covered by the statistics, and to make it look worse he adds vulnerabilities of Red Hat in once more for good measure.
Moreover, if you consider that Linux covers all packages in all distributions and hence contains a lot more software than the standard Windows (NT or 98) distribution, the numbers become even more meaningless.
Basically, the article is a bad example of how to lie with statistics.
-
Re:So...
It's probably already been posted but if you go to the web site for SecurityFocus.com (who does Bugtraq), and scroll down. They have a chart that lists the top Vulnerabilities of 2000. The top 2 are NT 4.0 and Win 2000. Also, if you look a little further down, The top 12 Vulnerable packages of 1999 were all Microsoft Packages. I wish Mr. Moody wasn't allowed to write tech articles. Let's all bug ABCNEWS.com by sending them email asking them to ban Mr. Moody.
-
Re:Libel (was Re:More bugs)
Boy, after looking at:
SecurityFocus: BUGTRAQ VulDB Stats
I really find it hard to believe that ABC is letting him post that stuff up on their site. What that sounds like is a troll post from slashdot, backing nothing up, and coming up with numbers from nowhere. If you look at the pretty charts they made, look who is at the top of the list for vulnerabilities for the year 2000.. And even better yet, 1999. Let's see, in 1999:
Windows NT had 96 vulnerabilities
Windows 98 with 44
Windows 95 with 40
And wait, then they have a section for:
NT w/ sp3 at 32
NT w/ sp1 at 31
NT w/ sp2 at 30
NT w/ sp4 at 29
The next few entries are dealing with Internet Explorer (which I think should be just added in with Windows 98, but that's just my opinion). And then look at the bottom of the list, we have Red Hat 5.2 at 21, and Red Hat 6 at 19. At least with linux cut down the vulnerabilities with the later release, it's only by one, but it is less. On this chart, it shows that SP1 had fewer vulnerabilities than SP3. Hey now, they told me it was going to fix problems, not create more. I was hoping this guy provided an email address to send comments to, but I fail to see one. I don't know if I've read an editorial without a way to send your comments in at all, he's probably sick of being flamed. I feel this guy has some sort of stake in the windows franchise, and doesn't want to see his money maker start losing money when people open their eyes a bit. I feel that anything that can be opened up and studied by the general public is going to be more secure than something that is done within a closed environment. This may not always be true, but if you look at cryptography, it is studied and tested for many many years, trying to find vulnerabilities, weaknesses, whatever it may be that could cause security/privacy/etc concerns in the future. You take a closed system, with a certain amount of people who can study it, they won't find everything out, and with a system like that, if they do find something, which may take a lot longer to get fixed than normal, they can still release the product, not tell anyone about it, hopefully it doesn't become an issue until a service pack can be released. They don't fix bugs unless it's cost-effective, or will give them good PR. Well enough rambling, time for bed..
-
Re:Here is my letter to ABC News.com:
I think you're better off pointing out the verifiable inaccuracies in Moody's article. Don't sound like a Linux zealot, sound like a reader who's concerned about the facts.
The source of the data is http://www.securityfocus.com/vdb/stats.html. Moody has added the RedHat numbers to the Linux aggregate numbers (which already include the RedHat numbers). -
Libel (was Re:More bugs)
It must almost border on libel. It looks like Moody has deliberately lied about the numbers. Here's the quote:
Windows NT totaled 99 new vulnerabilities on the BugTraq list. (So far in 2000, the count stands at 37.) This looks like an alarmingly high number in comparison with Solaris' 34 or NetBSD's 10, but it is significantly less than the 122 racked up by Red Hat and the other Linuxes (their 2000 count stands at 47).
The SecurityFocus stats page clearly shows RedHat's '99 vulnerabilities as 38 - less than 40% of WinNT's.
So where did the 122 come from? Moody added RedHat's 38 to the Linux Aggregate of 84. He's done the same for this year's numbers (RedHat's count for this year is 17, and the total for Linux is 30 not 47). But the Linux Aggregate already includes the 38 RedHat vulnerabilities and it clearly states that in the preface on the page - Moody is either an incompetent researcher or he is deliberately counting vulnerabilities twice in order to discredit RedHat. I'd be consulting a lawyer about the possibility of a libel suit if I were them. -
Re:I wrote to abcnews...
You said:
For instance, the apache server is included in the Linux numbers, but the IIS web servers numbers are split apart from the NT numbers and Mr. Moody didn't trouble himself to add them into the list of NT vulnerabilities.
WRONG. Here is a quote from the SecurityFocus.com article:
We consider a vulnerability to affect an application or operating system if the vulnerability affects a component that is part of the application or operating system when bought or downloaded. For example, this means that a vulnerability in IIS will also be considered a vulnerability in Windows NT as the latter ships with the former.
-
Re:Maybe we can get this:
Complain to ABCNews.com - I did. Be clear, polite, and be sure to indicate that not only was Mr. Moody obviously trolling, he deliberately lied about the data - see this link that another poster mentioned.
-
Fred's numbers don't add up
I love Fred. If I didn't have so much faith in human stupidity, I'd suspect that his articles were actually some sort of satire on FUD.
Since ABCNews, in the interest of giving people the direct facts, has neglected to provide a link to the actual BugTraq statistics, here's one. Check it out: lots of fascinating disclaimers and real numbers. Fred cheerfully brushes off such fun disclaimers as "The statistics should not be taken to imply that some particular operating system or application is more or less secure than another one." He ignores "We consider a vulnerability to affect an application or operating system if the vulnerability affects a component that is part of the application or operating system when bought or downloaded." So, if sendmail has a vulnerability, it's likely to count against Linux, since most Linux distributions ship a sendmail. If a mail transport agent for NT has a vulnerability, well, it didn't ship with NT, so it's okay.
Windows NT totaled 99 new vulnerabilities on the BugTraq list. (So far in 2000, the count stands at 37.) This looks like an alarmingly high number in comparison with Solaris' 34 or NetBSD's 10, but it is significantly less than the 122 racked up by Red Hat and the other Linuxes (their 2000 count stands at 47).
Let's check Fred's numbers. A quick check for 1999 for Windows NT reveals 99 incidents, sure enough. A check for "Linux (aggr.)" reveals... 84? Something smells fishy.
Well, the disclaimers at the top note "Where we display aggregate numbers of vulnerabilities (Linux and BSD) the number is the size of the set that results from the union of all vulnerabilities for the components without duplication. Vulnerabilities are not counted twice." Perhaps this means that the "aggr" entry doesn't include the Red Hat, SuSE, Debian, or Slackware entries. Not how I would have interpreted it (I would have read it as "If a single bug was found in Red Hat, SuSE, and Debian, we only counted it in the aggregation once, not three times."). But adding them together gets me... 182. Erm, so where did Fred pull 122 from?
Fred, after blowing off BugTraq's very long disclaimer, summarises with:
All that aside, though, one conclusion is inescapable: If you look this list over, and measure each system's number of vulnerabilities against the number of its customers, Linux is arguably the worst operating-system product in history, and Microsoft's the best.
This is just stupid. If you remove his little "against the number of its customers", his analysis has no meaning. I can find a strong case for many of the systems with a little justification like Fred's. Security vulnerabilities are more important for servers on the internet where random people can attack them. Given the number of Linux boxes to Windows boxes serving web pages on the internet, it looks like Linux and Windows NT are closely matched. Taking into account severity of the vulnerability (Are there real exploits, or is it a suspected vulnerability? Can it be exploited externally, or only if you already have local user permissions? Does it affect all computers, or only ones in a particular configuration?) I suspect you'd find different answers, but the information isn't there (and BugTraq admits as much).
The amazingly low quality of this article makes me suspect that Fred is so strongly biased against Linux that he is consciously or subconsciously viewing the world through blue (screen) colored glasses. Of course, ABC doesn't have any reason to stop him, since clearly he's drawing huge hits.
Oh well.
As Linux zealots are beginning to find out, it's a lot easier to masquerade as a better product than it is to go out and be one.
Ultimately, we should just ignore the silly little man and go on enjoying our better product.
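The aggregation rule the thread keeps quoting (an aggregate is the union of each component's vulnerabilities, with no duplicates, so a single distribution's count is already inside the aggregate) is easy to get wrong by hand. The following is an added illustration, not taken from any comment above and not the SecurityFocus stats page's real data: it runs that rule over a constructed set of BugTraq-style IDs and shows how much a naive sum, or adding one member back onto the aggregate, overcounts. All IDs and distribution lists are made up for the example.

```python
# Added example (not from the thread or from SecurityFocus): aggregate
# vulnerability counting as a set union, versus the two ways of double-counting
# discussed above. Every ID and distribution list here is constructed.
from typing import Dict, Set

# Constructed sample: BugTraq-style IDs per Linux distribution. IDs that appear
# under several distributions stand for bugs in a shared package (a sendmail or
# bind issue, say) that every distribution shipping that package inherits.
SAMPLE: Dict[str, Set[str]] = {
    "Red Hat":   {"BID-1", "BID-2", "BID-3", "BID-4"},
    "SuSE":      {"BID-1", "BID-2", "BID-5"},
    "Debian":    {"BID-1", "BID-3", "BID-6"},
    "Slackware": {"BID-1", "BID-7"},
}


def aggregate_ids(components: Dict[str, Set[str]]) -> Set[str]:
    """Union of all components' IDs: the 'Linux (aggr.)' rule, no duplicates."""
    return set().union(*components.values())


def aggregate_count(components: Dict[str, Set[str]]) -> int:
    """Size of the union: the number the stats page would display as aggregate."""
    return len(aggregate_ids(components))


def naive_sum(components: Dict[str, Set[str]]) -> int:
    """Adding every per-distribution count: counts shared bugs once per distro."""
    return sum(len(ids) for ids in components.values())


def aggregate_plus_member(components: Dict[str, Set[str]], member: str) -> int:
    """Aggregate plus one member's own count: the member's IDs are already in the
    union, so every one of them is counted twice."""
    return aggregate_count(components) + len(components[member])


def overcount_from_member(components: Dict[str, Set[str]], member: str) -> int:
    """How many IDs 'aggregate + member' counts twice: all of the member's IDs
    that the union already contains (which is all of them)."""
    return len(components[member] & aggregate_ids(components))


def shared_across(components: Dict[str, Set[str]]) -> Dict[str, int]:
    """For each ID, how many distributions list it; >1 means a naive sum
    counts it more than once."""
    counts: Dict[str, int] = {}
    for ids in components.values():
        for bid in ids:
            counts[bid] = counts.get(bid, 0) + 1
    return counts


if __name__ == "__main__":
    for name, ids in SAMPLE.items():
        print(f"{name:10s} {len(ids)}")
    print("aggregate (union)      ", aggregate_count(SAMPLE))
    print("naive sum of members   ", naive_sum(SAMPLE))
    print("aggregate + Red Hat    ", aggregate_plus_member(SAMPLE, "Red Hat"),
          "(double-counts", overcount_from_member(SAMPLE, "Red Hat"), "IDs)")
    print("IDs listed by >1 distro",
          sorted(b for b, n in shared_across(SAMPLE).items() if n > 1))
```

On this constructed data the union holds 7 IDs, the naive sum reports 12, and "aggregate plus Red Hat" reports 11 even though every one of Red Hat's 4 IDs is already in the union. The check a reader can apply to any such table is the superset test: if a member's ID set is contained in the aggregate, adding the member's count to the aggregate is always an overcount of exactly that member's size.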