I dont know much about delphi/kylix, tho i do seem to remember about kylix having been discontinued some time ago... Does it abstract the native api in a way similar to say java?
And much code isn't written in such languages,// I.E.-> As long as the.h files called between platforms ported to work fully & don't overlook things like registry vs. config files under etc. for instance, or sockets diff.'s that exist between diff. OS (how they use them), OR drive letters (Ms stuff) vs. mounted devices (NIX for example).
This example is interesting, i often have to write cross platform code, and it basically boils down to: Every major os except windows has a standard way to do something, windows has a different way
You talk about backwards compatibility being a blessing in relation to dos, but it's really not... Have you ever looked at iBCS (intel binary compatibility system), it's a fairly old program for linux that lets you execute non-native binaries, and it stems from the days when linux was very new and sco was the dominant x86 unix and thus most closed source apps were compiled for it. iBCS allowed you to execute alien binaries (eg sco) under linux, and worked by remapping the sco system calls to their linux equivalents. This was relatively easy because the apis were so similar, and even worked for older (16bit) unix binaries. By contrast, dos is wildly different from current versions of windows, dos was pretty much a hack and had to be replaced, they couldnt simply continue to use the same apis. The unix apis on the other hand, while being far from perfect are still much cleaner and better designed, and hence why they've lasted so long. Even today it's possible to run linux binaries on freebsd and solaris, for the same reason as before - linux is now the biggest x86 unix and gets the lions share of the closed source apps. Attempts to remap the windows api (wine) still dont work very well, even after many thousands of man hours of coding time.
As to the cleanliness of windows apis, the first example i can pull off the top of my head is winsock.. current versions of windows support at least 2 different winsock apis, from winsock.h and ws2_32.h. They both do much the same thing, and both still work for basic socket operations. this is just pure cruft, and wouldnt have been needed if whoever decided to write winsock2 had felt winsock1 was well designed enough in the first place that it could be updated rather than scrapped and replaced. By contrast, linux has gone through several tcp stack implementations (arent they now upto net4?) but the api has remained constant, and there is never more than 1 api and 1 backend implementation at a time. And even so, i can take a program i compiled many years ago on redhat 4 using a 2.0.x kernel (net2) and run it on a current system with a 2.6.x kernel (net4)
Unix apis may get extended for new functionality, but the developers dont generally feel the old api is so flawed it cant be updated, and better to replace it from scratch (and have to leave the old one there unmodified for backwards compatibility)
All this extra complexity, legacy cruft and multiple revisions of apis floating around doesn't help security or performance either...
The backwards compatibility cruft is only necessary because the original system it's intended to be backwards compatible with was so poorly designed to begin with... Linux is backwards compatible at the binary level to the early 1.x series kernels (tho support for a.out binaries is optional nowadays), many distributions don't include the necessary backwards compatibility libraries anymore primarily because most programs are distributed as source and thus simply get recompiled, but there's nothing to stop you loading older libs. It's also source compatible to a large number of even older systems, I have C code that was originally written for old unixes running on vax systems which can still be compiled and executed on modern linux, because the source API for unix has largely remained compatible. Contrast with the windows API which differs hugely between releases, but also keeps the old incompatible APIs on newer versions, and cant easily be removed even if people don't intend to run older programs.
I doubt they would care about vmware, while it is emulation of a kind it emulates the hardware so the os can run unmodified. Perhaps paravirtualization like xen, or even higher level virtualization like virtuozzo would have more of an impact. Even so, vmware esx is very commonly used in server deployments these days so it is a perfectly valid configuration to test.
The windows test is much larger, this is mostly to do with windows itself being a far more complex beast.. It has layers upon layers of backwards compatibility cruft, many instances where multiple APIs do the same thing in slightly different ways or with slightly different options etc. Unix by contrast runs off a simple philosophy, everything is a file and is accessed through the single VFS layer, and it has always been like this. By having a good design in the first place, they've not needed to fundamentally change anything in an incompatible way. This also brings up another point against closed source, had windows and the apps running atop it being open source, the old backwards compatible apis could have been removed long ago as programs could easily have been updated to use the newer apis instead.
As to why the default install is so weak, it's because people are lazy. They want everything to work out of the box with no hassle to configure (and hence why they dont bother turning off the default crap most of the time). That said, the diversity of open source operating systems has resulted in plenty of distributions which do have a secure-by-default approach, but these have limited mass market appeal for the reason stated above. Windows by contrast tries to be one size fits all, and thus caters to the largest body of users (the lazy ones).
Well, it could spur drive makers to create a replacement technology to get round the ban. But more likely they'd just revert to some older non infringing technology, resulting in inferior drives for any country which enforces the patent.
But his server is headless, as servers should be. What is he going to be directly rendering to? He also stated the videocard was built in, so he cant even put it to good use in another machine.
That's a very good idea, and some window managers try to do it... Unfortunately while they can restart the same app in the same workspace, they can't configure it so you'l get a bunch of apps in their default startup state. Firefox's restore session feature works nicely here, but very few apps have anything like that.
I still fail to see how vmware can have any effect on the things tested by the cis tool... None of the things tested would be in any way effected by the use of vmware, in which case creating a vmware image was both much quicker.
As i noted, a default install of SUSE 10.3 gets a score of around 60, i forget the exact number.
The issues you have with windows 2003 are very similar to things i encountered with suse 10, in that the tool was intended for an earlier version and things have changed. In the case of suse it's possible to comply with the test by rolling back the applications it fails on (bastille, syslog etc) although this actually decreases security while increasing your test score.
You mention Ubuntu and SELinux, the cis test doesn't support Ubuntu. It only supports SUSE 9 and aparrently RedHat, but i couldn't get the RH version working. That said, i did run the suse test on a gentoo box and the results are here: http://enigma.ev6.net/result2.html
The score was 46, and is incredibly misleading, most of the tests fail because they cannot find suse specific files such as/etc/permissions.local, or the suse specific locations for configuration files. The actual goals sought to be achieved by the tests are for the most part implemented on this system, just not in the same way as the cis test expects, for instance: 3.4 Disable GUI Login If Possible Failed I don't have any form of GUI installed on the system whatsoever, no X11 nothing.
But i have no doubt that an install of suse 9 could get a 100% score simply by cutting+pasting the help provided in the html output. I would imagine windows 2000 or any other supported os would be exactly the same. However I'm also certain that i could configure suse 9 in a more secure way but which would fail this test. I believe suse 9 supports selinux by default btw, tho it's not enabled and the cis test doesnt make any mention of it.
----- I said in the original post how closed source stifles progress, not in relation to bug finding, but in relation to several other points. Your points about bug finding are correct, it is easier to find bugs but also easier to fix them too. This can be a plus or down side depending on who you are, what your requirements are and who you're scared of etc. It's also important to remember that not all bugs are security related, a majority of them have no security impact whatsoever but are still incredibly annoying to users. I would say that overall it's a plus to have the source, because blackhats will search for bugs in any case, but with the bugs being easier to find the chance of white hats finding and fixing those bugs is also higher. Then you have the advantage that you and/or others can fix non security related "annoying" bugs.
You are also missing out on another interesting point. With closed source there will only be a small number of "builds", so the memory layout will often be the same or predictable. Conversely, programs compiled by hand can be compiled in many different ways, different compiler flags, different configure options, making an exploit coder's work that much harder.// I could not understand in your init. post HOW ON EARTH you could say that "closed source stifles progress", & especially vs. those looking for security holes in code...
I _NEVER_ made the point your trying to argue against, please reread the original post. It stifles the general advancement of computing as a whole. Although finding and fixing bugs could also be considered a form of advancement too.
Yeah, i come from the school of leaving your machine running 24/7, and I always liked the convenience of all my apps immediately available when i started work in the morning. I never had a laptop, and i always had a lot of programs running. If i ever had to reboot for whatever reason it was a HUGE annoyance having to reload everything. Not just the loading time, but the time spent laying my apps out just how i like them on all the virtual workspaces i had.
I will quote the original post i made, which you are seemingly unable to read:
---- Closed source is negative because it stifles progress... Each vendor has to reinvent the wheel, and can't legally learn from the others. With open source you can reuse other people's code and build upon it. Closed source ensures that only vendors with enough cash to develop a complete application can enter the market, with open source it's easy to build upon an existing project.
Smaller companies or individuals who want particular features have very little chance of getting them in a closed source world, they would have to pay whatever fees a given vendor demanded *if* that vendor was even willing. With open source sufficiently capable people can implement those features, while other people can hire coders to do it for them.
New hardware architectures are far less likely to succeed, just look at IA64 as an example, failing miserably even with the backing of Intel and HP, because people can't run their closed-source apps on it. And vendors won't port those apps until there's a market, thus you have a catch-22. Therefore processor makers are constrained by choices Intel made 30 years ago, as they try to develop new chips while maintaining compatibility. As another example, Apple had to spend considerable time and effort on Rosetta to allow legacy PPC apps to run on their Intel based Macs. In an open source world many of those apps could be easily recompiled, and doing so for a large number of them would probably have taken Apple less time and effort than writing rosetta.
There's also the matter of trust, some large companies and governments are paranoid and want to see the source code and actually build it (so they can be 100% sure the binaries they have came from the source they've seen). A lot of people are equally paranoid, and some of them do have the capability to audit and compile the source.
Long term support - closed source software is at the mercy of it's vendor, so there is a chance of the product being discontinued, or the source code being lost. Users of closed source software have no fallback in situations like these.
Multi vendor support - with the source open, any vendor can begin providing support services around an open source application, customers are free to choose the vendor and support package that suits them, instead of being stuck with a single source of support. As a consequence, vendors are forced to compete. If you want a commercially supported linux you have plenty of choices, for commercially supported windows you have only one source.
Less lock-in, with open source you are far less likely to find your data locked away in a secret format known only to one company.
There are many negatives associated with closed source, and virtually no positives as far as the customers are concerned. If you have evidence to the contrary i'd like to hear it. ----
And i was replying to an anonymous poster who said: ---- Explain how closed source is so negative? Sure, you don't have the option of multiple people looking at things and fixing bugs, but when it comes to an end user only thing, does that really matter?
Be serious with yourself here - no mom-and-pop is gonna see "ooh, this program has a bug, we better look at the source and fix it" - at BEST you'd find then posting, on a forum, the bug, and someone else fixing it. Other times, they just deal with the bug and continue.
*** how long are we going to have to wait for the big breakthrough?" ***
There won't ever be a big breakthrough until there are games out SOLELY for Linux systems that can compete against the mainstream games out there nowadays....games that make people WANT to run linux and NEED to run it in order to play the games.
Once that happens, then you'll see your breakthrough.
Too bad we'll all be dead before it happens. ----
Can you point out where i talked about finding vulnerabilities/bugs? The AC i posted to mentioned it, I mentioned seve
When doing security work of any kind, the companies you work for don't like the information being made public. I don't want or need people on slashdot knowing who i am, so i am quite happy for people to believe i'm unemployed. Also what you call "proof" merely proves that someone exists, it doesnt prove that the user on slashdot is the same person as mentioned on the sites posted.
Why is vmware not legitimate? Many companies run a large number of servers under vmware these days. How exactly does being executed under vmware make a difference to the cis test? If you can show me a valid reason why vmware makes a difference i will re-run it on native hardware. I used vmware so i could post the image online, so that the results could be verified.
Yes obviously html can be edited, you should be smart enough to realise that for yourself without me having to point it out. Again, i posted the vmware image online for the express purpose of allowing people to verify that this wasnt the case. Did you bother to do so?
I stated that closed source stifles progress, and then listed a number of reasons why i believe that to be the case. I did not list the ability to find bugs as a reason. None of the replies have addressed any of the reasons that i did post, and have completely strayed from the point. If you believe any of the original reasons i posted are not valid, please explain why. They were (in a nutshell):
Cant port to new architectures, vendors wont until there are users, users wont use the new arch until there is software, this has contributed greatly to the failure of ia64 and the slow transition from 16->32 bit. You have only one proper source of support If vulnerabilities / bugs are found, only one vendor can really fix them
Incidentally, i believe you are apk. Few other people would bother still reading this story, your just trying to fool me into thinking your not a single pathetic loser.
Modern bioses have to: Probe for more hardware Test more memory (although the memory is faster) Support booting from more types of hardware Test more processors/cores And some things (like the wait time for hard drives to spin up) hasnt decreased..
Apple's "safesleep" is good... It suspends to ram, but also writes out the memory to disk as if it was hibernating. So if you lose power while in sleep mode, the machine comes back online properly (it just takes longer).
It should only swap out the whole 8GB if your actually using all that memory, at least software suspend on linux works this way. I figure if i'm running so many apps that i'm using 8gb of ram, then loading memory from disk will actually be quicker than loading all those apps manually. Also, at least with software suspend it can compress the image and it resumes fairly quickly, because it swaps the core kernel back in and swaps all the apps back in later (chances are you wont be actively using every app your running on an 8gb system).
You have it the wrong way round... The A1000 loaded kickstart from disk, and used 256Kb of it's 512KB of ram to store it. Later machines (except the A3000) had kickstart in rom. Kickstart includes most crucial parts of the OS, but you still needed a floppy or some other media to boot from. Although workbench was in rom, you needed the "loadwb" command which was disk based. Although the A4000T had the workbench.library on the hard drive. My amiga would take about 6 seconds to boot, that includes drive spin up/detection time and loading of lots of third party utilities.
Now come on, all you can do is accuse me of cheating without having downloaded the vmware image to prove how i cheated. As i said before, i simply followed the recommendations within the cis tool itself. If you would bother to read the output, you would find that it actually provides COMMANDS WHICH YOU CAN CUT AND PASTE alongside any "fail" results, have you ever even tried running it on a unix system? Did you even bother reading the HTML which i posted?
for FILE in apache2 apache apmd autofs fbset gpm hotplug \ hwscan joystick lpd mars-new named nfs portmap smb snmpd \ ypbind ypserv yppasswdd; do/etc/init.d/$FILE stop chkconfig $FILE off done for USERID in lp apache named mysql; do usermod -L -s/bin/false $USERID done Discussion:
If you merely execute the commands posted in the HTML output, you will usually achieve a pass in that area.
You challenged people to point out flaws in the cis test? not to me you didnt, but here you go anyway:
1.5 Install and Run Bastille Current versions of bastille (3.x and higher) have an upper case B in the package name, the cis tool checks for it's presence with a lowercase b (as version 2.x) but the tool tells you to install 3.x
2.2 Configure TCP Wrappers and Firewall to Limit Access It checks for the presence of tcp wrappers, most people use firewalls instead of tcp wrappers these days as theyre less susceptible to dos attacks, the tool doesnt check for firewalls
5.1 Capture Messages Sent To Syslog AUTHPRIV Facility Modern linux systems no longer use syslog, preferring to use a superior alternative such as syslog-ng, the cis tool checks only for a syslog config,
5.2 Turn On Additional Logging For FTP Daemon It also says to turn *OFF* ftp.. I would remove ftp completely, in which case the configuration file enabling logging wouldnt be present and this test would fail.
5.3 Confirm Permissions On System Log Files This test explicitely tests the permissions of several system log files, and will fail if the permissions are wrong or those files DONT EXIST... if you run something other than syslog, or dont run all of the log-generating programs (as the cis test recommends) then the files wont exist and you'l fail.
5.4 Configure syslogd to Send Logs to a Remote LogHost same as 5.1
7.2 Create ftpusers Files What is the point of this if you dont run ftp, cis recommend you dont run ftp but then demand that you create an ftpusers file (which would be redundant without ftp running)
7.3 Prevent X Server From Listening On Port 6000/tcp this checks for the presence of certain configuration files too, not only that but it checks for the exact formatting within those files, a space or a comment in the wrong place and it fails. I would secure a server by removing X11, in which case it wouldnt be listening on port 6000, cis would fail me for this even tho not having X at all is more secure.
7.4 Restrict at/cron To Authorized Users I never run at/atd, therefore the cis would fail on my systems due to the lack of an at.deny/at.allow, i would probabl configure cron by setting permissions on the executable rather than using cron.allow/deny as this is more secure (you cant execute it at all, vs the crontab program executing and following the code path to parse the cron.deny file)
7.6 Configure xinetd Access Control not running xinetd at all is surely more secure than configuring it in any way, cis test fails if this configuration is not found
7.11 Only Enable syslog To Accept Messages If Absolutely Necessary see 5.1
9.2 Create Warnings For GUI-Based Logins this requires warning banners to be configured for all the graphical login programs, if you dont have them installed the config files wont exist so you fail.
Many of the tests are also flawed in that they check for particularly for
Surely the use of native widgets would make cross platform apps much harder to develop... That said, could they write a cross platform back end, and then a frontend for each supported system?
So you bring it back to the point that closed source stifles innovation, where i quoted several reasons for this. Not one of those reasons made any reference to being able to reverse engineer the code, I made several other points none of which you have addressed.
Instead you have fabricated a point that I didn't make, and then used that to try and argue against me. Have you got mental problems or are you just trying to be annoying? I really do pity someone who's so incapable of intelligent debate as to fabricate both sides of an argument himself.
Shouldn't some of the linux vendors sue microsoft for libel? If they're making such threats, shouldn't they be required to prove them, and subsequently to pursue their rights (if any) in the matter? I'm sure if a large company made such threats and claims against microsoft products they would try to do something about it...
Chances are microsoft has little or no claim, and they know if they pursued it they'd get little or no money, the offending code (if any) would be replaced and linux would go on but with the patent threat now lifted. Someone should force their hand by suing them for libel.
Have you no idea what vmware is? It simulates a physical machine, no part of the cis test ever tests for being installed in a virtual. I could dd the vmware image to a physical host and get the exact same score. The reason i used a vmware image was so that you could download it and verify the results, but you obviously have no idea how vmware works so i dont hold much hope of you being able to actually run it.
You still think i used photoshop on an HTML file? I suggest you go and read photoshop for dummies...
And you still think i cheated? I did not "cheat" as you put it. Cheating would be to modify the test program (which is trivially easy to do, the test parameters are an xml file) or modify the results (in a text editor, not photoshop). Instead, i merely implemented the configuration changes suggested by the tool's output. Had you downloaded my vmware image you would be able to see that, but your more concerned with making yourself look stupid than actually try to prove your point.
I also did some searching around the information you posted earlier about yourself, and it seems you do this all over the place... Post garbage, cry like a spoilt child when your proven wrong. A very brief search on google basically makes you out to be a laughing stock with virtually nothing positive to be said about you.
I haven't read any of the articles you mentioned, simply because they are in old printed magazines which are at least several years old. It seems that some years ago you at least had some respect and a few worthwhile tools published, it's sad to see how far you've sunk and i truly feel sorry for you. I would liken you to SCO, once respected but due to some back luck, stupidity, errors etc, you've become a laughing stock that everyone looks down upon and pities.
Without "cheating" as you put it, you could make a system far more secure and it would get a very low score on the cis test. I have already pointed out multiple flaws in this test and you have failed to answer them, why should anyone bother pointing out more when you have yet to answer the few that have been posted already?
You challenged people to get a higher score than you, which is what i have done, nowhere did you ask for the flaws to be pointed out, but that has also been done too, and now you are trying to backpedal.
But i will reiterate what i have said already. CIS DOES NOT TEST "SECURITY", IT IS MERELY A COMPLIANCE TEST
Since you failed to understand that, CIS publish a set of configuration guidelines and this test merely checks if your system complies with these configuration guidelines. Because of the flexibility of linux, there are often multiple ways to achieve the same goals, and the cis guidelines only specify a small subset of those.// Funniest part is, ALL I ever asked for was a valid result from *NIX folks, & asking them to discuss where they felt this test was in error on their OS, & if possible, to share know-how.
This is what i did the first time, my system scored 60.something, and i went through the points where it failed one by one and pointed out why they were incorrect, i write it in response to one of your posts in august. I wrote the response within 12 hours of your original post, but i can't locate it now because slashdot no longer lets me see my entire posting history.
As for cheating, i did not cheat, i merely implemented the configuration changes as specified by CIS. I wouldn't say the resulting box is as secure as it could be made, but it complies with the cis test 90%. I notice from the web logs that you didn't bother downloading the test results, they are at: http://enigma.ev6.net/benchmark-report.html Nor did you download the vmware image, it is at: http://enigma.ev6.net/vmware-suse-cis.tar.bz2
The fact you could only get 86%, even tho full instructions on how to comply with the cis configuration is supplied both as a PDF and within the output from the testing tool, suggests a high level of incompetence on your part. I am certain that a score of 100% would be easily achievable on any supported system, including windows. After all, someone at cis must have configured a machine in the described way when writing the test.
Before you accuse me of cheating, why don't you actually read the results and have a look at the 90% compliant machine?// Think anyone believes you, now, Bert64... After you stated that which I quote from you above & your "VMWare testing methods" & PROBABLY PHOTOSHOP JOB ON YOUR "RESULTS", too??
This is the funniest part... Can i have a copy of your version of photoshop which edits HTML files and VMware images? The results i submitted are in HTML format, that stands for "Hyper Text Markup Language" and is plain text with markup for formatting. When you run the CIS tool it creates output in HTML and XML formats, i chose to post the HTML form so it would be convenient to browse from the web. Photoshop on the other hand is for editing IMAGE files, there are absolutely NO IMAGE FILES in the results I posted.
Obviously i could have edited the HTML results, but i would have done this using a TEXT EDITOR and not PHOTOSHOP. And because the HTML is so easy to change, i posted a vmware image so that you could verify the results.
So face it, your argument has been proven wrong and like a cocky little child, having been proven wrong your trying to deny ever making the argument in the first place. You remind me of someone i used to work with, he used to go away and cry when people would see through his bullshit. Your writing style is very childish too, hardly what you'd expect from someone with supposedly 20+ years experie
I dont know much about delphi/kylix, tho i do seem to remember about kylix having been discontinued some time ago... Does it abstract the native api in a way similar to say java?
// I.E.-> As long as the .h files called between platforms ported to work fully & don't overlook things like registry vs. config files under etc. for instance, or sockets diff.'s that exist between diff. OS (how they use them), OR drive letters (Ms stuff) vs. mounted devices (NIX for example).
And much code isn't written in such languages,
This example is interesting, i often have to write cross platform code, and it basically boils down to:
Every major os except windows has a standard way to do something, windows has a different way
You talk about backwards compatibility being a blessing in relation to dos, but it's really not...
Have you ever looked at iBCS (intel binary compatibility system), it's a fairly old program for linux that lets you execute non-native binaries, and it stems from the days when linux was very new and sco was the dominant x86 unix and thus most closed source apps were compiled for it. iBCS allowed you to execute alien binaries (eg sco) under linux, and worked by remapping the sco system calls to their linux equivalents. This was relatively easy because the apis were so similar, and even worked for older (16bit) unix binaries.
By contrast, dos is wildly different from current versions of windows, dos was pretty much a hack and had to be replaced, they couldnt simply continue to use the same apis. The unix apis on the other hand, while being far from perfect are still much cleaner and better designed, and hence why they've lasted so long. Even today it's possible to run linux binaries on freebsd and solaris, for the same reason as before - linux is now the biggest x86 unix and gets the lions share of the closed source apps.
Attempts to remap the windows api (wine) still dont work very well, even after many thousands of man hours of coding time.
As to the cleanliness of windows apis, the first example i can pull off the top of my head is winsock.. current versions of windows support at least 2 different winsock apis, from winsock.h and ws2_32.h. They both do much the same thing, and both still work for basic socket operations. this is just pure cruft, and wouldnt have been needed if whoever decided to write winsock2 had felt winsock1 was well designed enough in the first place that it could be updated rather than scrapped and replaced.
By contrast, linux has gone through several tcp stack implementations (arent they now upto net4?) but the api has remained constant, and there is never more than 1 api and 1 backend implementation at a time. And even so, i can take a program i compiled many years ago on redhat 4 using a 2.0.x kernel (net2) and run it on a current system with a 2.6.x kernel (net4)
Unix apis may get extended for new functionality, but the developers dont generally feel the old api is so flawed it cant be updated, and better to replace it from scratch (and have to leave the old one there unmodified for backwards compatibility)
All this extra complexity, legacy cruft and multiple revisions of apis floating around doesn't help security or performance either...
The backwards compatibility cruft is only necessary because the original system it's intended to be backwards compatible with was so poorly designed to begin with...
Linux is backwards compatible at the binary level to the early 1.x series kernels (tho support for a.out binaries is optional nowadays), many distributions don't include the necessary backwards compatibility libraries anymore primarily because most programs are distributed as source and thus simply get recompiled, but there's nothing to stop you loading older libs.
It's also source compatible to a large number of even older systems, I have C code that was originally written for old unixes running on vax systems which can still be compiled and executed on modern linux, because the source API for unix has largely remained compatible.
Contrast with the windows API which differs hugely between releases, but also keeps the old incompatible APIs on newer versions, and cant easily be removed even if people don't intend to run older programs.
I doubt they would care about vmware, while it is emulation of a kind it emulates the hardware so the os can run unmodified. Perhaps paravirtualization like xen, or even higher level virtualization like virtuozzo would have more of an impact.
Even so, vmware esx is very commonly used in server deployments these days so it is a perfectly valid configuration to test.
The windows test is much larger, this is mostly to do with windows itself being a far more complex beast.. It has layers upon layers of backwards compatibility cruft, many instances where multiple APIs do the same thing in slightly different ways or with slightly different options etc. Unix by contrast runs off a simple philosophy, everything is a file and is accessed through the single VFS layer, and it has always been like this. By having a good design in the first place, they've not needed to fundamentally change anything in an incompatible way.
This also brings up another point against closed source, had windows and the apps running atop it being open source, the old backwards compatible apis could have been removed long ago as programs could easily have been updated to use the newer apis instead.
As to why the default install is so weak, it's because people are lazy. They want everything to work out of the box with no hassle to configure (and hence why they dont bother turning off the default crap most of the time). That said, the diversity of open source operating systems has resulted in plenty of distributions which do have a secure-by-default approach, but these have limited mass market appeal for the reason stated above. Windows by contrast tries to be one size fits all, and thus caters to the largest body of users (the lazy ones).
Well, it could spur drive makers to create a replacement technology to get round the ban.
But more likely they'd just revert to some older non infringing technology, resulting in inferior drives for any country which enforces the patent.
// 2.I'm really glad you aren't in charge of setting sentencing guidelines.
Why? you plan on committing some serious crimes and want to get off lightly?
From the "CREDITS" file distributed with current linux kernel versions:
N: Raymond Chen
E: raymondc@microsoft.com
D: Author of Configure script
S: 14509 NE 39th Street #1096
S: Bellevue, Washington 98007
S: USA
So yes, at least some do or have done.
Were that the case, microsoft would have been bankrupted many years ago.
But his server is headless, as servers should be. What is he going to be directly rendering to?
He also stated the videocard was built in, so he cant even put it to good use in another machine.
That's a very good idea, and some window managers try to do it...
Unfortunately while they can restart the same app in the same workspace, they can't configure it so you'l get a bunch of apps in their default startup state. Firefox's restore session feature works nicely here, but very few apps have anything like that.
Ok...
/etc/permissions.local, or the suse specific locations for configuration files. The actual goals sought to be achieved by the tests are for the most part implemented on this system, just not in the same way as the cis test expects, for instance:
// I could not understand in your init. post HOW ON EARTH you could say that "closed source stifles progress", & especially vs. those looking for security holes in code...
I still fail to see how vmware can have any effect on the things tested by the cis tool... None of the things tested would be in any way effected by the use of vmware, in which case creating a vmware image was both much quicker.
As i noted, a default install of SUSE 10.3 gets a score of around 60, i forget the exact number.
The issues you have with windows 2003 are very similar to things i encountered with suse 10, in that the tool was intended for an earlier version and things have changed. In the case of suse it's possible to comply with the test by rolling back the applications it fails on (bastille, syslog etc) although this actually decreases security while increasing your test score.
You mention Ubuntu and SELinux, the cis test doesn't support Ubuntu. It only supports SUSE 9 and aparrently RedHat, but i couldn't get the RH version working. That said, i did run the suse test on a gentoo box and the results are here:
http://enigma.ev6.net/result2.html
The score was 46, and is incredibly misleading, most of the tests fail because they cannot find suse specific files such as
3.4 Disable GUI Login If Possible Failed
I don't have any form of GUI installed on the system whatsoever, no X11 nothing.
But i have no doubt that an install of suse 9 could get a 100% score simply by cutting+pasting the help provided in the html output. I would imagine windows 2000 or any other supported os would be exactly the same. However I'm also certain that i could configure suse 9 in a more secure way but which would fail this test.
I believe suse 9 supports selinux by default btw, tho it's not enabled and the cis test doesnt make any mention of it.
-----
I said in the original post how closed source stifles progress, not in relation to bug finding, but in relation to several other points. Your points about bug finding are correct, it is easier to find bugs but also easier to fix them too. This can be a plus or down side depending on who you are, what your requirements are and who you're scared of etc. It's also important to remember that not all bugs are security related, a majority of them have no security impact whatsoever but are still incredibly annoying to users.
I would say that overall it's a plus to have the source, because blackhats will search for bugs in any case, but with the bugs being easier to find the chance of white hats finding and fixing those bugs is also higher. Then you have the advantage that you and/or others can fix non security related "annoying" bugs.
You are also missing out on another interesting point. With closed source there will only be a small number of "builds", so the memory layout will often be the same or predictable. Conversely, programs compiled by hand can be compiled in many different ways, different compiler flags, different configure options, making an exploit coder's work that much harder.
I _NEVER_ made the point your trying to argue against, please reread the original post. It stifles the general advancement of computing as a whole. Although finding and fixing bugs could also be considered a form of advancement too.
Yeah, i come from the school of leaving your machine running 24/7, and I always liked the convenience of all my apps immediately available when i started work in the morning. I never had a laptop, and i always had a lot of programs running. If i ever had to reboot for whatever reason it was a HUGE annoyance having to reload everything. Not just the loading time, but the time spent laying my apps out just how i like them on all the virtual workspaces i had.
I will quote the original post i made, which you are seemingly unable to read:
----
Closed source is negative because it stifles progress...
Each vendor has to reinvent the wheel, and can't legally learn from the others. With open source you can reuse other people's code and build upon it. Closed source ensures that only vendors with enough cash to develop a complete application can enter the market, with open source it's easy to build upon an existing project.
Smaller companies or individuals who want particular features have very little chance of getting them in a closed source world, they would have to pay whatever fees a given vendor demanded *if* that vendor was even willing. With open source sufficiently capable people can implement those features, while other people can hire coders to do it for them.
New hardware architectures are far less likely to succeed, just look at IA64 as an example, failing miserably even with the backing of Intel and HP, because people can't run their closed-source apps on it. And vendors won't port those apps until there's a market, thus you have a catch-22. Therefore processor makers are constrained by choices Intel made 30 years ago, as they try to develop new chips while maintaining compatibility. As another example, Apple had to spend considerable time and effort on Rosetta to allow legacy PPC apps to run on their Intel based Macs. In an open source world many of those apps could be easily recompiled, and doing so for a large number of them would probably have taken Apple less time and effort than writing rosetta.
There's also the matter of trust, some large companies and governments are paranoid and want to see the source code and actually build it (so they can be 100% sure the binaries they have came from the source they've seen). A lot of people are equally paranoid, and some of them do have the capability to audit and compile the source.
Long term support - closed source software is at the mercy of it's vendor, so there is a chance of the product being discontinued, or the source code being lost. Users of closed source software have no fallback in situations like these.
Multi vendor support - with the source open, any vendor can begin providing support services around an open source application, customers are free to choose the vendor and support package that suits them, instead of being stuck with a single source of support. As a consequence, vendors are forced to compete. If you want a commercially supported linux you have plenty of choices, for commercially supported windows you have only one source.
Less lock-in, with open source you are far less likely to find your data locked away in a secret format known only to one company.
There are many negatives associated with closed source, and virtually no positives as far as the customers are concerned. If you have evidence to the contrary i'd like to hear it.
----
And i was replying to an anonymous poster who said:
----
Explain how closed source is so negative? Sure, you don't have the option of multiple people looking at things and fixing bugs, but when it comes to an end user only thing, does that really matter?
Be serious with yourself here - no mom-and-pop is gonna see "ooh, this program has a bug, we better look at the source and fix it" - at BEST you'd find then posting, on a forum, the bug, and someone else fixing it. Other times, they just deal with the bug and continue.
*** how long are we going to have to wait for the big breakthrough?" ***
There won't ever be a big breakthrough until there are games out SOLELY for Linux systems that can compete against the mainstream games out there nowadays....games that make people WANT to run linux and NEED to run it in order to play the games.
Once that happens, then you'll see your breakthrough.
Too bad we'll all be dead before it happens.
----
Can you point out where i talked about finding vulnerabilities/bugs? The AC i posted to mentioned it, I mentioned seve
When doing security work of any kind, the companies you work for don't like the information being made public. I don't want or need people on slashdot knowing who i am, so i am quite happy for people to believe i'm unemployed.
Also what you call "proof" merely proves that someone exists, it doesnt prove that the user on slashdot is the same person as mentioned on the sites posted.
Why is vmware not legitimate? Many companies run a large number of servers under vmware these days. How exactly does being executed under vmware make a difference to the cis test? If you can show me a valid reason why vmware makes a difference i will re-run it on native hardware. I used vmware so i could post the image online, so that the results could be verified.
Yes obviously html can be edited, you should be smart enough to realise that for yourself without me having to point it out. Again, i posted the vmware image online for the express purpose of allowing people to verify that this wasnt the case. Did you bother to do so?
I stated that closed source stifles progress, and then listed a number of reasons why i believe that to be the case. I did not list the ability to find bugs as a reason. None of the replies have addressed any of the reasons that i did post, and have completely strayed from the point. If you believe any of the original reasons i posted are not valid, please explain why. They were (in a nutshell):
Cant port to new architectures, vendors wont until there are users, users wont use the new arch until there is software, this has contributed greatly to the failure of ia64 and the slow transition from 16->32 bit.
You have only one proper source of support
If vulnerabilities / bugs are found, only one vendor can really fix them
Incidentally, i believe you are apk. Few other people would bother still reading this story, your just trying to fool me into thinking your not a single pathetic loser.
Modern bioses have to:
Probe for more hardware
Test more memory (although the memory is faster)
Support booting from more types of hardware
Test more processors/cores
And some things (like the wait time for hard drives to spin up) hasnt decreased..
Apple's "safesleep" is good...
It suspends to ram, but also writes out the memory to disk as if it was hibernating. So if you lose power while in sleep mode, the machine comes back online properly (it just takes longer).
It should only swap out the whole 8GB if your actually using all that memory, at least software suspend on linux works this way.
I figure if i'm running so many apps that i'm using 8gb of ram, then loading memory from disk will actually be quicker than loading all those apps manually.
Also, at least with software suspend it can compress the image and it resumes fairly quickly, because it swaps the core kernel back in and swaps all the apps back in later (chances are you wont be actively using every app your running on an 8gb system).
You have it the wrong way round...
The A1000 loaded kickstart from disk, and used 256Kb of it's 512KB of ram to store it. Later machines (except the A3000) had kickstart in rom. Kickstart includes most crucial parts of the OS, but you still needed a floppy or some other media to boot from. Although workbench was in rom, you needed the "loadwb" command which was disk based. Although the A4000T had the workbench.library on the hard drive.
My amiga would take about 6 seconds to boot, that includes drive spin up/detection time and loading of lots of third party utilities.
Now come on, all you can do is accuse me of cheating without having downloaded the vmware image to prove how i cheated. As i said before, i simply followed the recommendations within the cis tool itself. If you would bother to read the output, you would find that it actually provides COMMANDS WHICH YOU CAN CUT AND PASTE alongside any "fail" results, have you ever even tried running it on a unix system? Did you even bother reading the HTML which i posted?
/etc/init.d/$FILE stop /bin/false $USERID
Behold:
3.6 Disable Standard Boot Services Check Type: Status:
OVAL5 Failed
Description
Action:
for FILE in apache2 apache apmd autofs fbset gpm hotplug \
hwscan joystick lpd mars-new named nfs portmap smb snmpd \
ypbind ypserv yppasswdd; do
chkconfig $FILE off
done
for USERID in lp apache named mysql; do
usermod -L -s
done
Discussion:
If you merely execute the commands posted in the HTML output, you will usually achieve a pass in that area.
You challenged people to point out flaws in the cis test? not to me you didnt, but here you go anyway:
1.5 Install and Run Bastille
Current versions of bastille (3.x and higher) have an upper case B in the package name, the cis tool checks for it's presence with a lowercase b (as version 2.x) but the tool tells you to install 3.x
2.2 Configure TCP Wrappers and Firewall to Limit Access
It checks for the presence of tcp wrappers, most people use firewalls instead of tcp wrappers these days as theyre less susceptible to dos attacks, the tool doesnt check for firewalls
5.1 Capture Messages Sent To Syslog AUTHPRIV Facility
Modern linux systems no longer use syslog, preferring to use a superior alternative such as syslog-ng, the cis tool checks only for a syslog config,
5.2 Turn On Additional Logging For FTP Daemon
It also says to turn *OFF* ftp.. I would remove ftp completely, in which case the configuration file enabling logging wouldnt be present and this test would fail.
5.3 Confirm Permissions On System Log Files
This test explicitely tests the permissions of several system log files, and will fail if the permissions are wrong or those files DONT EXIST... if you run something other than syslog, or dont run all of the log-generating programs (as the cis test recommends) then the files wont exist and you'l fail.
5.4 Configure syslogd to Send Logs to a Remote LogHost
same as 5.1
7.2 Create ftpusers Files
What is the point of this if you dont run ftp, cis recommend you dont run ftp but then demand that you create an ftpusers file (which would be redundant without ftp running)
7.3 Prevent X Server From Listening On Port 6000/tcp
this checks for the presence of certain configuration files too, not only that but it checks for the exact formatting within those files, a space or a comment in the wrong place and it fails. I would secure a server by removing X11, in which case it wouldnt be listening on port 6000, cis would fail me for this even tho not having X at all is more secure.
7.4 Restrict at/cron To Authorized Users
I never run at/atd, therefore the cis would fail on my systems due to the lack of an at.deny/at.allow, i would probabl configure cron by setting permissions on the executable rather than using cron.allow/deny as this is more secure (you cant execute it at all, vs the crontab program executing and following the code path to parse the cron.deny file)
7.6 Configure xinetd Access Control
not running xinetd at all is surely more secure than configuring it in any way, cis test fails if this configuration is not found
7.11 Only Enable syslog To Accept Messages If Absolutely Necessary
see 5.1
9.2 Create Warnings For GUI-Based Logins
this requires warning banners to be configured for all the graphical login programs, if you dont have them installed the config files wont exist so you fail.
Many of the tests are also flawed in that they check for particularly for
It isn't, but its also not something that makes it "unable to compete with word", it's just an area where it isn't any better.
Nor does microsoft word...
Surely the use of native widgets would make cross platform apps much harder to develop...
That said, could they write a cross platform back end, and then a frontend for each supported system?
So you bring it back to the point that closed source stifles innovation, where i quoted several reasons for this.
Not one of those reasons made any reference to being able to reverse engineer the code, I made several other points none of which you have addressed.
Instead you have fabricated a point that I didn't make, and then used that to try and argue against me. Have you got mental problems or are you just trying to be annoying? I really do pity someone who's so incapable of intelligent debate as to fabricate both sides of an argument himself.
Shouldn't some of the linux vendors sue microsoft for libel?
If they're making such threats, shouldn't they be required to prove them, and subsequently to pursue their rights (if any) in the matter?
I'm sure if a large company made such threats and claims against microsoft products they would try to do something about it...
Chances are microsoft has little or no claim, and they know if they pursued it they'd get little or no money, the offending code (if any) would be replaced and linux would go on but with the patent threat now lifted. Someone should force their hand by suing them for libel.
Microsoft are infringing upon my unspecified patents too, you have an obligation to compensate me...
Mr Ballmer, if your listening, i would like $504,000,000 as-well please, you do have to respect unspecified intellectual property remember.
5 individual replies, i feel honored.
Have you no idea what vmware is?
It simulates a physical machine, no part of the cis test ever tests for being installed in a virtual. I could dd the vmware image to a physical host and get the exact same score. The reason i used a vmware image was so that you could download it and verify the results, but you obviously have no idea how vmware works so i dont hold much hope of you being able to actually run it.
You still think i used photoshop on an HTML file? I suggest you go and read photoshop for dummies...
And you still think i cheated? I did not "cheat" as you put it. Cheating would be to modify the test program (which is trivially easy to do, the test parameters are an xml file) or modify the results (in a text editor, not photoshop). Instead, i merely implemented the configuration changes suggested by the tool's output. Had you downloaded my vmware image you would be able to see that, but your more concerned with making yourself look stupid than actually try to prove your point.
I also did some searching around the information you posted earlier about yourself, and it seems you do this all over the place... Post garbage, cry like a spoilt child when your proven wrong. A very brief search on google basically makes you out to be a laughing stock with virtually nothing positive to be said about you.
I haven't read any of the articles you mentioned, simply because they are in old printed magazines which are at least several years old. It seems that some years ago you at least had some respect and a few worthwhile tools published, it's sad to see how far you've sunk and i truly feel sorry for you. I would liken you to SCO, once respected but due to some back luck, stupidity, errors etc, you've become a laughing stock that everyone looks down upon and pities.
Without "cheating" as you put it, you could make a system far more secure and it would get a very low score on the cis test. I have already pointed out multiple flaws in this test and you have failed to answer them, why should anyone bother pointing out more when you have yet to answer the few that have been posted already?
// Funniest part is, ALL I ever asked for was a valid result from *NIX folks, & asking them to discuss where they felt this test was in error on their OS, & if possible, to share know-how.
// Think anyone believes you, now, Bert64... After you stated that which I quote from you above & your "VMWare testing methods" & PROBABLY PHOTOSHOP JOB ON YOUR "RESULTS", too??
You challenged people to get a higher score than you, which is what i have done, nowhere did you ask for the flaws to be pointed out, but that has also been done too, and now you are trying to backpedal.
But i will reiterate what i have said already.
CIS DOES NOT TEST "SECURITY", IT IS MERELY A COMPLIANCE TEST
Since you failed to understand that, CIS publish a set of configuration guidelines and this test merely checks if your system complies with these configuration guidelines. Because of the flexibility of linux, there are often multiple ways to achieve the same goals, and the cis guidelines only specify a small subset of those.
This is what i did the first time, my system scored 60.something, and i went through the points where it failed one by one and pointed out why they were incorrect, i write it in response to one of your posts in august. I wrote the response within 12 hours of your original post, but i can't locate it now because slashdot no longer lets me see my entire posting history.
As for cheating, i did not cheat, i merely implemented the configuration changes as specified by CIS. I wouldn't say the resulting box is as secure as it could be made, but it complies with the cis test 90%.
I notice from the web logs that you didn't bother downloading the test results, they are at:
http://enigma.ev6.net/benchmark-report.html
Nor did you download the vmware image, it is at:
http://enigma.ev6.net/vmware-suse-cis.tar.bz2
The fact you could only get 86%, even tho full instructions on how to comply with the cis configuration is supplied both as a PDF and within the output from the testing tool, suggests a high level of incompetence on your part. I am certain that a score of 100% would be easily achievable on any supported system, including windows. After all, someone at cis must have configured a machine in the described way when writing the test.
Before you accuse me of cheating, why don't you actually read the results and have a look at the 90% compliant machine?
This is the funniest part... Can i have a copy of your version of photoshop which edits HTML files and VMware images?
The results i submitted are in HTML format, that stands for "Hyper Text Markup Language" and is plain text with markup for formatting. When you run the CIS tool it creates output in HTML and XML formats, i chose to post the HTML form so it would be convenient to browse from the web.
Photoshop on the other hand is for editing IMAGE files, there are absolutely NO IMAGE FILES in the results I posted.
Obviously i could have edited the HTML results, but i would have done this using a TEXT EDITOR and not PHOTOSHOP. And because the HTML is so easy to change, i posted a vmware image so that you could verify the results.
So face it, your argument has been proven wrong and like a cocky little child, having been proven wrong your trying to deny ever making the argument in the first place. You remind me of someone i used to work with, he used to go away and cry when people would see through his bullshit.
Your writing style is very childish too, hardly what you'd expect from someone with supposedly 20+ years experie