Slashdot Mirror


User: Bert64

Bert64's activity in the archive.

Stories
0
Comments
12,200
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 12,200

  1. Re:The proof is ..... on How To Argue That Open Source Software Is Secure? · · Score: 1

    I should also point out that it's easily possible to fake the uptime and os type returned to something like netcraft...

  2. Re:What does the government think? on How To Argue That Open Source Software Is Secure? · · Score: 1

    The air force hack happened in 1996, what were they running back then? It probably wasn't linux...

    The navy hack happened in 2003, far more recently, and they run windows behind a linux load balancing system from akamai:
    http://toolbar.netcraft.com/site_report?url=http://www.navy.mil

    The FBI hack was not against the web server, i don't believe the fbi website has ever been hacked.

  3. Re:No Software is More (or Less) Secure Due to Sou on How To Argue That Open Source Software Is Secure? · · Score: 1

    While that may be true, with oss you have the choice...

    You can wait for the original vendor to fix it for you.
    You can wait for an arbitrary third party to provide a fix.
    You can fix it yourself.
    You can pay an arbitrary third party to fix it for you.

    Closed source only gives you the first option, open source gives you all 4. Just because you aren't capable of fixing it yourself, doesn't mean someone else won't do so and provide the fix.

    With closed source, if the original vendor doesn't provide a fix you're screwed... With open source you always have a backup plan. You'd have thought having a backup plan and a second source would be standard practice in business or government procurements.

  4. Re:Simply.. on How To Argue That Open Source Software Is Secure? · · Score: 1

    While the 70s-80s unix designs on which linux is based are far from perfect, it does seem that windows has been far worse in many ways...

    Much of the problem is that although the NT kernel was originally well designed, the legacy cruft inherited from dos and the 9x windows series has severely impaired the security design of NT.

    The idea of running as admin, and with apps requiring this has been inherited from the 9x series which had no concept of permissions... This is one of the biggest issues.

    The idea that an image format can contain executable code (see the recent wmf vulnerability), this was an intentional feature not a bug.

    Autorun - again an intentional feature that opens up a big security hole.

    Encryption used for passwords, unix is modular in this respect, although older versions used DES it is easy to substitute in a new and stronger algorithm. Windows on the other hand used Lanman which is trivially weak, and removing it breaks compatibility with older systems due to the way the network authentication works. Newer versions use NTLM as well which is also fairly weak, and changing it would again break compatibility. Vista finally has lanman turned off by default, but you're still stuck with ntlm.

    And then there are new technologies MS have developed which suffer from huge design flaws...

    ActiveX - executable objects delivered by websites, an attempt to copy java applets, tho java was sandboxed while activex isnt...

    UPNP - allows machines behind a firewall to open arbitrary holes in the firewall, a protocol which is inherently insecure by design.

    Group policies - client side security, group policies are great for convenience but shouldn't be used as a security measure... Look at the policy which restricts access to cmd.exe, the check for this is implemented in the cmd.exe binary itself and easily overcome... Also the restriction thats supposed to stop you browsing to the c: drive, it only affects explorer and the file open dialogs, it doesnt affect the underlying apis so your cmd.exe can still go into that dir and view files, also if you do something like open a zipfile which gets put in a temporary subdir of c:, keep hitting the up button until you reach the root...

    Bloat / non modular - even "server" versions of windows come with all kinds of crap that will never be used on a typical server, things like ie, outlook express, media player, directx etc... I want my servers to be absolutely minimal, and controlled entirely over a serial console... I don't want any unnecessary code installed or running because it introduces risk and increases patching burden.

    Linux may be based on an older design, but it doesn't suffer from so many serious design flaws, it's a much simpler system and when it comes to security simple is good. Simple is easier to understand, and with a strong understanding you can more easily improve security.

  5. Re:Antivirus on How To Argue That Open Source Software Is Secure? · · Score: 2, Interesting

    While that may be true, blackhats also prefer unix machines...

    The CLI is better, and usable over a slow connection, smart blackhats will relay through multiple machines in different countries resulting in a connection far too slow for use of a gui.

    Unix machines will also have a whole set of cli based tools installed, and it's usually easy to install more if necessary...

    Blackhats will typically only resort to windows machines when they need mass numbers, eg spam sending and ddos, and they will write automated tools to do it rather than logging in and running tools manually.

  6. Re:Don't show them OSS is secure on How To Argue That Open Source Software Is Secure? · · Score: 1

    Or were they the result of a malicious admin?

    Or a weak password?

    Was the site itself hacked, or was it the DNS? Was it the load balancer? Was it the firewall?

    Linux will be the target of more hacks against webapps, as it's easier and cheaper for someone with little or no experience to start writing them, or to deploy such apps written by others.

  7. Re:The proof is ..... on How To Argue That Open Source Software Is Secure? · · Score: 1

    Interesting, but doesnt say if they got root or just the user running the site...

    Also, why would they give their server a name like "ubuntu1", and their kernel is 1 revision out of date...

  8. Re:The proof is ..... on How To Argue That Open Source Software Is Secure? · · Score: 1

    Your uptime should generally be as high as the time since the last kernel level security patch...

    On unix you can patch all your user land apps without rebooting, it's sometimes possible to patch the kernel without rebooting and with an open source kernel it's possible to build a minimal kernel which has a lower chance of vulnerabilities... As an example, an issue was discovered in the support for ATM networking in the linux kernel fairly recently, this issue didn't affect me because i don't have ATM support compiled in.

    Also on unix you can strip down the system to the minimum required, thus the frequency of patching is reduced because you don't have unnecessary applications installed...

    Windows makes this whole approach much harder:
    You can't strip down the kernel
    You almost always need to reboot to apply patches, even userland ones
    Even a "server" version of windows comes with a whole heap of stuff that is useless for a webserver, and yet cannot easily be removed, and still needs to be patched.

    You also have to consider how the uptime is measured... If it's being done over the network using ICMP requests as i believe netcraft does, what is actually answering those requests? Is it the actual server, or a firewall in front of it?

  9. Re:The proof is ..... on How To Argue That Open Source Software Is Secure? · · Score: 1

    Incidentally, many of the systems in that list are BSD/OS (aka BSDi), a commercial variant of BSD which stopped being developed several years ago.

    Also, the uptime checks are done based on ICMP responses I believe... Depending on your configuration, those responses might actually be coming from a firewall or load balancer sitting in front of the web server itself. Or your firewall may be blocking them completely, such that netcraft can't get a response.

  10. Re:The proof is ..... on How To Argue That Open Source Software Is Secure? · · Score: 1

    It doesn't clarify how the sites were compromised...

    Was it the system that got compromised, or something in the site itself?

    Linux hosting is generally cheaper, and therefore more commonly used by casual users who aren't concerned about security and are likely to upload vulnerable applications.

    Free webapps are more widely available for linux, the barrier to entry for someone wishing to develop webapps on linux is much lower resulting in thousands of readily available applications of dubious quality. Anyone can make an app for linux/php and upload it somewhere that others can obtain it from.

    Linux is more commonly used for shared hosting - where a single server can host thousands of sites. When you have thousands of sites and thus thousands of users on a single system, the chance of one of those being compromised is very high, and once you have local access the chance of elevating privileges is also much higher. If you were to compromise such a system, you could deface thousands of sites at once.

  11. Re:The proof is ..... on How To Argue That Open Source Software Is Secure? · · Score: 1

    Older versions of the linux kernel roll their uptime back to 0 after 497 days when running on 32bit hardware... Newer ones don't, but newer versions are by definition not so old and haven't had chance to reach such levels of uptime yet. I used to have a box which rolled around more than once.

  12. Re:Think of it like an academic report on How To Argue That Open Source Software Is Secure? · · Score: 1

    Yes, while there are thousands of open source applications out there, some of which have terrible track records, the big projects are generally well audited and often have several big companies standing behind them. I would take the combined word of RedHat, Novell and IBM over the word of MS.

    When it comes to all the small projects, you can compare them to all the small third party programs available for windows, only if you really depend on a small project you can hire someone to audit it or maintain it... If you rely on a small closed source windows utility there is a very high risk of it going unsupported, or having vulnerabilities which are never fixed etc.

  13. Re:turn tables on How To Argue That Open Source Software Is Secure? · · Score: 2, Insightful

    Actually no...
    The legit shared source approaches come with strings attached, like any bugs you find must not be disclosed except to microsoft themselves...

    And because they are a for-profit company, bugs which are discovered in private are usually kept quiet because disclosing them has a negative impact on business. They only disclose to the public bugs which were found by third parties because they have no other choice.

    What do you think the ratio of issues being found by third parties reverse engineering the binaries, vs people with the source code? How many more vulnerabilities have been discovered in private and silently fixed?

    MS like to make a big deal that the number of vulnerabilities reported in a given linux distro such as debian is greater than the number reported in a specific version of windows... But they don't point out that not only does debian distribute and support a much larger range of software some of which is also capable of running on windows, but all vulnerabilities discovered are dealt with in public.

    When it comes to the shadier methods such as bittorrent, only blackhats will acquire source code that way, and these people will actively exploit vulnerabilities rather than disclosing them.

  14. Re:turn tables on How To Argue That Open Source Software Is Secure? · · Score: 1

    Have you personally disassembled and gone through the billions of lines of resultant assembly code in windows to make sure there isn't a backdoor?

  15. Re:Good but.. on Shifting Apps To ARM Chips Could Save Laptop Batteries · · Score: 1

    Not sure how up to date it is now, but there was definitely a java version for linux/arm a few years ago, and with the jdk being open source now I'm sure there will be an updated version before long.

    Flash is available for some arm based linuxes, such as the nokia n800, not sure if you could reuse the plugin on another linux/arm system, but considering a plugin already exists it shouldn't be too hard to convince adobe to write one.
    Also, the flash spec was opened up recently so open source plugins will be progressing and could be ported to arm.

  16. Re:Not a problem on Shifting Apps To ARM Chips Could Save Laptop Batteries · · Score: 1

    Even games need not be a problem, the nintendo ds is arm based and probably wouldn't be terribly difficult to emulate on an arm based laptop. There are plenty of games for the ds, games which are suited to small low powered machines.
    If you want to play big bloated games with fancy graphics then a netbook was never a choice anyway.

  17. Re:Not a problem on Shifting Apps To ARM Chips Could Save Laptop Batteries · · Score: 1

    It doesn't run the same apps, it is only partially source compatible and 99% of windows apps don't come with source code anyway.
    Compare that to arm linux, on which 99% of linux apps can simply be recompiled, the source is available for anyone to do the compile and most apps are already available precompiled for arm, look at the debian/arm packages...

    Binary closed source software is the millstone, if you have the source then porting to a new superior architecture is easy, and you don't have to do it because someone else will. Because of binary software, people have been stuck on x86 which was always a pretty poorly designed architecture to start with... Even Intel tried to move away from it with IA64, and failed due to the binary software ball and chain.

  18. Re:Resource intensive? on Metasploit Hacking Tool To Get Services-Based Model · · Score: 1

    You could also rapidly develop new modules in the way you described in perl...
    Perl provided a good compromise between speed and ease of development, ruby however, and assembly at the opposite end of the spectrum, just sacrifice too much.
    Perl is also already installed and well supported on virtually everything...

    Ditching the perfectly working perl framework and rewrite it in what amounts to a "fashionable" language, while effectively rendering the whole thing useless on small devices (think wireless aps, netbooks, nokia's tablets, phones etc) just seems like a bad idea... All that duplicated effort to produce something that's less useful than the previous version.

    What will version 4 be? completely rewritten in the next fashionable language and requiring a minimum of 8 cores and 8gb ram?

  19. Resource intensive? on Metasploit Hacking Tool To Get Services-Based Model · · Score: 4, Interesting

    Maybe if they hadn't decided to rewrite metasploit in ruby it wouldn't be so resource intensive...
    The speed difference between 2.x and 3.x is absolutely insane. Calling the msfcli interface results in 10+ seconds of initialization before it even starts trying to exploit the target, when you have a script calling msfcli multiple times it soon gets tiring... And this is on a fairly modern dual core box. I used to run metasploit 2.x on a much slower single core box and it performed quite well.

  20. Re:So use vizualisation of some kind on Average User Only Runs 2 Apps, So Microsoft Will Charge For More · · Score: 1

    Or they could run a free OS natively, and run the cheap windows under virtualization leaving 3 spots for windows only applications...
    This would actually suit a lot of people who use linux or osx natively, but need a vm for one or two windows apps they are still tied to.

  21. Re:This is the real world calling on Average User Only Runs 2 Apps, So Microsoft Will Charge For More · · Score: 1

    Multitasking was touted as a big feature of windows 95, they advertised it on tv heavily...
    At the time, my grandma came in having seen the advert and commented on how she'd seen me doing that for years on my Amiga and wondered what was so new about it...

  22. Re:windows != applications on Average User Only Runs 2 Apps, So Microsoft Will Charge For More · · Score: 1

    MS often confuse the issue, for instance the "taskbar" is actually a "window bar", as it relates to the number of open windows rather than the number of running tasks.

    My assumption is that a "task" is another name for a "process"...

  23. Re:xterm and firefox on Average User Only Runs 2 Apps, So Microsoft Will Charge For More · · Score: 1

    Yes, but then you could just run linux natively and get better performance...
    And this version of windows is intended to be very cheap, but its still more expensive than linux, so if cheapness is your goal linux is a good fit.

  24. Re:Pricing Rational? on Average User Only Runs 2 Apps, So Microsoft Will Charge For More · · Score: 1

    I don't think anyone really liked DOS... It was either just what the computer came with, or all their computer was capable of running... Some enlightened people had expensive unix workstations, mainframes or even amigas which all had far superior systems to DOS.

  25. Re:Pricing Rational? on Average User Only Runs 2 Apps, So Microsoft Will Charge For More · · Score: 1

    It actually costs MS more to produce the crippled version which only allows a limited number of apps... They already had the existing versions, and now had to write lots of additional code to manage the restrictions and any exceptions like antivirus etc...
    So yes, the pricing structure is ridiculous... But this kind of stuff is common place, for instance the cut down versions of vista were developed after the full versions and extra effort was expended to strip them down, and many other things are sold like this.

    Microsoft doesn't care if you like their product, they just care that you buy it... Most people are locked in to their products, so they can just push total crap and you still have no choice but to buy it. Why waste effort improving the product if people are going to buy the lousy version anyway?