Yes Fedora currently has SELinux in the default install. Unfortunately they have had to use a fairly permissive policy because too many applications and libraries don't properly respect the sort of security bounds that ought to be in place.
Immutable files on BSD require the same kind of care... but remember, Windows has this problem in a far worse way, because Microsoft's need to remain compatible with apps that ran on the old DOS-based Windows means that they have to accomodate programs that assumed they were effectively root!
If the original development path of NT, with a new object-oriented shell and API that would have come out somewhere around the time of NT4 or Windows 2000, had been followed... he might have a point.
But by merging the Windows 95 shell and the execrable HTML control and its associated APIs, Microsoft doomed any chance of Windows ever having a secure code base. Unless they back out or radically redesign the shell and security model they will never be able to honestly claim that Windows is more secure than (or even as secure as) any other protected-mode operating system.
Of course, once they're using a Mac they quit bugging me. Or they decide I'm too weird to work with, and quit bugging me anyway. It's a win-win proposition, really.
High-base encoding like Base-36 and Base-40 is old hat. DEC used a base-40 encoding over 30 years ago, and MIME-encoding has been using high bases forever.
And leaving off the vowels won't K33P P30PL3 FR0M SP3LL1NG N4WT1 W0RDS!
People simply don't believe that there actually are reasons why Windows in particular has deep problems that are nigh impossible for Redmond to fix, because they've been using Windows and in many cases DOS for years, and each new release from Redmond is a bit better for them than the last, they just figure the non-Windows apologists are behind the times, that Windows is better now.
Mac users used to be like this, too, back in the '90s, back when Mac OS was a pile of junk, before OS X. They didn't believe that concurrent multitasking was a good idea, or that a system could be responsive if it didn't give "the application" all the CPU time it needed. Systems like the Amiga or later Windows 9x (yes, really) weren't really any better. They couldn't be, everyone knew the Mac was the best.
It's normal. People who haven't experienced a better system really don't believe that having their cars catch on fire six miles from the dealership is avoidable.
When they calculate PDA sales figures, they exclude ALL PDAs with Cellphone functionality, including the tremendously popular Treo and all models from Samsung. No wonder they look bad, they're putting a huge percentage of PDA sales in the Cellphone column.
Until this is changed, take anything anyone says about PDA sales with a grain of salt... hell, you'll probably need half the Dead Sea to disguise the taste of BS in the figures they use.
However, there are more network daemons than are visible in the Sharing pane in OS X
But they're not turned on by default.
For example a telnetd is installed in OS X by default.
But it's not turned on by default.
If you're turning on telnetd, or installing your own Apache, then you're going to be opening holes for them in the firewall. Once opened, those holes won't magically close when you "forget" about them. Whether the firewall is "on by default" or "off by default" is going to make negligable difference to the security of the system.
All it does is give a *false* sense of security to people who think it *does* make a difference.
No, not in this case. I'm afraid you fell into the "Marcus Ranum Perfect Firewall" trap, and I admit I left the tripwire in place deliberately.
An IP based client firewall only provides an absolute bare minimum of protection: it prevents connections to running services. It won't protect against attacks on any services it's not blocking access to, and it will allow access to all services that you turn on deliberately (it will either do this automatically when you enable the service, or it will do it after you figure out why your service didn't work and you open it up in the firewall).
Mac OS X ships with all services disabled by default.
There is absolutely nothing running for a firewall to protect.
The client firewall in Windows isn't "layered security" either. Since Microsoft doesn't provide any consistent way to control the bindings of services to ports, and requires at least some services running just to use their client networking protocols, the only way to "turn off" a service while using the corresponding client component is through a firewall.
So... the Windows firewall is not an additional layer of protection, it's the ONLY layer of protection.
On Mac OS X, it *could* be an additional layer of protection, but it's not at all clear to me how Apple could set up a default configuration that would actually provide protection for local services in any meaningful sense.
I stopped reading one paragraph in to the second page:
"Mac OS X could have more comprehensive help files and we'd like to see the inbuilt firewall switched on by default."
Anyone who thinks a default client-based firewall is anything but an admission that the OS developers couldn't figure out how to make any network services secure by default simply has NO BUSINESS even commenting on security issues.
I suppose that excludes most of the pundits online and in magazines, but that's always been true, all the way back to Jerry Pournelle (after his friend Maclean died, anyway).
An operating system will never be bulletproof against such attacks (just read Goedel, Escher, Bach).
That's nice, but microsoft's "security" model, particularly in their Internet clients, doesn't even try to be bulletproof. It's barely cream-pie-proof.
In GEB terms, Windows is like a record player with a thermite charge wired to the "on" switch.
The way the web works is the perfect example of an application being "the UI getting out of sync with your actions"
In the sense that I would use that phrase, the web only gets out of sync with your actions when something goes wrong (you double-click on a link and get multiple fetches in the queue, you hit reload and repost a form, etcetera). If your actions produce repeatable and reliable results that don't depend on fine details of timing, then they're as close to in sync as they need to be.
A user interface is a soft real-time environment, not a hard real-time one.
In fact, it's much easier for a directly controlled user interface to get out of sync with your actions. It's fairly common for a GUI to actually slow you down, because the application is out of sync and by the time your clicks are registered a different UI element is under the mouse pointer.
Putting the UI closer to you than to the application is the best possible way of keeping the UI in sync with what you're doing.
The UI may be out of sync with the application, but who cares? If the application is multithreaded it can even be "out of sync" with itself. that's the whole point of an asynchronous environment (hell, we're using the same words to describe it). Keeping the UI in sync with the user is the key, what the application does under the covers is an implementation detail.
As time passes, it becomes more and more clear that RMS is dead on in most [emphasis added] of his positions, and the people who say otherwise are beginning to open themselves up to comparisons with MLK's detractors
This kind of phrasing describes an ever more inclusive definition of "most", and is generally used by people who really mean "all" but are aware that other people will only let them approach "all" asymptotically. I apologise if that wasn't your intent.
it becomes more and more clear that RMS is dead on in most of his positions
That's unsurprising, they're not all that far from the positions of most of the academic and free/open/whatever-you-call-it sodtware communities.
But you can't generalise from that to arguing that because many (or most) of his positions are correct, all of them are correct. And it's not fair, reasonable, or useful to imply that people who disagree with him are doing so because of his behaviour. It's also possible that he's simply mistaken about some things... it's been known to happen, why, he's even changed his position on occasion.
the people who say otherwise are beginning to open themselves up to comparisons with MLK's detractors
I wrote: "how about making all the gadgets independent of the app, so that an application can be slow and unresponsive without the UI getting out of sync with your actions."
That's impossible.
I feel like I'm in "The Princess Bride". "that word, you keep using that word, I don't think it means what you think it means."
Not only is it not "impossible", but it's been implemented dozens of times in everything from IBM's old mainframe terminals to the latest web browsers. It's how the web works. It's how AmigaOS' GUI (Intuition) works, it's how Sun's NeWS (Network Extensible Window System" works. Every time you post to slashdot, you're working with exactly that kind of scheme, with the input and responses going on in your web browser and the whole filled-out form only going back to the application in the webserver when you're done. If the webserver had to respond for every click and keystroke, the web simply wouldn't work... because the webserver would be too slow and unresponsive.
The same scheme, on a shorter term, can make VERY slow and low performance systems... where opening a file can take seconds and parsing a document half a minute or more. If an application is busy doing something for, oh, a couple of seconds, that's a HELL of a long delay for the UI to respond to your request... but the UI can *still* have all the information it needs to make that response (bring up menus, change the visible state of checkboxes, change the color of an icon)... so by the time the app gets back a second or two later you're waiting for the output, not waiting for a chance to complete your input.
If your X11 based application took a second to respond to every keystroke as you filled in a form, that would be "slow and unresponsive". If instead it only had to respond to less frequent events (anything from "user has completed inputing this form" down to "user has updated this textbox", depending on the tradeoff you're making) a program that took a second to respond could feel quite fast.
Yes Fedora currently has SELinux in the default install. Unfortunately they have had to use a fairly permissive policy because too many applications and libraries don't properly respect the sort of security bounds that ought to be in place.
Immutable files on BSD require the same kind of care... but remember, Windows has this problem in a far worse way, because Microsoft's need to remain compatible with apps that ran on the old DOS-based Windows means that they have to accomodate programs that assumed they were effectively root!
If the original development path of NT, with a new object-oriented shell and API that would have come out somewhere around the time of NT4 or Windows 2000, had been followed... he might have a point.
But by merging the Windows 95 shell and the execrable HTML control and its associated APIs, Microsoft doomed any chance of Windows ever having a secure code base. Unless they back out or radically redesign the shell and security model they will never be able to honestly claim that Windows is more secure than (or even as secure as) any other protected-mode operating system.
What does he think the term "known vulnerability" refers to? Does he think the converse doesn't exist?
If the best the entertainment industry has to offer, God help us all.
BSDI's lizard logo got accused of being satanic because the three lizards looked like three "6"es to some poor fellow.
sigh
It's the end of an era. Maybe I'll go back to the Amiga...
Why don't the /. moderators quit pointing people to the physorg tarpit. The never credit their sources or provide links to them...
http://cfa-www.harvard.edu/press/pr0505.html
Of course, once they're using a Mac they quit bugging me. Or they decide I'm too weird to work with, and quit bugging me anyway. It's a win-win proposition, really.
Even if IE had less market share it would still have the lion's share of the exploits, just as IIS does, because the design is fundamentally insecure.
http://www.larkfarm.com/honeywell_answers.htm
M R- V13.html#Animals
http://ed-thelen.org/comp-hist/TheCompMusRep/TC
My father used to have a miniature of the Honeywell Animals kangaroo as a paperweight.
If you screw up and make Mars atmosphere unsuitable for life... well, damn, it already *is*, so what have you lost?
... you're using tools you've developed yourself, as well as open source and commercial tools, all where they're appropriate.
High-base encoding like Base-36 and Base-40 is old hat. DEC used a base-40 encoding over 30 years ago, and MIME-encoding has been using high bases forever.
And leaving off the vowels won't K33P P30PL3 FR0M SP3LL1NG N4WT1 W0RDS!
I think almost everybody here is confusing the synthetizer with the musician.
A nice analogy.
Isao Tomita credited his bevy of synthesizers under the name "The Plasma Symphony Orchestra", but it was clearly tongue-in-cheek.
This is like suing the phone company for allowing competing listings on the same page!
You see it right here on /.
People simply don't believe that there actually are reasons why Windows in particular has deep problems that are nigh impossible for Redmond to fix, because they've been using Windows and in many cases DOS for years, and each new release from Redmond is a bit better for them than the last, they just figure the non-Windows apologists are behind the times, that Windows is better now.
Mac users used to be like this, too, back in the '90s, back when Mac OS was a pile of junk, before OS X. They didn't believe that concurrent multitasking was a good idea, or that a system could be responsive if it didn't give "the application" all the CPU time it needed. Systems like the Amiga or later Windows 9x (yes, really) weren't really any better. They couldn't be, everyone knew the Mac was the best.
It's normal. People who haven't experienced a better system really don't believe that having their cars catch on fire six miles from the dealership is avoidable.
I would describe many if not most screen-saver applications as software art.
Also...
http://www.verostko.com/epigenet.html
http://www.runme.org/
When they calculate PDA sales figures, they exclude ALL PDAs with Cellphone functionality, including the tremendously popular Treo and all models from Samsung. No wonder they look bad, they're putting a huge percentage of PDA sales in the Cellphone column.
Until this is changed, take anything anyone says about PDA sales with a grain of salt... hell, you'll probably need half the Dead Sea to disguise the taste of BS in the figures they use.
However, there are more network daemons than are visible in the Sharing pane in OS X
But they're not turned on by default.
For example a telnetd is installed in OS X by default.
But it's not turned on by default.
If you're turning on telnetd, or installing your own Apache, then you're going to be opening holes for them in the firewall. Once opened, those holes won't magically close when you "forget" about them. Whether the firewall is "on by default" or "off by default" is going to make negligable difference to the security of the system.
All it does is give a *false* sense of security to people who think it *does* make a difference.
It's called layered security.
No, not in this case. I'm afraid you fell into the "Marcus Ranum Perfect Firewall" trap, and I admit I left the tripwire in place deliberately.
An IP based client firewall only provides an absolute bare minimum of protection: it prevents connections to running services. It won't protect against attacks on any services it's not blocking access to, and it will allow access to all services that you turn on deliberately (it will either do this automatically when you enable the service, or it will do it after you figure out why your service didn't work and you open it up in the firewall).
Mac OS X ships with all services disabled by default.
There is absolutely nothing running for a firewall to protect.
The client firewall in Windows isn't "layered security" either. Since Microsoft doesn't provide any consistent way to control the bindings of services to ports, and requires at least some services running just to use their client networking protocols, the only way to "turn off" a service while using the corresponding client component is through a firewall.
So... the Windows firewall is not an additional layer of protection, it's the ONLY layer of protection.
On Mac OS X, it *could* be an additional layer of protection, but it's not at all clear to me how Apple could set up a default configuration that would actually provide protection for local services in any meaningful sense.
I stopped reading one paragraph in to the second page:
"Mac OS X could have more comprehensive help files and we'd like to see the inbuilt firewall switched on by default."
Anyone who thinks a default client-based firewall is anything but an admission that the OS developers couldn't figure out how to make any network services secure by default simply has NO BUSINESS even commenting on security issues.
I suppose that excludes most of the pundits online and in magazines, but that's always been true, all the way back to Jerry Pournelle (after his friend Maclean died, anyway).
An operating system will never be bulletproof against such attacks (just read Goedel, Escher, Bach).
That's nice, but microsoft's "security" model, particularly in their Internet clients, doesn't even try to be bulletproof. It's barely cream-pie-proof.
In GEB terms, Windows is like a record player with a thermite charge wired to the "on" switch.
The way the web works is the perfect example of an application being "the UI getting out of sync with your actions"
In the sense that I would use that phrase, the web only gets out of sync with your actions when something goes wrong (you double-click on a link and get multiple fetches in the queue, you hit reload and repost a form, etcetera). If your actions produce repeatable and reliable results that don't depend on fine details of timing, then they're as close to in sync as they need to be.
A user interface is a soft real-time environment, not a hard real-time one.
In fact, it's much easier for a directly controlled user interface to get out of sync with your actions. It's fairly common for a GUI to actually slow you down, because the application is out of sync and by the time your clicks are registered a different UI element is under the mouse pointer.
Putting the UI closer to you than to the application is the best possible way of keeping the UI in sync with what you're doing.
The UI may be out of sync with the application, but who cares? If the application is multithreaded it can even be "out of sync" with itself. that's the whole point of an asynchronous environment (hell, we're using the same words to describe it). Keeping the UI in sync with the user is the key, what the application does under the covers is an implementation detail.
As time passes, it becomes more and more clear that RMS is dead on in most [emphasis added] of his positions, and the people who say otherwise are beginning to open themselves up to comparisons with MLK's detractors
This kind of phrasing describes an ever more inclusive definition of "most", and is generally used by people who really mean "all" but are aware that other people will only let them approach "all" asymptotically. I apologise if that wasn't your intent.
it becomes more and more clear that RMS is dead on in most of his positions
That's unsurprising, they're not all that far from the positions of most of the academic and free/open/whatever-you-call-it sodtware communities.
But you can't generalise from that to arguing that because many (or most) of his positions are correct, all of them are correct. And it's not fair, reasonable, or useful to imply that people who disagree with him are doing so because of his behaviour. It's also possible that he's simply mistaken about some things... it's been known to happen, why, he's even changed his position on occasion.
the people who say otherwise are beginning to open themselves up to comparisons with MLK's detractors
Uh, OK... "I've stopped beating my wife, too".
I wrote: "how about making all the gadgets independent of the app, so that an application can be slow and unresponsive without the UI getting out of sync with your actions."
That's impossible.
I feel like I'm in "The Princess Bride". "that word, you keep using that word, I don't think it means what you think it means."
Not only is it not "impossible", but it's been implemented dozens of times in everything from IBM's old mainframe terminals to the latest web browsers. It's how the web works. It's how AmigaOS' GUI (Intuition) works, it's how Sun's NeWS (Network Extensible Window System" works. Every time you post to slashdot, you're working with exactly that kind of scheme, with the input and responses going on in your web browser and the whole filled-out form only going back to the application in the webserver when you're done. If the webserver had to respond for every click and keystroke, the web simply wouldn't work... because the webserver would be too slow and unresponsive.
The same scheme, on a shorter term, can make VERY slow and low performance systems... where opening a file can take seconds and parsing a document half a minute or more. If an application is busy doing something for, oh, a couple of seconds, that's a HELL of a long delay for the UI to respond to your request... but the UI can *still* have all the information it needs to make that response (bring up menus, change the visible state of checkboxes, change the color of an icon)... so by the time the app gets back a second or two later you're waiting for the output, not waiting for a chance to complete your input.
If your X11 based application took a second to respond to every keystroke as you filled in a form, that would be "slow and unresponsive". If instead it only had to respond to less frequent events (anything from "user has completed inputing this form" down to "user has updated this textbox", depending on the tradeoff you're making) a program that took a second to respond could feel quite fast.