Slashdot Mirror


Slashback: Public, Anecdotes, Conclusions

It's been a while since the last iteration of Slashback, so tonight there are updates and errata on several recent stories. Read on below to find out more about Harlan Ellison's battle with copyright infringers, why modding your Linksys WAP might not be as cool as you thought, internet access in Wellington, New Zealand, the results of the NASA poll on space priorities and more.

How many anecdotes? Drestin writes "Looks like all the flame mail and traffic to WinInfo for the recent 'Windows more secure than Linux' article prompted its author, Paul Thurrott, to reply with his opinion. He tells us to think with our heads, not our hearts."

Several readers complained about my original (since updated) headline, and they're all right. As Kathleen Ellis put it:

"I find this title to be rather misleading. Bugtraq is a security mailing list that happens to be archived on SecurityFocus' web site (it is also moderated by one of SecurityFocus' founders, but Bugtraq content is not subjected to SecurityFocus editorial control), and WinInformant is really the one making the assertion, based on their analysis of Bugtraq list traffic.

As an occasional SecurityFocus reader (and occasional writer), I am particularly concerned that your headline (and the attribution of the assertion to SecurityFocus) will make SecurityFocus look bad. As a professional in "the industry" and as someone who follows computer security very closely, I am confident most sensible members of the security community will quickly realize that the assertion is of extremely dubious merit and your attribution could make SecurityFocus look extremely foolish."

Here, why don't you pay? TheGeneration writes "Recently Salon had an article about public money being used to write private code (i.e., for a university). The article apparently moved Richard Stallman enough to write a response and opinion. Stallman cites his own reasons for leaving MIT, such as his inability to write free software while under their employ. Stallman discusses ways to sidestep university control of free software, and how to get admins to allow software developed under them to be licensed as free software."

For your personal museum's display cases. airrage writes "As a follow-up to the early design docs for some of the earliest ATARI games. More fascinating is the 30 Secrets of Atari. Did Jobs ever do any work? Finally, the creator of ATARI's Adventure has a web site. Check out his work on virtual nano-technology and his presentation on creating Adventure. They sure didn't have much to work with, did they?"

Connecting everything to everything. seanadams.com writes: "Our company has just published the firmware source code for our SliMP3 Ethernet MP3 player, previously reviewed on Slashdot. The firmware, written entirely in assembler, includes our super-compact TCP/IP stack for the 8-bit PIC microcontroller. The license allows for non-commercial use, so I hope this will be of interest to PIC hackers! If you're interested in experimenting with Ethernet and TCP/IP on the PIC, we will have an integrated PIC+CS8900 module and development kits available next month."

Next stop is telepathy. ruvreve writes "An update to a previous article featured here on Slashdot. Wellington is offering not only city-wide gigabit Ethernet but also wireless access. Currently it is still 11Mbps, but plans are to make it 56Mbps down the road."

Not someone I'd want to mess with anyhow. yndrd writes "As a follow-up to a previous Slashdot story about Harlan Ellison's feud with what he considers to be pirates of his work, Ellison has reached a settlement with Critical Path Inc., who will create software that enables Ellison to immediately delete postings of his work on the RemarQ service. The (somewhat) full article is here. He's still ready to rumble with America Online, the other party in his lawsuit."

The dirty side of quick n' dirty. nailgun writes: "http://www.maokhian.com/wireless/wap11.html has before-and-after oscilloscope traces of the spectra of a power-boosted (hacked) Linksys WAP. From the traces it is apparent that power-boosting does no good, since all (or nearly all) additional power is blasted out in neighboring frequencies. Boost your Linksys and you'll step on all other WAPs in the neighborhood. These are cool pictures too."

This took a survey to determine? An Anonymous Coward writes "Remember the Space Survey Thread? Where NASA was asking for our opinion on where to go in space? Well, the results are in. Lo and behold, we all want to go to Mars."

16 of 171 comments

  1. WinInfo goofball by kyras · · Score: 2, Insightful

    ...and I quote:

    For example, generalities (like "Windows is more secure than Linux") are barely defensible.[...] What I am trying to say is that Linux is not more secure than Windows.

    So windows is not more secure than linux, and linux is not more secure than windows. They're exactly equal in security? Huh?

    --
    Tastes like burning! - Ralph Wiggum
  2. Re:Stallman's right, you know... by Anonymous Coward · · Score: 1, Insightful

    You are forgetting that universities get public money, as well as contributions from private sources to do with as they please. So, let's say I'm ABC University. I apply my private donation dollars to technical development or payment of teachers who do research, etc., and then I turn around and use state funds etc. to fund everything else. It's all about how you distribute the dollars -- and it's done every day.

  3. Remember when Harlan Ellison was *GOOD?* by dr_eaerth · · Score: 5, Insightful

    Ellison has reached a settlement with Critical Path Inc. who will create software that enables Ellison to immediately delete postings of his work on the RemarQ service.

    I could barely give a crap about Harlan having ubercancel powers over Supernews's servers, except as it leads to this:

    There's a reason that usenet servers almost never respect cancels, and that's frivolous cancelling. It's destroyed froups in the past. Now once Supernews engineers their servers to allow Harlan to cancel any posting he has a personal problem with, there's no reason why others can't also have this power. Universal Music Group will ask for the same thing, followed by all the RIAA. And so on and so forth.

    If Critical Path gives it to them (and why wouldn't they?), Supernews will turn into a wasteland with as close to 0% binary completion as makes no odds. Harlan has gutted his chosen usenet service.

    Next stop for me, Giganews. At least until Harlan gets to them.

    1. Re:Remember when Harlan Ellison was *GOOD?* by tkrotchko · · Score: 2, Insightful

      "Remember when Harlan Ellison was *GOOD?* "

      Frankly, no.

      --
      You were mistaken. Which is odd, since memory shouldn't be a problem for you
  4. Re:That's not your head... by Cato+the+Elder · · Score: 2, Insightful
    A lot of the Linux "exploits" are very subtle, and very difficult to exploit.

    I have to vehemently disagree. That "very difficult to exploit" line is a part of the standard Microsoft vulnerability report. It's crap there, and it's crap here. No matter how difficult something is to exploit, only one person has to figure out how to do it and script it. After that, it becomes easy.

  5. linux / windows security by wiswaud · · Score: 3, Insightful

    I'd say one hell of a reason to say that Linux is more secure, by a long shot, is the control you have over it. A hole exists in IIS, for example, allowing anyone to look at all files on your system. Crackers find the hole and decide to play with it. They might play with it for months, possibly stealing a heap of documents from you. Then someone else discovers it and publicizes it. How much more time before you get a fix from M$? They might first say it's not a hole. Then they'll admit it at some point. Then they'll get to the patch. This is all time during which you either take the risk of leaving your server open, or accept downtime.
    On Linux: first, there are people looking at the code of Apache from outside Apache: it's so much easier to find holes by looking at the code than from the outside (which might be reason #1 that holes make it to things like Bugtraq more often!), so you have a good chance that more people will find the hole, which makes your chances higher that someone nice will be among the bunch, which means it's publicized more quickly.
    Then you can very, very easily down- or side-grade to a version that doesn't have the hole, and in any case, chances are a new version will be out within hours!!!
    So the chances of being cracked are very much lower. And I call that higher security.
    Another thing to consider is the fact that you should look at the holes discovered in, say, only a specific set of versions of Debian 2.2, for example. Then the # goes down significantly. Looking at all Linux bugs vs. Windows bugs would be like having people running ALL builds of ALL Windows versions around the world: wouldn't they find HEAPS and TONS of bugs and holes then?

    If you want to be serious, look at Windows 2k vs Debian 2.2 (again, for example, you pick one), and look at bugs that would actually have had any time period in which it could have been exploited before a fix was available. They weren't serious about this.

  6. Re:Stallman's right, you know... by Lakitu · · Score: 5, Insightful
    Please. that's bad logic. Microsoft doesn't even use the BSD-licensed TCP/IP stack anymore, they wrote their own - and they probably only used it in the first place because it was already done for them. Don't you think they could've written their own code?

    Microsoft does a lot of things wrong, you don't have to go looking for trouble that doesn't exist. You just lose credibility.

  7. thinking with my head... by s4m7 · · Score: 2, Insightful

    ...brings me to an obvious conclusion. A computer system is not made secure by the default settings of the operating system. A computer system is made secure through unending toil on the part of the system administrator.

    Rather than counting the number of vulnerabilities that were reported-- a number easily skewed by the size and knowledgeability of the user base-- the only sure measure would be percentage of deployed systems compromised, a number that most companies would not readily admit.

    The Linux community has more eyes looking at security issues, more hands to post bug reports and more minds to fix them. Source is available for all to peruse, and bug reports come in often and highly detailed. This makes the job of the diligent sysadmin a good deal easier by any standard.

    --
    This comment is fully compliant with RFC 527.
  8. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  9. Re:That's not your head... by Mr+Z · · Score: 3, Insightful

    Even with a script, some things are much more difficult to exploit than others. Some holes require local access, a specific set of configuration options, or some other timing aspect to key off of. For instance, heap-overflow attacks require that the overflowable buffer get allocated next to something interesting, which, depending on the program, may or may not happen the bulk of the time.

    Compare this to a remote-root overflow vulnerability in telnet that merely requires sending 1000 bytes to in.telnetd over a remote link. No local account needed, no special configuration, and works every time.

    So, I'd have to disagree with you -- some flaws are much harder to exploit than others.

    This is why, for instance, people harden their machines in various manners -- making the root fs read-only, removing exec permission for the stack, /tmp (and in draconian circumstances) the home areas, and so on. You lock down as many things as you can, making it less easy to script and mount an attack.

    --Joe
  10. Re:Stallman's right, you know... by snilloc · · Score: 2, Insightful
    They do so get public money!

    Research grants: Medical research grants, DOE Big friggin' laser grants, etc.

    And of course, students are federally supported, and all that money (indirectly) goes to the Univ.

  11. Re:That's not your head... by Cato+the+Elder · · Score: 3, Insightful

    I never said that some flaws weren't harder to exploit than others, I just said that it is invalid to say that a system is secure because its flaws are "hard to exploit."

    A hole that requires local access is less severe than one that does not, because it has a precondition. However, it is still serious, since it means that anyone who can compromise a local account can compromise the entire machine.

    A hole that only occurs with a specific set of configuration options should not be counted as a distribution/package hole unless those are the options it ships with. Issues like this are the reason for the big disclaimer on SecurityFocus about not using the numbers to draw conclusions about the security of an operating system. Also, even given this, it's remarkably easy to write exploits. My home machine sees periodic queries that I'm pretty sure are testing to see if I'm vulnerable to the SSH1 bug.

    A heap-overflow attack can be executed repeatedly by a cron job, as can attacks that rely on modifying files created in the /tmp directory before they are used. Again, this is a less severe case because automated attempts like that are easier to detect, but it is still a security flaw that needs to be dealt with.

    I agree that hardening your machine (for instance, removing the exec bit from stack pages) is a great idea. I think one of the reasons Linux _is_ more secure than Windows is that it is both by default more hardened and easier to harden.

    I suppose part of this is a question of what is meant by "hard." If you mean (as I thought the first responder did) that "it is hard to create an exploit that could work" then I think that that is invalid. However, if you mean "the probability of a well-coded exploit succeeding is reduced" then that does give you some measure of security. The second is the basis behind improving the randomness of sequence number generation in TCP, for instance.
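As an added illustration of the /tmp file race Cato mentions above (an editorial example, not code from any poster or from the projects discussed in the thread), the following Python contrasts creating a scratch file at a predictable name, which writes through whatever already sits at that path, with creation that uses O_EXCL/O_NOFOLLOW or mkstemp and refuses a pre-existing entry. All paths and contents are constructed for the demo, which runs entirely inside a fresh private temporary directory rather than the real /tmp.

```python
import os
import tempfile


def unsafe_create(path: str, data: bytes) -> str:
    # Predictable name, O_CREAT without O_EXCL: if a symlink already sits at
    # `path`, the write goes straight through it to the link target.
    with open(path, "wb") as f:
        f.write(data)
    return os.path.realpath(path)


def safe_create(path: str, data: bytes) -> str:
    # O_EXCL fails if anything exists at `path` (symlinks included), O_NOFOLLOW
    # refuses to traverse a link, and mode 0o600 keeps other users out.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return os.path.realpath(path)


def safe_create_unpredictable(directory: str, data: bytes) -> str:
    # mkstemp picks a random name and opens it with O_EXCL itself, so there is
    # no name for anyone to plant an entry at ahead of time.
    fd, path = tempfile.mkstemp(dir=directory, prefix="scratch-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def run_demo() -> dict:
    # Constructed scenario in a private scratch directory: the predictable
    # name already exists as a symlink to another file in the same directory.
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim.txt")
    with open(victim, "wb") as f:
        f.write(b"original")
    predictable = os.path.join(workdir, "scratch.txt")
    os.symlink(victim, predictable)
    wrote_to = unsafe_create(predictable, b"clobbered")
    with open(victim, "rb") as f:
        victim_after = f.read()
    try:
        safe_create(predictable, b"clobbered")
        safe_refused = False
    except FileExistsError:
        safe_refused = True
    random_path = safe_create_unpredictable(workdir, b"ok")
    return {
        "unsafe_followed_link": wrote_to == os.path.realpath(victim),
        "victim_after": victim_after,
        "safe_refused": safe_refused,
        "random_mode": os.stat(random_path).st_mode & 0o777,
    }
```

The same hardening applies to any program that drops files into a world-writable directory: a cron job that repeats the unsafe pattern hands whoever can pre-create the name a write into an arbitrary file, while the O_EXCL variant simply fails and can be logged.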

  12. Re:Jobs and Wozniak? by PhotoGuy · · Score: 5, Insightful
    For those not taking the time to dig it up themselves, on woz.com:
    I was hurt in later years when I heard that Steve was paid more than he'd told me, and I don't think that I hurt easily. But it was a long time ago and I prefer to get away from it. Steve has always been a good friend to me in many ways more than just palling around. It's so ancient that maybe it didn't happen, and maybe the Atari people that said it and wrote it were wrong in their own memories. I do believe that this is possible. Also, if my own self, or my own children, or my own friends did such a thing in their life, it's easy to excuse it if the circumstances were as I described. It's not 'necessarily' akin to stealing. If there was some dishonesty, I'm over that. Who hasn't done some things that would be considered bad, anyway? I doubt that I'd find such a person interesting.
    Ouch! What a guy! From my perspective, that only enhances my view of Woz, and diminishes that of Jobs. He discovered Jobs probably screwed him, but prefers to make bygones be bygones. Maybe he's just naive, or maybe he's just a great guy (I really suspect the latter). I hope to be that big a man someday about folks who have screwed me over in my career.

    More power to the Woz. He exudes hard work, talent, integrity, caring, and understanding. We should all do so well to live up to that.

    I used to get a chuckle out of the Simpsons' line, regarding the US festival, "the guy from *what* computer?" But the guy was obviously trying to make a difference and have an impact on society back then, just as he does now in more personal ways through his teaching career. He's one of the few real heroes out there in this industry. I raise a glass to you, Woz...

    -me
    --
    Love many, trust a few, do harm to none.
  13. Re:Jobs and Wozniak? by cpt+kangarooski · · Score: 2, Insightful

    Where did you get that impression from?

    The Woz has a decent amount of money, certainly more than I have, but between his giving away stock to Apple employees who were shafted on the IPO, and his divorce, he really hasn't got as much as you'd think. Certainly not compared to billionaire Steve Jobs.

    Woz is young enough still that he likely will spend it all; so here's hoping his new company goes well.

    --
    -- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
  14. Re:Harlan, the ugly truth by KillerKane · · Score: 2, Insightful

    I don't usually take the flamebait, but you're not only wrong, you're so wrong, that as Walter Huston said in "The Treasure of the Sierra Madre", "You're so wrong there's nothing to compare you to!"

    Ellison as a writer is uneven. Some of his early work is brilliant, some is crap. Ellison as an editor is why we're not still reading either space opera or artless thought experiments that are neither art nor literature.

    Dangerous Visions, the series he edited over 30 years ago, broke ground that no one else had the guts to tread upon. More than anyone, he opened the door to the writers who would challenge their readers on levels more fundamental than "Ooh! What if there was a whole world in zero gee..." yadayada.

    He also wrote two of the best Outer Limits episodes: Demon with a Glass Hand and Soldier, both of which won deserved Hugos. So blow me. End of rant.

    --
    There is a thin line between genius and insanity. I have erased that line. -- Oscar Levant
  15. Re:That's not your head... by supersnail · · Score: 2, Insightful

    As someone who works in very large corporations I would say two things are generally true about MS software.

    It is widely deployed in 99% of large corporations.

    It is not used for "betting their entire business" applications in 99% of large corporations.

    MS software is used for word processing, mail clients, non critical web servers, spread sheets, non critical databases and (probably its most important functions) terminal and X windows emulation.

    Applications like warehousing, billing, accounts, order processing, important web servers are run on (in order of usage) OS/390, Sun Solaris, AS/400, AIX, OpenVMS, HP/UX, etc.

    This is all based on personal observation but I am sure most IT professionals working in Fortune 500 companies would agree with these observations.

    --
    Old COBOL programmers never die. They just code in C.