Microsoft's Goal, Security Through Obscurity?
dave cutler writes "Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks." Update: 05/09 13:59 GMT by M : The benefit to customers of Microsoft integrating internet services into the operating system, as well as Microsoft's commitment to security, are exemplified in this article which notes yet another remote root hole in Microsoft's code.
TRILLIAN CONTAINS NO MICROSOFT CODE. THIS IS A FLAW IN MICROSOFT'S CODE, NOT THE PROTOCOL.
WTF was the author on?? HTF can he say this? It's blatantly wrong.
p.s. I'm a Trillian user.
"Evil will always triumph because good is dumb." -- Dark Helmet
Not quite.
More like security through brilliantly designed APIs. See, rather than letting Windows get cracked, MS cleverly designed the APIs to crash the system first. Every time you see a BSOD, you should thank MS that they prevented an evil hacker from taking over your system. And if MS let people see their APIs, they could stop the APIs from crashing the system in response to hack attempts, leaving all Windows users vulnerable with a non-crashing insecure Windows!
-Henry
"Useless organic meatbag" -HK-47
Wow, now that's really something, seeing as how Microsoft doesn't even have the concept of Root.
Having just spent another bad week wrangling with Win9X (wish they'd at least fund 2K upgrades) and SirCam viri, while my *nix boxes just run flawlessly - All I can say is what utter rubbish, bollocks.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Yes, it's true that the security through obscurity claims of MS seem like blowing smoke, but obscurity is an accepted security paradigm. Any CS course in security oughta mention it, and you can read about it in "Security in Computing" by Pfleeger. It's always been my stance, however, that MS is taking the obscurity stance to propagate their business model and NOT to better security.
Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.
It would. It's not a good excuse, but it is true. In the short term, Microsoft cracks would increase.
...that they are partially correct and justified in hiding certain secret keys as ways of preventing unauthorized use of products.
But that's an oversimplification that I'm afraid the lawyers and the court won't be able to clearly pick apart. Even the Microsoft VP testimony about the issue was sprinkled with constant reminders that this was "a confusing" technology. It is confusing. But it's essential for everyone to understand what its purpose is and how it can be misused, too.
The part that rubs the wrong way, of course, is that the exact same arguments could be used to prevent a competitive implementation of an interface that Microsoft wants to own for themselves.
"Provided by the management for your protection."
"I guess it's a matter of how hard you make it," Allchin replied. "We have to work on our reputation for security in the marketplace." from Jim Allchin, who oversees the Windows operating system.
Gee ... I guess that's why there's so FEW reported news stories about the hacking of Windows ... and so MANY stories about the hacking of Linux.
Karma? Karma? I don't need no stinkin' karma.
*pauses to wipe coffee off monitor*
Three arguments against Microsoft's position: .Net was released to the wild before the "official" .Net specification.
Nimda.
Code Red.
The fact that a virus framework for
No, I don't believe them, not for a second. I'd sooner trust an armada of politicians and their attendant [strike]lackeys[/strike] lawyers.
'Nuff said.
All the world's an analog stage, and digital circuits play only bit parts.
I'm going to hide a cookie in this glass cookie jar over there. If I find out that you ate it, I'll just have to put a new cookie in the jar and hide it somewhere else.
I firmly believe that software should be held accountable to liability laws and consumer rights laws. Microsoft has repeatedly fought laws designed to provide these protections and re-written their EULAs to provide no liability whatsoever. Compare the EULA for MS Office from 1995 to today's. About ten times as long, with each additional page reducing their liability and increasing yours.
More FUD from Microsoft. Their legal department must have more employees than their coding department by now.
hmmm... I think I'm going to write a book. And then, on page 156, I'm going to include my IP address and root password. And then, I'm going to make sure that every copy of the book has its covers bound tightly together so that it can not be opened without extreme difficulty. Then I'm going to sell the book for $50 a copy (aw hell, why not make it a hundred). And then, if anyone who buys my book actually tries to open it, I'm just going to have to sue them for every penny they have because, goddammit, my root password's in there (didn't they read the EULA that came on the complimentary bookmark?).
lysergically yours
One word: Debian.
Put security.debian.org in your sources.list conf file, and then the standard 'apt-get dist-upgrade' procedure will simply, automagically plug those naaaaasty holes. Debian might not be the best distro for everything, but it's great security-wise for a reason.
-- B.
This sig does in fact not have the property it claims not to have.
Microsoft is clearly ignoring history here. They should learn from the example of one of the oldest open-source programs out there. Clearly if there are lessons to be learned, we should learn from this piece of brilliantly designed software.
Of course, I am speaking of Sendmail.
Oops...
Sometimes it's best to just let stupid people be stupid.
The OSS community typically acts a lot more quickly than Microsoft has on security problems... when security flaws are found on Windows the patches usually take longer to release.
Also... security flaws under *NIX systems usually are limited to one service... not the Internet Explorer/Outlook Express/MS Messenger Core OS holes that seem to plague MS since everything is so entwined.
Somebody should maintain a list of executives at large companies and specifically bomb them with these 'sploits as soon as they become available.
I think that the IT departments of large companies do their jobs too well -- the executive never realizes just how vulnerable they are with MS products.
If we bring the problem home to the people that make decisions, then there will be top-down sponsorship of better computing environments.
The computer will crash before an exploit can be used anyway, thus proving once again Windows is far more secure than that *other* OS which some people run for years at a time.
If Bill Gates had a nickel for every time Windows crashed... Oh wait, he does.
Just how much easier can they make it? You can already walk right in the front door whistling Dixie with the way things are currently. It's scary - they're admitting that their APIs are so full of holes that it can be that much worse than it already is. It's not like they're trying to make crackers work for it - they sneeze and a new crack is born. At least with open APIs the public will be exposed to how atrociously bare bellied Microsoft really is and perhaps either:
A. Put serious legal pressure on Microsoft to fix them.
B. Switch to Linux, FreeBSD or MacOSX.
C. Dump computers altogether and move to Tibet.
>>
Jim Allchin, who oversees the Windows operating system, said that disclosures sought by the states "would make it easier for hackers to break into computer networks, for malicious individuals or organizations to spread destructive computer viruses and for unethical people to pirate" Microsoft's flagship software.
>>
Bill Gates can't be a borg. Nothing that is part machine could tolerate such inconsistency. Only humans can say that 1=0 and believe it.
Yes Sendmail had some atrocious holes. Yes it seemingly took forever to get them fixed.
But c'mon we are talking about a program that at best was running on tens of thousands of machines during its worst security times. As Sendmail usage has gone up so has the security it has offered. Comparing to a hole in a client that is deployed on millions of computers really isn't fair.
--- I do not moderate.
In an advisory today, Eeye warned that the flaw in the "MSN Chat OCX control" enables an attacker to "supply and execute code on any machine on which MSN Messenger with the ActiveX is installed."
In other words, if those components are installed, even if you don't use them, you are at risk. You're right, it has nothing to do with Trillian.
The author is right, completely right. Try reading next time.
Am I missing something here? How is it that opening up the API creates a security flaw? I can maybe see them saying that giving away their source will, but how is an API going to? The API is just how to talk to the machine. Unless their API contains something like "let me do anything I want on the target machine", how does this cause a security breach?
"The more creators of viruses know about how antivirus mechanisms in Windows operating systems work, the easier it will be to create viruses or disable or destroy those mechanisms," Allchin testified.
Allchin also warned that if Microsoft were compelled to disclose all the APIs and technical information the states are asking for, digital rights management would be compromised.
From Tuesday, news.com http://news.com.com/2100-1001-900905.html
It may sound silly and idiotic, but I wonder what could happen if some open-source company or just any individual buys Windows source code. Or just the APIs. Or whatever they sell (because they DO sell their source code, obviously under heavy NDAs).
:)
Now, what would happen if this individual releases it in the wild? Surely he will get fined, blah blah blah. But it would be too late - he will be a martyr, and the entire world will know about the windows source code.
...anyone wants to donate me 1 euro cent?
crazy cheers
-- There are two kinds of sysadmins: Paranoids and Losers. (adapted from D. Bach)
err no..
http://www.counterpane.com/crypto-gram-0002.html#PublicizingVulnerabilities
But the point is Windows was made with the idea of it being a closed system. So they would have to fix many many security holes before they opened up their code. And everybody would have to update their Windows too.
However, what most people miss is that obscured code STILL needs to be audited by a neutral third-party. This is where Microsoft fails - they don't appear to have their code audited. Or, if they do, their auditors should be fired.
Security through obscurity should also not be your ONLY parameter. An obscured system should still be using encryption, should still be testing input, and shouldn't have any buffer overflow exploits.
Obscurity can be used effectively. It's not a do-all, be-all, and end-all.
..were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.
Wow, so releasing APIs and protocols would give too much information about how the system works so people can hack into it. Thank god no operating systems take this a step further and release their entire source code or people would be hacking into them like an axe through butter!
Outdoor digital photography, mostly in New Engl
If these security vulnerabilities are so easy and obvious from reading the APIs, then why can't Microsoft's programmers find and close the security holes before someone finds them? Don't they read and adhere to their own APIs?
If releasing the APIs means someone is going to easily figure out a way to damage the system, that just demonstrates that Microsoft isn't even trying to secure their products.
Darth --
Nil Mortifi, Sine Lucre
"In an advisory today, Eeye warned that the flaw in the "MSN Chat OCX control" enables an attacker to "supply and execute code on any machine on which MSN Messenger with the ActiveX is installed."
As a result, even non-active Messenger users, or those who access the service using a third-party product such as Trillian, should upgrade to the new MSN Chat control.
'The attack doesn't happen through the chat client, so as long as you have MSN Messenger installed, if I send you a special URL, I can own you,' said Marc Maiffret, Eeye's 'chief hacking officer.'"
i'm sure marc actually said, "1 c4n 0wN j00," but the washington post author didn't know what the hell he was talking about.
---
I'm just an ordinary man with nothing to lose.
"....frequent security flaws in Linux and Apache. To continue the analogy, there are so many holes, it looks like a golf course."
I'd rather have a golf course (18 holes per 40 hectares) than swiss cheese (18 holes per pound).
Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
On DOS boxen (including, of course, all the non-VMS derived Windows releases, which boot COMMAND.COM and are thus DOS based) all local users are root superusers.
Proof of concept: On a Windows 98 machine, cancel the "windows login" and start a DOS session. Now delete the entire filesystem (including hidden, system, and read-only files). Tada, it works, you are ROOT.
On VMS-derived windows (such as all versions of Windows NT and of course Windows 2K) the root superuser account is named "Administrator" and is directly analogous to Unix "root"
One of the reasons MS can't effectively compete against linux and the BSDs in the server market is that their systems include this same fatal weakness. At least *nix is stable!
Incidentally, now that linux has "capabilities" built into the kernel, and Linus wants to put a resource handle into the filesystem API, the groundwork has been laid to get rid of this stupid root superuser concept and create a real successor to Unix rather than just a clone. Hopefully linux (or perhaps the Hurd) will one day incorporate all the strengths of Unix while jettisoning ancient kludges like "root" and the primitive "rwxrwxrwx" access control system.
--Charlie
While none of us here will disagree with the fact that there are programming flaws in Linux and Apache, the time from discovery of a flaw to the fixing of it is MUCH shorter compared to the "it's-my-toy-you-can't-play-with-it" attitude of Microsoft.
The ONLY way Microsoft is going to reduce the number of successful hacking attempts, is to LISTEN to the people reporting the flaws and fix them in a timely manner, with respect to the severity of the flaw. If one person can create the problem, sure enough, another one will find it as well. (I believe that there was an exploit published a couple of months ago, and MS had the info for about 6 months and did nothing, until the report was published ... but I don't know the reference off-hand.)
My objection has always been that almost all of the most popular viruses, hacks, and backdoors have been discovered or created by accident.
Ahhh ... people "thinking outside the box" ... you have to like these people. As a programmer, I rely on these people to "shore-up" my code. Hopefully, these people will be in the testing department, and not the end user.
Karma? Karma? I don't need no stinkin' karma.
Microsoft Reveals Anti-Disclosure Plan
(emphasis in original)
Sig: What Happened To The Censorware Project (censorware.org)
I'm not running Windows, so I don't remember where it stashes the GUIDs for lookup. HKEY_LOCAL_MACHINE\Software\Classes might be a place to start, or you could wade through all the links an "ActiveX registry" search on Google will get you in order to find something more adequate.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
this says more about your skills as a Linux user / admin than the security of the box.
Computer Science is Applied Philosophy
I wonder if it is a coincidence? The poster of this article. There is a Dave Cutler at Microsoft who used to be the lead designer of NT who used to be the lead designer of VMS. There is an interesting Urban Legend about that too.
This is a boring sig
My objection has always been that almost all of the most popular viruses, hacks, and backdoors have been discovered or created by accident.
These bugs are not discovered by accident. There are people (both good and bad) that spend many hours a day looking for these exploits. They do everything they can to find cracks in the armor of any package (be it Slashdot, windows XP or whatever).
And when the good guys find it, they publish information about it so it can be quickly patched and fixed. If the bad guys find it, then it gets posted where the script kiddies can find it. Under no circumstances think that these holes are found by accident. That's as crazy as thinking that a high school student can sit down and guess the root password at NATO in three tries.
Now that I've done a little research, I see this as a naive view. For one thing, it doesn't explain the frequent security flaws in Linux and Apache.
All programmers write security holes at some time in their life. Having a buffer overrun or a security hole is not exclusive to Microsoft programmers, everybody does it.
The thing that you fail to understand is that since the same security flaws are going to exist in both open source and proprietary software, the security risk is the same for both sides. But, if the open source is openly available, then the white hats can quickly attack it and publish the exploits before the black hats have a chance to use it.
For proprietary software, the crackers need to wait for the software to go into the wild. Once it is widely distributed, then they start attacking it slowly. The white hats start examining it too, but without the benefit of the code, they can only move as fast as the crackers. Sometimes the good guys win, and the exploits are published (and hopefully fixed). Sometimes the bad guys win, and you get a Melissa virus.
This suggests that it is far more harmful to publish this info (which really isn't helpful to users anyway) than to keep it secret, where it can do no harm.
Don't for a minute think that obscurity is going to prevent an exploit from being discovered and used. The only thing obscurity can do is prevent somebody from finding the bug, and informing the proper people so that it can be fixed before further damage can be done.
All programmers make mistakes. You can either hide those mistakes away and wrongly hope that somebody isn't going to find it, or you can get your mistakes exposed to the world and get them fixed quickly and efficiently.
Do you have Linux and a DotPal? Click here now!
It's a good thing OpenBSD doesn't provide a good amount of detail about their protocols and APIs. Otherwise, it might become vulnerable to crackers real quick.
It really irks me to no end that every piece of software you ever seem to get off the shelves seems to follow the same thought as a downloaded product that you can patch it up as you go.. (take windows-update for example) and I always end up feeling like I am endlessly beta-testing everything, down to my OS (luckily I run windows under vmware, so at least it reboots faster).. So as far as security goes in MS products, because I treat it as an endless "beta" and the fact that off the shelf, windows seems to barely work, I am not surprised as each new security hole comes up. In all reality, the fact that they obscure everything seems to make people all the more interested in digging around in it. just my 2-cents..
anime+manga together at last.. in real time.
From Jim Allchin: "We have to work on our reputation for security in the marketplace."
Yes, that's it, it's a public relations issue. I guess the idea of FIXING THE GODDAMMED SOFTWARE hasn't occurred to him.
Stop-Prism.org: Opt Out of Surveillance
It's my impression that those holes are, in the large majority of cases, discovered by people auditing and examining the code. The auditors then publicize the flaws. I frequently see advisories of the form, "no known current exploits, but..."
On the other hand, security flaws in Windows seem to become publicised when they are used in an attack, too late for many.
PHEM - party like it's 1997-2003!
"For one thing, it doesn't explain the frequent security flaws in Linux and Apache. To continue the analogy, there are so many holes, it looks like a golf course."
From the SecurityFocus vulnerability db:
IIS since 5.0 - 56 entries
Apache since 1.3.17 - 7 entries
Your argument is flawed at best, outright FUD at worst.
LEXX
"Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
Any large corporation can tell you where true security lies:
Security through obesity
Sure, they'll say they are fit and nimble - they can change their direction quickly, squash bugs in their code in record time, etc. But the truth is that only corporations large enough to squash evildoers, such as those who find bugs, can truly be considered 'secure'. You'd be surprised at how much more information would be out now if certain people didn't have that 800lb gorilla breathing down their neck...
-Adam
There probably are more news stories about *hacking* linux than *hacking* windows (although how many of these are news it's difficult to say). Cracking, well maybe that's a different matter :P
For a laugh I did a quick google search and it seems there are more sites for Linux than Windows but I doubt you can read too much into that.
Think about your average consumer who goes into a store to buy a computer. This person goes in thinking that buying a computer is like buying a TV or stereo. Basically, plug it, turn it on, and it works fine. It's another appliance to them. Little does this person realize that they have just bought themselves a piece of Systems Administrator Hell! What with the barrage of upgrades (read patches) to Windows and IE. Now couple that computer with Broadband and its always on connection to the internet. Now they have to worry about Viruses, SPAM and the script kiddie down the street trying to use their PC in an attack on EBAY or Yahoo. So much for the PC and the internet making life easier!
"Luckily for Microsoft, it's difficult to see a naked emperor in the dark."
--- Ted Lewis, (former) editor-in-chief, IEEE Computer
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
When asked about opening up the Windows API, a Microsoft VP testified that doing so would be bad, since it would allow folks to clone Windows.
Now, out of the blue, Salon decides that opening up Windows would also make it more vulnerable to attacks (is that anything like "more pregnant", btw?).
Can't you just picture the guy leaving the courtroom and saying, "D'oh! I shoulda said that it'd lead to more viruses, too! (Dials Phone) Hello? Salon editor's desk?" ...
mmm... yeah... You see, we're putting the cover sheets on all TPS reports now before they go out...
For those who don't know yet, VBA virii exist just due to a single function. Something called CopyFunction (or something like this), that copies a function from a document to another. If MS removes this function no VBA virii will ever exist again.
Note that this function is very well documented and is not hidden anywhere, all you need to do is search at VBA documentation.
Now is MS insecure due to obscurity or is it insecure anyway? Maybe that conspiracy theory that MS owns Antivirus software companies is right.
-=-=-=-=
I know life isn't fair, but why can't it ever be un-fair in MY favor!?
And Microsoft still crashes a lot.
You are running some program and do something interesting, like accidentally pasting a text document onto a URL and something crashes. Ah. Try it again. OK, if it is over 4800 or so bytes it crashes, bring up the debugger. Ah, at 4894 is the stack where the IP...
Here is the specific difference between closed and open models.
If I find it on Microsoft, about the only thing I can do is write a sploit for the skript kiddiez. Of course I can contact Microsoft, but they won't respond for the shorter of 4 months, or when the skript kiddiez get going. Even then it usually takes two weeks for a hotfix that breaks half the software on the server, and then another two weeks for a fix for the fix that I can apply. [Don't worry, I haven't run anything from Microsoft for several months and hope to stay Microsoft Free as much as possible].
If I find it on GNU/BSD/Linux, I pull up the source, add a test or whatever I deem appropriate and send a patch with a description of the problem and fix to the maintainer along with a little chiding about how embarrassing it should be to have such a hole. And the minor version is incremented the next day, so everyone doing apt-get regularly won't be affected, and in a few days every distribution will have it added to the security update section.
Even if I had the source to Micros... I probably wouldn't have enough to recompile or fix things. I could find the line of code causing the problem, but anyone who can write a sploit can read disassembly.
Microsoft's integration makes the problem worse since any problem with what should be middleware runs in the OS. A Netscape flaw on Linux wouldn't get you root (at least not directly - you would have to find a suid flawed program). But any problem with Outlook and/or IE gives you more than enough to cause problems.
Again, and to summarize, any software defect has a good potential to be exploited, without the source, so simply running something until it crashes (at least on MS) is a much more productive way to mine for exploitable security holes than reading through the source. The integration within MS software (the browser is part of the OS) makes the OS vulnerable because it includes the middleware, making it much larger and more complex (a flaw in IE thus *IS* a flaw in the OS), and as such cannot be sand-boxed easily.
Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.
I'm not sure about the depth of the State's API and protocol information requests, but this is a perfectly valid statement if you assume detail means code, and it applies to OSS as well. By providing your source code, you provide black hats with an easily accessible opportunity to find your mistakes and use them against you. This is a fact you cannot avoid.
Of course, just describing how your protocols or APIs work should not be a security risk in most cases, unless MS has cut too many corners. As to whether we would see a noticeable increase in MS exploits, your guess is as good as mine.
"The area of penetration will no doubt be sensitive." ~ Spock
The idea that you can have users that are not admins but at the same time can make some changes (i.e. power users) is a good idea.
Using a nix system requires having absolute permissions make me nervous, even when I have the root account
Again.. if they weren't a monopoly, it would be a non-issue. Could you imagine an embedded systems OS company refusing to reveal their APIs? I mean, the API *IS* the product.
Why yes, yes you do. You have to work on the fact that you have a reputation for not having any security. There is a two step plan which is the only effective way to build that reputation in today's world:
Anything else is just masturbation, which I enjoy, but not when we're talking about securing systems and networks.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
but if they don't they shouldn't be allowed to market products that get an unfair advantage by using the undisclosed information.
The race isn't always to the swift... but that's the way to bet!
I'm sorry, there seems to be a typo in that sentence. Shouldn't there be a "not" or "doesn't" in there somewhere?
Got Rhinos?
are unprofessional and completely asinine. The articles are completely unrelated. Did Michael even read the article he attached before his mindless masturbation about "yet another remote root hole?" Windows has no concept of "root." What in the fuck is he babbling about? The article he attached is about Microsoft alerting customers about a hole. The title is "Microsoft Warns of Critical Instant Messaging Flaw." There is absolutely no mention of integration with Microsoft's operating system. Why the hell does he insist on bashing needlessly?
Dijkstra Considered Dead
Of course I can contact Microsoft, but they won't respond for the shorter of 4 months
Obviously you have never really contacted Microsoft, because they take security issues very seriously, and usually respond back to you within 24 hours (if you've discovered a real security problem)
Even then it usually takes two weeks for a hotfix that breaks half the software on the server, and then another two weeks for a fix for the fix that I can apply.
I don't know about you, but I've never had a hotfix on XP/2k/NT4 break anything. Follow the directions and it works fine.
Not All Who Wander Are Lost
That's NOT to say that OSS/FS is automatically more secure. But even proprietary vendors often describe their APIs and protocols, without claiming that this information will cause security problems.
Hiding the APIs and protocols has little hope in making a program secure if the program is widely available to attackers anyway. Attackers will just examine the software directly. What secures programs is diligence by the developers, combined with serious security review by independent people who know how to review software. Trying to hide the APIs and protocols is just begging for trouble, because then you won't get much help from the "good guys".
The cryptographic community learned this years ago; look at the process that was used to develop the Advanced Encryption Standard (AES). Clearly an encryption standard is critical for security, yet the standard was publicly analyzed for quite some time.
- David A. Wheeler (see my Secure Programming HOWTO)
Redhat comes with those things secured via xinetd and iptables - at least 7.3 does
The ultimate network admin tool needs HELP!
I have already stated this. The vendor should specify the security level rating of the product. That is, offer some limited warranties.
Microsoft you offer their products for home desktop users at a NO WARRANTY AT ALL level, same as with Open Source.
But competing firms in biz markets (say Sun, or whoever) could offer some higher security product (implied warranty, or public scrutiny of the source, private audition, etc). And financial firms, banks and the government should be forced to use products like this.
For Open Source, it would mean that companies would be able to audit the code for money and release them back for us. Also, they could provide warranties, or "prompt response" (warranty to solve an issue in a given timeframe), etc.
unfinished: (adj.)
There are disassemblers available that show you what's REALLY in your code.
:-) These T00LZ make life so much easier.
They'll overlay a linkage symbol table file if you've got one but it's just a suggestion (obfuscation?) Some will let you overlay multiple symbol tables and create concordances between versions.
3L33t HAXORZ don't need no stinkin' symbol table.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
It sounds like you're talking about 'dselect', which is horrible, but has become obsolete since apt-get.
Need a program? 'apt-get install programname'
Need the source? 'apt-get source programname'
Patch and compile? 'dpkg-buildpackage'
Remove a program? 'dpkg --purge programname'
How hard is that?
And/or use the GUI wrappers around apt-get mentioned by Scooby Snacks.
--- Hindsight is 20/20, but walking backwards is not the answer.