Slashdot Mirror


User: toadlife

toadlife's activity in the archive.

Stories: 0
Comments: 2,343

Comments · 2,343

  1. Re:Why do I care about FreeBSD? on FreeBSD Oct-Dec 2005 Status Report Available · · Score: 5, Informative

    "Why do we need FreeBSD?"

    So we don't have to run linux.

    "What does it do that Linux doesn't?"

    Things right.

    "Who actually uses FreeBSD?"

    People who like UNIX.

  2. Re:Who put their customers at risk!!?! on Security Researcher Says Oracle Slow to Fix Flaw · · Score: 1

    All major software packages come with these types of EULAs. It's not limited to the proprietary/commercial software arena.

  3. Re:Throw them in jail... on Feds Asked to Take Action Against Adware Creator · · Score: 1

    A follow-up to this....

    Well, my mom called. She asked me to come over when I have some free time and put Windows back on the computer.

    Oh well. :)

  4. Re:Throw them in jail... on Feds Asked to Take Action Against Adware Creator · · Score: 1

    I was just joking. I installed FreeBSD6 on my mom's computer after fixing it for her, and set it up with KDM+autologon and firefox/thunderbird. I'm waiting to see how they react when they fire it up. I guess I'm an insensitive clod.

  5. Re:Throw them in jail... on Feds Asked to Take Action Against Adware Creator · · Score: 2, Funny

    Some would say installing Linux on your mother's PC would make you an insensitive clod.

  6. You are oversimplifying things... on KDE Heap Overflow Vulnerability Found · · Score: 1

    ...and you are misinformed about Microsoft's Windows 2000 support policy.

    "I don't see this! I have two comparable machines running on a KVM switch. One runs Linux (Gentoo + 2.6 kernel) and the other runs win 2k. I run OpenOffice and Mozilla on both. In general, The Linux machine runs so much faster that I use it in preference to the Windows machine for everyday tasks."

    And I don't see what you're seeing. I run OpenOffice on both FreeBSD 6 and WinXP and loading times are roughly the same. They very well might be faster on FreeBSD, but I don't think that was the point of the parent. The parent was probably thinking of an OO/Microsoft Office comparison. On Windows, even with Open Office "quick launch" enabled (which makes it a fair comparison) Microsoft Office blows away OO as far as loading times and memory footprint. When you compare Firefox to IE, IE takes up less memory when identical pages are loaded. One more thing. You said "comparable" machine. For a fair comparison, identical machines are needed.

    "And isn't that the beauty of OSS? You can use the previous kernel without being forced to upgrade to keep your machine up to date with the latest security patches! Microsoft is dropping support for Win2k so I may be forced to upgrade just to keep my desktop secure! I personally use 2.4.x kernels on my servers because the latest improvements in the 2.6.x kernels seem to all be related to desktop performance improvements so it isn't really needed on my servers and, like you, I want the most stable for my servers. I have a lot of good experience with 2.4 kernels, why change now? Security issues are still being patched in the 2.4.x tree so I don't have to worry about that."

    That's great, but Windows 2000 is a 6 year old OS, and contrary to what you're saying, Microsoft will be releasing security patches for it until *June 2010*. How many ten year old linux kernels do you use? If you do use any, are security patches still back ported to it? How about drivers? If you bought a new server would the hardware it contains have drivers that support the 2.4 kernel? I've seen some linux drivers that only support a specific *point* release of the 2.6 kernel. What if you buy some product that only supports the latest version of RHEL which uses a linux kernel that you don't trust? This broad assumption that older linux kernels don't become obsoleted due to support issues is at best, a half-truth.

    Also, the overall quality (both security *and* stability) of Microsoft's server and desktop products has increased steadily from version to version. Aside from application support scenarios, there is no reason not to go with the latest Windows version when purchasing a new desktop or server. I'm not sure what your hang-up has been with moving from Win2k to Win XP on the desktop. It's more secure than Windows 2000, has more features, and supports more hardware. Do you use the same desktop machine you used in 2000, or have you been installing the same copy of 2000 on each desktop machine you purchased since 2000? Since XP will be ending around the same time as 2000 (It was released around the same time), I suggest you just wait for Vista and move to it after it comes out. After all, like I said before, you'll still have security patches for Win2K for quite some time.

  7. It's all AOL's fault! on Is Obsolescence Good Computer Security? · · Score: 1

    Those damn AOL commercials that say broadband makes you more susceptible are perpetuating this myth.

  8. Re:Godd quality and low prices work :) on Intel Loses Market Share to AMD · · Score: 1

    "I have always thought that Intel has a high yield, quality process. However, their prices have always been higher than AMD, Cyrix, and any of the other competitors over the years."

    That's because with Intel you're paying for the chip, plus a portion of the Blue dudes' salaries.

  9. Re:SSH? on Ask Microsoft's Security VP · · Score: 1

    My guess is because you can configure all telnet traffic (and any other IP traffic) to require authentication and/or encryption via IPSEC which is built in to 2000/XP/2003.

    My other guess is that there is little demand for it among Windows admins. How many Windows admins do you know that use the command line or scripts regularly to admin Windows? If I count myself, I know only one.

  10. Re:Every version since 3.0? on Microsoft Responds to WMF Vulnerability · · Score: 1

    "Wikipedia gives a good history of Unix including predecessors Multics, etc. all of which were designed from the start for multi-user environments. When you're designing an OS for a multi-user environment, the basic architecture is designed for security unlike Windows which assumed that there was only one user."

    Sheesh, before suggesting I brush up on OS history, learn some yourself. Just because the shell in Windows NT/2000/XP looks like the shell in Windows 95/98/ME doesn't mean the underlying OS architecture has anything in common. Windows NT was built from the ground up to be multi-user and have a robust security model. Windows 2000/XP/2003/Vista all derive from Windows NT, which was designed by the same people who designed VMS.

    Yes, UNIX was designed to be multi-user, and had some rudimentary security mechanisms built into it, but it was primarily built to allow users to share the processing power of big expensive machines, and that's about all. Security was an afterthought at the time, because it really wasn't a huge issue.

  11. Re:Every version since 3.0? on Microsoft Responds to WMF Vulnerability · · Score: 1

    "OTOH, the *nix OSs were designed from the start for a network environment with appropriate security."

    No they were not. UNIX was designed with no security and it was bolted on later.

  12. Re:Useless functionality.. on Windows Wireless Networking Flaw Identified · · Score: 1

    There is a command line option similar to "su". It's called "runas". Runas is available in the GUI too by holding down shift and right clicking on a shortcut.

  13. Re:Useless functionality.. on Windows Wireless Networking Flaw Identified · · Score: 1

    "# The problem with Windows is that you can't do anything in a limited account. At least in Linux you can do stuff with non-root accounts (such as install programs), which is why you don't go in there ever (since you can set super user mode on command line and do it that way). Some software makers go as far as to tell you to login to an admin account, and disable your anti-virus and firewall!!!"

    Windows doesn't force you to do anything of the sort. I've been running my Windows machines as a limited user for years. There are many things MS could have done to make it easier though. The reason companies write software that doesn't install or work well for limited users is not because it's hard to do, but because Microsoft never forced the issue by making users limited users by default. They went for compatibility over security, and hoped that all of the software developers would start writing their programs to work with the Windows' security model.

    "So basically the Linux ownership system. Another good idea, but needs a changing of Windows core code, such as #1"

    No changes to the Windows core code would be needed for this. Limited accounts are already pretty much restricted to writing to their home dir.

  14. Re:Ah, nice Ad-Hominem attack in there... on WMF Vulnerability is an Intentional Backdoor? · · Score: 2, Insightful

    "The reputation, sanity, motives, and anything else dealing with the person making the claim has nothing to do with the validity of the claim itself."

    Technically what you just said is absolutely correct, but, regardless of whether it's correct to do so or not, the fact that people are taking Gibson's claim with a grain of salt is hardly surprising.

    Recommended Reading

  15. Re:Right idea, but may need SELinux to do right on Future Trends of Malware · · Score: 1

    "Apache is far from vulnerability-free, but all the major worms target IIS"

    Hey, five years ago called and wants that statement back.

  16. Re:What we do not know on Linux Desktops Send NASA Rovers to Mars · · Score: 1

    "Yes, but they also said that they got much, much better stability to boot."

    Without visiting Netcraft, I'll take a guess and say they must have gone with IIS6. IIS6 is nice.

  17. Re:No Progress? on Microsoft vs. Computer Security · · Score: 1

    NT is poorly designed. In fact it wasn't designed (from the ground up) at all. It borrowed(depending on your use of the term borrowed) heavily from VMS, and then was jury-rigged to float a GUI on top of it.

    Well by *that* logic.....

    GNU/Linux is poorly designed. In fact it wasn't designed (from the ground up) at all. It borrowed(depending on your use of the term borrowed) heavily from Minix, and then was jury-rigged to float a GUI on top of it.

    FreeBSD is poorly designed. In fact it wasn't designed (from the ground up) at all. It borrowed(depending on your use of the term borrowed) heavily from the original UNIX Time Sharing System, and then was jury-rigged to float a GUI on top of it.

    OSX is poorly designed. In fact it wasn't designed (from the ground up) at all. It borrowed(depending on your use of the term borrowed) heavily from FreeBSD and Mach projects, and then was jury-rigged to float a GUI on top of it.

    Solaris is poorly designed....

  18. Re:No Progress? on Microsoft vs. Computer Security · · Score: 1

    "How many *default* holes are there in the preloaded config."

    Port 3389 which is RDP - but the RDP service is turned off by default.
    A program exception for remote assistance - so it can use RDP when it needs to
    UPnP Framework (TCP 2689/UDP 1900) - restricted to the local subnet only.

    The preloaded defaults are sane.

  19. Re:Slow progress on Microsoft vs. Computer Security · · Score: 1

    Something's wrong here. We run Office 2003 now, but previously we ran 2000 at work, and the 400 or so users that used it and didn't have admin privs didn't have any problems.

  20. Re:It's no secret... on Microsoft vs. Computer Security · · Score: 1

    "I guess because the point you were making is a tautology and above comment in itself."

    If you believe it's good to let people continue to believe falsehoods, then sure.

    Having said that, what would you have liked me to comment about and in what way?

    How about giving me a real reason why my point was "partially false"? The fact is, people have this unfounded belief that Microsoft applications have some sort of magic access to the operating system that other applications don't. If you want to say some MS apps have more vulnerabilities discovered than third party alternatives, and more of its vulnerabilities are serious, fine - that certainly seems to be true at least with IE - but it doesn't in any way negate what I said.

    "Oh, and the point I was trying to make was that an equivalent flaw might not have equivalent effect"

    By equivalent flaws, I meant flaws that have the same consequences when exploited. I thought that would be obvious, but I guess not.

  21. Re:It's no secret... on Microsoft vs. Computer Security · · Score: 0

    "Except that such is not needed. In general, Microsoft seems more focused on trying to build a strong perimeter than to make sure that components are robust. The result is that anyone who can manage to obtain any sort of local access to effect objects is bound to find a means to use said objects to execute code (look at WMF for example). And because a local user effecting an object to execute code isn't a security risk (as a general rule, at least), little focus is set on making sure components are robust against such attacks. So it's not surprising that little consideration is given when such components are used in internet applications (think of the security implications of printf(user_provided_string); for example)."

    Why do people keep missing the point I was making, or changing the subject?

    The point I was making was very simple:

    A remote code execution flaw in IE (or any other windows app) is no more dangerous than a remote code execution flaw in Firefox (or any other third party windows app).

    I never said anything about...

    * the number of flaws in either.
    * the severity of those flaws.
    * that IE was secure.
    * that Firefox was insecure.

  22. Re:It's no secret... on Microsoft vs. Computer Security · · Score: 0

    That's a nice story you wrote there, but it's not very believable.

    What you wrote *may* have been possible *if* the user was a "power user", got infected with adware which wrote a shortcut to the "all users\startup" folder and then logged onto the machine as an admin - which would run the rogue process with admin rights.

    Otherwise, your story reeks of BS, or just a misunderstanding by you or your friend of what really happened.

  23. There is no "power user" in XP home on Microsoft vs. Computer Security · · Score: 1

    "Incorrect. They are the two options available via the control panel's users control, yes. However, if you right click "My Computer" and choose "Manage", you'll have access to the same users and groups admin that's been present since at least NT 4. By default, that gives you Administrators, Power Users and Users, and you're free to create whatever other groups you wish, assigning them whatever privileges you desire."

    He's talking about XP Home, in which there is no "power user" group - even when you go into the advanced user management.

  24. Re:It's no secret... on Microsoft vs. Computer Security · · Score: 1

    "The biggest problem that Windows has, IMO, is the lack of a secure user system. They give you all of two options for users in XP; Administrator, and Limited.
    Administrator has full control of the computer and unlimited access to the registry
    Limited has next to no control over anything besides just "using" the computer."


    Correct and it sucks, but is actually only in XP Home. XP Pro has that middle ground, which BTW is being removed in Vista.

    "There is no middle ground, no permission system on comparable grounds to Linux. I run as Admin on my Windows box primarily due to the fact that I don't want the hassle of logging out every time I want to update a program or do some other mundane task."

    Actually, there is a very robust permission system for both the filesystem and registry and there is a full set of system policies which hand out rights for specific system rights (for example, installing drivers, and changing the system time). The problem is XP Home hides it all from the user, which is stupid. In XP home you can modify file permissions with the command line tool, cacls.exe. I'm not sure about registry permissions, but I do know there is a command line tool to do that too. You can also boot up to safe mode, log in as administrator and access the file permission from explorer. The other problem really isn't Microsoft's (well maybe it is), it's the fact that software developers continue to write programs that assume the user will be running them as admin.

    "Another thing that bothered me about Windows that is commonplace in Linux is the ability enter and exit Administrator mode without logging out the user through the use of a Password Prompt."

    Actually, Windows has this ability too - run-as. There is also a cool tool called "Make me admin" which temporarily makes your user account an admin account without having to log off and back on. But that doesn't solve the problem of XP Home making it very difficult to fix permissions so that regular users can run things.

    http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx

  25. Re:It's no secret... on Microsoft vs. Computer Security · · Score: 0, Redundant

    "The difference being, however, that Firefox (unlike IE) can not execute ActiveX objects, making it far less likely for a remote execution flaw to occur in Firefox than in IE. An important point to leave out."

    That has nothing to do with my point - that an exploit is an exploit regardless of whether it's IE or Firefox, but FYI, executing ActiveX controls is not actually the danger - it's installing new, nasty ones, and in IE, only administrators can install ActiveX controls.

    Vulnerabilities that cause auto-installation of ActiveX controls fail if the user doesn't have admin rights.