No offense, but you gotta be a dumb bastard if you figure that you did that. You see, when two parties are in the process of exchanging consideration for a product or service, each side gets to set the terms at which they are willing to operate. Blizzard set the terms on which they offered you the game; when you gave your local software distributor money, you agreed to those terms. Sucks, don't it.
By following the steps of this recommendation, reporters are being responsible. And in return it is completely reasonable for the vendors (who ultimately are responsible for the flaw's existence) to have a list of behaviors and practices that a reporter can expect to encounter. By following this process, vendors are aiding and encouraging reporters in working in a middle ground that gives the best of both worlds. A reporter always has the option of immediate, full disclosure. In order to discourage this, it makes sense for vendors to do their absolute best to bend over backwards for a reporter who has made the effort to work within a framework that benefits the vendor more than the reporter. Additionally, there are numerous recommendations in there for a reporter to do the best possible job they can to verify the validity of the issue. Which, again, if everybody is willing to come to the table, is of benefit to the vendor as much as to the reporter.
What's more is that exploits typically don't violate the "personal integrity" of the software (i.e. Apache). They violate the integrity of a service provider's server.
It's only absurd if you don't consider that things that are copyrighted, patented, trademarked, etc. require the expenditure of time, effort, and money. If you look at it from the point of view of the creator (which is really the only valid point of view, since without the creator, the thing wouldn't exist) then it's not absurd to consider ownership of IP.
No, you should not. First off, your children should have to make their own way in the world. While it's a nice thought to provide for them, I think that people are better off providing for themselves.
Why shouldn't I be able to give my possessions away to whomever I desire, whenever I desire? I mean for fuck's sake, should I be able to give a birthday present to my kid? Or should he have to go out and earn his own way? It's the same kind of situation. No matter what kind of shenanigans people want to get up to re. the 'Death Tax', the fact is it will be possible for me to transfer ownership to my descendants effectively at my death.
Second, copyrights should expire just for that reason. You'll be forced to write another great novel to feed yourself. And then later another. You continue to live off your talent, and in the end we have a library of great works, not just one.
That's a great idea. We should extend it to other areas. Like home ownership. You should have to repurchase your home on an annual basis. You shouldn't be able to pay it off and own it. You should have to pay again and again to keep it. You should have to do the same with your marriage vows. Every six months you must re-court, re-engage, re-marry your spouse. And you should have to rebuy your clothes. And you should have to pay for that Big Mac you ate last night every day. On a continuing basis. That way the rest of us can continue to benefit from your work. Who cares if you'll never get ahead, you owe us. You must work for us. You have to do what we want you to do and we're going to make sure that you do by taking away what you have already earned unless you pay for it all again.
What the fuck? Do you not read? Or do you always argue your own argument so you can win? Jesus fucking Christ on a crutch. You're looking at the fucking 2000 table. Not the 2001 table which is what the rest of the fucking thread is talking about.
As far as the rest of the discussion goes, assuming you want to join us over here where we are talking, of the four Linux distros with more vulnerabilities reported, there are three different distributors involved. That's three different groups of people making more fuck-ups than Microsoft.
Next time you might want to actually make sure you know what everybody is discussing before uncorking that giardia-laden orifice you call a mouth.
I am betting that the numbers listed on the NTBugtraq site do include holes in IIS, Outlook, Exchange Server, SQLServer, etc. Just like I expect that they include bugs in Apache, Sendmail, mysql, etc.
Personally, all the servers at work run Solaris. And we still harden the hell out of it, and have multiple firewalls segregating various boxes from each other and the net at large.
Well, is IIS part of 2K? It's not on any of my 2K boxes. It could be installed, but it's not. So do you think they are including IIS exploits in those NT/2K numbers? How about Exchange? Exchange Server? I bet they are. So it's rational to include problems with software that a vendor (i.e. RedHat, SuSE, Mandrake, Microsoft) includes as (a potentially optional) part of their out-of-the-box install. The vendors should be held accountable for software they include as part of their distros. RedHat, et al., make choices about what they include in their OSes. And they are responsible for those choices. Yes, Microsoft has dramatically larger resources so one might expect Microsoft to be a little more capable of producing a higher quality product so maybe we should give the little guys some slack when it comes to comparing... fuck that. Linux distributors have chosen to compete with Microsoft; they should be held to the same level of accountability.
Perhaps you need to look at those numbers again. Last time I checked, 54 > 42. I would assume that that includes all vulnerabilities reported for 7.0 & 7.1, while the MS numbers include NT & 2K.
Look at the third or fourth chart. The one that lists vulnerabilities for 2001 by OS. It breaks things down into smaller pieces, such as RedHat 7.1, etc. There are four different Linux distros that are higher than Windows 2000.
One would hope that they won't lose their entire server farm in one fell swoop. Losing a single server out of something like 4000 or 8000 isn't a big deal even if you lose all the data it had, when you are in the business that Google is in.
I don't think you looked at the numbers as closely as you would like people to think. Yes, it's true, the *aggregate* Linux number is huge, but some of the individual distros are higher than WinNT/Win2K (which is also an aggregate number, BTW.)
Additionally, how do you know that point 1 is true? If I were collecting such statistics, I wouldn't include the same bug, because it's obvious that it's wrong and the value that I would be providing would be lessened. Unless you've actually gone through and analyzed the entire statistics gathering process used, you don't actually know that they are counting the same bug multiple times; you are just assuming that.
This is bullshit. No offense intended, but what support do you have for your theory? That's like saying that there isn't any discrepancy between the AIDS epidemic in Africa (> 25%) vs. North America (< 1%), it's just reported more in Africa.
Major/minor security issues are well reported by third parties pretty much across the board. What's more, people want to give MS black eyes. They actively search for problems there and when they do they wave their hands above their heads, jump up and down, hoot and holler, and in general try and get as much attention for themselves as they can. It's not a reporting issue. It's just one of those things about life. (i.e. OS coders are often doing it out of curiosity and once that itch has been scratched and it's Good Enough(tm), they are "done" regardless of the actual state of their project.)
Of course now we're going to get tons of people who say "Linux is just the kernel." Or "It's the distros that are insecure, not Linux." Or "It's apache/lpd/sendmail/wuftpd/bind/etc that's insecure, not Linux." But let's get our ass on straight here. Nobody posting here is just running Linux-the-kernel. We're all running Linux-the-kernel plus apache, plus userland tools, plus bind, plus sendmail, plus proftpd, plus etc. And we all tell people we are running Linux on our servers, and perhaps sometimes we'll say "with apache as our webserver." But ultimately it's "Linux" that is our OS. And all the mainstream apps that we include are part of that "Linux" that we tell people we use. And, yes, it is appropriate that we take our lumps on issues like this. This isn't a dick measuring contest, it's about running a quality IT environment and providing a quality service to our customers. Denial won't provide that.
And for those who really really want to argue that it's not Linux at fault, then make sure that you point the finger squarely where it belongs: at yourself! Right? I mean, Linux-the-kernel doesn't have any remote buffer overflows in its webserver. It doesn't provide for local root escalation. It's the tools that you, the admin, are responsible for having in place there that are the problem. And since you obviously chose to put them there (via installing them with the standard RedHat installer, or dl-ing, compiling and installing by hand) you are the one who is responsible. So there.
The idea that all this is on DRAM is staggering. If the refresh stops (board failure, power problem) the data is just GONE?!
Google doesn't create content. They are a search engine. Nor are they in the business of archiving the net for posterity. If they lose data, it's out there to be recollected or if not, then there's no point in them saving it anyway.
And nobody is telling you that you must get your zip program from any particular source. If you can get one that meets your needs for free, then fucking get that one for free. But just because you could get info-zip for free doesn't mean that you should automatically get winzip or powerarchiver for free. Just as it's your right to choose to use info-zip it's the software authors' right to tell you the terms that they want you to use their software. The exact same right that allows people to put their software under the GPL allows them to say "I want $5,000 for this 'Hello World!' program." Yes, it is your choice if you want to use it, but let's not rationalize taking the results of someone's hard work and not paying for it.
And after all, when you think about it, that is all they are paying for.
Are you stupid or just acting that way on Slashdot? If all you are paying for is bits, then why pay at all? I mean for fuck's sake, right there on your hard drive you have more bits than you have days of life left. Hell, everything you download over the net is just bits. Every piece of music you listen to on CD, MP3, WMA, WAV, etc. is just bits. Hell man, you really should just get rid of your net connection, 'cause, like, you got the bits already, you don't need no fucking content producers.
Or maybe it's not the bits you are paying for, but the particular arrangement of bits. Bits that are arranged in a particular order to interact in a particular way with the hardware and software you have. Arrangements that take time, effort, specialized knowledge, specialized tools to prepare and organize, and just fucking smarts on the part of the person putting the bits in the order that makes them valuable to you. And yes, they are valuable to you otherwise you wouldn't be paying for those "bits" or even stealing those "bits." What a dumb ass.
Fancy thought, but just plain wrong. GCC doesn't define what the characteristics of the operating environment are. All it does is provide one way of interacting with it. If code was more portable by writing against GCC then why do all the packages that you download and compile from source include a configure script which checks what the properties of the platform you are building for are? And unfortunately automake and autoconf do not provide replacements for the differences in the various OSes out there. Each and every package has to decide how to deal with the foibles of each platform that the program is ported to.
Something you might want to consider: GCC isn't "more compatible" it's just that a lot of people write code using GCC. There are a number of non-standard "features" (and GCCisms) in GCC that are the default behavior. People write code to them, and then their code doesn't compile on other compilers on the same platform.
Actually, I think what you are seeing is that the CPUs are "good enough" so that the compilers don't have to be. And it is a matter of "good enough". If CPUs were only one tenth the speed that they are, that 10%, or 15%, or even 5%, speed difference would be sufficient to cause an outcry and result in changes.
Just out of curiosity, if that's your normal installation procedure, why do you care if you have the source at all? Yes, it's partially true that the source being available leads to people in the community fixing bugs (sometimes), but you apparently do not (not a knock, just an observation.) So why go to the trouble of downloading source and building yourself? Binaries would suit you fine.
...after Apache of course. (Sendmail? Bind? Proftpd? PHP? - not jewels perhaps, but great workhorses.)
Ironic, isn't it, that the real software that makes the internet go isn't GPLed, but instead released under the BSD license. It's also interesting how many notable GPLed packages are half done, whereas many BSD-licensed packages seem more complete. Like the programmers involved have a better work ethic.
It's a registry patch. That's all. If you have multiple machines on a network and the users log into a domain, you can trivially write a batch file that will apply the patch. The difficulty of placing this patch is going to be entirely dependent upon each specific situation.
The only way Linux/FreeBSD/etc. will see this as being an easier situation is if in the future they make detection and application of the problem an automatic feature of the OS. MS could do the same, but the question is, will they?
Enough of an explanation?
There is no article to speak of. It's a one-paragraph blurb, most of which was copied directly into the Slashdot posting.
I think America feels pretty good about Aria Giovanni.
I'd mod you up (+1 Informative, but useless information.), but I posted.... :(
Raadt.