Thanks for bringing up the $20k issue. I was wondering about the price as well, but then figured out that it's just a made up number. If he asks for $20k maybe he'll get $1k. But the idea bothers me.
servers are cheap these days. really. I've found p3-666 machines in the trash a few years back, and other people are finding nice rack mount servers with drives, etc. I can't afford much more than my rent, and yet I can come up with more server power when I need it, just by using a bunch of old P300s or whatever.
One word: reliability.
Sure, any geek can make a computer out of toothpicks and bubble gum and run Linux on it and call it a "server", but these guys are trying to _reduce_ the amount of downtime they're seeing on some high-load systems. So it looks to me like they're trying to buy reliable hardware: new systems, lots of redundancy, and none of this "buying off eBay" or "systems assembled from parts pulled from the trash" junk which some people are suggesting. Real server hardware costs real money, presumably at least a few thousand per system.
Especially considering (konsidering?) that pressing the first letter of a menu option goes to that menu option, but when every one starts with the same letter, it makes the feature useless.
Of course, you can always set up the menu in "Description (Name)" order, e.g. "CD Player (kscd)".
Perhaps some kind of system that keeps track of how often you run certain programs and when you don't use one for X amount of time then it puts those programs into a submenu or something like that.
Try this in KDE 3.1:
Configure Panel -> Layout -> QuickStart Menu Items:
O Show the applications most recently used.
0 Show the applications most frequently used.
Maximum Number of Entries: 5
Just ensure that the DNS checks to see that the new file is actually a legal DNS zone file. I assume these things have a required format?
Why would anyone want to "combat" it?
Remember, the RIAA/MPAA have lumped BitTorrent in with KaZaa and other P2P music services in its "war on piracy". Various people have counter-argued (correctly) that unlike those other services, BitTorrent is really just a protocol (like FTP, only peer-to-peer). The lack of any kind of built-in search functionality in BitTorrent is the clearest example of this, the example most obvious to non-technical types.
Now, what would happen if someone created a type of BitTorrent search? Perhaps nothing, especially as long as people are just making Linux ISOs and the like available. But what would happen if people started making ripped mp3s or movies available in large numbers? The RIAA/MPAA would presumably try to shut them down, right? Go after their servers, or their search software, or whatever. Okay, here's the 64K question... what happens if that search functionality uses the DNS protocol and DNS servers and the entire Internet relies on those protocols/servers? Things could get interesting!
wireless is much easier and much cheaper. Can you imagine wiring a desk or two for every child in the school?
Nope. I can't imagine paying for a computer on every desk in the school and then complaining about the cost of networking them. Having said that, if they are putting multiple computers in every classroom, it makes sense to cut down on wires, if only to avoid injuries and hardware damage due to tripping. :)
Radiation is around us.. everywhere.. We can't stop it. The big question on hand is, do we sacrifice technology and all its benefits for the risk of potential radiation which may or may not hinder one's health and/or possibly lead to cancer?
While I don't agree with this particular lawsuit, you've got to admit that this is a valid question. In general, of course, you can ask this about every pollution-creating, electricity-using, impossible-to-dispose-of-safely and god-knows-what-else-is-wrong-with-it product out there. That really is something to think about before you decide to buy another blinking LED thing to make your cell phone more "pretty" or what have you.
In this specific case, would it really have been so hard for this school to use land lines? Are there any benefits to having a wireless connection? I notice that the Wired article says that the school district installed a wireless network in 1995. I wonder what kind of wireless security they had, and what kind of data they were sending over those connections... Hopefully they used some kind of encryption (but how much do you want to bet that they didn't?)
My point is that there may be more costs here than just the "increased risk" from background radiation. How much do you want to bet that a wireless network uses more electricity than land lines too? How much do you want to bet that it's unreliable in bad weather? And so on...
Yes and it is worth the jump backwards in technology to help OS manufacturers continue to peddle sub par product and services that are the real cause of the problem. Attacking a problem at somewhere other than its source has always been such a great way to deal with challenges like this.
Perhaps the logic behind using firewalls is that the people dealing with the problem actually know what they're doing and are motivated to fix it? Even if bugless OSes actually existed, expecting the average computer user to avoid doing anything which might open up their system to abuse, which may include things as simple as installing software (oops, there's a trojan in P2P program!), is going to be impossible to implement. Trying to achieve the "perfect" solution (namely perfect software and perfect users) is certainly a noble goal, but the first goal should be to implement a plan which is (far) more likely to work.
Besides, let's not forget that _spammers_ are the problem here. Both firewalls and more secure code would just deal with one particular method of obscuring their location. There are other methods they use right now, such as abuse of free popmail accounts and AOL disks, and there will probably be even more in the future. Who knows, perhaps seeding P2P networks with fake mp3s which actually contain product ads will be the next big thing?
My point is, mail proxies are just one tool which spammers use. Making that one tool difficult/impossible to use won't finish off spam. It may, however, convince them that it's not worth the time or money to use that method anymore, which would save a lot of computer users a lot of headaches. Thus it might be worth the trouble to implement a quick, effective solution, even if there are some drawbacks.
The 1st line is "The single biggest security issue facing Linux users at the moment is the misconception perpetuated by highly vocal advocates that Linux is somehow impenetrable to security-based attacks, and in particular, viruses and other malware."
That first line doesn't exactly convince me of the quality of the article. What does he mean by "impenetrable"? In discussing the possibility of a Linux worm, say using the recent ssh vulnerabilities, I might point out that most people run ssh with privilege separation, so the attacker would just get user "nobody" privileges (as compared to the recent Windows RPC worms). Does this mean that I'm making some wild claim that Linux is "impenetrable", or am I simply pointing out one reason why Linux is more secure than Windows -- that servers often run as non-root users? What is a "security-based" attack (that's a made-up term, isn't it)? A worm? A trojan? I think Linux advocates admit that both of those are possible on Linux. There are good reasons why viruses would have a hard time spreading on Linux (strict privilege separation), but other types of attacks are certainly possible and acknowledged as such -- with the caveat that they might be harder to pull off (see ssh worm discussion above).
Looking at the article, I'm starting to understand why so many people believe that marketshare is the only reason why Windows is attacked more. It's as though every random Windows user thinks they understand Linux security. The author states "The reason we have not seen malicious code exploit recent vulnerabilities in other widely-installed open-source applications is pure luck." Bull. See my comment above about an ssh worm. Also note the usual arguments about the heterogeneity of Linux environments. Misunderstandings like that combined with flat out MS apologism ("It wouldn't be sticking one's neck out too far to suggest that Outlook enables the execution of attachments straight from the mail client due to user-demand.") suggest to me the author is one of those people who want to blame anyone other than MS for the problems with Windows. Sure end users are responsible for many security breaches, many of which have little to do with software, e.g. weak passwords. But that still doesn't explain this
Isn't the fact that Windows's vulnerabilities are well known a product of its widespread use? I mean, this just sounds like a self-fulfilling prophecy of sorts.
Aw c'mon. Windows, Linux and MacOS are all widely enough used that their vulnerabilities are known.
Besides, how would this logic explain a worm created to exploit an "obscure" vulnerability like the slammer worm did? There can't be _that_ many MS-SQL servers accessible via the Internet, yet the worm was written, deployed, and managed to do some serious damage (taking down several root nameservers).
And properly applied firewalls are the solution (okay, a solution, one which can be applied by an ISP). So what's the problem here?
Let's see here: could it be that there is more to the internet than HTTP, SMTP, POP3 and FTP? Nah
Surely there are ways of implementing ISP firewalls which don't reduce the Internet to a few services. What's wrong with the suggestion (first made by others in this thread) that ISPs should firewall almost everything by default but should open ports at the request of the user? Users who are knowledgeable enough to know which ports they need opened can have them, and the ISP can still thoroughly firewall the masses. Not open enough for ya'? How about setting up some interface (web-based?) for letting users open their own ports, combined with numerous warnings about the dangers of doing so (to keep the average joe from opening a lot of ports for no reason).
This might be useful against DoS attacks as well. "They're attacking our webserver? Have the ISP block port 80. At least we'll still get e-mail."
Of course, firewalls are still a godsend for end users. Got an application which just insists on listening on some ports? Firewall it. Simple and effective.
Each lump of ice and rock is roughly the size of Philadelphia and orbits just beyond Neptune and Pluto.... making them roughly the temperature of Philadelphia around the time the observations were made (January?)
Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?
Because there's fewer of you (not myself a Linux user) and as a result the law of averages says it's less likely that it will happen.
I've argued against this several times on Slashdot and elsewhere. Frankly, I'm getting sick of arguing it, but oh well. What do you think about this counter-argument:
1) When appropriate vulnerabilities in Linux show up, so do worms (e.g. ssh circa 2001, the RedHat lpd vulnerability).
2) Worms do not always target common boxes. Example, the MS SQL worm, whose "target audience" was very small. Note that this worm did massive damage, albeit indirectly, by causing enough faulty DNS lookups to bring down several root DNS servers.
3) Both of these examples show that worms sometimes target uncommon OS configurations. Furthermore, as the latter example points out, massive damage can be done in such cases.
4) Therefore, I would argue that worm writers do not target the most common systems, but rather those for which vulnerabilities are available. Even a worm which affects a small number of systems can cause massive damage, and I believe that this is the worm-writer's goal. Thus Windows worms are common not because Windows is so commonly used, but rather because it has more vulnerabilities of the appropriate type (remote execution of arbitrary code) than does Linux.
From my own experience any website that I have had defaced on me was because I failed to update 3rd party OSS packages. This had nothing to do with the security of the operating system or the web server for that matter. It was only a security hole in one php script.
I think one could say the same about Windows, no? It has nothing to do with the security of the OS if hackers find vulnerabilities in a commonly used application (e.g. Outlook).
To take this one step further, you could probably make the even more general argument that almost nothing really tells you which OS is more secure. Rather, break-ins involving a particular piece of code only tell you that the particular piece of code is insecure. You could argue that website defacements really measure the security of webservers, other web-related packages (PHP, shopping cart programs, and the like) and perhaps the security of other servers on the system, all depending on what exactly was used to break in to the system. Technically, even the security of other systems on the same network could play a factor (e.g. if someone roots the mail server and the root user has the same password on both the mail and web servers).
A big part of the difficulty here comes in splitting out applications from OS. Internet Explorer, Outlook and Media Player 9 are all technically applications, but I'm not sure that any of them can be properly "removed" from newer versions of Windows, at least not by your "average joe". Likewise in the Linux world, while it is rather clear that video games and the like are applications and thus separate (though some people insist on counting them in their Linux "vulnerability" lists anyway :) it gets harder when dealing with programs like SSH or LPD. SSH is third-party, but it's in such common use and is by far the preferred terminal server on Linux, so it seems as though it should count as part of the OS. Likewise, although LPD has sort of been replaced by CUPS, it's still in common enough use, and supplies a sufficiently basic function (printing), that many people count it as part of the OS. Yet I personally am not running either LPR or the SSH server and still have a perfectly functional Linux box, so they're hardly required parts of the OS.
Needless to say, comparing the security of OSes based on the number of times their applications are compromised is awfully hard to justify. If you include applications with the OS, then you beg the question: "which apps"? If you don't include applications with the OS, then in many cases one OS has much greater functionality and thus more opportunities to be compromised, so the comparison still seems unfair (having an always-on RPC server does provide functionality, you must admit).
Frankly, I'm starting to think that this argument should just go away. Nobody seems to agree on what constitutes Windows and Linux. Without even those basic ground rules, how in the world can we have an intelligent argument about the relative security of Windows and Linux (and MacOS, and *BSD, and...)?
Anyway, based on the other comments you've made in this thread, it would appear that you were being serious. Okay, here's my analysis of your analysis.
What a ridiculous rant.
It's complete, 100% common sense that if you were able to magically give Linux the 90+ percent marketshare that Windows has, it will suddenly come under HUGE fire, hackers will be flinging shit at it left and right, and no doubt dozens of holes will be discovered that nobody knows about because the system isn't as "beta-tested" as Windows is.
First, by using the "common sense" argument, you're simply dismissing my argument against this particular point rather than arguing against it. Translation: you have just said nothing. Second, according to another article on SlashDot right about now, some people believe that Mars is about to crash into the Earth. Needless to say, "common sense" isn't worth much. Many people don't have it at all, and even then people don't always agree on what the "common sense" answer is (see any political debate for an example of this). Third, you've presented speculation as fact. You said that if Linux had more market share then "bad things X, Y and Z" would happen. Based on what? What is the evidence for the scenario you presented? You're speculating without presenting any evidence for your position.
Second, didn't the last big Windows worm only affect people running MS SQL? What is that, 1% of all Windows installs? So despite the small number of computers which would be affected by this worm, it was still written.
The typical Slashbot strategy. Completely make up a number from thin air that you haven't even looked up--typically illogical (1%???)--and then proceed to base your argument on it as though it is true.
First, the exact number doesn't matter. The point was that there were relatively few MS SQL installs listening on the Internet. This contradicts your claim that it is merely the large market share of Windows which makes it a target because a worm writer targeted a small subset of computers on the Internet with that worm (they just happened to be Windows boxes). Clearly you just didn't _understand_ this argument (it's always lovely to argue with people like that). Do you understand now? The exact percent doesn't matter, just the sense that it's a small number, like Linux desktop use.
Second, you didn't present any evidence that my number (1%) was wrong. Don't complain about my lack of evidence or "illogical" argument when you're not willing to present any evidence yourself.
Microsoft had two announced holes last month, while Linux had nine. But there is a massive anti-Microsoft bias here at Slashdot, and everything they do is evil and wrong. Linux flaws only get reported when they're very major ones, like the filesystem-corrupting "turkey" release of the kernel, or the recent FTP hacking incident that people have been making excuses left and right for.
Okay, there are any number of problems with this paragraph.
The biggest one is that you used the word "holes". What is a "hole"? I don't remember even one vulnerability in Linux which allowed remote execution of arbitrary code in the past month (or the past several months, as I mentioned in my previous post). This would be a bug similar in severity to the Windows RPC bug. In other words, you left out vital information which would have hurt your argument and adjusted your language to avoid raising the issue. Perhaps you simply don't understand the difference between local and remote vulnerabilities, what a buffer overflow is, or what privilege escalation means. I've seen a lot of that lately - MS supporters who use terms like "hole" or "vulnerability" while failing to distinguish types, presumably because those words are the totality of the depth of their understanding of the issue.
Other mistakes: Bugs patches does not equal bugs in existence (you argued this yourself in your
The only way that I can recommend giving yourself a little extra security is to Always pay for the damned insurance.
Or you could try buying only from people in your area, and insisting on meeting them in person for the transaction. That's what I do. This should work for relatively generic stuff, though of course unique or hard-to-find items may not be available locally.
And the memory only goes up to 2GB. Excuse me, but that's not an enterprise server. That's a low-end server. Perfect for a small department server or maybe for hosting a small website.
2GB of RAM to host a "small website"? Is that just me, or are you exaggerating just a little bit here? :)
Seriously, most of the "small" servers I see are in the 400 MHz/128 MB range, mainly because that's the level of hardware which people in large companies are taking out of service (read: throwing away) right now. Perhaps a server like the XServe which is more powerful than that, but without enterprise level equipment (SCSI, ECC memory, etc.) doesn't have a niche anymore?
Given the same marketshare as Windows, Linux would be just as much targeted by the black hats and script kiddies alike as Windows is these days.
I'm getting sick of hearing this particular bit of FUD.
First of all, when a vulnerability of this calibre is found in Linux or in common Linux utilities (e.g. the ssh vulnerability) it _does_ get attacked, despite Linux's smaller marketshare. RedHat lpd anyone?
Second, didn't the last big Windows worm only affect people running MS SQL? What is that, 1% of all Windows installs? So despite the small number of computers which would be affected by this worm, it was still written. Note that it also did a fair amount of damage (took down some root nameservers, I think), which is exactly why worm writers are targeting systems with smaller marketshare -- because "smaller" still means something in the realm of a million or so computers, which is more than enough to do some serious damage!
Thus the argument that Linux's marketshare is the reason why it doesn't get attacked does not make sense. Systems with limited marketshare (like Linux) _do_ get attacked by worms, presumably because they can still do lots of damage.
So why so few Linux worms? I suspect the reason why there have been fewer Linux worms in the past few years is that there have been fewer vulnerabilities in Linux and common Linux utilities which were severe enough to allow a worm to spread. Linux has its share of security vulnerabilities, but there's a big difference between a bug which allows a user to, say, overwrite arbitrary files on a system, and one which allows them to execute code on the system without even logging in!
If Linux were on 90% of all desktop PCs, you'd see the same kinds of viruses and worms.
I don't buy it. When such vulnerabilities do appear in Linux (ssh, RedHat lpd) it seems to me that worms appear as well. But there haven't been any Linux worms in the last year or so, while there have been several Windows worms. How can you explain this?
I suspect that the only explanation is that Windows has more of these severe vulnerabilities which can be exploited to make viruses/worms. As I mentioned in another thread, I don't think that there are any Linux vulnerabilities right now which are of the proper type to allow worms to propagate. The vulnerabilities which are known are less severe than that (mostly local DoS or gaining root access from a user shell) and often involve programs which are unusual or at least optional, not vital services. I have the feeling that people fail to make these distinctions (more vs. less severe, required vs. optional software) when they argue that Linux could be "wormed" just as easily as Windows. Instead, I would argue that Windows has more _severe_ bugs than Linux, and that severity, not marketshare, is why it keeps getting hit so hard.
A binary protocol is being used: :-)
it's WBXML over HyperQueue. RTFA.
Thanks for supplying a sample packet.
Snake oil gets its name from the snake people (The SENECA Nation of Indians, part of the Iroquois league). It's petroleum.
[snip]
It was also taken internally as a laxative.
Think for a moment about exactly _why_ that would work.
Hilarious!
And properly applied firewalls are the solution (okay, a solution, one which can be applied by an ISP). So what's the problem here?
Let's see here: could it be that there is more to the internet than HTTP, SMTP, POP3 and FTP? Nah
Surely there are ways of implementing ISP firewalls which don't reduce the Internet to a few services. What's wrong with the suggestion (first made by others in this thread) that ISPs should firewall almost everything by default but should open ports at the request of the user? Users who are knowledgeable enough to know which ports they need opened can have them, and the ISP can still thoroughly firewall the masses. Not open enough for ya'? How about setting up some interface (web-based?) for letting users open their own ports, combined with numerous warnings about the dangers of doing so (to keep the average joe from opening a lot of ports for no reason).
This might be useful against DoS attacks as well. "They're attacking our webserver? Have the ISP block port 80. At least we'll still get e-mail."
Of course, firewalls are still a godsend for end users. Got an application which just insists on listening on some ports? Firewall it. Simple and effective.
Each lump of ice and rock is roughly the size of Philadelphia and orbits just beyond Neptune and Pluto. ... making them roughly the temperature of Philadelphia around the time the observations were made (January?)
It kind of reminds me of the times when Europe was the known world. :)
You mean in high school History class?
The problem isn't ports - it's the applications that use the ports.
And properly applied firewalls are the solution (okay, a solution, one which can be applied by an ISP). So what's the problem here?
Try to think laterally. Not everyone uses computers on the desktop like you.
"Try to think outside your box."
Or perhaps you mean vertically?
"Try to think below your box. Waaaaay below."
Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?
Because there's fewer of you (not myself a Linux user) and as a result the law of averages says it's less likely that it will happen.
I've argued against this several times on Slashdot and elsewhere. Frankly, I'm getting sick of arguing it, but oh well. What do you think about this counter-argument:
1) When appropriate vulnerabilities in Linux show up, so do worms (e.g. ssh circa 2001, the RedHat lpd vulnerability).
2) Worms do not always target common boxes. Example, the MS SQL worm, whose "target audience" was very small. Note that this worm did massive damage, albeit indirectly, by causing enough faulty DNS lookups to bring down several root DNS servers.
3) Both of these examples show that worms sometimes target uncommon OS configurations. Furthermore, as the latter example points out, massive damage can be done in such cases.
4) Therefore, I would argue that worm writers do not target the most common systems, but rather those for which vulnerabilities are available. Even a worm which affects a small number of systems can cause massive damage, and I believe that this is the worm-writer's goal. Thus Windows worms are common not because Windows is so commonly used, but rather because it has more vulnerabilities of the appropriate type (remote execution of arbitrary code) than does Linux.
Any comments?
From my own experience any website that I have had defaced on me was because I failed to update 3rd party OSS packages. This had nothing to do with the security of the operating system or the web server for that matter. It was only a security hole in one php script.
:) it gets harder when dealing with programs like SSH or LPD. SSH is third-party, but it's in such common use and is by far the preferred terminal server on Linux, so it seems as though it should count as part of the OS. Likewise, although LPD has sort of been replaced by CUPS, it's still in common enough use, and supplies a sufficiently basic function (printing), that many people count it as part of the OS. Yet I personally am not running either LPR or the SSH server and still have a perfectly functional Linux box, so they're hardly required parts of the OS.
I think one could say the same about Windows, no? It has nothing to do with the security of the OS if hackers find vulnerabilities in a commonly used application (e.g. Outlook).
To take this one step further, you could probably make the even more general argument that almost nothing really tells you which OS is more secure. Rather, break-ins involving a particular piece of code only tell you that the particular piece of code is insecure. You could argue that website defacements really measure the security of webservers, other web-related packages (PHP, shopping cart programs, and the like) and perhaps the security of other servers on the system, all depending on what exactly was used to break in to the system. Technically, even the security of other systems on the same network could play a factor (e.g. if someone roots the mail server and the root user has the same password on both the mail and web servers).
A big part of the difficulty here comes in splitting out applications from OS. Internet Explorer, Outlook and Media Player 9 are all technically applications, but I'm not sure that any of them can be properly "removed" from newer versions of Windows, at least not by your "average joe". Likewise in the Linux world, while it is rather clear that video games and the like are applications and thus separate (though some people insist on counting them in their Linux "vulnerability" lists anyway
Needless to say, comparing the security of OSes based on the number of times their applications are compromised is awfully hard to justify. If you include applications with the OS, then you beg the question: "which apps"? If you don't include applications with the OS, then in many cases one OS has much greater functionality and thus more opportunities to be compromised, so the comparison still seems unfair (having an always-on RPC server does provide functionality, you must admit).
Frankly, I'm starting to think that this argument should just go away. Nobody seems to agree on what constitutes Windows and Linux. Without even those basic ground rules, how in the world can we have an intelligent argument about the relative security of Windows and Linux (and MacOS, and *BSD, and...)?
Sorry for taking so long to reply. I just moved.
Anyway, based on the other comments you've made in this thread, it would appear that you were being serious. Okay, here's my analysis of your analysis.
What a ridiculous rant.
It's complete, 100% common sense that if you were able to magically give Linux the 90+ percent marketshare that Windows has, it will suddenly come under HUGE fire, hackers will be flinging shit at it left and right, and no doubt dozens of holes will be discovered that nobody knows about because the system isn't as "beta-tested" as Windows is.
First, by using the "common sense" argument, you're simply dismissing my argument against this particular point rather than arguing against it. Translation: you have just said nothing. Second, according to another article on SlashDot right about now, some people believe that Mars is about to crash into the Earth. Needless to say, "common sense" isn't worth much. Many people don't have it at all, and even then people don't always agree on what the "common sense" answer is (see any political debate for an example of this). Third, you've presented speculation as fact. You said that if Linux had more market share then "bad things X, Y and Z" would happen. Based on what? What is the evidence for the scenario you presented? You're speculating without presenting any evidence for your position.
Second, didn't the last big Windows worm only affect people running MS SQL? What is that, 1% of all Windows installs? So despite the small number of computers which would be affected by this worm, it was still written.
The typical Slashbot strategy. Completely make up a number from thin air that you haven't even looked up--typically illogical (1%???)--and then proceed to base your argument on it as though it is true.
First, the exact number doesn't matter. The point was that there were relatively few MS SQL installs listening on the Internet. This contradicts your claim that it is merely the large market share of Windows which makes it a target because a worm writer targeted a small subset of computers on the Internet with that worm (they just happened to be Windows boxes). Clearly you just didn't _understand_ this argument (it's always lovely to argue with people like that). Do you understand now? The exact percent doesn't matter, just the sense that it's a small number, like Linux desktop use.
Second, you didn't present any evidence that my number (1%) was wrong. Don't complain about my lack of evidence or "illogical" argument when you're not willing to present any evidence yourself.
Microsoft had two announced holes last month, while Linux had nine. But there is a massive anti-Microsoft bias here at Slashdot, and everything they do is evil and wrong. Linux flaws only get reported when they're very major ones, like the filesystem-corrupting "turkey" release of the kernel, or the recent FTP hacking incident that people have been making excuses left and right for.
Okay, there are any number of problems with this paragraph.
The biggest one is that you used the word "holes". What is a "hole"? I don't remember even one vulnerability in Linux which allowed remote execution of arbitrary code in the past month (or the past several months, as I mentioned in my previous post). This would be a bug similar in severity to the Windows RPC bug. In other words, you left out vital information which would have hurt your argument and adjusted your language to avoid raising the issue. Perhaps you simply don't understand the difference between local and remote vulnerabilities, what a buffer overflow is, or what privilege escalation means. I've seen a lot of that lately - MS supporters who use terms like "hole" or "vulnerability" while failing to distinguish types, presumably because those words are the totality of the depth of their understanding of the issue.
Other mistakes: Bugs patches does not equal bugs in existence (you argued this yourself in your
The only way that I can recommend giving yourself a little extra security is to Always pay for the damned insurance.
Or you could try buying only from people in your area, and insisting on meeting them in person for the transaction. That's what I do. This should work for relatively generic stuff, though of course unique or hard-to-find items may not be available locally.
Are you being serious or sarcastic?
And the memory only goes up to 2GB. Excuse me, but that's not an enterprise server. That's a low-end server. Perfect for a small department server or maybe for hosting a small website.
:)
2GB of RAM to host a "small website"? Is that just me, or are you exaggerating just a little bit here?
Seriously, most of the "small" servers I see are in the 400 MHz/128 MB range, mainly because that's the level of hardware which people in large companies are taking out of service (read: throwing away) right now. Perhaps a server like the XServe which is more powerful than that, but without enterprise level equipment (SCSI, ECC memory, etc.) doesn't have a niche anymore?
Given the same marketshare as Windows, Linux would be just as much targeted by the black hats and script kiddies alike as Windows is these days.
I'm getting sick of hearing this particular bit of FUD.
First of all, when a vulnerability of this calibre is found in Linux or in common Linux utilities (e.g. the ssh vulnerability) it _does_ get attacked, despite Linux's smaller marketshare. RedHat lpd anyone?
Second, didn't the last big Windows worm only affect people running MS SQL? What is that, 1% of all Windows installs? So despite the small number of computers which would be affected by this worm, it was still written. Note that it also did a fair amount of damage (took down some root nameservers, I think), which is exactly why worm writers are targeting systems with smaller marketshare -- because "smaller" still means something in the realm of a million or so computers, which is more than enough to do some serious damage!
Thus the argument that Linux's marketshare is the reason why it doesn't get attacked does not make sense. Systems with limited marketshare (like Linux) _do_ get attacked by worms, presumably because they can still do lots of damage.
So why so few Linux worms? I suspect the reason why there have been fewer Linux worms in the past few years is that there have been fewer vulnerabilities in Linux and common Linux utilities which were severe enough to allow a worm to spread. Linux has its share of security vulnerabilities, but there's a big difference between a bug which allows a user to, say, overwrite arbitrary files on a system, and one which allows them to execute code on the system without even logging in!
If Linux were on 90% of all desktop PCs, you'd see the same kinds of viruses and worms.
I don't buy it. When such vulnerabilities do appear in Linux (ssh, RedHat lpd) it seems to me that worms appear as well. But there haven't been any Linux worms in the last year or so, while there have been several Windows worms. How can you explain this?
I suspect that the only explanation is that Windows has more of these severe vulnerabilities which can be exploited to make viruses/worms. As I mentioned in another thread, I don't think that there are any Linux vulnerabilities right now which are of the proper type to allow worms to propagate. The vulnerabilities which are known are less severe than that (mostly local DoS or gaining root access from a user shell) and often involve programs which are unusual or at least optional, not vital services. I have the feeling that people fail to make these distinctions (more vs. less severe, required vs. optional software) when they argue that Linux could be "wormed" just as easily as Windows. Instead, I would argue that Windows has more _severe_ bugs than Linux, and that severity, not marketshare, is why it keeps getting hit so hard.
All it takes is to know the root password. You don't even need to guess what the login name is. (Windows is NO better in this respect.)
To be fair, you can change the name of the Administrator account in Windows 2000, and perhaps other versions. That helps, doesn't it?