Are you aware of any analysis as to the extent that is actually true, ie for distro X or Y which patches really have been backported and which are skipped?
Yes. For most CVEs, the major distributions do backport fixes. They don't however backport all security fixes.
For example, there was a bug in crypt's bcrypt implementation which would cause collisions for certain classes of passwords (specifically those with characters with high bits set). The fix in 5.3.6 was to add a check into the normal $2a$ implementation, and to add $2x$ (legacy) and $2y$ (proper implementation). So when using > 5.3.6, you can enforce proper behavior using the $2y$ prefix to crypt. CentOS backported this into their 5.3.3 version. Debian did not. So from a security standpoint, we now have a divergence between the two.
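To make the collision class described above concrete, here is an added Python simulation (not code from this thread, from PHP or from crypt_blowfish) of just the key-word extraction step of bcrypt's Blowfish key setup: the buggy path mirrors the $2x$ behaviour, where a high-bit byte read through a signed char is sign-extended when OR'ed into the 32-bit word, and the corrected path mirrors $2y$. The sample passwords are constructed; nothing here computes an actual bcrypt hash.

```python
# Simulation of bcrypt's key-word derivation (BF_set_key in crypt_blowfish).
# The 2011 bug: `tmp |= *ptr` with `const char *ptr`, so on platforms where
# char is signed a byte such as 0xA3 became 0xFFFFFFA3 and wiped the bytes
# already shifted into that word. The fix reads the byte as unsigned char.
# Because the rest of the key setup only consumes these words plus the salt,
# two passwords with identical key words produce identical hashes.

KEY_WORDS = 18  # P-array size (BF_N + 2); 18 * 4 = bcrypt's 72-byte key limit


def expand_key_words(password: bytes, sign_extend: bool) -> list:
    """Return the 18 32-bit words the key setup derives from `password`.

    The real code cycles over the password bytes *including* the NUL
    terminator, so the stream period is len(password) + 1.
    sign_extend=True reproduces the legacy ($2x$) behaviour,
    sign_extend=False the corrected ($2y$) behaviour.
    """
    key = password + b"\x00"
    words = []
    pos = 0
    for _ in range(KEY_WORDS):
        tmp = 0
        for _ in range(4):
            raw = key[pos]
            tmp = (tmp << 8) & 0xFFFFFFFF  # 32-bit BF_word, high bits drop off
            value = raw
            if sign_extend and raw >= 0x80:
                # signed char -> int sign extension, then OR into the word
                value = raw | 0xFFFFFF00
            tmp = (tmp | value) & 0xFFFFFFFF
            pos = 0 if raw == 0 else pos + 1  # wrap after the NUL terminator
        words.append(tmp)
    return words


def collides(p1: bytes, p2: bytes, sign_extend: bool) -> bool:
    """True if both passwords yield the same key words under the given setup."""
    return expand_key_words(p1, sign_extend) == expand_key_words(p2, sign_extend)


if __name__ == "__main__":
    # Constructed sample: the bytes preceding each 0xA3 inside a 4-byte group
    # ('ab' vs 'xy', 'd' vs 'z') are erased by the sign extension, so the two
    # distinct passwords hash identically under the legacy behaviour only.
    legacy = b"ab\xa3cd\xa3e"
    other = b"xy\xa3cz\xa3e"
    print("legacy ($2x$) collision:", collides(legacy, other, sign_extend=True))
    print("fixed  ($2y$) collision:", collides(legacy, other, sign_extend=False))
    # Pure ASCII passwords are unaffected by the bug in either mode.
    print("ascii unaffected:", collides(b"password", b"password", True)
          and expand_key_words(b"password", True) == expand_key_words(b"password", False))
```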
I wonder how much your "% of installs that are secure" statistic could be inaccurate due to most (I'd hope) sites that care even slightly about security suppressing the Apache header PHP version information.
Absolutely. The analysis is only as good as its data source. There are other people looking at other data sources (httparchive for one) to try to get more data for it. But ultimately I had to go with what I had.
I suppose there are also questions as to what "insecure" means in practice.
Well, perhaps insecure is an extremely misleading term in this context. Vulnerable would be better. Yes, an attack vector may not exist, but the vulnerability does. The reason this is important is that today you may not be using unserialize() on user input, but that doesn't say you won't tomorrow. The hole will exist, the vector would be what's created.
Check out my slight elaboration on this in this comment
There's a difference between a vulnerability and an attack vector. Even if it's not exploitable, the vulnerability still exists.
However, I would like to make a point. How many of these installs made a conscious decision by investigating the security fixes and balancing that against their codebase to see if it's exploitable or not? I'd wager that the number is so small as to not even register.
Besides, I think a variant of Schneier's law applies:
"any person can invent a security system so clever that she or he can't think of how to break it."
The same thing applies to vulnerabilities: If you can't think of a way to exploit it, that doesn't mean it isn't exploitable.
So yes, it is an over-statement. But it's also showing quite clearly how updates are being dealt with. And that was the precise point of the original post. If it gets people to think about upgrading more, then awesome. If not, nothing lost.
I mean, come on: 82.27% of perl installs are secure? 77.59% of python installs? Get real.
No. 82.27% of all Perl installs have no known vulnerabilities in Perl itself.
This isn't to say the code on top is secure. And it isn't saying that it's exploitable. Just whether known vulnerabilities in the platform itself exist.
The point most people make when you talk about running old versions is that "well, distributions backport security fixes, so 5.3.3 is secure on distro XYZ".
So, to get around that, I looked at the popular distros' versions that they maintain. Then I counted *all* of those point versions as secure (over counting). So 5.3.3 is insecure as distributed by php.net, but as installed by Debian 6 it is secure.
So therefore to get an upper bound (rather than lower bound) on secure versions, you need some way of factoring in for distro support.
So I picked the most popular distros for server usage. Is this hand-waving? Absolutely. But it should give a pretty reasonable upper-bound.
Have you actually read the bill? Because I find it REALLY hard to believe that anyone who actually has would say that it does anything about the health care problems the USA has. It's not a health care bill. It's a health insurance bill. One which does nothing to solve the existing problems that health care has (abuse, ridiculous spiraling costs, ridiculous GOVERNMENT regulations - aka Medicare's rules, etc). Not to mention fraud or malpractice abuse (false malpractice cases, which drive up costs significantly)...
Does that make it useless? No, absolutely not. But it does nothing for the healthcare problems that we face. All it does is put a band-aid on a gunshot wound. A band-aid that costs how many billion dollars per year (that we're already over-budget by)?
Everyone thinks that high turnover is a bad sign. And it is. But very few people think of what extremely low turnover means.
If a company has 40% turnover each year, that's a sign that something's wrong in the organization. There's a reason that people are leaving so quickly. If the average tenure is only 14 months, that's not a good sign. But on the flip side, it could be that same 40% that keeps turning over. Imagine that they have a small team, and are trying to grow it. High turnover in the growth area could mean that they just haven't found the right fit. (in this case, the average tenure could be 3 or 4 years, even though the turnover appears so high). That could indicate the quality of applicants, or that their interviewing process sucks. So turnover by itself is hard to understand. But turnover with average tenure tells a more complete picture.
Now, if turnover is under 1%, that could also be a scary sign. It could indicate that employees are never growing. That they are stagnating in their position and can't move on because their skills have gone rusty. That could also be a huge negative.
I personally look for moderate turnover. Somewhere between 5% and 20%. Signs that there's some new blood in the team, keeping complacency in check. It also may indicate that people are actually growing in their positions. Which is an awesome thing to look for.
So turnover by itself is a useless metric. It may indicate towards a good or bad thing. But the more important factor is not what the turnover is, but why it is what it is. Unfortunately, that's not something that's usually going to be easy to understand in an interview. But luckily, it should be pretty clear in the first few weeks of employment...
Basically, it used one valvebody with two separate chambers (one for each system). However, the main valve cover covered both chambers. So when the cover's seal blew, both were compromised. Granted, it's an edge case. But it did happen to me...
The only common points of failure are the pedal assembly (designed fail-safe, by the way) and the master cylinder
And the ABS valve body assembly. Which I had go catastrophically on a 1994 Chevy Blazer. In that case, the only brakes I did have were the parking brake cable assembly.
The more complicated vehicles become, the more failure modes are possible...
Malware is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent.
Android requires that you give consent, since it tells you what permissions the application needs prior to installing it. So by very definition, these data leakages on Android are not malware. The user said it was ok for that application to collect that data.
Actually, that's my definition of a good team player. That's one reason we work as a team (to spot each other's mistakes, and help prevent them in the final product). Have you ever heard of Pair Programming?
I think you missed the point, or at least read something in that wasn't there. What does knowing how a person will act have to do with wanting them to be that way?
Absolutely. But do they let that panic take over their thoughts? Or do they push that down and try to approach it rationally? In that 5 minute puzzle I can get insight. Sure, I won't know the full story on the person, but that would take years of knowing them to get. So in the span and constraints of an interview, I find it to be absolutely worthwhile...
I actually wrote a blog post on this very subject this morning (I pushed up the publishing when I saw this). The post
In short, I disagree. I find brain teasers invaluable. But not in determining skill, but in determining personality and how a candidate behaves when they are faced with a challenge that they aren't familiar with...
Look at the line below it. I said if you search for those names by themselves (I skipped email, but I got the rest) Google is on top. Then again, those are the product names. And searching them on Bing produces strikingly similar results (email has gmail #3, calendar #4, news #5).
In fact, those three searches on Bing have Yahoo as either #1 or #2. So who's to say that what we are seeing is Google altering the results? Could it be that MS is altering the results so their partner is higher? I'm not accusing MS here. I'm just pointing out that just because something comes up #1 or #2 doesn't mean that it's malevolent.
In fact, let's try those searches on Ask.com:
Email - Google #1, Yahoo #2
Calendar - Google #1, Yahoo #5
News - Google #2, Yahoo #4
So 2 out of the 3 main search engines (Google, Bing and Ask) put Google above Yahoo. Yet the one that has an agreement with Yahoo puts it higher. While I completely understand your point, a cursory look at evidence looks to point exactly the opposite...
That's a very good point. I didn't disagree with the investigation in principle. I was just pointing out that the traditional metrics, and the ones indicated by the post are rather, iffy...
If other search companies cannot compete because of Google's dominance of either or both ads and searching, that is also anti-competitive.
I would just like to point something out here. If other companies can't compete because Google is really good at search, that's not anti-competitive (in fact, it's the exact opposite). So the simple assertion that other companies can't compete isn't enough to bury Google. What they need to prove/find is that Google leveraged its position unfairly to keep competition out. An example of that would be if Google required advertisers to sign an exclusivity deal (or gave incentives to do so) which would then unfairly keep competition out (hint: they haven't, although MS and Apple both do). Another example would be if Google used its dominance in search to promote its other products (by artificially raising their search, or artificially lowering competitors), of which my OP is evidence to the contrary.
The key is that other companies not being able to compete does not make Google in violation of anything. It can be just free market pressure that does that (because Google has the "best" product, or whatever reason). But if they are unfairly leveraging their position in one area into other areas, that's where it becomes a dangerous problem...
Yes you can. In fact, Motorola launched a series of Android phones that used Bing for everything on Verizon. Now, they were a flop because they sucked, but that's not Google's fault...
It's not illegal to be a monopoly. It's illegal to abuse that power. So, let's look at the main categories of anti-trust abuse that have been prosecuted in the past:
Limiting Supply - there's no way Google is doing that...
Predatory Pricing - They have always been free, as are the competitors. Then again, could that be classified as predatory I guess...
Price Discrimination - The same as above
Refusal to deal - Not that I've heard of...
Exclusive Dealing - Not that I've heard of either
Product Bundling - This is tricky. Sure, their products integrate. But then again you need to sign up for each one separately. There's no "Use search and automatically get this other product"...
So, either they will need to go out and tread new territory with little legal precedent to lead the way. Not saying it should or shouldn't be done, but just that it's a relatively new area.
Additionally, I really find the line that said it was 'only fair' that Google put its own sites on higher placements than competitors odd. Let's show a few examples:
Free Email - GMail is #5 on the list for me. Yahoo, Mail.com, Hotmail and GMX.com are all above it...
ebooks - Google Books is #6 on the list. Ebooks.com, Amazon, Project Gutenberg, Barnes and Noble and Free-ebooks.net are all above it...
US News - Google News isn't even on the first page for me (not even in an ad)...
Shopping - Google Shopping is #2 behind Shopping.com
Now, searches for News, Gmail, Images, Videos, Maps and other product names return google first. But that sort-of makes sense, since those are the product names...
In fact, searching for Maps and Images on Bing returns Google for the first results! Is it an anti-trust violation to name your products intelligently???
Except that it's cheaper to launch a new satellite, with advanced technology, then it would be to retrieve and relaunch
And this exact mentality is the reason there are between 2,000 and 5,500 tons of large debris (over 500,000 distinct objects) in space. Since when is money the sole factor in doing something? Stop worrying about the monetary cost and starting thinking of the overall impact of the decisions...
More payload, sure. But smaller cargo dimensions (the shuttle was 4.6m x 18m vs 4.6m x 11.4m). But lower orbit capabilities (200km vs 960km for the shuttle). But without the ability to bring back cargo (the shuttle could retrieve payload from space for return to Earth). But with less liftoff thrust (17MN vs 30MN).
You don't get something for nothing. I'm not saying it shouldn't be replaced. But this *it's so expensive, it must die* bs is nothing more than rhetoric. But as of yet, the only alternative to it (the Falcon Heavy) still has not flown. And it also has no human capabilities as of yet (it's designed to be human rated, but there's no crew module, which would take quite a while to design and build). So kill it, it must die! But we won't have something to take the place of it anytime soon...
I really can't stand this *cost effective* bs. People keep coming out and saying how expensive the shuttle was, and how much of a waste of money it was. In reality it was actually very cheap in comparison to other things we spend money on. Source: XKCD
Shuttle - Total: $194 billion, Per Launch: $1.43 billion, Per Year: $6.46 billion
Apollo Program - Total: $192 billion, Per Launch: $11.94 billion, Per Year: $17.45 billion
Federal Fraud - Per Year: $125.4 billion
Iraq War - Per Year: $98 billion
Ballistic Missile Submarines - Per Year: $12 billion
Federal Interest on Debt - Per Year: $198 billion
US foreign military aid - Per Year: $11.5 billion
So yes, it was expensive. But we spend money like it's going out of style (heck, the 2009 stimulus was 115 times the annual cost of the program. It was even 4 times the total cost of the program)!!!
The 5.3 branch is end-of-life. Meaning that the latest release (5.3.29) has known vulnerabilities that weren't fixed. Therefore, it's not secure.
5.3.10 is listed as secure by the post because that version is supported by Ubuntu 12.04...
Ummm... No. WordPress was first written in PHP3. Before it was even called "register globals". Back when that was just how you did things.
Thank you for the kind words :-)
That has two 1s, which is prime (2 is prime), but 6 definitely is NOT prime...
Likewise,
That has two 1s, which is prime, but 9 definitely is NOT prime...
Actually, this touches on an interesting point.
Yes
This article is pure FUD. Plain and simple.
Malware, by its very definition is:
Exactly. It's called a Power Law.
Online Calendar - Google Calendar is #3 on the list.
So sure, let it die with nothing to replace it. Because nothing ever came from it...