Slashdot Mirror


User: InsaneGeek

InsaneGeek's activity in the archive.

Stories: 0
Comments: 716

Comments · 716

  1. Re:This looks inacurate... on SANS Releases Top Ten Exploits · · Score: 1

    Agreed that it doesn't show what is unpatched, but that's not the original point of the entire topic.

    One can sure argue that there are potential exploits out there, but it really doesn't do any good because it's all theoretical. Linux (in theory) should have fewer and fewer exploits as time goes on; is this true yet... nope. What I personally think: Linux is going to only get a little better and then stay at some kind of equilibrium point (little better, little worse depending upon the year). Now before you jump for the throat, I believe this because of how much of a state of flux it is in: new code is going in daily, and that new code is going out the door just as quickly.

    What is the main cause for new exploits.... new code. The Linux distros & writers are not taking enough time to audit their code before it gets out the door. All they are really doing is waiting for someone else to find the bugs that they should have worked to find before they released in the first place. BSD does this the right way: let's get good code first, then put it out into a stable release, instead of rush, rush, rush, cool feature, push out, and hope the bugs get found quickly. Open source allows us to find & repair the problems quicker, but until the Linux community decides they don't need the latest whiz-bang feature now, their code is going to be constantly riddled with exploits (just like other software companies').

    Spelling & grammar checker off because I don't care

  2. Re:This looks inacurate... on SANS Releases Top Ten Exploits · · Score: 2

    It's very slow (don't slashdot it please) but you may want to check out
    http://www.securityfocus.com/frames/?content=/vdb/stats.html

    What they've done is count up the number of root-level compromises per OS on the bugtraq mailing list and order them up on a per-year basis. Most /. Linux freaks will be surprised as to where Linux sits (hint: pretty much the same as Windows). Here's a small snippet before everyone slashdots the poor website...

    OS              97   98   99   00
    ---------------------------------
    BSD (aggr)       8    8   26    7
    Linux (aggr)    10   23   84   30
    Win 3.-98        1    1   46   13
    Win NT           4    6   99   37

    Further down the page Linux gets some better positioning as it breaks down categories, etc.

  3. Old stuff on Super-Fast Hard Drives · · Score: 3

    Solid state disks have been around for years; they aren't offering anything a bit revolutionary or even a best-of-breed product. They even take out the functionality of an SSD by making you plug it into a PCI slot instead of a standard drive connection. Maybe if they've SIGNIFICANTLY reduced the price it might not be that bad, but that's a big if.

    Check out solidstate.com, mti.com, etc. they have much better solutions than putting a card into your computer.

    I checked out SSDs last year to see about SAN integration, but the cost is VERY prohibitive, i.e. 90k for a 4 gig disk with a Fibre Channel connection (of course that was battery backed up, disk backed up, etc). If you are running a big database/warehouse they can become very useful; they appear to the system as a regular drive, no drivers, etc. I know of a couple of companies who do a RAID set over multiples of these (think 10x4 gig striped SSDs to do big database billing, then think price).

  4. Re:A great response! on Our Attorney's Response To Microsoft · · Score: 1

    Umm... actually, as much as I hate to admit it, the Kerb 5 designers (in their infinite wisdom) allowed for "proprietary" extensions. Microsoft speaks the protocol properly; it is RFC compliant with the servers.

    So Microsoft COMPLETELY complies with the Kerberos specs; the Kerb 5 people are the ones that really started this whole mess by allowing something as stupid as this into their specs. Microsoft can still say they use Kerberos and are completely compatible with Kerberos, even though they are throwing interoperability issues into the mix, because some engineer somewhere specifically added a clause to allow them to muck up the system.

    It's a painful thing to hear, but the truth sometimes hurts: Microsoft can extend the protocol as much as they want because the protocol has specifically been made to allow it. Now whether or not Microsoft should be extending the protocol without telling anybody else how to talk to it is another thing.

  5. Re:DDOS != 10.0.0.0 on The Slashdot DDoS: What Happened? · · Score: 2

    Not knowing if that's a joke or not...

    I may sound like too much of a bastard, but not having time is not an excuse; you aren't doing your job. Each of those routers had to be configured to begin with, and most networking guys keep the entire configs in a text file that they upload to a router: add a couple of lines to the code and you're done. Not doing this stuff is akin to doing a ("chmod -R 777 /") on all of your unix boxes because it takes time to set up accounts, etc.

    It's amazing how much time the admin seems to get when a site realizes that 80% of a T3 is full of bad traffic (the old saying: an ounce of prevention...). If you don't have time to do this type of stuff, you need to have a serious talk with your boss, because sometime soon you are going to spend a whole week cleaning up some crap that would have only taken you a couple of hours to do in the first place (not to mention boss yelling, legal dept. yelling, CEO yelling, customers yelling...).

  6. Re:Why a firewall? on The Slashdot DDoS: What Happened? · · Score: 1

    Your firewall should NOT become your SPOF (single point of failure) if you care about your site staying up (or designed it to be resilient).

    Any site that is concerned about availability needs to run HSRP (hot standby routing protocol), or some equivalent. Routers have been using this for some time; firewalls & load balancers too. I don't see any reason for Slashdot to NOT be running some kind of failover; it's not like they can't afford it.

  7. Re:DDOS != 10.0.0.0 on The Slashdot DDoS: What Happened? · · Score: 4

    I believe that he was more going along the lines of: outgoing packets that have a source address from outside my network should be dropped before they get outside your own network (not just the reserved ranges, but anything that isn't supposed to be outgoing over that router).

    As long as you aren't in wild and woolly peering arrangements, one should be able to know all the IP addresses that are inside one's network (and within each segment of the network). Once a router sees something that can't possibly be coming from inside that network, it should be dropped and throw up alarms, bells, flashing lights, etc. 'cause something just ain't right (either a misconfigured client or someone trying something bad).

    Doing this type of filtering doesn't prevent your system from being used in a DDOS attack, but it prevents your system from being used in the attack with a spoofed address. Hence: see 50mb/sec from host w.x.y.z, contact the owner of that address block and get it stopped; since it is not forged, they have a compromised box internally. If everybody started doing that the world would be a MUCH better place to live in.
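The source-address filtering argued for in the comment above (what was later written up as BCP 38 / RFC 2827) comes down to one decision per packet: does this source address belong where the packet came from? The following is an added example of that decision logic, not code from the commenter or from Slashdot. Everything in it is constructed: the prefixes are documentation ranges standing in for a site's address space, the interface names (`lan0`, `lan1`, `wan0`) are hypothetical, and the flow records are made-up samples. It also goes one step beyond the comment by checking per segment (a packet from a `lan1` address arriving on `lan0` is just as wrong as an outside address) and by applying the mirror rule on the upstream side, where a packet claiming one of the site's own addresses must be a forgery.

```python
"""Anti-spoofing source-address filter at a site's edge (BCP 38 style).

Added example, not from the original post. All prefixes, interface names
and flow records are constructed. A real deployment is router ACLs or
unicast RPF; this shows only the decision logic and the alarming.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: which prefixes live behind which internal interface.
SEGMENTS = {
    "lan0": [ipaddress.ip_network("203.0.113.0/25")],
    "lan1": [ipaddress.ip_network("203.0.113.128/25"),
             ipaddress.ip_network("198.51.100.0/25")],
}
UPSTREAM = "wan0"  # hypothetical interface facing the provider

# Every prefix the site owns, regardless of segment.
OWNED = [net for nets in SEGMENTS.values() for net in nets]

# Sources that are never valid on the wire at an edge router.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Verdict:
    action: str   # "permit" or "drop"
    reason: str


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def verdict(src, in_iface):
    """Decide the fate of a packet with source `src` that arrived on `in_iface`.

    Internal interfaces: the source must belong to that interface's own
    segment. Upstream interface: the source must NOT be one of ours, since
    nobody outside can legitimately originate traffic from our space.
    """
    addr = ipaddress.ip_address(src)
    if _in_any(addr, BOGONS):
        return Verdict("drop", "reserved/bogon source")
    if in_iface == UPSTREAM:
        if _in_any(addr, OWNED):
            return Verdict("drop", "inbound packet forges one of our addresses")
        return Verdict("permit", "inbound from outside, source not ours")
    if in_iface not in SEGMENTS:
        raise ValueError(f"unknown interface {in_iface!r}")
    if _in_any(addr, SEGMENTS[in_iface]):
        return Verdict("permit", "source matches its segment")
    if _in_any(addr, OWNED):
        return Verdict("drop", "our address, wrong segment (misrouted or spoofed)")
    return Verdict("drop", "source outside our space (spoofed or misconfigured host)")


def filter_flows(flows):
    """Apply `verdict` to (src, dst, in_iface, bytes) records.

    Returns the permitted records and one alarm string per drop. A drop
    here means a misconfigured or compromised host on that segment, which
    is why it deserves an alarm rather than a silent discard.
    """
    permitted, alarms = [], []
    for src, dst, iface, nbytes in flows:
        v = verdict(src, iface)
        if v.action == "permit":
            permitted.append((src, dst, iface, nbytes))
        else:
            alarms.append(f"ALARM drop on {iface}: src={src} dst={dst} "
                          f"bytes={nbytes} ({v.reason})")
    return permitted, alarms


# Constructed sample flows: (source, destination, arriving interface, bytes).
SAMPLE_FLOWS = [
    ("203.0.113.10",  "192.0.2.1",    "lan0", 1500),  # legitimate
    ("198.51.100.7",  "192.0.2.1",    "lan1", 900),   # legitimate
    ("203.0.113.200", "192.0.2.1",    "lan0", 60),    # ours, but lan1's range
    ("10.0.0.5",      "192.0.2.1",    "lan0", 60),    # RFC 1918, never valid
    ("192.0.2.77",    "192.0.2.1",    "lan1", 60),    # not ours at all: spoofed
    ("203.0.113.10",  "203.0.113.20", "wan0", 60),    # outsider forging our space
    ("192.0.2.1",     "203.0.113.10", "wan0", 1200),  # normal inbound
]

if __name__ == "__main__":
    ok, alarms = filter_flows(SAMPLE_FLOWS)
    print(f"permitted {len(ok)} flows, dropped {len(alarms)}")
    for line in alarms:
        print(line)
```

On the sample flows, the two legitimate internal flows and the normal inbound flow pass; the other four are dropped with a reason. The ordering of the checks matters: bogons are rejected before any ownership test so that a leaked private address is never mistaken for "just another outside source", and the segment check runs before the site-wide check so that the alarm says which of the two failures (wrong segment versus not ours at all) actually occurred.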

  8. Re:No, not a hole in Hotmail. on Another Hole in Hotmail · · Score: 1

    I disagree; it doesn't have to act as a client. It presents the data to the browser, which is the acting client. I guess if you want to get wild about it, it could be a client as much as POP3 is a client; their job is to get data to and fro, not inspect and decide what you get. (Maybe I'm just an old crusty bastard but that's the original intention of mail and I'm sticking to it.)

    The problem with your suggestion is that not only do these exploits work on Hotmail, because the client readily accepts them, but any other site can send bad JavaScript to you. If the client would prevent you from executing bad code to begin with, there could be 20 billion new exploits, but if your browser didn't run them not only would your Hotmail account be fine but all the other sites one goes to wouldn't have to be worried about either.

  9. Please, enough chest pounding on Linux Users Unscathed By ILOVEYOU · · Score: 3

    Is it just me or are these types of posts annoying? It's getting to the point where every time there is anything with a security problem in a Microsoft product, Slashdot lights up with "Linux doesn't have this problem"... well duhh.

    I don't seem to remember other people making asses out of themselves as much. When was the last time you heard, after a Linux security problem, the Microsoft people coming out of the woodwork to say "Well we use NT so we didn't have problems, haha"... It's like these people are little children; it's so f*cking annoying. I've never heard supporters of other products doing the "na, na, na, we didn't have the problem 'cause we use Solaris/Irix/Dynix/etc". I don't even use Microsoft products and it's annoying the bejeebers out of me.

    Spelling & Grammar checker off because I don't care

  10. Re:No, not a hole in Hotmail. on Another Hole in Hotmail · · Score: 1

    I would say that it's NOT a hole in Hotmail, but a hole in the browser. Color me crazy but I believe that a mail server's purpose is to send data to you, not to scan/prevent bad data from getting to you.

    The way the process works now, it's only a matter of time before the next java filter work-around gets through. It's like filtering ILOVEYOU in subject lines: it only works until... whoops, somebody changed the subject line. Now if the client had those dangerous actions fixed/disabled, then instead of filtering for KNOWN problems they could prevent the problems from occurring to begin with.

    Kinda like chasing our own tail is what it seems like to me. My opinion is that Hotmail should NOT filter anything and make the browser responsible.

  11. Re:Ill-posed question on On Leading vs. Following In The NOS World · · Score: 1

    I agree with part of your statement.

    I'd go a step further and say that Linux really has never "led the way" (of course there are certain projects, but as a whole, no). Linux itself is a clone of unix functionality, nothing really innovative technically (no gee-whiz stuff, just re-implementation of other tech).

    I disagree with "when will open source start leading the way"... and rephrase that to "when did open source STOP leading the way". Think of the old projects before open source was really called open source. Sendmail, bind, innd... all of these were produced BEFORE the open source craze; they were the pioneers, they led the way, they were the ones who made the rules... now for some reason people seem to be cool with just copying commercial software functionality.

    Anymore, the way of the world is this: make a cool product, see lots of dollar signs, decide to keep it closed source for the additional income instead of sharing it; then the open source people see how cool it is and say we need that and start making copies.

    To answer my own statement about when it lost its way... I guess my opinion is once they found how easily they could make money off the same products they normally would give away. To head off the typers, open source can/does/will make money, but let's be honest, closed source tends to make larger amounts of money faster.

    Spelling & grammar checker off because I don't care

  12. Re:I hate to say this isn't wrong, but.... on NetPD, Metallica's Mysterious Tracker · · Score: 1

    So what is your suggestion for fixing the problem? Obviously there is a problem; 90% of Napster is illegal copies. Metallica actually went down the path that Napster asked them to; do you have a better suggestion than what Napster tells them?... If not, then you aren't helping.

    I thought that Metallica was pretty decent about their process; they asked Napster to remove their name from searches, they refused (that to me puts them in the wrong to begin with), and said to give us the nicks of users and we will ban them. Metallica, being pretty chapped off with the attitude Napster gives them (and I'd be pissed too, if a reasonable request like that was thrown back in my face), says you want to be asses then fine, we will give you names. What recourse do they have if they want to get their music off of Napster? They ask to be removed from searches, Napster pretty much tells them to f* off and to get a list of all the "bad" users, so they go and do exactly what Napster requested and hand in the names.... and Slashdot is pissed at Metallica for this????

    Personally I think Napster is the one being the prick in this situation; Metallica is doing just what Napster said to go and do, and for some reason most of Slashdot is defending Napster instead of actually seeing that Metallica is only doing what Napster told them to do. Why isn't Slashdot pissed at the policies at Napster?

    Spelling & grammar check off because I don't care

  13. Re:New accuracy on New Linux Supercomputer Forecasts Rain · · Score: 1

    Nope, that would be the bright orange Chaos Theory book with the fractals on the front; now who wrote it & who published it I can't remember right now, but it's sitting on the shelf at home. Good high-level read for the general public; got a blue book from college (title "Advanced Analysis" maybe) in a box somewhere that goes into the nitty gritty goodness.

    'Course, I don't remember that part in Jurassic Park (maybe when he was talking about the frogs???), but not remembering wouldn't surprise me; as you might be able to guess, I need to upgrade the memory unit in my brain or at least my access algorithm. I never can remember titles, authors, names... :)

  14. Re:New accuracy on New Linux Supercomputer Forecasts Rain · · Score: 3

    Depends upon what period you want to be accurate for: weather 10 seconds from now, pretty darn accurate; 10 days from now, not so accurate; a month... well, throw a dart at the guessing board. This will allow them to add more variables into the equation, but I don't think it will show the public any noticeable differences.

    You can throw as big of a machine as you want at these problems and you will only marginally increase its effectiveness; this is all due to chaos theory. There are so many items that seem insignificant (I seem to remember the phrase "insignificantly significant" from a professor somewhere) that cannot be accounted for that make any long-range forecasting of weather impossible. Extremely small items added into an equation that at first glance would seem to only add maybe a .0001% variation can in fact greatly change the results as you increase the period that the equation is used over, i.e. for small periods it doesn't add much variation but for longer periods it adds significant variation. There is no possible way for anyone to take in all these subtle complexities: if a raindrop rotates clockwise after it hits the ground and hits another one on its way down, moving its position, how does it affect weather 6 months from now?

  15. Not really applicable on On DDoS, SPAM, Telemarketing And Harrasment? · · Score: 1

    The main guise that anti-UCE laws are being drafted under is cost-shifting. Many people are paying by the minute for internet usage, so receiving UCE cuts into their pocket directly. Whereas most (if not all) phone calls to a land line in the US are free for the receiving party (note cell, etc. are not included in the "land line" part). So to receive their messages the advertiser is not directly pushing their cost onto the customer ("my time is worth X dollars", etc. isn't much of a REASONABLE complaint before congress, nor is "I pay X dollars for service" when you'd pay the same fee whether you got the call or not).

    I believe that there is a law somewhere about cell phone numbers being "unlawful to spam"; I may be incorrect, but I seem to remember reading that somewhere. Both cellphones & faxes can be applied with the cost-shifting rules: faxes (used to) cost lots of dollars and incoming minutes still cost quite a bit, so the advertisers can't shift costs to the consumer to hear their spiel.

    I would love to stop spammers, telemarketers, etc. as much as the next guy, but where does it stop? An accident occurs, there are gawkers on the road; can I sue the gawkers & the people involved in the accident because they inconvenienced me on my way back from work? How about going to a sporting event and having the opposing team harassing me with chants about how great their team is? This stuff needs to be fought in the cost-shifting arena: if an advertiser wants to eat ALL THE COST to send me an advertisement, great, I can ignore it and not worry about it.

    Spelling & Grammar checker off because I don't care

  16. Re:PENTIUM I ??? WHY NOT CRUSOE!? on "Tight" PDA/Handheld Console · · Score: 1

    My guess would be that using a Transmeta chip will be a bit more than the $100 price point they are going after.