The only way you can even come close to calling this FUD is by rescoping the problem to school/business.
Uh, don't blame me because you're illiterate. The original scope, as created by the person I was responding to, was school/business settings. He was specifically referring to locking down computers in those settings by not allowing regular users admin access.
Half the games my kids get for Christmas can't run without admin privs.
Again, if you had read the comment I was responding to, you wouldn't bother saying this. For home users admin passwords are pointless, since your average home users are just going to blindly type it in and click through.
That was the whole point and the person I was responding to was trying to counter that point by saying that the admin password was still useful in a business/school setting, which obviously you're not playing games in.
Ok, how about sendmail vulnerabilities? What about fetchmail ones? Does checking email (which users do regularly) not count? What about the Quicktime url bug which works just by inserting a malformed url? There are many vulnerabilities that can be exploited.
And please don't backpedal and say you meant literally no user intervention at all (as opposed to user intervention beyond normal activity like browsing websites), since even 99% of windows worms/viruses aren't spread without the user at least checking e-mail or doing SOMETHING other than just keeping their computer running.
By contrast, OS X has a default restrict model, where you are by default a user with restricted abilities, and have to elevate your account by entering the administrator password to get more power.
That's a pointless action, since users just end up entering in the administrator password willy nilly. What's the point in having it prompt you if you want to run a program when you're the one who double clicked it? That doesn't make much sense. Viruses work by infecting already trusted programs, so that's kind of pointless.
Also, is it really default deny? Does it, by default, prompt you for each new connection a program tries to make? I can't imagine that would go over well with your average user, they wouldn't know what to do and would just end up making it default accept.
In practice this means that an exploit in a mail program that allows executing attachments in windows is automatically a root-level exploit, while in OS X it is not.
Uhm no, not if the mail program is not running as the administrator.
Granted, there are still many ways of building a virus that takes advantage of exploits in OS X, there are just less ways than there are in windows.
In what ways does windows have more? List some.
In Windows that is much harder and often impossible to do, because so much software for mostly stupid reasons will not run correctly if the user is not an administrator.
What software run in a school/business environment needs to be run as an administrator? Stop spreading FUD.
Restricting users like this would go a long way to reducing the spread of malware
You can restrict users like that. They're called group policies.
Unlike Windows, there are NO known exploits that can come over the Internet that DON'T require some action on the part of a user.
False. Dude, do your damn research. I just looked over Apple's advisories for the first time and I quickly found a DHCP vuln that allows you full access to the file system just using the DHCP protocol. No user intervention required.
I've used back through System 7, and my experience and understanding has always been that macos releases are substantially more secure than their Windows contemporaries
What planet are you living on? All the previous versions had no file security and no memory protection mechanisms AT ALL. Any program executed on the machine has 100%, uninhibited access to all resources. This is public knowledge.
They're doing it to enleeten themselves in the eyes of their friends, and tainting the relatively-pristine territory of macosx or linux would do that far more than writing Windows Virus #72,927,215.
That's a nice little theory, but it really only goes to show your complete ignorance of how things really work. If that were true, why were viruses so extraordinarily rare for all prior Mac OS versions despite it having no standard patching mechanisms and no built in security? I guess NO ONE CARED.
The potential to write worms for linux has been out in the open for quite a long while too--there are many machines running outdated versions of bind, sendmail, fetchmail, and so forth that could be taken advantage of.
Every so often a new vulnerability will come out for some popular piece of networked *nix software and it will take months or years until most systems are patched. So if your theory were true, why hasn't some hax0r written worms for them? Perhaps it's because a lack of interest.
They get far more praise by infecting many Windows machines than the much smaller number of OS X machines. Ditto for Linux. You don't seem to understand that the 'feat' is about numbers, not about your imagined pristine reputation of OS X. And they're not actually pristine, they've had tons of vulnerabilities and even exploits, just not many viruses/worms.
Because Apple fixed them.
No, actually, it seems that Apple doesn't even write the majority of that software, so they don't write the fixes for it.
whose user has not gone out of their way to disable updates.
Not gone out of their way? You mean not clicked 'off'?
within a not-bad span of time
I see you turned on the "RDF" option. You really shouldn't preach that as a matter of faith. Apple can only fix it AT BEST, as fast as the authors of the software will fix it.
Software Update runs by default and makes it inconvenient to not maintain current patches.
I'm sorry, but you're under the mistaken impression that everyone wants and does have it running, especially a bad assumption with dial-up users.
You're also under mistaken assumptions about time between discovery and fixing of something, especially since you seem to think it's APPLE fixing bugs, when more often it's not them doing the fixing.
You're making an even worse assumption that the software compromised will be something covered by Apple's automated update system. That's a really, REALLY horrible assumption to make.
For someone who is critical of false security experts, you sure are making yourself look like an even worse one.
Uh, hello? Did apple even release a single advisory for its software pre-OS X? There undoubtedly were many buffer overflows lurking in common software used, it wouldn't be hard to compromise. And there's no patching system before then either.
21 years? You realize that all pre-OS X versions of Mac OS had no memory protection mechanisms, right? That means any program you would run could modify all of running memory, including the kernel.
Any application whose sole job is to pull data from untrusted sources and parse it will be vulnerable to security problems resulting from buggy code. Period. End of sentence.
Ok, so you're acknowledging that Firefox will become susceptible to malicious websites then? So where's your disagreement?
The "it's not as popular" theory as to the lack of OS X viri and worms has been beaten to death over and over.
And it's still true despite what those inside the RDF say. BTW, it's viruses, not 'viri' or 'virii.' That's how l33t kidd13z spell it.
Simple fact is the difficulty would make the first creator of an OS X virus or worm famous beyond anything another Windows worm would cause
Why would it make them more famous? Because you say it's more difficult? If they did, no one would care. People have made viruses for older versions of Mac OS and no one cared. The funny thing is, the pre-OS X versions had very few viruses due to lack of popularity, despite even Apple admitting it had even less security than windows.
And yet, here we are, five years after the release, and not a single virus or worm that directly affects the operating system. Surprised?
No, why would anyone be surprised that unpopular software hasn't had viruses written for it yet?
Despite that incentive, it has yet to be done.
What incentive? Praise from a tiny number of geeks? Because that's all that would happen, realistically.
A rootkit is being touted as "proof of OS X's insecurity." Give me a break.
Hello. For someone who just mocked others for not knowing about security, you obviously don't know about it yourself. You're basically suggesting that OS X is perfectly secure barring a really stupid user error, which is absurd.
Take a look at a list of past vulnerabilities for OS X and take special note of the REMOTELY EXPLOITABLE ONES, including ones that require no special access to the machine:
For someone who claims to know about security, I am *shocked* that you didn't even bother to check the advisories on Apple's official website. All it takes is a single unpatched machine to spread and that's no different than it is for windows--since windows users are notorious for not patching.
Just a quick look revealed one vulnerability that allows you to gain access to the machine's hard drives via malformed DHCP packets. Another allows you to execute arbitrary code via a quicktime URL.
If you can trick a user to type in their admin password with an application, it doesn't matter if you're running Windows, Linux, BSD, OS X, HP-UX, or Solaris -- you're going to get owned.
WELCOME TO COMPUTER SECURITY, PEOPLE ARE STUPID. That is principle number one. If you thought that security could operate under the assumption that people had common sense, you are sadly mistaken. OS X, like all OSes, has vulnerabilities and inevitably there will be many unpatched machines and that can be taken advantage of.
That's a piss poor argument. First of all, just because a language is designed to be "embedded", doesn't mean it's good.
Second of all, that's not really a design issue of the language itself--that's a design issue of the interpreter and the interfaces it provides to other languages.
Third of all, Python embeds well with C/C++ programs. In fact, there's a Boost (C++) Python library that makes it pretty easy.
Fourth of all, the domain of Python is of an interpreted language for general purpose programming. Embeddable languages are a subset of that domain.
Fifth of all, your argument is based on (incorrect) generalizations that are admittedly based on ignorance of the Python and LUA languages.
And I have no idea where you got "OS-level scripting" from.
Ungh, how did the parent get modded up? Oh yeah, it's Slashdot.
Re:Python is nice but consider LUA for game script (on Game Scripting With Python; Score: 1, Insightful)
I really wish people would stop promoting languages just because *insert name of project they like* is using it. Why should LUA be used over Python? Ok, it has a small footprint, but what features does the language itself offer?
Don't give me "it's small, clean and powerful", many advocates of their favorite language say that. When people say that, it actually raises red flags for me that the person doesn't actually know what they're talking about, since that's about as in depth as they can get.
Are you even a programmer? Have you even used LUA or Python? Why should a PC game developer be concerned with such a tiny memory space when they have so much memory available?
Of course, sufficiently strong passwords will survive precomputed hash attacks, and it's still pretty hard to brute-force MD5 hashes (even given recent weaknesses)
That depends entirely on the password hashing algorithm used. There is a common misconception that if it uses md5, that it is automatically secure. That is patently false and the way much software uses md5 is insecure, especially with the 'custom' php forum apps.
Many will just apply md5 once or twice and some will use little or nothing for a salt. That can easily be cracked via brute force with a single modern computer and a couple of days at most, even for a good password. Take a look at the mdcrack webpage, an older Athlon computer can do 9 million md5 hashes PER SECOND. That's a lot.
For something good, look at FreeBSD's md5 crypt, which hashes it 1000 times, concatenates the large salt and password in various ways each iteration. THAT would be infeasible to crack.
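The contrast drawn in the comment above, a single unsalted MD5 versus a salted and iterated construction, as an added Python example that is not part of the original comment. The `stretched_md5` routine is a simplified illustration in the spirit of FreeBSD's md5crypt (salt plus 1000 chained rounds that mix salt and password back in), not that algorithm itself; the `$ex$` record format and the `seconds_to_search` estimate, which uses the 9 million hashes/second figure quoted in the comment, are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Throughput quoted in the comment above for single MD5 on an older Athlon.
SINGLE_MD5_PER_SECOND = 9_000_000


def naive_md5(password: str) -> str:
    """The weak scheme the comment criticises: one unsalted MD5 of the password.

    Identical passwords always produce identical digests, so a precomputed
    table or a single brute-force pass covers every account at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def stretched_md5(password: str, salt: bytes, rounds: int = 1000) -> bytes:
    """Hypothetical salted, iterated MD5 (assumption: NOT real md5crypt).

    Two ideas from the comment are shown: a per-user salt, so each account
    must be attacked separately, and many chained rounds, so every guess
    costs the attacker `rounds` MD5 computations instead of one.
    """
    pw = password.encode("utf-8")
    state = hashlib.md5(salt + pw).digest()
    for i in range(rounds):
        h = hashlib.md5()
        # Alternate the concatenation order each round so the chain is not
        # simply "hash the previous state" repeated.
        if i % 2 == 0:
            h.update(state)
            h.update(salt)
            h.update(pw)
        else:
            h.update(pw)
            h.update(state)
            h.update(salt)
        state = h.digest()
    return state


def make_record(password: str, salt: Optional[bytes] = None, rounds: int = 1000) -> str:
    """Stored form (assumed layout): $ex$<rounds>$<hex salt>$<hex digest>."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per record
    digest = stretched_md5(password, salt, rounds)
    return f"$ex${rounds}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and rounds; compare in constant time."""
    _, tag, rounds, salt_hex, digest_hex = record.split("$")
    if tag != "ex":
        raise ValueError("unknown record format")
    candidate = stretched_md5(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def seconds_to_search(candidates: int, rounds: int,
                      rate: int = SINGLE_MD5_PER_SECOND) -> float:
    """Time to try every candidate once, at `rate` single-MD5 ops per second."""
    return candidates * rounds / rate


if __name__ == "__main__":
    rec = make_record("correct horse")
    print(rec)
    print("verify ok:", verify("correct horse", rec))
    print("verify wrong:", verify("wrong guess", rec))
    # One billion guesses: seconds for single MD5 vs. 1000 chained rounds.
    print("single md5:", seconds_to_search(10**9, 1), "s")
    print("1000 rounds:", seconds_to_search(10**9, 1000), "s")
```

The search-time function makes the comment's point concrete: a billion guesses against a single MD5 take under two minutes at the quoted rate, while the same guesses against the 1000-round form take about 31 hours, and the salt means that cost is paid again for every account rather than once for the whole database. The comparison in `verify` uses `hmac.compare_digest` so the check does not leak how many digest bytes matched through timing.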
Hello, I'm still accusing you of spreading FUD and not reading TFA, because that's NOT the time period covered by the article. You're talking about a two year time period, 2003-2005. This is about a period from March 2005-September 2005, ACCORDING TO THE ARTICLE IF YOU HAD ACTUALLY READ IT. You are using 2003-2005, not the correct time period.
Don't accuse other people of making up numbers when the source is obviously mentioned
I read the article, you OBVIOUSLY DIDN'T. They clearly stated they were referring to a specific recent time period. They clearly stated that there were 40 in Firefox and 10 in IE. If you had read the article, you'd see that doesn't jive with your numbers in the slightest.
Second, my numbers are about advisories - the root problem of the vulnerability
No, that doesn't properly explain the discrepancy in statistics. If we were to take your word as true, then there would actually be lower numbers for IE, because, according to you, there are less advisories than there are vulnerabilities.
HOWEVER, the numbers SHOT UP, and you completely ignored that, despite it being totally illogical and not supporting your point. The fact is, both in terms of advisories AND vulnerabilities, IE has more for the time period described in the article, read the damn article already.
Excellent point, I didn't even notice that at first, my brain automatically corrected the wording so I didn't notice the mistake.
Here's the relevant quote: "We tested his clothes with a static electricity field meter and measured a current of 40,000 volts, which is one step shy of spontaneous combustion, where his clothes would have self-ignited,"
One also wonders:
1. Why the fireman happened to have a "static electricity field meter."
2. What exactly a "static electricity field meter" is. You can measure electric fields with an electric field meter, but that's something different.
3. How they determined what the point of spontaneous combustion was and how a fireman happened to know that.
4. Why that charge was still lingering on the clothes afterwards.
5. Why they weren't extremely alarmed to be handling clothes that could just explode at any moment.
40,000 volts is only enough to generate a few microamps over a small gap in the air. Air has a huge resistance. There's no way 40,000 volts could cause that much damage. From a quick internet search, it appears even a simple Van de Graaff generator would create over 75,000 volts, and that's fairly harmless.
The reports are also inconsistent. The AP is saying it was 30kV, Reuters is saying 40kV.
Firefox had 40 vulnerabilities, not just 22. You're limiting yourself only to the Secunia statistics, which doesn't include all of the vulnerabilities in that time period.
Where are you getting 69 from? There were only 10 vulnerabilities TOTAL for IE in the time period. Only 9% were 'extremely critical' in 2005 (and that's longer than the time period specified in the article). You're making up numbers now, I call that spreading FUD.
Furthermore, the "highly critical" vulnerabilities include ones that allow you to install arbitrary extensions without the users permission and access any files on their hard drive.
An IE hack that gives someone access to all your 'net data then wipes your entire hard drive is counted as one bug, as is a firefox flaw that gives someone access to your last ten sites viewed.
There have been Firefox exploits that give you access to the local file system, including at least one that let you install arbitrary extensions.
That's a biased and unfounded example, but the reality stands regardless - THIS IS NOT A GOOD WAY TO DO A SECURITY STUDY.
It's not a security study, it's an op-ed piece. It's just pointing out that Firefox is not magically immune to exploits and it doesn't have some super security design like some people seem to think it does. It's just your average piece of software, holes and all, that's the whole point.
You can lock Firefox down if you want. Won't be able to see EVERYTHING, but it will definitely be secure. Not quite anywhere near as true with IE.
Uh, how so? There's nothing in the design of Firefox that makes it more magically immune than IE.
Yes, why are you ignoring all the highly critical vulnerabilities in Firefox? Talk about spreading FUD. Firefox has had its fair share of highly critical vulnerabilities and you're ignoring that simply because it doesn't suit you.
That's silly reasoning. The only reason it's so 'secure' is because you're relying on security through obscurity. I could make my own custom made browser with thousands of obvious buffer overflows in it and because it's so obscure, it would be rarely exploited. Does that mean it's "secure"? Not really.
The only reason the Firefox machines have so few reports is because Firefox's marketshare is still too small, very few websites have bothered to exploit its vulnerabilities.
The articles has CLEARLY DEMONSTRATED there are WORKING exploits. The only issue is that they're just not in wide use. So your so-called security comes through minimal use. That's good journalism. Your comment is bad FUD.
javascript, css, even html can be thought of as a language
They ARE languages, what the heck else would you call them? Hypertext Markup LANGUAGE. Ring a bell? Is English not your native language?
this ignores insane things like activeXpoit
Your use of said colorful language totally speaks for how unbiased and experienced you are.
That is nuts. It is also probably the biggest reason why MS has so many security problems in general.
You're right. It's nuts. That's why MS doesn't do it. The kernel isn't tied to MSIE. You said you weren't trying to spread FUD and yet here you are spreading something with ZERO FACTUAL EVIDENCE based entirely on what a bunch of anti-MS zealots have told you.
Can you even produce evidence of a SINGLE MSIE exploit being a result of being tied into the kernel?
Seriously. If you can't produce a single case, then it is CERTIFIABLE F-U-D.
Every piece of software they write is tied to everything in the OS in 10K ways.
Based on your scientific analysis, right? Oh wait, that's right, you're not a scientist, you're not a programmer, you know nothing of systems level programming and you don't know the slightest bit of how the windows kernel actually functions.
What is this statement based on? Seriously. let me guess, you got some errors with THIRD PARTY VIDEO DRIVERS and blamed it on MS. I'm curious as to your source of information. Is it your massive '100+' (oh yeah, that's a LOT...not really) workstations.
The difference is, when you crash my browser using spiffy example exploit, or even get it to run code, all you can do is execute in my user land environment or kill that app.
REVISIONIST HISTORY! Let's not forget about exploits like teardrop and the like which froze the Linux kernel before it was patched. The person didn't even need to be running any specific internet software.
Nevermind local exploits that can be run once you get local access as well that can kill the kernel too. Woot woot, FUD AND REVISIONIST HISTORY! Do I need to run down a list of DoS exploits against the Linux kernel?
There is almost no risk to the computer as a whole or even of effecting stability.
Now ignoring the fact that this is wrong, this isn't exactly a grave threat to windows either. The past windows freezing/crashing exploits (such as teardrop) have long since been fixed. Let me guess, you're one of those anti-MS zealots who uses Windows 95 as an example even though practically everyone is using the NT based Windows kernels now.
Oh yeah, oh wise administrator, you DO know what teardrop is don't you? I mean, after all, you're the SHIZNITE and you'd totally PWN ME in a graduate level class, so you MUST know the history of Linux exploits.
Your entire post is a straw man attack. You either don't understand my points or are pretending not to so you have a ground for this post. As such it is invalid (ever had a class in classic logic?).
Pot and kettle situation, since you're completely disregarding the author's actual conclusion and engaging in a strawman argument yourself. I suggest you read the author's conclusion again and tell me which specific parts of it--with you actually QUOTING them, are unscientific.
Quoting full statistics, given the strawman formed conclusion, he's right. Without full statistics, given his actual conclusion, he's right.
Like most media, he reports a number in a vacuum (that was the point of #1). He doesn't give you context. Without context the number is meaningless.
They weren't "in a vacuum", he included statistics on exploits, not just vulnerabilities. You COULD wrongfully assume that Firefox has an INSANELY low rate of serious vulnerabilities, but why would you do that? It was a short op-ed piece, he's not going to go into details and it's assumed that readers are people in the know--who aren't quite stupid enough to make that assumption.
But, I continued, because arguments are built in layers. Even if you understand the context, there are still flaws.
You're not one to point out flaws. In your rebuttal, you included a completely unsubstantiated assumption which wasn't based on ANY statistics or factual evidence at all. You just assumed that MSIE had horrible security design in comparison to Firefox immediately. What's that expression about rocks and glass houses? If you're going to be critical of others' pseudo-scientific spin, don't dish it out yourself.
I never said it didn't matter (another example of straw man).
You explicitly referred to them as "useless statistics." I'm pretty sure that "useless" means "doesn't matter." If you had said incomplete statistics, THEN you might have had a point, but to flat out call them useless is ridiculous. Just admit you made a mistake and move on, don't backpedal.
I said it didn't tell you anything about the total number that exists except as a minimum. There could be 0 more, or 1,000,000 more.
And here's where part of your strawman argument comes in. The author's conclusion had nothing to do with the number of vulnerabilities. It had to do with the safety of the users of the browser and he correctly stated that people's overrating of Firefox as being a super safe browser, were now debunked.
Try reading his conclusion: As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits.
What part of that is not correct? Was it the part about Firefox not magically being a fix for security issues? It seems to me that concluding that any reasonably popular internet software will have to deal with significant working exploits is a perfectly reasonable conclusion.
Remember, my post was about bad journalism, not about religious browser loyalty.
If it wasn't about religious browser loyalty, then why did you quickly conclude, without having seen the code of either browser, that one has a fundamentally better security design than the other?
Firefox is better currently.
It's not "better currently" in any technological sense, only in a social sense. It just happens that there are much, much less websites using Firefox exploits than those using MSIE exploits. That's not a result of technological advances, that's a result of Firefox being less popular (a social factor) and thusly being targeted by attackers much less.
So in essence, your "better currently" is really "better through security through obscurity."
I'd guess you either have no real experience (being a PHB does NOT count) in the field or are some ki
1) The number of vulnerabilities reported has almost nothing to do with the number in the code. At most it dictates a minimum number that exist. Perhaps the firefox community is much more active at searching for bugs in the much newer firefox code.
Or perhaps you're being a hypocrite. Strange, I've never once seen this defense come up for MSIE on Slashdot. You seem to think that the number of known vulnerabilities doesn't matter, but then you go on to address the criticality of the known vulnerabilities as if that matters later on. Make up your mind, don't contradict yourself and don't be a hypocrite.
It's funny, people always scream "ZOMG L@@K @ TEH NUMBER OF VULNERABILITIES FOR MSIE
3) How effective are the fixes? MS seems to have the same recurring problems because they only do triage. They don't fix the bigger problem (VERY poor browser design).
Is that your SCIENTIFIC opinion based on a study of FACTS or just anti-MS FUD on your part? Don't bother answering that, the answer is obvious. For someone who blasts a legitimate finding for being 'bad science', you sure are fond of using bad science when it suits you. You simply ASSUME--with absolutely no factual grounding (unless you count hearsay) that it's a result of poor browser design.
The firefox team appears to address the bigger problem, not just stop the current bleeding.
Again, what are you basing this on? Your "scientific opinion"? The multiple dialog spoof and frame injection vulnerabilities? The multiple, related cross-site scripting vulnerabilities? The partial fixes? The workarounds?
I'm sorry, but firefox isn't fixing the source, its design is flawed too. Have you even LOOKED at the design of Firefox? After all, you're the expert, surely you've seen the strides they've taken in security design. OH wait, no, just like with all browsers, security was an afterthought in design.
2) How critical are these vulnerabilities. The article makes no mention of any ranking. He lumps everything into the same category.
Interesting that at first known vulnerabilities don't matter, now they do when it comes to criticality. Way to be inconsistent.
As it turns out, there are the same number of highly to extremely critical fixes according to JUST secunia statistics. Secunia only released advisories for a little under half of the Firefox vulnerabilities. Those stats are going to go up and have Firefox beat the pants off MSIE in terms of more serious vulnerabilities.
MS is known to sit on bugs as long as possible. Perhaps the Firefox team is just being more responsive to the people looking for them.
6% workarounds, 6% partial fixes as per the above statistics. Yeah, they're awesome:-) Firefox is great enough to have a simple auto-patching system, whereby you don't have to wait for an entirely new version to come out and install it over the new ones, thus not having any compatibility issues with plug-ins or the like. Doesn't happen with Firefox. Nope.
IAAITG (I am a IT guy)
But not a scientist, nor a rational thinker, apparently.
How can Ubuntu guarantee that the software they package is free of exploits? Offering it through a central repository is no different than offering windows shareware through a popular website like tucows. The only real advantage you get is that they might virus/trojan scan it for you, but that's it.
Not just that, but the user is STILL installing it, they're just installing it with a package manager instead of running an executable directly. The scripts that come with package managers still allow you to clobber all kinds of stuff.
And this is ignoring the fact that there is still software that they don't have available. You can say it's not a valid reason, but the fact is that's what people want and there are in fact many software packages which are good that you wouldn't, at least initially, get through any 'official repository.'
Maybe it's because we've been treated as the lesser of two human beings for centuries.
Damn, you're old, have you contacted the Guinness book people?
You haven't been denied the right to vote, discriminated at the workplace, took lesser wages, get constantly objectified
Neither have you, unless as implied above, you're old as hell.
Furthermore, your assumption is racist. Blacks have had it worse off than women historically. So if you want to talk about privilege, consider what black MALES had to go through.
We're not all crazy bitches.
Does thinking that you're world-record-setting-old qualify as crazy? What about reacting emotionally to a study without reading what it's about?
The only way you can even come close to calling this FUD is by rescoping the problem to school/business.
Uh, don't blame me because you're illiterate. The original scope, as created by the person I was responding to, was school/business settings. He was specifically referring to locking down computers in those settings by not allowing regular users admin access.
Half the games my kids get for Christmas can't run without admin privs.
Again, if you had read the comment I was responding to, you wouldn't bother saying this. For home users admin passwords are pointless, since your average home users are just going to blindly type it in and click through.
That was the whole point and the person I was responding to was trying to counter tha tpoint by saying that the admin password was still useful in a business/school settting, which obviously you're not playing games in.
Ok, how about sendmail vulnerabilities? What about fetchmail ones? Does checking email (which users does regularly) not count? What about the Quicktime url bug which works just by inserting a malformed url? There are many vulnerbilities that can be exploited.
And please don't backpedal and say you meant literally no user intervention at all (as opposed to user intervention beyond normal activity like browsing websites), since even 99% windows worms/viruses aren't spread without the user at least checking e-mail or doing SOMETHING other than just keeping their computer running.
By contrast, OS X has a default restrict model, where you are by default a user with restricted abilities, and have to elevate your account by entering the administrator password to get more power.
That's a pointless action, since users just end up entering in the administrator password willy nilly. What's the point in having it prompt you if you want to run a program when you're the one who double clicked it? That doesn't make much sense. Viruses work by infecting already trusted programs, so that's kind of pointless.
Also, is it really default deny? Does it, by defualt, prompt you for each new connection a program tries to make? I can't imagine that would go over well with your average user, they wouldn't know what to do and would just end up making it default accept.
In practice this means that an exploit in a mail program that allows executing attachments in windows is automatically a root-level exploit, while in OS X it is not.
Uhm no, not if the mail program is not running as the administrator.
Granted, there are still many ways of building a virus that takes advantage of exploits in OS X, there are just less ways than there are in windows.
In what ways does windows have more? List some.
In Windows that is much harder and often impossible to do, because so much software for mostly stupid reasons will not run correctly if the user is not an adminsitrator.
What software run in a school/business environment needs to be run as an administrator? Stop spreading FUD.
Restricting users like this would go a long way to reducing the spread of malware
You can restrict users like that. They're called group policies.
Unlike Windows, there are NO known exploits that can come over the Internet that DON'T require some action on the part of a user.
False. Dude, do your damn research. I just looked over Apple's advisories for the first time and I quickly found a DHCP vuln that allows you full access to the file system just using the DHCP protocol. No user intervention required.
I've used back through System 7, and my experience and understanding has always been that macos releases are substantially more secure than their Windows contemporaries
What planet are you living on? All the previous versions had no file security and no memory protection mechanisms AT ALL. Any program executed on the machine has 100%, uninhibited access to all resources. This is public knowledge.
They're doing it to enleeten themselves in the eyes of their friends, and tainting the relatively-pristine territory of macosx or linux would do that far more than writing Windows Virus #72,927,215.
That's a nice little theory, but it really only goes to show your complete ignorance of how things really work. If that were true, why were viruses so extraordinarily rare for all prior Mac OS versions despite it having no standard patching mechanisms and no built in security? I guess NO ONE CARED.
The potential to write worms for linux has been out in the open for quite a long while too--there are many machines running outdated versions of bind, sendmail, fetchmail, and so forth that could be taken advantage of.
Every so often a new vulnerability will come out for some popular piece of networked *nix software and it will take months or years until most systems are patched. So if your theory were true, why hasn't some hax0r written worms for them? Perhaps it's because a lack of interest.
They get far more praise by infecting many Windows machines than the much smaller number of OS X machines. Ditto for Linux. You don't seem to understand that the 'feat' is about numbers, not about your imagined pristine reputation of OS X. And they're not actually pristine, they've had tons of vulnerabilities and even exploits, just not many viruses/worms.
Because Apple fixed them.
No, actually, it seems that Apple doesn't even write the majority of that software, so they don't write the fixes for it.
whose user has not gone out of their way to disable updates.
Not gone out of their way? You mean not clicked 'off'?
within a not-bad span of time
I see you turned on the "RDF" option. You really shouldn't preach that as a matter of faith. Apple can only fix it AT BEST, as fast as the authors of the software will fix it.
Software Update runs by default and makes it inconvenient to not maintain current patches.
I'm sorry, but you're under the mistaken impression that everyone wants and does have it running, especially a bad assumption with dial-up users.
You're also under mistaken assumptions about time between discovery and fixing of something, especially since you seem to think it's APPLE fixing bugs, when more often it's not them doing the fixing.
You're making an even worse assumption that the software compromised will be something covered by Apple's automated update system. That's a really, REALLY horrible assumption to make.
For someone who is critical of false security experts, you sure are making yourself look like an even worse one.
Uh, hello? Did Apple even release a single advisory for its software pre-OS X? There undoubtedly were many buffer overflows lurking in common software used, it wouldn't be hard to compromise. And there's no patching system before then either.
21 years? You realize that all pre-OS X versions of Mac OS had no memory protection mechanisms, right? That means any program you would run could modify all of running memory, including the kernel.
It was definitely security through obscurity.
Any application who's sole job is to pull data from untrusted sources and parse it will be vulnerable to security problems resulting from buggy code. Period. End of sentence.
Ok, so you're acknowledging that Firefox will become susceptible to malicious websites then? So where's your disagreement?
The "it's not as popular" theory as to the lack of OS X viri and worms has been beaten to death over and over.
And it's still true despite what those inside the RDF say. BTW, it's viruses, not 'viri' or 'virii.' That's how l33t kidd13z spell it.
Simple fact is the difficulty would make the first creator of an OS X virus or worm famous beyond anything another Windows worm would cause
Why would it make them more famous? Because you say it's more difficult? If they did, no one would care. People have made viruses for older versions of Mac OS and no one cared. The funny thing is, the pre-OS X versions had very few viruses due to lack of popularity, despite even Apple admitting it having even less security than windows.
And yet, here we are, five years after the release, and not a single virus or worm that directly affects the operating system. Surprised?
No, why would anyone be surprised that unpopular software hasn't had viruses written for it yet?
Despite that incentive, it has yet to be done.
What incentive? Praise from a tiny number of geeks? Because that's all that would happen, realistically.
A rootkit is being touted as "proof of OS X's insecurity." Give me a break.
Hello. For someone who just mocked others for not knowing about security, you obviously don't know about it yourself. You're basically suggesting that OS X is perfectly secure barring a really stupid user error, which is absurd.
Take a look at a list of past vulnerabilities for OS X and take special note of the REMOTELY EXPLOITABLE ONES, including ones that require no special access to the machine:
http://docs.info.apple.com/article.html?artnum=61
http://docs.info.apple.com/article.html?artnum=30
http://docs.info.apple.com/article.html?artnum=25
For someone who claims to know about security, I am *shocked* that you didn't even bother to check the advisories on Apple's official website. All it takes is a single unpatched machine to spread and that's no different than it is for windows--since windows users are notorious for not patching.
Just a quick look revealed one vulnerability that allows you to gain access to the machine's hard drives via malformed DHCP packets. Another allows you to execute arbitrary code via a quicktime URL.
If you can trick a user to type in their admin password with an application, it doesn't matter if you're running Windows, Linux, BSD, OS X, HP-UX, or Solaris -- you're going to get owned.
WELCOME TO COMPUTER SECURITY, PEOPLE ARE STUPID. That is principle number one. If you thought that security could operate under the assumption that people had common sense, you are sadly mistaken. OS X, like all OSes, has vulnerabilities and inevitably there will be many unpatched machines and that can be taken advantage of.
WELCOME TO THE REAL WORLD.
Lua is a multi-paradigm language, not a functional language. Those languages only dominate academic AI research. They are dead in AI outside of it.
That's a piss poor argument. First of all, just because a language is designed to be "embedded", doesn't mean it's good.
Second of all, that's not really a design issue of the language itself--that's a design issue of the interpreter and the interfaces it provides to other languages.
Third of all, Python embeds well with C/C++ programs. In fact, there's a Boost (C++) Python library that makes it pretty easy.
Fourth of all, the domain of Python is of an interpreted language for general purpose programming. Embeddable languages are a subset of that domain.
Fifth of all, your argument is based on (incorrect) generalizations that are admittedly based on ignorance of the Python and LUA languages.
And I have no idea where you got "OS-level scripting" from.
Ungh, how did the parent get modded up? Oh yeah, it's Slashdot.
I really wish people would stop promoting languages just because *insert name of project they like* is using it. Why should LUA be used over Python? Ok, it has a small footprint, but what features does the language itself offer?
Don't give me "it's small, clean and power", many advocates of their favorite language say that. When people say that, it actually raises red flags for me that the person doesn't actually know what they're talking about, since that's about as in depth as they can get.
Are you even a programmer? You even used LUA or Python? Why should a PC game developer be concerned with such a tiny memory space when they have so much memory available?
Of course, sufficiently strong passwords will survive precomputed hash attacks, and it's still pretty hard to brute-force MD5 hashes (even given recent weaknesses)
That depends entirely on the password hashing algorithm used. There is a common misconception that if it uses md5, that it is automatically secure. That is patently false and the way much software uses md5 is insecure, especially with the 'custom' php forum apps.
Many will just apply md5 once or twice and some will use little or nothing for a salt. That can easily be cracked via brute force with a single modern computer and a couple of days at most, even for a good password. Take a look at the mdcrack webpage, an older Athlon computer can do 9 million md5 hashes PER SECOND. That's a lot.
For something good, look at FreeBSD's md5 crypt, which hashes it 1000 times, concatenates the large salt and password in various ways each iteration. THAT would be infeasible to crack.
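The difference the post above is describing, single unsalted MD5 versus a salted, iterated scheme, as an added example that is not part of the original thread or of any forum software. The stretched variant here is PBKDF2-HMAC-MD5, used as a stand-in for md5crypt's salt-and-iterate idea; it is not the actual FreeBSD md5crypt algorithm. The word list, the fixed salt and the 9 million hashes/second figure are constructed or taken from the post for illustration.

```python
import hashlib
import hmac

# Constructed sample word list for this example (not from the original thread).
WORDLIST = ["123456", "letmein", "qwerty", "password", "hunter2"]


def weak_hash(password: str) -> str:
    """Single unsalted MD5: the pattern the post warns about in 'custom' PHP forum apps."""
    return hashlib.md5(password.encode()).hexdigest()


def stretched_hash(password: str, salt: bytes, rounds: int = 1000) -> str:
    """Salted, iterated hash in the spirit of md5crypt's 1000 rounds.

    Assumption: PBKDF2-HMAC-MD5 is used as an illustrative stand-in. It is NOT
    the FreeBSD md5crypt construction, whose mixing schedule is more involved.
    Output format: salt_hex$rounds$digest_hex, so the salt travels with the hash.
    """
    dk = hashlib.pbkdf2_hmac("md5", password.encode(), salt, rounds)
    return f"{salt.hex()}${rounds}${dk.hex()}"


def verify_stretched(password: str, stored: str) -> bool:
    """Recompute with the stored salt/rounds and compare in constant time."""
    salt_hex, rounds, _ = stored.split("$")
    candidate = stretched_hash(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, stored)


def build_lookup_table(words) -> dict:
    """Precomputed hash -> plaintext table. Built once, reusable against every
    site that stores unsalted single MD5, because identical passwords hash identically."""
    return {weak_hash(w): w for w in words}


def crack_with_table(target: str, table: dict):
    """O(1) lookup against an unsalted hash; returns the plaintext or None."""
    return table.get(target)


def crack_stretched(stored: str, words) -> tuple:
    """Online guessing against a salted, iterated hash: the attacker must redo
    the full `rounds` iterations for every candidate and every distinct salt.

    Returns (plaintext or None, number of full stretched computations spent).
    """
    salt_hex, rounds, _ = stored.split("$")
    salt, rounds = bytes.fromhex(salt_hex), int(rounds)
    for tried, w in enumerate(words, 1):
        if hmac.compare_digest(stretched_hash(w, salt, rounds), stored):
            return w, tried
    return None, len(words)


def seconds_to_search(keyspace: int, md5_per_sec: float, rounds: int) -> float:
    """Worst-case time for an attacker whose hardware does `md5_per_sec` raw MD5s.
    Each stretched guess costs `rounds` MD5s, so stretching multiplies the bill."""
    return keyspace * rounds / md5_per_sec


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted md5 of 'hunter2' cracked via table:",
          crack_with_table(weak_hash("hunter2"), table))

    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed salt
    stored = stretched_hash("hunter2", salt)
    print("same table against the stretched hash:", crack_with_table(stored, table))
    print("online guessing against the stretched hash:", crack_stretched(stored, WORDLIST))

    # 9 million MD5/s is the rate quoted in the post; keyspace is a constructed
    # 8-character lowercase space (26**8) for comparison only.
    keyspace = 26 ** 8
    print("plain md5, hours to exhaust:", seconds_to_search(keyspace, 9e6, 1) / 3600)
    print("1000-round, hours to exhaust:", seconds_to_search(keyspace, 9e6, 1000) / 3600)
```

The point the numbers make: with unsalted single MD5 the precomputed table is amortised over every user and every site, and each guess costs one MD5; with a per-user salt the table is useless and each guess costs a thousand MD5s per user, so the post's 9 million hashes per second becomes roughly 9 thousand effective guesses per second per account.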
Hello, I'm still accusing you of spreading FUD and not reading TFA, because that's NOT the time period covered by the article. You're talking about a two year time period, 2003-2005. This is about a period from March 2005-September 2005, ACCORDING TO THE ARTICLE IF YOU HAD ACTUALLY READ IT. You are using 2003-2005, not the correct time period.
Don't accuse other people of making up numbers when the source is obviously mentioned
I read the article, you OBVIOUSLY DIDN'T. They clearly stated they were referring to a specific recent time period. They clearly stated that there were 40 in Firefox and 10 in IE. If you had read the article, you'd see that doesn't jive with your numbers in the slightest.
Second, my numbers are about advisories - the root problem of the vulnerability
No, that doesn't properly explain the discrepancy in statistics. If we were to take your word as true, then there would actually be lower numbers for IE, because, according to you, there are fewer advisories than there are vulnerabilities.
HOWEVER, the numbers SHOT UP, and you completely ignored that, despite it being totally illogical and not supporting your point. The fact is, both in terms of advisories AND vulnerabilities, IE has more for the time period described in the article, read the damn article already.
That website doesn't mention anything about any kind of electrical measuring equipment nor firemen.
Excellent point, I didn't even notice that at first, my brain automatically corrected the wording so I didn't notice the mistake.
Here's the relevant quote: "We tested his clothes with a static electricity field meter and measured a current of 40,000 volts, which is one step shy of spontaneous combustion, where his clothes would have self-ignited,"
One also wonders:
1. Why the fireman happened to have a "static electricity field meter."
2. What exactly a "static electricity field meter" is. You can measure electric fields with an electric field meters, but that's something different.
3. How they determined what the point of spontaneous combustion was and how a fireman happened to know that
4. Why that charge was still lingering on the clothes afterwards.
5. Why they weren't extremely alarmed to be handling clothes that could just explode at any moment.
40,000 volts is only enough to generate a few microamps over a small gap in the air. Air has a huge resistance. There's no way 40,000 volts could cause that much damage. From a quick internet search, it appears even a simple Van de Graaff generator would create over 75,000 volts, and that's fairly harmless.
The reports are also inconsistent. The AP is saying it was 30kV, Reuters is saying 40kV.
Firefox had 40 vulnerabilities, not just 22. You're limiting yourself only to the Secunia statistics, which doesn't include all of the vulnerabilities in that time period.
Where are you getting 69 from? There were only 10 vulnerabilities TOTAL for IE the time period. Only 9% were 'extremely critical' in 2005 (and that's longer than the time period specified in the article). You're making up numbers now, I call that spreading FUD.
Furthermore, the "highly critical" vulnerabilities include ones that allow you to install arbitrary extensions without the users permission and access any files on their hard drive.
An IE hack that gives someone access to all your 'net data then wipes your entire hard drive is counted as one bug, as is a firefox flaw that gives someone access to your last ten sites viewed.
There have been Firefox exploits that give you access to the local file system, including at least one that let you install arbitrary extensions.
That's a biased and unfounded example, but the reality stands regardless - THIS IS NOT A GOOD WAY TO DO A SECURITY STUDY.
It's not a security study, it's an op-ed piece. It's just pointing out that Firefox is not magically immune to exploits and it doesn't have some super security design like some people seem to think it does. It's just your average piece of software, holes and all, that's the whole point.
You can lock Firefox down if you want. Won't be able to see EVERYTHING, but it will definitely be secure. Not quite anywhere near as true with IE.
Uh, how so? There's nothing in the design of Firefox that makes it more magically immune than IE.
Yes, why are you ignoring all the highly critical vulnerabilities in Firefox? Talk about spreading FUD. Firefox has had its fair share of highly critical vulnerabilities and you're ignoring that simply because it doesn't suit you.
That's silly reasoning. The only reason it's so 'secure' is because you're relying on security through obscurity. I could make my own custom made browser with thousands of obvious buffer overflows in it and because it's so obscure, it would be rarely exploited. Does that mean it's "secure"? Not really.
The only reason the Firefox machines have so few reports is because Firefox's marketshare is still too small, very few websites have bothered to exploit its vulnerabilities.
The article has CLEARLY DEMONSTRATED there are WORKING exploits. The only issue is that they're just not in wide use. So your so-called security comes through minimal use. That's good journalism. Your comment is bad FUD.
javascript, css, even html can be thought of as a language
They ARE languages, what the heck else would you call them? Hypertext Markup LANGUAGE. Ring a bell? Is English not your native language?
this ignores insane things like activeXpoit
Your use of said colorful language totally speaks for how unbiased and experienced you are.
That is nuts. It is also probably the biggest reason why MS has so many security problems in general.
You're right. It's nuts. That's why MS doesn't do it. The kernel isn't tied to MSIE. You said you weren't trying to spread FUD and yet here you are spreading something with ZERO FACTUAL EVIDENCE based entirely on what a bunch of anti-MS zealots have told you.
Can you even produce evidence of a SINGLE MSIE exploit being a result of being tied into the kernel?
Seriously. If you can't produce a single case, then it is CERTIFIABLE F-U-D.
Every piece of software they write is tied to everything in the OS in 10K ways.
Based on your scientific analysis, right? Oh wait, that's right, you're not a scientist, you're not a programmer, you know nothing of systems level programming and you don't know the slightest bit of how the windows kernel actually functions.
What is this statement based on? Seriously. let me guess, you got some errors with THIRD PARTY VIDEO DRIVERS and blamed it on MS. I'm curious as to your source of information. Is it your massive '100+' (oh yeah, that's a LOT...not really) workstations.
The difference is, when you crash my browser using spiffy example exploit, or even get it to run code, all you can do is execute in my user land environment or kill that app.
REVISIONIST HISTORY! Let's not forget about exploits like teardrop and the like which froze the Linux kernel before it was patched. The person didn't even need to be running any specific internet software.
Nevermind local exploits that can be run once you get local access as well that can kill the kernel too. Woot woot, FUD AND REVISIONIST HISTORY! Do I need to run down a list of DoS exploits against the Linux kernel?
There is almost no risk to the computer as a whole or even of effecting stability.
Now ignoring the fact that this is wrong, this isn't exactly a grave threat to windows either. The past windows freezing/crashing exploits (such as teardrop) have long since been fixed. Let me guess, you're one of those anti-MS zealots who uses Windows 95 as an example even though practically everyone is using the NT based Windows kernels now.
Oh yeah, oh wise administrator, you DO know what teardrop is don't you? I mean, after all, you're the SHIZNITE and you'd totally PWN ME in a graduate level class, so you MUST know the history of Linux exploits.
Your entire post is a straw man attack. You either don't understand my points or are pretending not to so you have a ground for this post. As such it is invalid (ever had a class in classic logic?).
Pot and kettle situation, since you're completely disregarding the author's actual conclusion and engaging in a strawman argument yourself. I suggest you read the author's conclusion again and tell me which specific parts of it--with you actually QUOTING them, are unscientific.
Quoting full statistics, given the strawman formed conclusion, he's right. Without full statistics, given his actual conclusion, he's right.
Like most media, he reports a number in a vacuum (that was the point of #1). He doesn't give you context. Without context the number is meaningless.
They weren't "in a vacuum", he included statistics on exploits, not just vulnerabilities. You COULD wrongfully assume that Firefox has an INSANELY low rate of serious vulnerabilities, but why would you do that? It was a short op-ed piece, he's not going to go into details and it's assumed that readers are people in the know--who aren't quite stupid enough to make that assumption.
But, I continued, because arguments are built in layers. Even if you understand the context, there are still flaws.
You're not one to point out flaws. In your rebuttal, you included completely unsubstantiated assumptions which weren't based on ANY statistics or factual evidence at all. You just assumed that MSIE had horrible security design in comparison to Firefox immediately. What's that expression about rocks and glass houses? If you're going to be critical of others' pseudo-scientific spin, don't dish it out yourself.
I never said it didn't matter (another example of straw man).
You explicitly referred to them as "useless statistics." I'm pretty sure that "useless" means "doesn't matter." If you had said incomplete statistics, THEN you might have had a point, but to flat out call them useless is ridiculous. Just admit you made a mistake and move on, don't backpedal.
I said it didn't tell you anything about the total number that exists except as a minimum. There could be 0 more, or 1,000,000 more.
And here's where part of your strawman argument comes in. The author's conclusion had nothing to do with the number of vulnerabilities. It had to do with the safety of the users of the browser and he correctly stated that people's overrating of Firefox as being a super safe browser, were now debunked.
Try reading his conclusion: As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits.
What part of that is not correct? Was it the part about Firefox not magically being a fix for security issues? It seems to me that concluding that any reasonably popular internet software will have to deal with significant working exploits is a perfectly reasonable conclusion.
Remember, my post was about bad journalism, not about religious browser loyalty.
If it wasn't about religious browser loyalty, then why did you quickly conclude, without having seen the code of either browser, that one has a fundamentally better security design than the other?
Firefox is better currently.
It's not "better currently" in any technological sense, only in a social sense. It just happens that there are much, much fewer websites using Firefox exploits than those using MSIE exploits. That's not a result of technological advances, that's a result of Firefox being less popular (a social factor) and thusly being targeted by attackers much less.
So in essence, your "better currently" is really "better through security through obscurity."
I'd guess you either have no real experience (being a PHB does NOT count) in the field or are some ki
1) The number of vulnerabilities reported has almost nothing to do with the number in the code. At most it dictates a minimum number that exist. Perhaps the firefox community is much more active at searching for bugs in the much newer firefox code.
:-) Firefox is great enough to have a simple auto-patching system, whereby you don't have to wait for an entirely new version to come out and install it over the new ones, thus not having any compatibility issues with plug-ins or the like. Doesn't happen with Firefox. Nope.
Or perhaps you're being a hypocrite. Strange, I've never once seen this defense come up for MSIE on Slashdot. You seem to think that the number of known vulnerabilities doesn't matter, but then you go on to address the criticality of the known vulnerabilities as if that matters later on. Make up your mind, don't contradict yourself and don't be a hypocrite.
It's funny, people always scream "ZOMG L@@K @ TEH NUMBER OF VULNERABILITIES FOR MSIE
3) How effective are the fixes? MS seems to have the same recurring problems because they only do triage. They don't fix the bigger problem (VERY poor browser design).
Is that your SCIENTIFIC opinion based on a study of FACTS or just anti-MS FUD on your part? Don't bother answering that, the answer is obvious. For someone who blasts a legitimate finding for being 'bad science', you sure are fond of using bad science when it suits you. You simply ASSUME--with absolutely no factual grounding (unless you count hearsay) that it's a result of poor browser design.
The firefox team appears to address the bigger problem, not just stop the current bleeding.
Again, what are you basing this on? Your "scientific opinion"? The multiple dialog spoof and frame injection vulnerabilities? The multiple, related cross-site scripting vulnerabilities? The partial fixes? The workarounds?
I'm sorry, but firefox isn't fixing the source, its design is flawed too. Have you even LOOKED at the design of Firefox? After all, you're the expert, surely you've seen the strides they've taken in security design. OH wait, no, just like with all browsers, security was an afterthought in design.
2) How critical are these vulnerabilities. The article makes no mention of any ranking. He lumps everything into the same category.
Interesting that at first known vulnerabilities don't matter, now they do when it comes to criticality. Way to be inconsistent.
As it turns out, there are the same number of highly to extremely critical fixes according to JUST secunia statistics. Secunia only released advisories for a little under half of the Firefox vulnerabilities. Those stats are going to go up and have Firefox beat the pants off MSIE in terms of more serious vulnerabilities.
Here are the statistics:
http://secunia.com/product/4227/?period=2005#stat
http://secunia.com/product/11/?period=2005#statis
MS is known to sit on bugs as long as possible. Perhaps the Firefox team is just being more responsive to the people looking for them.
6% workarounds, 6% partial fixes as per the above statistics. Yeah, they're awesome
IAAITG (I am a IT guy)
But not a scientist, nor a rational thinker, apparently.
How can Ubuntu guarantee that the software they package is free of exploits? Offering it through a central repository is no different than offering windows shareware through a popular website like tucows. The only real advantage you get is that they might virus/trojan scan it for you, but that's it.
Not just that, but the user is STILL installing it, they're just installing it with a package manager instead of running an executable directly. The scripts that come with package managers still allow you to clobber all kinds of stuff.
And this is ignoring the fact that there is still software that they don't have available. You can say it's not a valid reason, but the fact is that's what people want and there are in fact many software packages which are good that you wouldn't, at least initially, get through any 'official repository.'
Maybe it's because we've been treated as the lesser of two human beings for centuries.
Damn, you're old, have you contacted the Guinness book people?
You haven't been denied the right to vote, discriminated at the workplace, took lesser wages, get constantly objectified
Neither have you, unless as implied above, you're old as hell.
Furthermore, your assumption is racist. Blacks have had it worse off than women historically. So if you want to talk about privilege, consider what black MALES had to go through.
We're not all crazy bitches.
Does thinking that you're world-record-setting-old qualify as crazy? What about reacting emotionally to a study without reading what it's about?