Reflecting on Linux Security in 2003

LogError writes "Here's a look at some interesting happenings with Linux security in 2003 with comments by Bob Toxen (one of the 162 recognized developers of Berkeley UNIX and author of "Real World Linux Security") and Marcel Gagne (President of Salmar Consulting, Inc. and author of "Linux System Administration - A User's Guide" and "Moving to Linux")."

IP Theft and The Linux Community

The Linux community likes to hide behind the mantra of free and open
software for all and as such has the twisted mindset that all software
should be free for everyone. This should come as no surprise seeing
that the Linux community seems to take pride in stealing anything they
can get their hands on and breaking laws designed to protect IP at the
same time.

Linux users have been advocating downloading Microsoft True Type Fonts
for years mostly because their own fonts and font system in general
has been so horrific that Linux screen fonts in most stock installs
are almost unreadable. Of course they will claim that Linux fonts are
great but if that were really the case why is the internet clogged
with Linux Font DeUglification documents written by Linux users?

They even have documents that give a step by step procedure for
stealing the Microsoft fonts and installing them on Linux systems!
Notice in particular the instructions for the Tahoma font.

http://www.tldp.org/HOWTO/mini/FDU/truetype.html
http://corefonts.sourceforge.net/

Next we have Linux users violating the EULA for the X-Box and
tinkering with it so that it can run Linux.
Why on earth any sane person would want to take a bitching game
machine like X-box and ruin it by installing Linux is a mystery to me.

http://xbox-linux.sourceforge.net/index.php

http://xbox-linux.sourceforge.net/faq.php

Pay particular attention to the question about it being illegal and
how they avoid answering the question.

They are also doing the same thing with Sony Play station as well.

http://playstation2-linux.com/faq.php

None of this is going to hold up in a court of law and the Linux
people who are leading these projects are looking for some serious
trouble should Microsoft and Sony decide to pursue this matter.

Finally we have the suit filed by SCO which claims that the Linux
community at large has incorporated stolen code into it's open source
programs.

http://www.eweek.com/article2/0,3959,936269,00.a sp

This should come as no surprise to anyone who has followed the Linux
movement from the day Linux wrote the kernel.

The Linux community has proven themselves to be a fight to the end,
steal whatever can be stolen from big business because it is big
business that is killing Linux.

The Linux community has absolutely no respect for the property of
others and will resort to any type of clandestine tactics to steal
whatever isn't cemented down all in the good name of Linux.

So if you are thinking of betting your business on Linux software, you
had better think it over carefully, because if SCO should win, Linux
will be out of business.
And if SCO should lose, do you really think it is wise to bet your
entire business on software that is supported by a community that
promotes stealing and in fact is full of thieves?

Food for thought.

Re:IP Theft and The Linux Community

[ottawanker]

They even have documents that give a step by step procedure for stealing the Microsoft fonts and installing them on Linux systems! Notice in particular the instructions for the Tahoma font.

http://www.tldp.org/HOWTO/mini/FDU/truetype.html

Your link is bad, it should be
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other- formats/html_single/FDU.html#TRUETYPE

Also, from the HOW-TO, "TrueType is a registered trademark of Apple Computer, Inc.", not Microsoft. I'm not sure if the 'Tahoma' font in particular is property of Microsoft.

Just thought that you should know.

Re:IP Theft and The Linux Community

[xirtam_work]

Actually TrueType is an Apple invention and the trademark is properly credited. The Tahoma font is the property of Microsoft, as is Arial and many other fonts.

Re:IP Theft and The Linux Community

Actually TrueType is an Apple invention and the trademark is properly credited. The Tahoma font is the property of Microsoft, as is Arial and many other fonts. Properly credited in the HOW-TO, yes, but not in the great-grandparent's Anonymous Coward's post, where (surprisingly) nothing about Apple is mentioned.

Re:IP Theft and The Linux Community

.. Linux community seems to take pride in stealing anything they can get their hands on and breaking laws designed to protect IP at the same time. ..
Linux community has absolutely no respect for the property of others and will resort to any type of clandestine tactics to steal whatever isn't cemented down all in the good name of Linux.

Oops .. s/Linux( community)+/Microsoft/ ..

.. Microsoft seems to take pride in stealing anything they can get their hands on and breaking laws designed to protect IP at the same time. ..
Microsoft has absolutely no respect for the property of others and will resort to any type of clandestine tactics to steal whatever isn't cemented down all in the good name of Microsoft.

There, now accords with reality, as documented in various trial records.

.. the day Linux wrote the kernel.

A kernel that wrote itself. Cool!

Re:IP Theft and The Linux Community

[sould]

My God you are a useless troll.

You say:

a step by step procedure for stealing the Microsoft fonts and installing them on Linux....

Then you link to http://corefonts.sourceforge.net/

Which has a copy of the microsoft licesne the fonts were obtained under:

Reproduction and Distribution. You may reproduce and distribute an unlimited number of copies of the SOFTWARE PRODUCT; provided that each copy shall be a true and complete copy, including all copyright and trademark notices.....

Re:IP Theft and The Linux Community

[imroy]

Hi Mr McBride, welcome to Slashdot :)

Re:IP Theft and The Linux Community

[ninewands]

Quoth the poster:

The Tahoma font is the property of Microsoft, as is Arial and many other fonts.

And there is a certain subset (I forget the exact fonts) of Microsoft's proprietary fonts which are freely licensed for use by anyone who has a capability to use TrueType(TM) fonts in their OS. The collection is referred to as WebFonts, I believe, the licensing exists to encourage people to use the fonts on web pages (and by extension, to encourage use of Front Page), and the collection includes, Arial and its derivatives, Tahoma, Verdana, Times New Roman, and others. These fonts have been freely available for all to use (but not redistribute) since at least 1999 ...

So, where's the "theft?"

Re:IP Theft and The Linux Community

[swillden]

Why on earth any sane person would want to take a bitching game machine like X-box and ruin it by installing Linux is a mystery to me.

We know you don't understand.

Your lack of understanding doesn't cause us to lose any sleep, though. We're fine with it.

Re:IP Theft and The Linux Community

[infiniphonic]

this guys just pissed because he couldn't figure out how to make a swap partition.

One thing's for sure..

[qewl]

It's better than Microsofts! Sorry, I do not mean to troll..

Re:One thing's for sure..

[NanoGator]

"It's better than Microsofts! Sorry, I do not mean to troll.. "

Ah. Little low on karma then?

Re:One thing's for sure..

[Elektroschock]

Listen what Ms say in its advertisements about Linux Server security:

Take a look at the german MS advertisement

- no GUI for linux server on old hardware
- authentification with uncrypthed text as default
- no Kerberos support
- no smartcart authentification support
- no public key infrastructure with directory service
- no default cryptho file system

translated "the protection of sensitive business data can only partiell be done with Linux"

- bug fixes by "free will" contributors (may be okay for hobby applications, not for sensitive business data)
- few professional trained specialists

- Linux as a problem and cost trap

--- don't tell me this is FUD :-)

Re:One thing's for sure..

[Schugy]

Maybe I dont use my smartcard for the login, but I use HBCI ( home banking with smartcard ) with moneyplex ( http://www.matrica.de ). I guess thats quite secure. Schugy

It's been great

[puffing_billy69]

I've heard about vulnerabilities in a timely manner, and been able to patch them similiarly.

I haven't been r00t3d.

Sweet.

Re:It's been great

[danidude]

I haven't been r00t3d.

Too bad Debain can't say the same thing :)
Sorry, couldn't resist. I'm a Debain user myself, and I think the wayt they handled the thing was very brave and honest.

Re:It's been great

[puffing_billy69]

Yeah, even though a couple of distributors got broken into, well, it happens when you're on 24/7 and known quite well.

Even though I said I found out about vulns in a timely manner, there was still a window of opportunity for me to get 0wnz3r3d. I credit the community for making me aware of things like the OpenSSH vulnerability - Linux isn't self securing on it's own - but if you keep your eye on the ball, you can keep your Linux machine pretty damn secure.

Nice idea (?)

[Elie+De+Brauwer]

Quote from the article: SecurityFocus columnist Hall Flynn notes that he doesn't understand why Linux vendors that put so much time and money into creating security patches distribute them for free. --> Just imagine the amount of e-mail worms there could be out there if people would have to pay for outlook updates.

Re:Nice idea (?)

[The+One+KEA]

Forcing people to pay for security updates would be so incredibly stupid that it would guarantee the insecurity of even more Internet-connected machines than right now. I think that security updates for ANY OS or application, irregardless of the status of its source code, should be free and available for everyone.

Re:Nice idea (?)

[Elie+De+Brauwer]

Indeed in fact it is the fault of the author, and if someone does something wrong, the only sane thing to do is to try to correct the mistake as quickly as possible.

Re:Nice idea (?)

Hal Flynn has apparently never read the GNU GPL.
Any patch on a GPLed software has to be under the GPL itself, and thus charging for it will be quite pointless: once someone has payed for it, he can redistribute it freely, including for free.
And since the patcher has to distribute the patch source, the patch can readily be included into the original source code...

So Hal Flynn's idea is not only discutable rearding the responsibility of the vendor, it is also legally incompatible with the free software licensing scheme.

Try again, Hal.

Re:Nice idea (?)

[wo1verin3]

It is however within the authors rights to release a non-GPL version of the software that doesn't have the same bug or exploit.

Re:Nice idea (?)

[Mostly+a+lurker]

I think that security updates for ANY OS or application, irregardless of the status of its source code, should be free and available for everyone.

I am not disagreeing, but there is an implied assumption in your post: that fixes are always available. A serious security issue will rapidly be fixed in any widely used open source product. With closed source products, provision of a fix is at the whim of the vendor, and serious security exposures can sometimes go months without a fix.

Re:Nice idea (?)

>>It is however within the authors rights to
>>release a non-GPL version of the software that
>>doesn't have the same bug or exploit.

It is certainly not what I read in the <a href="http://www.gnu.org/licenses/gpl-faq.html#GPL RequireSourcePostedPublic">GPL FAQ</a>, if the release is based on the original GPL'ed source code, you can't do that.

---
Does the GPL require that source code of modified versions be posted to the public?
The GPL does not require you to release your modified version. You are free to make modifications and use them privately, without ever releasing them. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization.

But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the program's users, under the GPL.

Thus, the GPL gives permission to release the modified program in certain ways, and not in other ways; but the decision of whether to release it is up to you.

Re:Nice idea (?)

[Tim+C]

And it's even more in the vendor's best interest to get security holes patched as quickly as they can, as too much negative press about such things will lose them sales to competing products.

Re:Nice idea (?)

[The+One+KEA]

I think you just agreed with me....

What I was trying to say was that irregardless of whether or not the OS or application in question has source available or not, when a security problem is discovered involving one of those items, the fix should be written, tested and made freely available without expectation of renumeration. Especially in the case of OSS security fixes.

I don't mean to beat a dead horse here, but that's another advantage of open source: when security problems appear, the fixes for those problems are more likely to be available.

Re:Nice idea (?)

[kfg]

Well I don't understand why a software vendor might think it reasonable to charge to correct inherent design flaws in their product.

We're not talking upgrades here, more like a recall.

There are aspects of the software industry that would be considered just plain daft, or even criminal, in any other.

KFG

Re:Nice idea (?)

[Cody+Hatch]

Mmm, your close. More correct would be:

Forcing people to pay for security updates would be stupid IF it guaranteed the insecurity of a greater number of Internet-connected machines.

You are, of course, assuming that a smaller percentage of people will install the available patches if they have to pay - which is obviously true. You are also assuming that nobody will be lured to write a patch for an unsolved vulnerability by the thought of large piles of cash, which is obviously incorrect.

To put it another way, by limiting the price to zero, you will cause a shift in both the quantity demanded and the quantity supplied. When there is a shift in both, you can make no conclusions about the net effect on the equilibrium point. :-)

In *general*, it would be quite silly to charge for a patch to Apache - but its easy to imagine a specific case (maybe a remote root exploit) where volunteers might be able to deliver a patch in 36 hours, but someone might be willing to pay for a patch delivered in 12 hours[1], even knowing that another 24 hours would give them a comparable patch for free.

In that situation, how could you possibly argue that banning payment (meaning there won't be any patch for the full 36 hours) possibly do any good? Or for an even better example, what about for a program so old and/or obscure it simply won't BE patched if someone doesn't pay?

[1]: Feel free to substitute your own times if it makes the example seem more realistic to you. Hours, days, weeks, minutes.

Re:Nice idea (?)

> Mmm, your close. More correct would be:

Once again:

Your == possessive form of 'you'
You're == YOU ARE

You STUPID, fucking, illiterate American. :p

Re:Nice idea (?)

[Elektroschock]

Securityfocus belongs to Microsoft, that seems to be very likely. They don't seem to be experts in It security.

Re:Nice idea (?)

Also open software only stops being updated when intrest dwindles in the project. As opposed to a company deciding its not cost effective to support X product(Despite users still using X product), Windows 98 being a good example.

Re:Nice idea (?)

[jonadab]

> You are also assuming that nobody will be lured to write a patch for an
> unsolved vulnerability by the thought of large piles of cash, which is
> obviously incorrect.

It's also obviously irrelevant. The entity supplying the service will collect
the fees whether any given specific patch is released in a timely fashion or
not; the person(s) creating the patch has no way to collect any of that money.

If the software is open, the problem will be patched by someone who is motivated
to create the patch because they use the software and don't want to be
vulnerable. Yes, there are people who might be motivated by the money, but
not with the same panicked this-has-to-be-done-YESTERDAY motivation that will
possess the admin of a mission-critical system left open by a vulnerability.
Also, the people who are most familiar with the software (and therefore best
able to patch the issue) are the people who already work with the source code
on a regular basis -- so (in the case of open-source stuff) they're obviously
already motivated to work on the software in question.

With proprietary software, the only people who could fix the problem would be
the employees who are already paid to work on the software, and they'll do it
when (or if) management says so. Any money that the company collected from a
security patch service would almost surely not make it into the pocket of the
employee who fixed the problem. It would be *possible* for a company to have
a program that fed bonuses to employees who come out with the first viable fix
for vulnerabilities, but it is by no means a foregone conclusion that this
would be any more likely to be the case if fees were charged to the end users
for an security update service.

Anyway, any possible benefit in reduced response times would be far outweighed
by the many, many systems that would go unpatched due to lack of funds for the
security update service. The obvious solution to this (for commercial
software) is to include an n-year subscription with the price of the software.

For open-source software, I'm thinking a bittorrent-like solution to _reduce_
the bandwidth cost of the update server is preferable to a subscription fee to
offset the cost. Incremental binary patches from one specific version to
another might potentially be a bandwidth-saving option for some distros, but
the bittorrent solution is probably even better and probably also more robust.

Re:Nice idea (?)

[ILoveMyGeeky1]

Actually, MS is charging now for the security patch for the worm... I work in electronics at a Staples store, we did have the patch on a CD and would make copies of it for our customers, but we had to stop doing that when MS started charging for it.

Re:Nice idea (?)

[ErikTheRed]

Securityfocus belongs to Microsoft, that seems to be very likely. They don't seem to be experts in It security.

That's not even a good troll. Actually, SecurityFocus is owned by Symantec Corporation:

SecurityFocus was acquired by Symantec Corporation in the fall of 2002, and Symantec has since incorporated the SecurityFocus commercial products DeepSight Threat Management System and Alert Services into its product line. Part of the purchase agreement was to keep SecurityFocus as an independent Website that is not influenced by Symantec corporate policies or products. The SecurityFocus Website retains full editorial discretion for all content and remains a vendor-neutral voice for the security community.

Now, it can be argued that Symantec is Microsoft's little bitch, but that's another flamewar entirely...

security

Euros -

In the spirit of the season, do us all a favour and leave. You don't like us, and we sure as fuck don't like you.

Slashdot - by Americans, for Americans.

Re:security

[nametaken]

"favour"?

Re:security

English is spoken in countries other than mine?

Re:security

Yes, favour. Far more of the world spell it like that. Guess you didn't know there was a world outside of North America.

Re:Security

[bmajik]

M$ developers are usually money-driven and thus focus more on how fast they can get a product on the shelves than how rock-solid they can make it

do you have any substantiation of this ?

You may have heard something about software engineering, but if not, i'll tell you. The later you discover a bug, the more expensive it is.

Lets take some examples.

• Developer writes code with bug. Next day, tester finds bug and tells developers. Cost to fix ? - low, because code is fresh in developers mind, and the impact is roughly 1 tester and 1 developer.
• Developer writes code with bug. Bug isn't found because tests dont cover it yet. Developers code lives on for weeks. Other code is written which uses that code. Dependant behaviors make their way into other parts of system. Finally, test is written and run which finds bug. Now we've got a problem. Developer has to figure out where the hell the bug is. Then developer has to figure out what the cause is. Then developer has to consider the impact to any code which has been written since the bug was introduced. Developer has to come up with a fix that fixes the original bug but doesn't introduce a new bug.
• developer writes a bug. This but isn't caught until Beta 1. Bug prevents product from installing on 1/8th of real-world customer machines. 1/8th of most important customers have worst possible product experience - they cant install product. All existing CD's with this build need to be destroyed (they're garbage). developer needs to drop everything they're doing (the're working on beta 2 by now), crack open the beta 1 code (it was forked off for stabilization and may already have been removed from beta 2 tree), and propose a fix. developer thinks about everything that might possibly depend on code with bug. developer has to come up with a fix that unbreaks 1/8th of users, but doesn't break any other users.
• bug makes it into shipping product. userbase is now entire planet. bug prevents product from installing on 1/8th of computers. sales expectations are missed by at least 12.5%. Customer satisfaction is down by at least 12.5%. Developer stops working on version n+1, cracks open the code for the shipped product, and begins investigating a fix for SP1. Customers with support contracts are going insane because their business is down. single-customer fixes (QFEs) must be prepared on 24hr schedule to unblock customers. these patches are customer specific and are separate from what gets rolled into SP (the minimum amount of code change to unblock a customer is what we're talking about - not generally suitable for wide deployment). The developer may need to do one QFE for each major customer (they may have slightly different failure modes ?)

I think you get the idea. If a bug makes it out into the public, it will cost microsoft at least $100,000, at a minimum.

So, do you think bugs make it into the code because the emphasis is on cranking out software quickly, without caring about the quality ?

Re:Security

[dexterpexter]

I absolutely agree with every point in your bulleted list. But the short answer is yes, I do believe that bugs make it into code because of emphasis on cranking out software quickly. It would seem illogical to do so, true, but the sad truth is that it happens and I have watched in horror as it has happned at the place at which I work. When the CEO comes in screaming "ship it! ship it!" and you are given very little alternative, that is exactly what happens. And yes, it does cost more money to repair the bugs later than sooner, but management knows no logic, and developers many times get no say in when their project ships.

Jack Ganssle gave a very nice keynote speech at the recent Boston Embedded Systems Conference that touched on those very same problems. We all know better, but it still happens. And no, not just at M$. However, when you can crank out a new OS every couple of years and the sheep still buy it despite knowing that the OS is unstable, then why not?

Some of the security holes that we have seen come from M$ products (and other products as well!) show the lack of real testing... problems that never should have been seen by the end user.

Re:Security

[azaris]

In my experience with both Operating Systems, I have often found that a lot of the insecurity lies with the user. Again, this is just my observations and not hard fact, but I have found that the average Linux user is more aware and technologically savvy than the average Windows user.

This is a simple result of the law of large numbers. If we assume "technological savvy" is normally distributed within the population then very small samples can have on average very high "savviness" rates. Once the sample size grows the average "savviness" goes down and approaches the mean (which in today's world is still quite low) asymptotically.

Linux has traditionally served as a geek playground whereas Windows seeps into the marketplace on new-from-the-store PCs and thus is usually the first operating system most people learn on.

And herein lies the problem of making blanket statements: yes, most people who are not experienced with computers do run Windows at home. Of course they're going to get infected with something! They lack the experience to mitigate risks and to know what they should never do. DOS didn't have one tenth of the complexity of the latest versions of Windows and stupid DOS users still got viruses all the time.

Linux is also very community-minded (hence, the "Open Source Community.") We vehemently defend Linux and thus have greater stock in its success.

I'm pretty sure a bunch of CS majors deriding SCO on /. won't help Linux kernel development all that much or attribute to any possible success.

M$ developers are usually money-driven and thus focus more on how fast they can get a product on the shelves than how rock-solid they can make it. Linux developers seem to take more pride in their product as, since many of them donate their work, all they really have is that pride to guard.

You are Eric S. Raymond and I claim my free-as-in-beer Tux merchandise.

You won't find the Linux community only putting out one large, obscure patch a month and then declaring "AHA! We have less patches than M$." ;) Hmmm... that seems vaguely familiar. :)

Naturally, since you won't find the "Linux community" putting out any patches at all, ever. They're always put out by individuals or by companies/devteams that simply wish to produce the best possible product for their users.

If I had to put my money down on which one was more secure, my money would go on Linux.

The best way to keep you computer system secure is to make sure it's not run by idiots. How do you accomplish this? Make sure it's as complicated as possible[1]. For a long time Unix had this going for it, which means that Unix administrators had to have a lot experience coupled with knowledge and consequently would usually run a secure network.

By comparison, since "any idiot can run a MS network", then idiots were hired to run MS networks, with predictable results.

[1] The same principle actually works on a broader scale. Intrinsically hard topics tend to gather a more knowledgeable crowd while idiots flock to the easy topics like politics, religion and such. Which usually means that the level of discussion over political topics is far lower than that, say, for hard sciences.

Re:Security

[dexterpexter]

I am not sure if you are attempting to argue with me or not, but it sounds like you are actually agreeing/clarifying points that I actually meant, but are better said by you.

I am sure that the average Linux user was at some point technologically unsavvy, but you usually find that individuals who migrate from Windows to Linux are those users with at least some grasp on what they are doing. However, that does not change the end result, that being that the average Linux user probably has some idea of how to "secure" their computer. Now, as Linux desktops become more popular, we will find that these numbers will change. However, I would feel a lot more confident running an unpatched Open Source product than an unpatched Microsoft one, although doing either is tempting fate.

I did take the time to point out that contributors to the Linux community are far fewer than those who use Linux. However, it still holds true that the few people who do contribute, do an excellent job at it. Anyone disagree with this? I, for one, am impressed with the thankless work that they do.

And the "any idiot can run a MS network" fits perfectly in with my point that the insecurity, often times, lies in the user/administrator. *Laughs* Do Microsoft certifications even mean anything anymore? Or are there big wigs out there who use terms like "paradigm" and phrases like "thinking outside the box" that still get impressed with shiny stones and MS Certs?

As I said, same point (with an argumentative tone), better said by you.

Re:security

That's what's FUNNY about it! The original post uses favour while telling Europeans to get out! It's ironic! Laugh!

Re:security

[ReallyQuietGuy]

if I had mod points i would have modded parent up. the AC who posted re: "far more of the world spell it like that", and the mods who modded down parent - at least the way i see it, the parent was making the point that while the grandparent is telling the euros to fuck off because hey he's so american, he's actually using non-American spelling. which i think is a masterful point to make.

Re:Security

[John_Sauter]

So, do you think bugs make it into the code because the emphasis is on cranking out software quickly, without caring about the quality ?

The parent has an eloquent description of the software development process from the point of view of fixing bugs. The conclusion is obvious: it costs less to fix bugs sooner rather than later, and every software development manager agrees with this. However, the reality is that software is coded quickly, without regard for quality or testing, and shipped as soon as possible.

Why? There is an unvoiced feeling among software managers that they had better get the product on the shelves by Christmas or their careers will suffer. In the extreme, they become yes-men, telling their bosses only what is pleasing, with no regard for the truth. Too many yes-men and the company crashes because top management is not aware of problems until it is too late to fix them.

The solution? Software product managers must have the intelligence to recognize when their product needs more time, and the courage to tell their superiors the bad news. To encourage that behavior, top management needs to be tolerant of bad news, and not limit the careers of their subordinates who bring it.
John Sauter (J_Sauter@Empire.Net)

Re:Security

[evilquaker]

When the CEO comes in screaming "ship it! ship it!" and you are given very little alternative, that is exactly what happens. And yes, it does cost more money to repair the bugs later than sooner, but management knows no logic...

There most certainly is logic. I know because I've been in that situation. While I'm not a CEO and I'm not in the software industry, I have released a product with "bugs" which we'll try to work around or fix eventually. So I think I understand the desire to ship things before they're "ready".

It comes down to two simple words: market share. Every day, people are making decisions and buying products that serve their needs. If they're not buying your product, then they're buying your competitor's product. Moreover, if you don't have a relatively recent product, you start to lose mindshare. It's very possible to release a product so late that even though it's the best, no one cares anymore: they all bought a competitor's product and are locked in to it. So in a very real sense, every day you delay the release date is costing you money.

Thus, you need to balance the desire to ship a product with no bugs with the desire to have a product in the market now. And the way to choose when to do that is to balance the monetary costs and try to release the product when the cost is minimized.

Re:Security

[Bloodax]

UNIX has been built from the ground up with security in mind, it's called OpenBSD.

Re:Security

Naturally, since you won't find the "Linux community" putting out any patches at all, ever. They're always put out by individuals or by companies/devteams that simply wish to produce the best possible product for their users.

Hey, DIPSHIT

That is the Linux community.

Re:Security

[wildwood]

It comes down to two simple words: market share.

Another two simple words also apply: cash flow.

As employees, it can be easy to take the long view - invest a lot of resources in the product now, and it'll be that much better a product, and we won't have to do expensive fixes later.

The CEO, on the other hand, has to keep track of issues like, if we keep pushing back the release date to improve it, in a few months we won't be able to make payroll. And, besides, when cash is plentiful from sales of a release, making expensive fixes is a lot more do-able.

Re:Security

[Just+Some+Guy]

top management needs to be tolerant of bad news, and not limit the careers of their subordinates who bring it.

Even more importantly, management needs to recognize bad news as input variables and nothing more. A lower manager shouldn't be making the decision whether to ship now or later; they should be able to openly pass accurate information upward to more appropriate decision makers.

A CEO may decide that software is too buggy to ship based on input from below, or he may decide to push the release date. A junior team leader shouldn't be the one making that call, although a culture of fear tends to make that exactly what happens all too often.

Re:Security

[man_of_mr_e]

What you say is true, but the person you are responding to also has a point. Products of all kinds (not just software) are often shipped with known defects (and many unknown ones) for a variety of reasons. Ed Yourdon in one of his books (either "Deathmarh" or Rise and Resurection of the American Programmer, I don't remember which) advocates that there's such a thing as "good enough" software. This is software that isn't perfect, but is cheaper and faster to market than a competitors that strives for perfection. This is one way that the US has dominated the software market for the last 20+ years and fought off the off-shore invasions that Yourdon predicted in his book "The decline and fall of the american programmer".

Frankly, "good enough" software is still the norm for most things, but the bar for "good enough" has risen quite substantially in the public network world due to the exponensial increases in penetration attempts (and successes).

Closed source commerical companies aren't the only ones to do this either. Look at most Open Source software, which pretty much ships something as soon as it can compile and then slowly morphs into a solid product. Frankly, you're never going to find all the bugs in your software in the lab. It has to be exposed to the billions of permutations of end-user systems to find most of the problems. A good example was the 2.4 kernel, which was still going through major "beta" changes up until about 2.4.14, despite supposedly being "stable".

Re:Security

[man_of_mr_e]

The fact of the matter is, as humans we're alwasy going to miss problems. Until software verification becomes so completely automated this will continue.

One can say the same about many products, including Linux. We shouldn't have seen the kinds of problems we saw in the early 2.4 kernels. We shouldn't be seeing the kinds of problems from Sendmail, OpenSSH, wu-ftpd, and a host of other "usual suspects" either, but we do.

Open source tends to ship early and often just as much as closed source. We just hide behind 0.x version numbers for years and tell anyone that has problems that they shouldn't be using unstable versions.

Re:Security

[John_Sauter]

A CEO may decide that software is too buggy to ship based on input from below, or he may decide to push the release date. A junior team leader shouldn't be the one making that call, although a culture of fear tends to make that exactly what happens all too often.

Who makes the decision on whether to slip a product for quality reasons depends heavily on the size of the company. When I worked for Digital Equipment Corporation, we did not expect Ken Olsen to make those decisions. Generally, the tension was between the Project Leader (a technical team leader) the Product Manager or Cost Center Manager, who might have several products under his care, and his boss, who was still well below top management. If all three of these people were intelligent and honest, we shipped working products.
John Sauter (J_Sauter@Empire.Net)

Re:security

[nametaken]

At least someone understood. This other reply to my message was apparently too pissed by the grandparent to see what I was saying.

Re:Security

do you have any substantiation of this ?

History speaks quite eloquently on this. In addition, Gates and Balmer both are on quite public record as saying that developing a bug-free product would simply cost too much.

I think you get the idea. If a bug makes it out into the public, it will cost microsoft at least $100,000, at a minimum.

Then, given Windows history, even Microsoft, with all their billions, should be flat broke!

C'mon, you are astroturfing to the max. Anyone that has been using Windows on a steady basis for the last ten years simply cannot defend them on any kind of QA effort!

Head, meet Sand

[t0ny]

From the looks of things, they still have a while to go. IMO, Linux people talking about security is like that saying about people who live in glass houses.

Who was it at MS who basically made that statement that regarding security, they ALL suck? What Linux really needs is somebody to tell their community the same thing, instead of continuing to burry their heads in the sand.

Re:Head, meet Sand

[divide+overflow]

> From the looks of things, they still have a while to go. IMO, Linux people talking about security is like that saying about people who live in glass houses.

Note that many if not most of the vulnerable programs shown in your link to securitytracker.com are not related to the Linux kernel nor part of most Linux distributions. This makes for a potential "apples to oranges" comparison with Windows vulnerabilities.

Re:Head, meet Sand

[t0ny]

Apparently you missed that story last month regarding the hack which exploited a Kernel bug. This effected ALL distros, since it was a kernel exploit.

Also, the page for Windows doesnt just list OS components either. So, as far as security tracker goes, it IS apples to apples. One can also argue that IIS is not really a Windows component, since it is an optional service. But thats the way they organize their site. If you dont like it, talk to Security Tracker; Im sure they would be happy to hear from you!

Re:Head, meet Sand

[C10H14N2]

Don't throw stones inside your modded linux box?

Right, Check.

As for security, that would explain why my Linux boxes have for years been under constant attack from compromised Windows machines without incident.

Re:Head, meet Sand

[dexterpexter]

Ahhh, but the difference is that if I throw a stone and break my little glass Linux house, I have the ability to fix it... for free. That is the beauty of Open Source.

Re:Head, meet Sand

[windows]

It's an unpleasant truth, but Bill Gates was right when he suggested that perfect bug-free, unexploitable code is impossible. There are going to be vulnerabilities, no matter how much of an effort you make to keep them out of code.

Security has to be achieved through firewalling, shutting off unnecessary services, keeping software up to date with the latest security-related patches, and some common sense on the part of the user. In my experience, a lot of Linux users are every bit as ignorant as their Windows counterparts when it comes to security. I know plenty of people who don't know what daemons are running on their computers, who don't keep their software updated, and who don't follow basic common-sense security procedures. Unfortunately, there's the perception among a lot of people that just running Linux makes them secure. They feel they don't need to bother with things such as firewalls, because they're invincible. Even among their Windows counterparts, firewalls are considered a necessary tool for security.

There's a basic competence needed to run Linux. Unfortunately, beyond that, many users are clueless when it comes to security.

Linux doesn't lend itself to many of the problems Windows does. But that's only part of being secure.

Linux distributions shouldn't come with lots and lots of services enabled by default. We complain at Microsoft because a lot of users have IIS running on their machines and just aren't aware of it. Many Linux distributions are just as guilty as Microsoft here.

If we want to make Linux more secure, we need to fix the two biggest vulnerabilities - the default settings of many Linux distributions and the user.

Re:Head, meet Sand

(s)he said "most" so yes, the kernal bug is accounted for. yes, there are vulns in linux, nobody argues with that, but the fact is that in default install (and how many home users use anything else?) there are far more problems with windows. integration is also a problem. problem in moz? no big if you don't use moz, and you can use other things. problem in ie? too fucking bad, it's part of the os bitches.

hey t0ny, why does your face smell like ass?

Re:Head, meet Sand

[divide+overflow]

> Apparently you missed that story last month regarding the hack which exploited a Kernel bug. This effected ALL distros, since it was a kernel exploit.

No, I *didn't* miss it. I'm on the BugTraq mailing list.

>Also, the page for Windows doesnt just list OS components either. So, as far as security tracker goes, it IS apples to apples.

Without a direct comparison of the number of exploits for code that comes with the OS for both systems your statement is speculative at best.

>One can also argue that IIS is not really a Windows component, since it is an optional service.

Baloney. IIS comes on every Windows CD-ROM and is used by lots of Microsoft apps. And there's plenty of bugs that cross boundaries thanks to Microsoft's blurring the distinction between OS and application...like that WebDAV bug in ntdll.dll that was exploitable via IIS.

>But thats the way they organize their site. If you dont like it, talk to Security Tracker; Im sure they would be happy to hear from you!

Don't blame Security Tracker for the deficiencies in your analysis!

Re:Head, meet Sand

Haha. Tony's an assface!

Re:Head, meet Sand

[bmajik]

minor nitpick. if you read the link you posted, you'll see that there's infact no WebDAV code in ntdll.dll (why would there be ?)

WebDAV depends on some code in ntdll.dll, and it looks like you can feed WebDAV goop that it happily uses to exploit the BO in ntdll.dll.

So, webdav is the attack vector to remotely get at a problem in ntdll.dll. it's not substantially different than php triggering a bug in kmalloc() :)

Re:Head, meet Sand

[t0ny]

Not only that, but to address this poor analysis...

Baloney. IIS comes on every Windows CD-ROM and is used by lots of Microsoft apps. And there's plenty of bugs that cross boundaries thanks to Microsoft's blurring the distinction between OS and application...like that WebDAV bug in ntdll.dll that was exploitable via IIS [microsoft.com].

Where to begin?

1. Just because it comes on the CD-Rom does not make it any less of an optional component. If I started ranking on security flaws on some of the obscure, minor, optional programs what come with the varios Linux distros, you would just change song and say "hey, nobody uses that" or "its just optional, nobody is forcing them to use it". Just a tip- pick one story, and stay with it. It makes you look less hypocritical.

2. Used by other apps- MS cannot be held responsible for non-MS apps causing holes in the security. To claim otherwise is lunacy, and throws the whole issue of personal responsibility out the windows. I am responsible for what *I* do, but to hold me responsible for what people I work with do? Thats absurd.

3. You mentioning the WebDAV exploit demonstrates your lack of knowledge in how Windows uses DLLs. I try to always get my expert opinions from experts, so please stop spewing nonsense about things you dont really understand. Just because you are on a mailing list doesnt make you knowledgeable, or an expert.

Also, your former gripe regarding no kernel exploits, of which there were some, is just as valid if you want to talk about Windows. So why dont YOU stop talking about apples and oranges? You cant have it both ways.

Re:Head, meet Sand

[t0ny]

Yes, if your time is worthless, than it IS free.

is that the beauty of unemployment?

Re:Head, meet Sand

Haha, Im too big a pussy to post with my real account, so just like an infantile sissy, Im going to post anonymously!

Re:Head, meet Sand

Q: Would you like some evidence with your anecdotes?

A: No thank you, I have no wish to remove my head from the sand...

Re:Head, meet Sand

[The+Analog+Kid]

So? Then IIS is part of the OS(going by what your saying), what difference does it make? If the system gets cracked because of this program, whether or not it's integrated into the OS, makes no difference when you loose all of your data.

Re:Head, meet Sand

Strange, but I've never experienced this 'unemployment' that you speak of. Open source has been a great set of tools for me to use to bid on jobs that I'd have a hard time getting otherwise. By using mapserver instead of a proprietary system, I can bid $8000 lower on a job. Same thing for using open source dbms in situations that warrant it.

Re:Head, meet Sand

[nathanh]

It's an unpleasant truth, but Bill Gates was right when he suggested that perfect bug-free, unexploitable code is impossible.

Yes, it is an unpleasant truth, but I hope you don't hold the mistaken belief that this idea is an original from Bill Gates. It's been common lore in the computer industry since before Microsoft came into being.

Re:Head, meet Sand

Hack this then: CLI label: JMP label Its bug free and you know it

Re:Head, meet Sand

[t0ny]

By using mapserver instead of a proprietary system, I can bid $8000 lower on a job. Same thing for using open source dbms in situations that warrant it.

All that money, and you still cant afford a Slashdot account....

Re:Head, meet Sand

[t0ny]

He's only saying IIS is part of the OS because he doesnt know what he is talking about (despite attempts to appear so). He may impress the other guys at the help desk with his mailing list membership, but it really shouldnt impress anybody around here (especially those of us already working computer security positions).

An open source businessmodel?

1: Make free software.
2: ?
3: Patch like a mad-man.
4: Profit!

Er it isn't just Europe...

Try the Middle East, China.
South America probably hates you too.
Canada secretly think you are satan.
Central America just wants to sell you drugs.

Best security fix in Linux: 'tar'

[jkrise]

A simple backup-restore utility that allows users to backup all their filesystems, and restore them in the event of a crash. A separate unnmounted filesystem to store the 'image' - no worm can get past this simple strategy. A major security breach? Simple:

1. Remove network cable (OR) Internet connection.
2. Boot from tomsrtbt
3. Mount backup partition(s)
4. Run simple restore script.
5. Reboot and enjoy!

Can any other OS do this, with off-the-OS tools?

-

Re:Best security fix in Linux: 'tar'

[puffing_billy69]

Unless you've been 0wnz3d for weeks, and simply restore the trojans and rootkits with a restore, unless you're using some md5ing on your /etc and other things, or tripwire or whatever.

Re:Best security fix in Linux: 'tar'

[DA-MAN]

surprisingly tripwire was ripped out of RedHat Enterprise.

In addition it can compile the rh9 src.rpm fine, but won't execute!

Arg, I think RHEL is a piece of junk. For anyone who runs a LAMP it's actually a better bet to use one of the rebuilds, unless you want to be in charge of building a whole slew of rpm's when errata comes out for mysql, etc.

Re:Best security fix in Linux: 'tar'

[dmdimon]

Yes, I can.

And what's the big deal with that?
ANY flavor of UNIX and many more os'es can do that.

By the way, it's very impractical - for example, I have fast enough changing information, multi-Gig sized and important on my box. It changes near fully in term of week.

PS. best solution for ANY PROBLEMS - 'universal Belkin patch' :

sudo
cd ../
rm -R -P -f -v

PPS. It also checks your system for true UNIX compatibility!
Enjoy! ;)

Re:Best security fix in Linux: 'tar'

[Waffle+Iron]

no worm can get past this simple strategy.

I hope you don't keep those unmounted disks physically attached to the system. People have been lucky, because all worm writers to date have been kind-hearted enough not to zero out all of the systems' hard drives or flash their BIOSes. You have no guarantee that the next worm won't be written by a real asshole.

Probably even worse: a worm that quietly opens a back door to your system without you even knowing it. You could go run for months with your system totally compromised, and your backups would copy the same problem to your offline partitions.

Re:Best security fix in Linux: 'tar'

[Storm]

The problem with this approach is that most compromises are not detected immediately. Most are found days, weeks or months after the actual breakin. Meanwhile, the compromised files are faithfully backed up. This means that restoring from backup will most likely place the same compromised files in place.

You could set up your backup script to md5sum or a similar mechanism to check files, but it still requires "situational awareness" to know what the differences are and why these diffs occurred. Most diffs are innocuous, caused by upgrading packages, changing passwords, etc. An intrusion detection system (e.g. Samhain, Integrit, Tripwire, AIDE) does similar functions on the live files, and is a must-have security tool, and must be properly employed (e.g. database on "safe" media).

Security? Hell, if it were easy, anybody could do it.

Re:Best security fix in Linux: 'tar'

The two problems are fast-changing directories (e.g. /home) and rootkits that trojans that are present when creating the backup.

Those are solved by:
1) As part of the install, create a system image, excluding the fast-changing directories (e.g. /home, /var/www) after the site-specific configuration changes have been made.
2) Make backups of the fast-changing directories at regular intervals.

tar is not the only utility for backups and imaging. (Tape ARchive was originally not for backups and imaging; even the GNU-on-steroids tar poorly handles simple errors in the archive by terminating restore.)
You have dump/restore (though still broken on Linux?), dd, amanda (runs on several UNIX and GNU/Linux flavors), Mondo Rescue (the Linux-specific, practically automated drive imager), and g4u (dd dressed up in pretty scripts). (The Mondo Rescue also has a compare facility to check system integrity from the image CD.)

Re:Best security fix in Linux: 'tar'

[utahjazz]

The breaches that do real damage are ones where private info is stolen, like all the custmers' credit card numbers.

Tar your way out of that.

Re:Best security fix in Linux: 'tar'

[sparkz]

Sure, give me physical access to the machine, as you require, and I can do as much damage as I want - even install Windows!

Re:Best security fix in Linux: 'tar'

Translation for those that don't know:

sudo
might give you root privilages, so you will delete important stuff

cd ../
goes one step up the system tree (thus increasing eventual damage)

rm
deletes files

-R
recursively

-P
POSIX-compliant output... this is a bit of a red herring and is frankly pretty useless for most people

-f
Force, doesn't ask for confirmation

-v
verbose outout, so you can see exactly what you've just killed on your filesystem.

In short, please don't run these commands any time soon. Thanks.

My brother

My brother got leid more times than there are security patches for your dickhead OS.

Nipples are cool.

Re:My brother

You, however, have never been laid.

At least nobody claimed it was "objective"

[bmajik]

Oh boy! An article which takes 1 authors clearly subjective feelings, piles on the anecdotes, and pronounces evidentiary conclusions!

From reading this, it would appear that Gagne is pretty much what happens when you give a linux zealot some airtime. I'll comment on just a few things i got a kick out of:

At some point, I expect users to upgrade to newer releases or take some responsibility for patching their own systems. What's a reasonable period of time? I'd say 34 to 36 months. At some point, any reasonable users should understand that the best way to ensure continued support is to upgrade to something more recent."

but then we have

The beauty of the open source model is that an opportunity exists for creating fixes for old releases. Not so for the users of Windows 95 or 98 who have no source code to go back to when the next critical flaw is uncovered.

So which is it ? Do we expect people to upgrade after 36 months, or do we take any opportunity to mention that we think Microsoft sucks (of which everyone in the audience is perfectly aware)

"Frankly, it seems incredible that this is even open to debate.

There's that objective analysis shining through. Definitely not the words of someone pushing a beleif as opposed to an argument :)

One need only read the newspapers, listen to the radio, watch television or work in an office where Windows is widely used

Which papers would those be ? The ones that manage to not mention that FSF, Debian, and Gentoo all had their Root file distribution servers OWNED in the same year ?

has nothing to do with Microsoft's market penetration.

riiiiiiiight. Let me tell you what. if windows update gets owned, you will hear about it in the papers, and on the news, etc. And it wont be because of the magnitude of the issue - because it happend to the FSF, Debian, _and_ Gentoo _first_. When something goes wrong with microsoft software, it hits the whole internet. It's a market share issue.

It doesn't hurt that at its very core, Linux is designed with security in mind.

What do the original UNIX authors have to say about designing UNIX from the ground up with security in mind ? A history of linux will show a few things, I think.

• UNIX evolved over time. almost no attention was paid to security initially - was it even multi-user initially?!
• linux wasn't designed with security in mind - it was cloned from a system which had security evolved and grafted onto it (unix). secutiy is about trying to get perfect code out of imperfect people, and moreover, trying to get perfect designs out of imperfect people. NT _Was_ designed from the ground up with security in mind. The security training happening recently at MS had a lot more to do with sloppy coding and thinking about security at every layer of the platform then it did with redesigning NT's security features (which are actually quite advanced)
• remember when anyone could remotely kill a linux box with the right udp packets ? was that security by design ?

No need here for launching a security initiative after years of neglect."

Or, said another way - "not too much new ground to cover making a freeware clone of 25 years of operating system research!"

Despite the fact that I do not run a Microsoft computer in this office,

why am i listening to your opinion of MS software again ?

costs in terms of data loss, damage, and lost productivity in the last three years alone runs into the billions of dollars. This is documented fact

Really ? which documents ? Where are the documents that talk about how much money business MAKE by leveraging software - Microsoft software. If, overall, MS software is hurting business financially, why dont they go back to notebook paper ? Why not use linux ?

This article is pretty much a non-article.

Re:At least nobody claimed it was "objective"

[Space+cowboy]

Agreed, the "article" was horribly biased, and you rightly cast aspersions on the author's integrity, but normally when critiquing someone in this way, you might also point out the glaring errors in *what* (s)he says, as well as showing *why* what (s)he says is wrong. I'm not sure anything he says is *wrong* per-se (at least on the linux front - I don't know enough about the win32 side to comment). I do think it needed to be couched in a more balanced article though...

As for your points about ssh, yep they're security products, that's why the instant someone finds something wrong, it's important to broadcast that info far and wide. No-one (should, at least) expects the code to be perfect because it has an extra 'S' in the name. We do expect a careful approach to security, and an open one too. I don't believe you do yourself much credit with this argument - it's about ssh anyway, not Linux.

I doubt WU has been owned by anyone, but if it had been, the sensible approach to take would be for the perpetrator to contact MS and tell them they've just distributed X million 'delete-the-system' virii to their customers, and it'll cost 100 million dollars to get the 'undo' key... It would then all be dealt with quietly. Open source is ... unlikely ... to follow this route :-)

Simon.

Re:At least nobody claimed it was "objective"

[warmcat]

I was trying to decide whether to mod you as Flamebait when I went back and looked at your posting history to look for troll footprints.

'' I agree with you completely, and i work for microsoft :)''

You could have mentioned that you are a MSFT employee in your impassioned defense of MSFT here. I have Box Toxen's ''Linux Security'' book, its pretty interesting. But your post seems to be a big ''we're all as bad as each other so ignore the fact I am evil'' astroturf.

Something you might want to chew on is the different value proposition of being given control of sources for software for free, vs being trained into a dependent monkey for whatever MSFT give you. Merry Christmas!

Re:At least nobody claimed it was "objective"

[agwis]

So which is it ? Do we expect people to upgrade after 36 months, or do we take any opportunity to mention that we think Microsoft sucks (of which everyone in the audience is perfectly aware)

I don't see a contradiction. Gagne is implying that most users will upgrade and manage patching there own systems. However, if you decide to stay with an older version (for whatever reason) you have access to the full source code and can either patch it yourself or hire someone to do so. How can you do that with MS without access to the code? You can't...so your forced to upgrade. MS made this clear with their recent announcement about Win 98.

Which papers would those be ? The ones that manage to not mention that FSF, Debian, and Gentoo all had their Root file distribution servers OWNED in the same year ?

Yep, that would be them. That doesn't refute the fact that it is all too common to read yet another security flaw with MS products. Those papers may not have mentioned the security breaches incurred by Debian, Gentoo, and the FSF, but it certainly wasn't due to a lack of information. In Debian's case, they had the servers shut down and information posted within hours. Now if these had been reported by the main stream media do you believe that it would even the playing field? These handful of compromises as opposed to the barrage of problems we hear about with MS aren't even slightly comparable. What exactly was your point here?

riiiiiiiight. Let me tell you what. if windows update gets owned, you will hear about it in the papers, and on the news, etc. And it wont be because of the magnitude of the issue - because it happend to the FSF, Debian, _and_ Gentoo _first_. When something goes wrong with microsoft software, it hits the whole internet. It's a market share issue.

And you should read about it in the papers, or watch it on the news.. The media should report any flaws or security problems regarding MS immediately, as the majority of computer users are affected. Gagne states "Of course Linux is more secure, and it has nothing to do with Microsoft's market penetration." Time and again I've heard from MS zealots that MS is no less secure than *nix, but the fact that they have a greater percentage of the market share is the reason so many exploits are found. This, of course, is utter nonsense. Linux has a greater approach to software development, hence greater security. This is what Gagne is alluding too.

why am i listening to your opinion of MS software again ?

Huh? You don't need to use MS software to be aware of its problems. Did you miss the article on ./ the other day? People can't even download and install critical updates before their machines are compromised. Anyone using a firewall that checks their logs periodically is all to familiar with nimda, blaster, etc. It doesn't matter what OS your using to see that.

Really ? which documents ? Where are the documents that talk about how much money business MAKE by leveraging software - Microsoft software. If, overall, MS software is hurting business financially, why dont they go back to notebook paper ? Why not use linux ?

How long do you think any company would last nowadays if they weren't using computers? Companies need computers now, and they have to spend a lot of money keeping their networks up to date and secure. As to "Why not use linux?" more and more they are. Management is becoming aware that there actually is a better alternative to MS, and the rate of companies converting is rapidly growing. It amazes me in my area alone the number of small companies replacing their IIS and Exchange servers. I've even seen some replace their employee's desktops from MS to linux. It's the snowball effect...first the servers are being replaced, next the desktops...you'll see :)

I'd argue that with each year of Windows, we've only seen improvements. does it then follow that there's only a bright future ahead ? If so, how is

Re:At least nobody claimed it was "objective"

[X-Phile]

At some point, I expect users to upgrade to newer releases or take some responsibility for patching their own systems. What's a reasonable period of time? I'd say 34 to 36 months. At some point, any reasonable users should understand that the best way to ensure continued support is to upgrade to something more recent."

but then we have

The beauty of the open source model is that an opportunity exists for creating fixes for old releases. Not so for the users of Windows 95 or 98 who have no source code to go back to when the next critical flaw is uncovered.

So which is it ? Do we expect people to upgrade after 36 months, or do we take any opportunity to mention that we think Microsoft sucks (of which everyone in the audience is perfectly aware)

You will notice that he said "an opportunity exists". That's ultimately what the open source model is all about, the opportunity to do something, the opportunity to change something. Whether people pick up the ball and run is up to them, but at least they are given the opportunity

Your points on UNIX history and security are intersting

UNIX evolved over time. almost no attention was paid to security initially - was it even multi-user initially?!

User and network security were unknown concepts at the time. That's like saying that we should have been preparing for the AIDS epidemic in the 70's

Linux wasn't designed with security in mind - it was cloned from a system which had security evolved and grafted onto it (unix).

The security concepts were copied from UNIX to Linux, but the application level security, and the newly discovered types of programming errors (most, but not all buffer overflows, etc) were "coded out" so to speak.

remember when anyone could remotely kill a linux box with the right udp packets ? was that security by design ?

Remember when anyone could halt any Windows box with some fragmented IP information in TCP headers? Did MS forsee this and code to avoid it? Interesting how you're condemming Linux and OSS for not doing so.

As for the OpenSSL and OpenSSH stuff, ok, I'll give you those ones =)

I'd argue that with each year of Windows, we've only seen improvements. does it then follow that there's only a bright future ahead ? If so, how is linux "better" in this regard ? How is this news ?

When any company _innovates_ (embraces and extends, rapes and pillages, whatever), they are marching into new territory, and the territory is unknown. New innovations mean new possibilities for logic and programming errors for the first company to leap into that territory. The Linux community usually sees the innovations that MS, Apple, etc, are coming up with, and adopt it, without a lot of the inherent security issues and usability problems. That's not to say that there are no security issues, but a lot of the obvious ones are worked out.

MS has in the past put the users experience above the users security, and as a desktop OS, this has worked for them, but they need to take a deeper look at application security, which is the reason why worms and virii are plaguing them to this day.

My $0.02 CDN.

Re:At least nobody claimed it was "objective"

I suppose then that since you actively support Linux and the open source model you are somehow objective? Come on.

Re:At least nobody claimed it was "objective"

[mbrinkm]

First

costs in terms of data loss, damage, and lost productivity in the last three years alone runs into the billions of dollars. This is documented fact
Really ? which documents ?

From 2001 - CNN Survey: Costs of computer security breaches soar

• http://www.cnn.com/2001/TECH/internet/03/12/csi. fbi.hacking.report/">

Second

With every year since the birth of Linux we've only seen improvements so I think there's only a bright future ahead.
I'd argue that with each year of Windows, we've only seen improvements.

How can you actually believe that we have only seen improvements with Windows? Yes, there have been improvements in functionality and capability, but by no means has there ONLY been improvements. Tying a HTML interpreter's code to the OS'es kernel is not only an abuse of the OS'es monopoly, but also an ignorant way to package additional functionality. Or, how about adding functionality for admin purposes that is accessible to anyone on the Internet when the computer is connected to the Internet.

Spammers slip ads through Windows

• http://news.com.com/2100-1001_3-962483.html

By the way - CNET is owned by Microsoft.

How do I shut that service off without downloading a patch? I don't need the service, I don't want the service and I see it as redundant since I can e-mail updates or, this is novel, pick up the f-ing phone and call the person and tell them the message.

PS - I run both Linux (Red Hat - for now) and MS at home on two separate computers - does that give me credibility in your eyes?

Re:At least nobody claimed it was "objective"

[warmcat]

The reason I posted was to point out the irony that the guy at the top of this thread complaining about a lack of objectivity works himself for Microsoft, and failed to mention this in his astroturfing.

Re:At least nobody claimed it was "objective"

So which is it ? Do we expect people to upgrade after 36 months, or do we take any opportunity to mention that we think Microsoft sucks (of which everyone in the audience is perfectly aware)

I don't see a contradiction. Gagne is implying that most users will upgrade and manage patching there own systems. However, if you decide to stay with an older version (for whatever reason) you have access to the full source code and can either patch it yourself or hire someone to do so. How can you do that with MS without access to the code? You can't...so your forced to upgrade. MS made this clear with their recent announcement about Win 98.

It's clearly contradictory. The author states that 36 months is a reasonable time for a vendor to support their products. But when Microsoft announced the end of support on products that are now 60 months (Windows 98) and 96 months (Windows 95) old the industry is all up in arms because a lot of businesses continue to use those operating systems. Microsoft, if the authors support period is to be considered reasonable, has gone above and beyond what is reasonable.

Re:At least nobody claimed it was "objective"

[qoute]
* UNIX evolved over time. almost no attention was paid to security initially - was it even multi-user initially?!
[/qoute]

Yes. Unix was created for the specific purpose of multiusering operating system. It was designed in a era were you had big mainframes with lots of little terminals and you shared everything.

The main difference between it and other OS designed in that era (and why it is still around) is that it is designed to be completely portable OS, thru the extensive use of C. Meaning that you could develope the code on a Vax, and recompile it to work on a x86 workstation without having to completely rewrite it.

Everything is has a specific job. It's designed in the layered approch were each program has a specific job to do and that's it. You can ramdomly replace any part of the OS with any other program as long as it correctly takes the inputs and makes the correct outputs.

One of the Major issues with MS security is that it is a model of a OS that was based on pure Single User enviroment, and MS basicly said that if users want security they would pay extra for it. This sucks for MS users because the OS is so tightly integrated that repairing or replacing any part of the OS can result in unpredictable issues with another subsystem that you would think would be entirely unrelated. So fixing the bad designs of the past 10 years or so is nearly impossible without a complete rewrite. And MS can't even do that.

[qoute]
* linux wasn't designed with security in mind - it was cloned from a system which had security evolved and grafted onto it (unix). secutiy is about trying to get perfect code out of imperfect people, and moreover, trying to get perfect designs out of imperfect people. NT _Was_ designed from the ground up with security in mind. The security training happening recently at MS had a lot more to do with sloppy coding and thinking about security at every layer of the platform then it did with redesigning NT's security features (which are actually quite advanced)
[/qoute]

I don't know what NT was designed from the ground up. But your issues about linux are unfounded and steam from ignorance. Linux is not a clone, it was designed as a posix-compatable kernel, internelly it operates very differently from a *BSD or system-V operating system. What you see lots of times is fairly cosmetic similarities. It is designed to be compatable with Unix stuff because it's a excellent and proven design, not be a clone. It's similar to saying that Mozilla is a clone of Explorer, which is absured.

[qoute]
* remember when anyone could remotely kill a linux box with the right udp packets ? was that security by design ?
[/qoute]

Sure, you could similar things with all windows OSes. Think about this: The same RPC vunerabilities affected all OSes from win9* to NT to WinXP. This means that a great deal of the code from WINDOWS 95 is still being used in Windows XP.

If the head developers involved in SMB protocol are any idication about the depth of understanding of the vague programming mess that is windows, they couldn't match the knowledge that the to the head SAMBA developers had about their own OS!

THis is not encouraging. Seems to me that while linux continually rewrites and audit's it's code and is continously improving it's design, while Windows developers are faced by a morass of undocumented features and black-box programs were nobody is completely sure on how they operate anymore.

Re:At least nobody claimed it was "objective"

> . Tying a HTML interpreter's code to the OS'es kernel is not only an abuse of the OS'es monopoly, but also an ignorant way to package additional functionality

Please to point out any entry points where the kernel uses any of the IE DLL's. A stack dump will do, though documentation is always more helpful.

Can you in fact name any of the IE DLL's?

And you're the one talking about ignorance?

Re:At least nobody claimed it was "objective"

[michael_cain]

UNIX evolved over time. almost no attention was paid to security initially - was it even multi-user initially?!

I believe that the answer to this is, yes, it was multi-user from the beginning. Remember, UNIX was initially developed in an era when computers were physically large and so expensive that it was a basic assumption that more than one person would use the machine. It was also intended to be a time-sharing system, so was designed with the idea that more than one person would be using it at the same time. Certainly by the time that UNIX came out of the research groups and into more common usage at Bell Labs, there were security features.

There were security bugs, too. As is the case today, some of those involved the default configurations. At some point, the default when you logged in was that your tty device was writeable by the world. On at least one occasion, this led to a spate of problems where one user, pissed off at something another user had done, would run a command like

$ cat /bin/* >/dev/tty3 &

where the offending user was logged in on tty3. Binary, interleaved with the output you expected to get, dumped to your terminal at 300 cps, was annoying. Users learned quickly to build a variety of checks and corrections into their .profile file.

Geez, knowing that makes me feel OLD.

Re:At least nobody claimed it was "objective"

[mbrinkm]

I'm sorry I mistook this

"We had warned the Justice Department and the court that removing all of those files would not result in a workable product, but that's what the DOJ demanded," Murray said.

• http://www.internetwk.com/news/news1230-6.htm

To mean that IE was tied to the Kernel - I should have said "Tied to the fluff that they wrap together in a tangled mass of buggy code brought to us by the innovative thinkers at Microsoft"

Re:At least nobody claimed it was "objective"

[swillden]

Read it in context. 36 months is a reasonable time period for a vendor to support their stuff if it's open source and the customer can patch it themselves if they need to stay with the old versions. Closed source software needs long-term support. If you really think companies have a moral responsibility here, it's pretty easy to argue that they should either support it forever or help their customers get upgraded to a version that is supportable. I'm not so sure abou the moral responsibility part myself, but I do think it's good business.

Re:At least nobody claimed it was "objective"

The same RPC vunerabilities affected all OSes from win9* to NT to WinXP. This means that a great deal of the code from WINDOWS 95 is still being used in Windows XP.

Even more interesting, similar RPC vunerabilities also affected most commercial UNIX OSes -- Solaris, HPUX, etc. Which indicates that the code-reuse was practically industry wide.

In fact, the only reason that Linux distros escaped this problem was because they are rather unique in not providing DCE RPC services.

Re:At least nobody claimed it was "objective"

[man_of_mr_e]

Oh, you've got to be kidding me. You really think that this quote from his post:

"Do we expect people to upgrade after 36 months, or do we take any opportunity to mention that we think Microsoft sucks (of which everyone in the audience is perfectly aware)"

Is an "impassioned defense of MSFT"? Do you honestly think just because someone works for a company that they have no rights to opinions anymore?

The fact of the matter is, he is right. The article is *NOT* what it claims to be. It's not any kind of analysis, nor is it even a discussion of Linux security at all. I was hoping for a reasoned analysis of linux performance in the security field in 2003, and frankly, all I got was a bunch of soapbox zealoting.

You seem to be objecting to the fact that he was critical of an article that's critical of a Linux competitor, and seem to not care if the article has any merit in and of itself. Here's a hint, criticism of things that really do need it is your friend, not your enemy.

The troll here is you, and if I had mod points right now I'd so mod you. You're a prime example of the kind of advocate that the Linux communtiy doesn't need. You're as bad as the author of the article for misrepresenting it in the first place.

Re:At least nobody claimed it was "objective"

From 2001 - CNN Survey: Costs of computer security breaches soar

http://www.cnn.com/2001/TECH/internet/03/12/csi. fbi.hacking.report/

I can't say that I see this as supporting the authors statement that Windows has led to billions of dollars of lost revenue. Looks to me that the article is about computer security in general and not any specific platform/vendor.

Re:At least nobody claimed it was "objective"

The reason I posted was to point out the irony that the guy at the top of this thread complaining about a lack of objectivity works himself for Microsoft, and failed to mention this in his astroturfing.

So?

Re:At least nobody claimed it was "objective"

[nathanh]

Which papers would those be ? The ones that manage to not mention that FSF, Debian, and Gentoo all had their Root file distribution servers OWNED in the same year ?

Uhh, no they didn't. At least in Gentoo's case it was a single independent mirror that got owned. The root servers were not compromised. Pay attention to the phrase independent mirror.

In the Debian incident there were 4 servers compromised but none were "root file distribution servers" in the sense of main/contrib/non-free. From the newspapers:

The spokesman said the servers hosting the bug tracking system, the mailing lists, the web, CVS (concurrent versioning systems), security, non-US, web search, www-master, and QA had been compromised.

By the way, both Debian and Gentoo security incidents made the newspapers in Australia (both The Age and The Sydney Morning Herald).

Or, said another way - "not too much new ground to cover making a freeware clone of 25 years of operating system research!"

Ok, you didn't explicitly state it, but I'd like to ask if you'd be happier if Linux didn't build upon 25 years of OS research? Should Linux start from scratch? Reinvent decades of work?

If you're pissed off that Linux uses the UNIX API rather than invent an entirely new and obscure yet original API, then I'd like to know why.

If you're pissed off that Linux builds upon public domain research into SMP, scheduling, memory management, real-time processing, etc, then I'd also like to know why.

What, exactly, is the problem?

Re:At least nobody claimed it was "objective"

[Faluzeer]

"NT _Was_ designed from the ground up with security in mind. "

What version of NT are you referring to? I have been using NT since about 1995 so I have been administering all versions from NT 3.51 upwards.

A number of glaringly obvious "NT features" lead me to question your statement :

NT by default gave group Everyone full control of the filesystem.
NT by default had Guest Account Enabled.
NT by default had no minimum password length (ie blank passwords were acceptable).
NT by default allowed commands submitted via the at command (to schedule a job) to be run in a higher security context than that of the user who submitted the job.

Most of these "features" were eventually fixed but the fact that they were all originally allowed makes me believe that NT was not "...designed from the ground up with security in mind.".

Now I am far from being a Linux or Open Source Zealot and I freely admit that security _has_ improved on MS Operating Systems but I don't believe that any non biased person could honestly state that NT "..was designed from the ground up with security in mind".

Re:At least nobody claimed it was "objective"

[bmajik]

read up on the architecture of NT.. things like DACLS, ACE, SIDs, two-factor auth, etc etc.

NT was designed with a solid security _architecture_, built with many cool security features. I handily admit that there was lots of bad code implementing those (and other) features, and some poor configuration decisions..

but the internals of the OS have always have an advanced security model as an instrinsic part since the beginning. Earlier, nobody cared (at MS at least) and the focus was on bringing forward dos/win3.1/win95 customers with as little pain as possible. that meant "ignore the stuff NT has built in, just get it working smoothly". The recent security work has been cleaning up bad coding, bad app-layer decisions, and learning how to take advantage of the fine grained security mechanisms NT has had all along.

Re:At least nobody claimed it was "objective"

[Faluzeer]

Hmmm

The points I raised in my previous post were not bad code implementations for the most part, they were design / configuration decisions.

I could have listed more points, but I concentrated on those that made privelage elevation easy, as such they helped to negate/bypass a lot of security features that NT had (at the time of NT 3.51 / NT 4).

Security in NT has improved massively over the last 8 years, I believe that Win2003 is better than previous versions and that MS is now starting to take security seriously (or least more seriously than they had done).

Re:At least nobody claimed it was "objective"

The points I raised in my previous post were not bad code implementations for the most part, they were design / configuration decisions.

They were configuration decisions...as evidenced by your use of the words "by default...". The security was built in from the beginning. It was just the default configurations that bypassed it.

Security

[dexterpexter]

In my experience with both Operating Systems, I have often found that a lot of the insecurity lies with the user. Again, this is just my observations and not hard fact, but I have found that the average Linux user is more aware and technologically savvy than the average Windows user. Linux has traditionally served as a geek playground whereas Windows seeps into the marketplace on new-from-the-store PCs and thus is usually the first operating system most people learn on. My mother, who would "never try an operating system like 'Linus'" is just as oblivious to the necessity of a good firewall on her machine. In fact, before I intervened, she nor any of her friends even had one. Worse, they were under the opinion that you can not retrieve email without Outlook, and that Internet Explorer was the internet. That might sound preposterous to you or I, but I have found this to be true of many casual PC owners. So, beyond security problems inherent in code are problems inherent in the user as well.

Linux is also very community-minded (hence, the "Open Source Community.") We vehemently defend Linux and thus have greater stock in its success. Now, I do not subscribe to the idea of thousands of users pouring over the source code and fixing security holes, but I will assert that the small number of users who actually contribute to the community do a fine job of it, and are extremely dedicated. What Open Source offers is the ability to pour over the code, even if most of us don't take advantage of this. M$ developers are usually money-driven and thus focus more on how fast they can get a product on the shelves than how rock-solid they can make it. Linux developers seem to take more pride in their product as, since many of them donate their work, all they really have is that pride to guard. You won't find the Linux community only putting out one large, obscure patch a month and then declaring "AHA! We have less patches than M$." ;) Hmmm... that seems vaguely familiar. :)

If I had to put my money down on which one was more secure, my money would go on Linux.

-dexterpexter

Here's a short abstract for those too lazy to RTFA

[azaris]

"Reflecting On Linux Security In 2003

How about that unsecure Windows huh? What a piece of crap innit? I get virus-related spam all the time and I read in the newspaper that Windows-machines are really vulnerable so I can't imagine why anyone in their right mind would run one.

I've never had a security incident so Linux must be 100% secure. I hear even MS themselves have gotten hacked, how's that for bad publicity? You'd never see that happen to people like the FSF, Debian or Gentoo. I say we should ban all MS software and move to using OSS on Linux. Then we could all stop patching our systems since they'd be secure forever. Think of all the money and effort we'd save!"

SSH and SSL

[PacoTaco]

I think it's ironic that the two things I had to patch most often this year were OpenSSH and OpenSSL. What does that first 'S' stand for again?

Re:SSH and SSL

Encrypted.

Your point?

Re:SSH and SSL

[LucidityZero]

What does that first 'S' stand for again?

Shaky? Suspect? Speculative?

Re:SSH and SSL

[evilquaker]

I think it's ironic that the two things I had to patch most often this year were OpenSSH and OpenSSL. What does that first 'S' stand for again?

SCO?

Re:SSH and SSL

[jc42]

I think it's ironic that the two things I had to patch most often this year were OpenSSH and OpenSSL.

Well, I'd think that this is a Good Sign. The term "secure" doesn't really mean that no holes exist. That's hardly likely. What it really means is that no holes are known. Or, a hole was just discovered, and we're working furiously to fix it.

The fact that these patches came out really mean that the OpenSS[HL] crowd is 1) actively looking for problems, and 2) fixing them rapidly. In particular, they don't hide the problems behind a shield of secrecy, and they don't collect patches into sets to be released when the PR people decide it's appropriate.

If their patches taper off, it will be time to take a skeptical look, to make sure that people are still actively attacking the OpenSS* code and trying to poke holes. If this process stops, we should worry. If people are still studying and attacking the code, but failing to find holes, we'll know we're in good shape.

But we aren't quite there yet. So the patches are a Good Thing.

Re:SSH and SSL

[WuphonsReach]

SSH and SSL are very attractive targets... breaking them is like breaking through a building's wall (the inside elements of the system are probably not as well protected). As a result of the high reward of breaking SSH or SSL, a lot of effort is going into attacking / checking the code.

Also, any exploits that are found/patched are pretty serious, if for no other reason then that they are part of SSH or SSL. (The same exploit in Solitare would not rate near the same level of attention.) When the bad guys break into Chuck's Chicken Shack, it's not front page news. When they break into the local bank vault, it is.

Re:SSH and SSL

[Lispy]

Lucky you. I was busy patching my friends Win2k clients to get rid of blaster. *sigh*

BREAKING NEWS!

[Vint+Cerf]

Evil George "Evil" Bush uses powers of HATE and EVIL to MURDER 20,000 innocent children in Iran.

And one for those too STUPID to accept the truth

STFU!

reflecting on unprecedented evile in 2003

tough year to say the leased. what a mess?

as we can see, despite evile's unprecedented assault/life0cide perpetraitored on the creators' planet/population/humankind, most of us are still alive.

as the # of lumenaries grows, you might also note the declining 'influence' of evile on many of US?

the planet/population remains in high crisis alert with a real risk of overheating (peacing off?) the main processors still looming large.

consult with/trust in yOUR creators.... get ready to lighten up.

Hoooeee!!! Hooray for linux!

Now don't break your arm patting yourselves on the back. That article hasn't really stated ANYTHING new or anything of even mild interest. Yeah Steve Ballmer said windows was as secure as linux, did anyone actually BELIEVE the guy? Maybe the non-techies, but this article is really only going to be read by /.ers which is the epitome of geeky techs. What point did this article actually have other than calling the kettle black?

Short on facts

[iron_weasel]

I found the article not very informative.
It had a lot of verbiage but thats about all.
'Someone said this, someone said that, yada yada.'

Exactly how many holes were there? How many known of are still there? "Where's the beef?"

viruses?!?

virii

Re:viruses?!?

[AmericaHater]

No, the plural is viruses not virii. Like you I made this mistake out of a mistaken confidence in my own superior education. Worse still I made it in a magazine article. Worse yet I'm not American which would be partial justification for being ill-informed & ill-educated.
Ouch. At least you are anonymous.
see; viruses definition

Re:viruses?!?

Worse yet I'm not American which would be partial justification for being ill-informed & ill-educated.

Nice troll, you fucking terrorist.

Check out whom the thief turns out to be.

Might Darl McBride face prison time?

Rebuttal to MS

[bhtooefr]

- XFree86 will run on a lot of stuff. However, why do you need a GUI? Last I checked, you were developing a better CLI...
- SSH?
- No Microsoft proprietary Kerberos support. There's Kerberos, just not MS Kerberos.
- I'm pretty sure it's there, and if not, someone can whip it up quickly.
- Hmm... Samba, anyone?
- I thought most of them WERE crypto...
- The "free will" contributors do a better job and go through more of a review process than your patches, thank you very much
- That's just pure BS
- No. Initial cost is much less than Windows, and TCO would have to be less.

Re:Rebuttal to MS

[Elektroschock]

Your're right. We know it. I guess Microsoft knows it too. I just wanted to show their Propaganda.

Re:Rebuttal to MS

[t0ny]

Please compare this and this. To be blunt, neither of them appear to be the apex of computer security; people need to stop kidding themselves about how secure Linux is, or it will never get better.

Re:Rebuttal to MS

[bhtooefr]

Most of those seem to be optional software on both sides. Also, more of it seems to be optional on the Linux side. I'm not saying that Linux is "t3h s3kur3 05!", I'm saying it's better than Windows. If you want so-damn-secure-it'll-survive-every-cracker-in-the- world, get OpenBSD. If you want a decent OS that's better than Windows, get Linux.

Re:Rebuttal to MS

[t0ny]

Im sorry, but I dont buy that. If you want to say "better", you need to quantify it.

Looking at the Windows page, most of it is likewise optional. However, poke around Security Tracker's site- you have a greater chance of getting r00ted with Linux (assuming all other things are equal), IMO.

Thats why, of course, computers need full-network security. Having a computer connecting to the internet without a firewall is lunacy, even for home users.

My point isnt to get into some OS penis-size arguement. It's to say that all these people here thinking Linux is so secure are only fooling themselves. They definitely arent fooling the malicious hackers.

Re:Rebuttal to MS

[bhtooefr]

By better, I mean that Linux is more stable in certain applications, more secure from the desktop, not necessarily through the ethernet cable, and has less draconian licensing. I don't deny that Windows has it's uses - this laptop dual boots between Win2K and SuSE 8.2 (except the registry is chkdsked on the 2K partition, so it won't boot, and attempts to repair or reload it just lock the computer up - I'm tempted to blow out the partition, and resize the SuSE partition).

BTW, it looked like those were services your average desktop user wouldn't run by default on Linux. On Windows, there's SO much more stuff on by default that's exploitable.

Re:Rebuttal to MS

"However, poke around Security Tracker's site- you have a greater chance of getting r00ted with Linux (assuming all other things are equal), IMO."

That's only if you don't count cracking an admin account on windows to be rooted. Good lord, man, you are talking an OS that defaults users to admin.

Re:Rebuttal to MS

[t0ny]

It doesnt default the user to admin in any OS *I* use. But I only use Win2k Pro or Server; life is too short to waste my time with consumer level computer goods.

One other point, now that you bring it up; if Windows Home had seperate Admin and User accounts, what percentage of people do you thing would end up locked out of their computers? See, what you Linux guys cant accept is the fact that computers need to be used by non-computer experts. They dont want to remember two or more accounts, what account you need to do what, etc.

Thus, MS makes trade-offs regarding ease of use vs. security. Why? Because EVERY security measure you can impliment goes directly counter to ease of use. If you cant understand this concept, I would advise you to take a few computer security and network design classes.

Re:Rebuttal to MS

[t0ny]

No, I know what YOU are saying, but Im asking you to quantify it with something other that 'dude states something as fact on an Internet forum'. My favorite reference is security tracker, but there is a whole world wide web of information out there for you to cite.

For example, there has to be somebody who did a side by side comparison of Windows 2000 (or XP) and Linux. Maybe they even have pretty bar charts showing operating speeds, Quake3 framerates, etc.

Much, much more credible and informative than the esteemed Dr. bhtooefr's gracious posting to Slashdot. Thats what I mean by quantifying what you are saying.

Re:Rebuttal to MS

[bhtooefr]

OK, anyone want to send me a souped up rig to do these benchmarks on?

Re:Rebuttal to MS

[t0ny]

How about the next best thing...

Implications of this concept:

[Crypto+Gnome]

Terry Pratchett (in his many and various Discworld novels) overed this quite clearly.

The Patrician privatised everything.
I mean everything
All the usual goings on in a big city (eg crime) were arranged much like insurance is today (in our world).

Unfortunately (you knew I was going to say that).... The Fire Department got into the insurance business (have to raise money somehow) - specifically FIRE insurance.

This ended up with them having such pleasant conversations (amongst themselves) while walking down the main business streets.

My My. Such lovely Old Buildings. Wonderful WoodWork. Would be such a shame if one of them should catch fire. Would prolly burn most of the city down. Oh Dear! What a disgrace that would be.

Basically, in our world, most people recognise that such a situation (ie charging to fix something that you should not have broken in the first place) would very rapidly lead to (essentially) rampant wholesale uncontrolled extortion.

If a company were to charge you for security and other bug fixes, they would then have a strong financial incentive to produce shoddy bug ridden software and frequent updates.

Product quality would decrease, and administration overhead would increase.

It's the same issue with charging for software subscriptions. What is their incentive to produce another updated version with new features? After all they've already got your money.

A Software Subscription (with ALL updates FREE for 5 YEARS !!!!) does nothing more than make software updates come out once every 5 years.

Re:Implications of this concept:

If a company were to charge you for security and other bug fixes, they would then have a strong financial incentive to produce shoddy bug ridden software and frequent updates.

Um, doesn't that describe today's environment? Win98/Win98SE, Microsoft Office, most commercial software where they stop work on last years version and force you to upgrade to this years version...

Re:Implications of this concept:

[wildwood]

Terry Pratchett (in his many and various Discworld novels) overed this quite clearly.

The Patrician privatised everything.
I mean everything
All the usual goings on in a big city (eg crime) were arranged much like insurance is today (in our world).

Unfortunately (you knew I was going to say that).... The Fire Department got into the insurance business (have to raise money somehow) - specifically FIRE insurance.

Did this happen later in the series?

In the first book, I distinctly remember that the insurance policy that Twoflower wrote for the shop keeper was the first insurance policy ever written in Ankh-Morpork.

Which, of course, promptly led to the first case of insurance fraud, and a great fire that destroyed most of the city...

Re:Implications of this concept:

[Al-Hala]

Funny you should use firemen as an example.

I've been told that Firemen in Roman times did just this. The main job was to head to burning (or soon to be) properties and convince the owners to sell out cheap :)

Re:Implications of this concept:

[Crypto+Gnome]

The firemen/insurance thing was mentioned in passing (like one paragraph in one of the books) along the lines of "it used to be done this way, but the patrician heard of the rampant extortion and shut it down before the entire city burnt to the ground".

Re:Implications of this concept:

[wirelessbuzzers]

It wasn't insurance, and it wasn't a big thing. It was mentioned in Guards! Guards! when the dragon was burning the city that the firefighters' guild had been outlawed for this reason.

Debian and Gentoo DIDN'T have their "root file ...

... distribution servers OWNED".

Debian's is a Sparc machine, the x86-only kernel exploit bounced off it harmlessly.

In the Gentoo case, it was _one_ machine out of a pool of dozens of DNS-round-robined _mirrors_. Not the master.

Given these, you tell me how "root file distribution servers" were compromised.

Sadly

2003 was the year for LSM (Linux Security Modules) to become mainstream by the release of the 2.6.x kernel. Though LSM's basic idea is great, it doesn't at the moment include even a fraction of the required hooks (couldn't support PAX for instance!) so it is kind of useless.

In any case, the mainstream kernel still doesn't include buffer overlow protection for the userspace processes. It isn't protected itself either. Some smart people use Grsecurity and Propolice kernel patches to obtain both, but...

MS will release XP sp2 soon with "some tweaks" over the matter. Soon perhaps only the Linux boxes will be virtually breakable.

Nice going, kernel developers.

Linux built with security in mind. ROFL BS!

Linux built with security in mind. ROFL BS! That's the biggest load of shit I've heard since I've heard people claim that redhat is as secure as debian or slackware.

Linux is NOT built with security in mind, only after it's built and breached, is it then "patched" with security fixes. The development model of Linux is out of control and does really suck. The amount of Linux distro's alone is out of control and way too fragmented for real use. Why not standardize like the BSD's, such as OpenBSD in which is REALLY built with security in mind.

everything that's wrong with slashdot..

[bmajik]

so your first impulse upon readin this was to think i was trolling ? why, because i have an uncommon point of view ? do you disagree with my argument, my conclusion, or my employer ?

Yeah, I _could_ have mentioned that, but it should be obvious from my posting history and my user page that im certainly not hiding it. I wasn't aware that slashdot required a disclosure statement of employment for dissecting a poorly made "argument"

my post was to point out that this was hardly an article at all, and basically some free advertising for this gagne fellow. It had NOTHING to do with linux security in 2003, over half of it was a rant on how shoddy microsoft is.

I've pondered the value proposition of open source before.

I'm sure since you value open source so highly, instead of being dependant on whatever is given to you, that you also sew your own clothes and grow your own food :)

The article i responded to was not an article at all - it was an anti-MS rant and i was irate that something with an interesting title claiming to be about linux security in 2003 - was nothing more than someone pushing their ideaology.

Also - i really dislike the use of the term astroturfing. I'm _not_ being paid by MS to post to slashdot, especially the day after christmas.

I'm not blindly supportive of everything MS does - but unlike alot of people, I'm also not blindly critical. When someone has something interesting or objective to say about MS, I listen, because thats how we get better. When someone is just ranting off and sounding uninformed, occasionally I let them have it (I say occasionally because responding to each instance of this would be a 24/7 endeavour for multiple people :)

Re:everything that's wrong with slashdot..

Dear Mathew Evans (aka: ``bmajik''):

In recognition of outstanding Anti-Linux viral marketing, you are hereby awarded a bonus coupon of $500 valid at any Microsoft Company Store (only).

In addition, in recognition of your "objective" deflection of astroturfing accusations, you are hereby awarded $200 in Microsoft Stock Options (only).

Keep up the good work! Keep those Open Sores hippies away from their code and on slashdot!

Sincerely,
John Greedicus
Director of Slimy Viral Marketing
MisterSlimy@microsoft.com

Re:everything that's wrong with slashdot..

Dear Mathew Evans (aka: ``bmajik''):

In recognition of outstanding Anti-Linux viral marketing, you are hereby awarded a bonus coupon of $500 valid at any Microsoft Company Store (only).

In addition, in recognition of your "objective" deflection of astroturfing accusations, you are hereby awarded $200 in Microsoft Stock Options (only).

Keep up the good work! Keep those Open Sores hippies away from their code and on slashdot!

Sincerely,
John Greedicus
Director of Slimy Viral Marketing
MisterSlimy@microsoft.com

How pathetic. You've just demonstrated how childish the anti-Microsoft crowd is. He gave reasonable explainations and this is the best you can come up with?

Re:everything that's wrong with slashdot..

[MidnightLog]

I think you both have good points: You're right when you say that the article was not objective. It would be nice if that was hinted at in the story summary, but that may be too much to ask from the /. editors. He's right when he says you should have mentioned that you're a Microsoft employee. Most people won't check your posting history or user page to learn that, but most people will think it affects your viewpoint.

Disclaimer: I work for an advertising agency, so everything I say should be taken with a (large) grain of salt.

Re:everything that's wrong with slashdot..

[nathanh]

I'm sure since you value open source so highly, instead of being dependant on whatever is given to you, that you also sew your own clothes and grow your own food :)

The difference is that each item of clothing and each bushel of grain requires a repeated amount of effort. But with open source, the first instance requires effort and each subsequent copy requires no effort at all.

To put it another way, if by sewing a single shirt I could clothe the world's homeless, and by growing a single bushel of wheat I could feed the world's hungry, then I'd do both in an instant and I would never consider the cost to me. The benefit to the world is far greater than my personal loss.

You apparently think charity of this nature is something to sneer at.

Re:everything that's wrong with slashdot..

[man_of_mr_e]

To put it another way, if by sewing a single shirt I could clothe the world's homeless, and by growing a single bushel of wheat I could feed the world's hungry, then I'd do both in an instant and I would never consider the cost to me. The benefit to the world is far greater than my personal loss.

Even if it costed you your entire lifes work? And the lifes work of all your friends, co-workers, and thousands of their friends? Even when you have to figure out some way to pay your own bills, feed yourself, and clothe yourself while doing this?

The part you seem to forget is that the cost develop software is monstrous. It takes thousands of man-years to develop something like the 2.6 kernel. It's great that these thousands of people are willing to give away their hard work for the profit of other companies, but that really doesn't mean that it's reasonable to expect that to be the norm in the world of software.

In order for "good" software to be created there must either be a viable market for software amortized over the number of copies sold (ie, you need to sell enough copies at a cost people are willing to pay to make back what you've spent and provide enough money to expand) or you need to have an army of loyal followers catalyzed against a common foe that will work for you for free and not demand any of your profits in the perhaps futile hope that when the enemy is vanquished that the world will be a nice place.

There is one thing that is fueling the vast majority of open source work these days: A combined concern about Microsoft and their products. I guarantee you that if MS did not exist, IBM, Sun, SGI, and most other corporate contributors wouldn't be doing so and Linux would still be in the stone ages of computing.

This leads to the inevitable question of, what happens when Microsoft is defeated? Well, likely the clans will turn on themselves and eat their young. Without a common enemny, the united forces will be reduced to bickering and infighting.

In a way, Linux owes it's progress to Microsoft.

Re:everything that's wrong with slashdot..

[nathanh]

Even if it costed you your entire lifes work? And the lifes work of all your friends, co-workers, and thousands of their friends? Even when you have to figure out some way to pay your own bills, feed yourself, and clothe yourself while doing this?

But you and I both know that open-source developers are not starving, homeless, unclothed, unable to pay their bills. Strawman argument.

The part you seem to forget is that the cost develop software is monstrous. It takes thousands of man-years to develop something like the 2.6 kernel. It's great that these thousands of people are willing to give away their hard work for the profit of other companies, but that really doesn't mean that it's reasonable to expect that to be the norm in the world of software.

Yet Bill Gates has billions of dollars of cash. We have IT CEOs flying around in private jets. Is this where the money is going? It's not paying for developers; it's paying for junkets and jaunts and jollies for the Rich White Men in control.

The reality is that software isn't nearly as expensive as you think it is. The fact that Linux was built by volunteers in their spare time really says it all. The true cost of developing software is cheap; Linux proves that. It's the support and maintenance of software that is expensive.

In order for "good" software to be created there must either be a viable market for software amortized over the number of copies sold (ie, you need to sell enough copies at a cost people are willing to pay to make back what you've spent and provide enough money to expand) or you need to have an army of loyal followers catalyzed against a common foe that will work for you for free and not demand any of your profits in the perhaps futile hope that when the enemy is vanquished that the world will be a nice place.

Nice dichotomy. Such a shame that it's false. Software development will always be in demand. If somebody codes software as an unpaid volunteer then that's great. But there will always be some software that nobody wants to write. If that software is in demand then capitalism says that money will appear and developers will be paid, even if the fruits of their labour are open-source. Write that down as cardinal rule #1.

Cardinal Rule #1: There will always be opportunities for paid software development.

The real question is: will there be more or less paid software development work than we have today and how will this translate into salaries and employee numbers. In any event, there are multiple reasons why software is developed. The idea that the only way of making money from software is by hiding the source and extracting a license-fee per copy of the binary is utter nonsense.

There is one thing that is fueling the vast majority of open source work these days: A combined concern about Microsoft and their products. I guarantee you that if MS did not exist, IBM, Sun, SGI, and most other corporate contributors wouldn't be doing so and Linux would still be in the stone ages of computing.

Linux was a best of breed UNIX before any of the "corporate contributors" paid the least attention. The KDE project delivered a usable desktop in 1997; that's an achievement the combined "might" of the UNIX vendors failed to deliver despite a decade headstart.

This leads to the inevitable question of, what happens when Microsoft is defeated? Well, likely the clans will turn on themselves and eat their young. Without a common enemny, the united forces will be reduced to bickering and infighting.

In a way, Linux owes it's progress to Microsoft.

Do you actually believe any of that nonsense?

Re:everything that's wrong with slashdot..

[man_of_mr_e]

But you and I both know that open-source developers are not starving, homeless, unclothed, unable to pay their bills. Strawman argument.

As was your original argument about feeding the world with one field of wheat. And yes, there are some developers that are largely "starving". While RMS seems to be making good money today, there were many years where he claimed to survive the entire year on only $3000.

Yet Bill Gates has billions of dollars of cash. We have IT CEOs flying around in private jets. Is this where the money is going? It's not paying for developers; it's paying for junkets and jaunts and jollies for the Rich White Men in control.

Umm.. I think you're forgetting that Bill Gates, Larry Ellison, etc.. make their money off the sale of stock, not their salary. Revenues from the sale of software do not contribute significantly to the bank accounts of these people (in fact, Bill Gates draws one of the lowest salaries of any CEO in the industry.)

This is not to say that Microsoft itself doesn't make an absurd amount of money, it does. But this is a function of them being a monopoly. If they had more reasonable sales they wouldn't have billions in the bank.

The reality is that software isn't nearly as expensive as you think it is. The fact that Linux was built by volunteers in their spare time really says it all. The true cost of developing software is cheap; Linux proves that. It's the support and maintenance of software that is expensive.

The reality is that you don't know the value of the time and effort being contributed to Linux. You do the people that have contributed to it a great disservice by dismissing their contributions as "cheap". The fact of the matter is, you're enjoying the fruit of many *THOUSANDS* of man hours worth of effort, equaling many billions of dollars worth of work if all of those people were being paid.

Nice dichotomy. Such a shame that it's false. Software development will always be in demand.

I didn't say it wouldn't. I said "good" software. Most software developed in-house is not good software, it tends to be "good enough" (if they're lucky) software. Since companies view internal software development as an expense, they want to pay as little as possible and will seldom pay for software to be perfect.

The idea that the only way of making money from software is by hiding the source and extracting a license-fee per copy of the binary is utter nonsense.

Really? It's pretty much been proven that in all but a few exception circumstances that that's the only way to make money on software. Even Red Hat is moving towards a licensing fee per copy, which is why they've dropped RHL and is concentrating on RHEL.

Companies are becoming increasingly less likely to spend the kind of money that original software development costs, even for internal use. Internal development staffs have been slashed over the last few years.

Linux was a best of breed UNIX before any of the "corporate contributors" paid the least attention. The KDE project delivered a usable desktop in 1997; that's an achievement the combined "might" of the UNIX vendors failed to deliver despite a decade headstart.

You have got to be kidding me. You call a system that couldn't scale beyond 4 processors "best of breed"? You call a system that had such a poor VM and scheduler that it required numerous rewrites to actually make them useable by todays standards "best of breed"?

KDE's first incarnation was total crap. It may have been "useable" but it was nowhere near "best of breed" in 1997. Further, KDE was based on the work of a corporate contributor (TrollTech) that was donating the code to make it happen.

Do you actually believe any of that nonsense?

I could ask the same of you. Best of breed indeed.

Re:everything that's wrong with slashdot..

[nathanh]

But you and I both know that open-source developers are not starving, homeless, unclothed, unable to pay their bills. Strawman argument.

As was your original argument about feeding the world with one field of wheat.

It wasn't my original argument. You brought up the idea that open-source programmers should "also sew your own clothes and grow your own food". I pointed out the logical fallacy in your argument that software and material goods are not the same thing. I pointed out that the production costs of software are basically zero. I illustrated the logical fallacy in your argument by demonstrating how wonderful the world would be if production costs for clothes and food were zero. Basically I was showing, in a polite way, that your argument to equate "free software" with "free clothes and free food" is invalid.

Umm.. I think you're forgetting that Bill Gates, Larry Ellison, etc.. make their money off the sale of stock, not their salary. Revenues from the sale of software do not contribute significantly to the bank accounts of these people (in fact, Bill Gates draws one of the lowest salaries of any CEO in the industry.)

I didn't say salary. Where do you think the money comes from? The stockholders are making money, so it's not coming from them. The money is coming from the end-users when they pay their license fees. That means the billions of dollars of cash in Bill Gates wallet came from end-users. In other words, end-users have paid billions of dollars more than the actual development cost of the software.

The reality is that you don't know the value of the time and effort being contributed to Linux. You do the people that have contributed to it a great disservice by dismissing their contributions as "cheap". The fact of the matter is, you're enjoying the fruit of many *THOUSANDS* of man hours worth of effort, equaling many billions of dollars worth of work if all of those people were being paid.

The reality is that I do understand and you don't. I didn't say their [Linux developer's] contributions are cheap. I said the development cost of Linux is cheap. That's a simple fact. Compared to the cost of developing Windows or UNIX, the development cost of Linux has been a drop in the bucket. Yes, billions of dollars worth of man-years have been spent on Linux. This is still a tiny percentage of what has been spent on Windows or UNIX.

It's very easy to understand why open-source development is cheaper. An open-source project can build upon existing open-source projects. Open source is the perfect realisation of code re-use. Even if an open-source project dies, the code lives on. Contrast with the incredible amount of wasted and repeated effort in the proprietary world. Even with the redundant efforts in open-source - how many text editors are there? - it's nothing compared to the redundant effort in the proprietary world.

I didn't say it wouldn't. I said "good" software. Most software developed in-house is not good software, it tends to be "good enough" (if they're lucky) software. Since companies view internal software development as an expense, they want to pay as little as possible and will seldom pay for software to be perfect.

How do you think this is any different to externally developed software? Come back to the real world! Most software is shithouse. Your own company is infamous for the low-quality software it produces; the industry joke is to wait for Microsoft's third version because they might get it right by then. Your last sentence is bemusing; you say companies running internally developed projects "want to pay as little as possible and will seldom pay for software to be perfect". That sounds exactly like ALL software companies to me, both internal and external.

Oh, really? What about...

[Overly+Critical+Guy]

...the security breaches of GNU/FSF (twice), Debian, GNOME, and Gentoo. All within six months!

Don't troll if Linux has its flaws like any other operating system does.

Windows Update has been 0wn3d too...

[j0hnyb1423]

and not so long ago, anyone remember Code Red? Former co-worker of mine saw the defaced page and that screenshot that was passed around was priceless

However ...

[DroversDog]

if you want a life get rid of you're computer ... ah, mmm, now what am I going to do? Can Slashdot send me a printed copy?

Microsoft 0w3Nz j0o

[mu-sly]

Next we have Linux users violating the EULA for the X-Box and tinkering with it so that it can run Linux.
Why on earth any sane person would want to take a bitching game machine like X-box and ruin it by installing Linux is a mystery to me.

But that's a big question about ownership of the box. If you buy an Xbox and want to break it (by smashing it with a hammer, for example) then who is to stop you? It's your Xbox, right?

So, if you want to "break" it by attempting to install other software on it, then why should you not be allowed to? It's your Xbox, after all, and if you break it, it's your problem.

Trying to prevent people doing unintended things with equipment that they own is ridiculous. Sure, you can make it illegal, but there is no point in making laws that people are just not going to follow, since that only serves to bring the rest of the law into disrepute.

You may not understand why someone would want to run Linux on their Xbox, but really - why should Microsoft (or you, or anyone else) give a shit what anybody wants to do with their own Xbox? They stumped up the cash to buy it in the first place, therefore it's their choice what they do with it.

The DMCA is a stupid law that serves no good purpose whatsoever, and by it's very existence deserves to be disobeyed. Using a machine for something other than it's original intended purpose is a totally different ballpark to copyright infringement, and should not be illegal.

The government that governs best, governs least.

You sir are a troll.

[zoloto]

Number 1) eula's have never stood their ground in court. certianly not my own local one. Nor have they ever constituted any sort of agreement without both parties present.

Number 2) It's an xbox. You bought it, you can break it anyway you seem fit.

Number 2) Darl... is that you??

lol

Check the spelin

[sparkz]

The open source development model insures that Linux code is open to scrutiny at the most basic level
That should be "ensures" not "insures".
Shame this advocate can't apply the principles himself - getting a peer review of the article should have picked up that simple mistake (assuming that his peers, at least, lernt gramer at skuwl)

Re:Oh, really? What about...

In A.D. 2003
War was beginning.
Slashbot 1: What happen ?
Slashbot 2: Somebody set up us the bomb.
Slashbot 3: We get signal.
Slashbot 1: What !
Slashbot 3: Main screen turn on.
Slashbot 1: It's You !!
Overly Critical Guy: How are you gentlemen !!
Overly Critical Guy: All your base are belong to us.
Overly Critical Guy: You are on the way to destruction.
Slashbot 1: What you say !!
Overly Critical Guy: You have no chance to survive make your time.
Overly Critical Guy: HA HA HA HA ....
Slashbot 1: Take off every 'sig' !!
Slashbot 1: You know what you doing.
Slashbot 1: Move 'sig'.
Slashbot 1: For great justice.

No date or source

[SgtChaireBourne]

Well, there's no date or source attibuted to the supposed ad. It could be fake. But regardless here are the points,

- no GUI for linux server on old hardware

Just how old? 8088? xfree86 will run on even an i486 with 16 MB RAM.

- authentification with uncrypthed text as default

SSH, PAM

- no Kerberos support

Standard Kerberos, both MIT and Heimdal, not MS's broken, proprietary variant is supported in both client and server. It's on all distros I've seen in the last few years.

- no smartcart authentification support

PAM

- no public key infrastructure with directory service

LDAP/OpenLDAP/NDS

- no default cryptho file system

No, but doing an encrypted loopback filesystem is an install option on many distros.