Right, so you pointed to a couple of not very well known tools and plenty of forums slagging you off, great.
Where's the answer to the direct question regarding the CIS tool you were asking me to run?
So i ran the cis tool on a downloaded SUSE vmware image, followed the cis guide and got a score of 90.86, which beats your score or 86 or so. I could have continued and got a higher score, but why bother? You said you'd eat your words if someone posted a score higher than your 86, so i'm waiting.
And if you want more proof, and are willing to download a *LARGE* file, the vmware image will be on http://enigma.ev6.net/vmware-suse-cis.tar.bz2 Wait a while for it to upload, its big... check back tomorrow!
The CIS tool is installed in/opt/CISngtool, but feel free to download a fresh copy to make sure it hasnt been tampered with.
A few notes about the cis benchmark tool, which is an absolute pile of toss btw: The check for gdm is broken, looks for both/etc/X11/xdm/gdm.conf and/etc/X11/gdm/gdm.conf The check for bastille is broken, modern versions have an uppercase B in the package name, the guide even tells you to install one of these versions. Many parts of this benchmark are broken, and assume something to be more secure if it's installed and configured in a particular way, rather than not installed at all. The gdm config for instance, fails if it can't find the config, even if the gdm package is not installed at all (and thus the config would be redundant in any case).
I could go on, but why bother. I beat your score, i am uploading a vmware image as proof which is more than you ever did for your rather feeble score of 86. I could quite easily get a much higher score than 90, but as i said i stopped at the point by which you said you'd eat your words.
The listeners don't pay for content played on the radio directly, the radio station pays for the right to broadcast the music. The radio station then makes money from advertisers, who advertise because they consider the listener base a large enough for their commercials. The music being played on the radio is ALREADY LICENSED for people within range of the station to listen to it, and it's in the stations interest for more people to listen. Those people who are close enough to the garage to hear the radio, are obviously within range of the radio station and could use their own radio to listen to it if they wanted. The fact that they're not using their own radio is helping the environment in a small way by saving power. I would imagine that virtually all of the customers of this car servicing company own their own radio too, because it's a really long time since i saw any kind of car which didn't have a radio fitted as standard. Hopefully this ridiculous case will be thrown out with the servicing company being awarded compensation for the legal costs incurred defending against such a pointless suit.
Find the post yourself... Slashdot doesn't let non subscribers see full posting history anymore, or i'd look it up.
Your so-called development experience is is just talk, you've not backed it up with proof. I could post all kinds of stuff, but there would be no proof behind a slashdot posting anyway. I have worked for the last 9 years in security doing code audits and network audits, as a kid i used to crack games on the amiga as part of a cracking group that was fairly well known in those days. I run my own hosting company and have contributed to several open source products. I know many people who do security research on proprietary code, and with one exception they all use fuzzing tools. There is only one guy i know who routinely follows the raw disassembled code looking for security problems. So yes, for almost all people finding holes in a higher level language is much easier.
As to your other request, i am as we speak downloading a vmware image of suse enterprise server. When downloaded, i will configure it according to the CIS documentation and run the test. Then i will post the preconfigured image online so that you can download it to verify the results yourself. I would have used redhat, but the cis tool for redhat is broken, and i couldnt get the solaris one to work on a stock install of solaris 10 on either x86 or sparc. And they don't even have a tool for OSX.
Where is your answer to my direct question about X11?
Much "theoretically, THIS could happen, and you'd be screwed!" is often spouted from all sides... When doing a risk assessment you need to think of everything that *might* happen, then consider the likelihood of it happening and weigh it up against the cost if it did, as well as considering your contingency plan incase it does happen. A small chance of something happening is better than no chance of it happening.
What are the chances of falling down and hitting your head? How much does a helmet cost? How inconvenient and unsightly is it to wear a helmet? Does riding a bike increase the risk of hitting your head enough to overcome the points against wearing a helmet? Just because you consider the risk acceptable, doesn't make it any less of a risk or necessarily mean that others will agree with you. Risks are undeniable facts, how or if you choose deal with them is subjective.
A small chance of something catastrophic happening for which there is no contingency is very bad. A high chance of something bad happening for which there is a reasonably easy and well thought out contingency plan is nowhere near as bad. Some risks are simply unavoidable factors of doing business, but any other risks should be minimized when possible.
But to answer your point.// Vendors have to reinvent the wheel This is not theoretical, it is a fact. But it is not one that *directly* influences the user, and thus they may be less aware of it. It results in wasted development time as several sets of developers implement the same functions instead of making improvements.// Small companies and/or individuals have little chance of getting the features they want implemented into closed source software. This is not theoretical. Think of a few functions you want, and then shop around. Find out how much it will cost you to have microsoft implement them, vs paying some coders to implement the same functions into linux. I can guarantee microsoft will want more.// New hardware architectures are far less likely to succeed This is also not theoretical, Intel's IA64 has completely failed to take over from x86 as intel hoped it would, and a lot of this failure can be attributed to an inability to run closed source apps intended for x86. The same thing proved a major hinderence to apple too.// Matter of trust This is a fact. Look at the hoops microsoft jumped through to prevent countries like china from switching entirely to open source. Someone less influential than the government of china wouldn't be able to make microsoft bend over backwards like this.// Long term support - closed source software is at the mercy of it's vendor, so there is a chance of the product being discontinued, or the source code being lost. Users of closed source software have no fallback in situations like these. closed source software is at the mercy of it's vendor == fact a chance of the product being discontinued == risk the source code being lost == risk Users of closed source software have no fallback == fact// Multi vendor support This is also a fact, it is impossible to provide comprehensive support for a closed source application without the co-operation of it's vendor. How are you supposed to provide proper support without the ability to correct problems in the product your supporting?// Less lock-in, with open source you are far less likely to find your data locked away in a secret format known only to one company. This is a risk, there is no reason why a closed source vendor *couldnt* implement open standards, however it is often more profitable for them to use proprietary formats to keep their customers dependent.
I posted in early august, and replied the same day as your reply.
The reason no-one bothers to follow your CIS test is because it's pointless. It does not test security, it merely tests compliance with a predefined set of configurations. Getting a 100% score is a simple matter of following the guidelines in the PDF they supply with the tool, and the fact that you tried so hard and still only got 85% says a lot.
I don't dispute your secunia data, the data accurately shows the number of vulnerabilities publicly disclosed in various different pieces of software. What i dispute is how you are misinterpreting this data. All bugs discovered in open source software are disclosed and tracked. Trying to silently patch a vulnerability would be ultimately fruitless, as just in the example of the Linux kernel you give, you would need to justify to Linus and other kernel developers why your patch should be included, and if you silently patched a serious bug other people would notice. By contrast, it is not in the interest of a commercial vendor like Microsoft to disclose vulnerabilities they found during internal testing. It is highly likely that more issues are found during internal auditing than are found by external testing, but we can only speculate as to how many security vulnerabilities get silently fixed in closed source products.
I do not even remember all of the points as to why the CIS test is garbage, but you didn't answer the one example i did remember, i would like a direct answer to this:
The CIS test failed to detect the presence of an X11 configuration file configured to disable TCP listening and direct root login for X11, and thus reduced my score. I do not have X11 installed, and thus there are no X11 related configurations on my machine. The apparent goal of this is to ensure X11 is not listening on the network, and does not permit root logons, my system fulfills both of these criteria, but fails the CIS test because it does not check in an accurate way. Is it somehow more secure to have X11 installed and running, but without TCP or root logon support, than to not have X11 installed at all? I would be very interested to know how the mere presence of X11 improves the security of my system.
I could create a higher score simply by faking it, by creating the (redundant) configuration files it's looking for. Will this improve my security, or just my CIS score?
Oh it's you... I posted a thorough debunking of your CIS tool several months ago, you failed to respond to it at all. That tool does nothing to test security, it merely tests compliance with a set of specifications for how an OS should be configured. Infact, it gives you a LOWER score for removing X11 than for keeping it running while bound only to localhost.
Also i never mentioned spotting bugs, i made a large number of points about where closed source stifles progress and you have not responded to any of them.
The hardware support is already happening... With large OEMs like Dell selling systems with Linux preinstalled, manufacturers can't afford not to have Linux drivers anymore. No Linux support = no chance to sell millions of units of your product to the likes of Dell.
A half second delay in what apps? If she's running a lot of PPC apps on her macbook, there is likely to be such a delay because of the emulation. Running native apps cures these issues. I had such problems when i still had a couple of PPC apps on my macbook, but only in those apps so your problem might be different. Typing this in Safari on OSX, keystrokes appear on screen instantly.
Windows didn't achieve it's widespread use by attractive users in any of the ways that you described... It gained home users by being what they used at work. And it gained use in workplaces by being cheaper than the (superior) alternatives. It's corporate desktops where linux is more likely to take off first, not home users. They will come along afterwards as people want to use the same system they do at work. IBM compatibles started to take over the home market in the days of dos, an operating system so laughably inferior to amigaos (amigas were commonly used as home computers in those days) in virtually every way.
Closed source is negative because it stifles progress... Each vendor has to reinvent the wheel, and can't legally learn from the others. With open source you can reuse other people's code and build upon it. Closed source ensures that only vendors with enough cash to develop a complete application can enter the market, with open source it's easy to build upon an existing project.
Smaller companies or individuals who want particular features have very little chance of getting them in a closed source world, they would have to pay whatever fees a given vendor demanded *if* that vendor was even willing. With open source sufficiently capable people can implement those features, while other people can hire coders to do it for them.
New hardware architectures are far less likely to succeed, just look at IA64 as an example, failing miserably even with the backing of Intel and HP, because people can't run their closed-source apps on it. And vendors won't port those apps until there's a market, thus you have a catch-22. Therefore processor makers are constrained by choices Intel made 30 years ago, as they try to develop new chips while maintaining compatibility. As another example, Apple had to spend considerable time and effort on Rosetta to allow legacy PPC apps to run on their Intel based Macs. In an open source world many of those apps could be easily recompiled, and doing so for a large number of them would probably have taken Apple less time and effort than writing rosetta.
There's also the matter of trust, some large companies and governments are paranoid and want to see the source code and actually build it (so they can be 100% sure the binaries they have came from the source they've seen). A lot of people are equally paranoid, and some of them do have the capability to audit and compile the source.
Long term support - closed source software is at the mercy of it's vendor, so there is a chance of the product being discontinued, or the source code being lost. Users of closed source software have no fallback in situations like these.
Multi vendor support - with the source open, any vendor can begin providing support services around an open source application, customers are free to choose the vendor and support package that suits them, instead of being stuck with a single source of support. As a consequence, vendors are forced to compete. If you want a commercially supported linux you have plenty of choices, for commercially supported windows you have only one source.
Less lock-in, with open source you are far less likely to find your data locked away in a secret format known only to one company.
There are many negatives associated with closed source, and virtually no positives as far as the customers are concerned. If you have evidence to the contrary i'd like to hear it.
The breakthrough will be the point where people aren't so locked in to proprietary formats... That is, when the question of "will it read my files" goes away. Once you have a level playing field, linux will take off far more rapidly because you can choose it based on its merits (of which there are many), and microsoft will no longer be able to hold your data to ransom in proprietary formats.
But the point is also that he had a choice, many people have no choice at all, and the people taking their choice away have never (or often arent equipped to) evaluated all their options objectively.
If Amiga produced an OS that outshone everything else available, it would still fail and virtually no-one would use it. Why? Because people are stuck with proprietary single-platform apps and formats, they can't switch to a better platform even if they wanted to. If there were standards, standard ABIs so you could write once and run anywhere, with native performance (java is still sluggish), and it isn't too great a stretch to imagine since all the major vendors are x86 compatible today anyway. You really could choose the best os, the best hardware, the best apps, and have it all run together in a way that suits you. Instead, people are stuck with someone else's choices.
It may not have sold many systems alone, but it could easily have influenced the decision of someone who was going to buy a new machine anyway. Back in the days, Doom especially prompted people to buy x86 compatible running dos, which were otherwise typically just used for office-type applications. Prior to that, most people who wanted games systems bought Nintendo, Sega or Amiga systems. Running games on dos was a huge pain in the backside, the systems were much more expensive and most other games were simply not up to the same standard, or weren't ported at all.
Windows admins are just as lazy as unix admins, however if you leave a default system on the internet... A windows box will get owned by a worm, and it will then be very noisy scanning and trying to infect more. If a unix box gets owned, it's more likely to be by an active hacker who will try to be far less conspicuous than a worm.
You'd expect someone to have a right to complain if they buy some software which has security problems, but most commercial software requires users to give up that right as part of the licence agreement.
You also talk about "with a bigger market share comes increased motivation to crack/hack" but then talk about abandoned projects, if a project has market share it's far less likely to be abandoned, especially if it's open source. Also, if someone finds and publishes holes in an open project, they usually make patches available (its only responsible to produce a patch if you can). Similarly if the project is supported by a distro, they will patch it even if the original maintainers don't. Contrast this to a proprietary product that gets abandoned, and you simply can't patch it. Many companies are left in situations where they are stuck with legacy proprietary systems which are no longer supported but which cannot be easily replaced.
Also, while the default security of windows has improved, so has the default security of unix systems. Windows machines still come with a large number of network services, even workstations! Linux and OSX comes with very little open by default, and you have to go out of your way to enable things. Lazy admins will typically leave the defaults, they will not usually turn things off which are there by default, but they have no choice but to turn things on if they`re required.
And when it comes to patching, most linuxes have package managers which can auto update, and in a lot of cases the package manager will supply all the apps, so you can update everything in one place, windows still doesn't do that.
Your point about the command line is the primary differentiator... Most windows apps (including server apps) are usually set up to be installed from a gui, you'd need to create your own method of installing these programs, as you wouldnt want the installer popping up on the user's screen. Apps for unix are usually intended to be installed from the command line, making it much easier for someone to just grab them direct from a mirror site and install them.
Remember the hacker needs to get his programs onto the host somehow, downloading them from a public download site doesn't create a trace back to him, but having his own custom apps means he needs places to store and distribute them, ultimately providing a track back to where he keeps and develops the master copies. Also many windows programs don't have public download sites, a hacker would quite happily install a pirated copy (hes breaking the law anyway, so why not break another) but then he still needs to maintain a distribution site.
Many people bought the xbox specifically to play halo... A lot of those same people may have chosen a mac for the same reason. (personally i don't think halo is all that great of a game)
But their support costs are higher as a result of not informing their staff... Some ISPs play a prerecorded message informing users of any current outages before forwarding you to any support staff. Even non technical people would understand a message saying "broadband connections in $town are currently unavailable and expected to be restored within 2 hours", and wouldnt continue to bother the support bods. Instead, at least in this one case, someone spent several hours doing disruptive things to their machine which were always going to be fruitless because the underlying network was unavailable.
All of the Apache processes show up as/usr/sbin/apache2 A process just called "apache" or "./apache" would stick out like a sore thumb... Apache doesn't run as a single user either, each site runs under it's own userid. There is also trusted path execution enabled on the server, so the web users can only execute programs which are owned by root, and located inside a directory owned by root, so they can't upload and execute arbitrary binaries, all they could really leave running is a php script.
Well, the advantage of IRC, while you still need a TCP connection, if you have enough hacked boxes it's virtually impossible to differentiate your connection from the drones...
The disadvantage of an IRC based control bot, is the lack of flexibility. You can only use the functions offered by the bot, and if you need new functions you need to update your bots. Sure you could make the bot provide an interface to the underlying command line, but then your back to the original point of the windows cli sucking.
You also need one or more stable servers to run IRC, you could use public IRC networks but most legit irc admins don't take kindly to the presence of thousands of drones on their network, and will take measures to shut them down and report whoever is running them. Typically unix machines make far more stable hosts, and are usually easier to install IRC servers on. People are also using modified irc servers nowadays, so that you can't just connect and see the hostnames of all the bots...
I've not been dossed per se, but some of the ssh/ftp brute force attempts and scans for common website vulns are incredibly aggressive. My biggest problems stem from foolish users, i host a lot of customers who have the ability to run PHP apps and choose their own passwords. Fortunately, each user has their own account, so i can easily check which user owns any malicious processes or files that appear on the system.
This is nothing new, crackers have always preferred unix machines for a number of reasons. A few years ago many crackers wouldn't even bother trying to own windows machines. You never see many people who compromise a windows machine and manually set up anything on it, windows machines are typically mass hacked and used as throwaway systems, for spamming or dossing (once a large flood of dos or spam comes from a system, it very quickly gets noticed and the system usually gets shut down). The hassle of using windows remotely (half assed command line interface etc), lack of default tools and typical low uptimes/stability discourage them being used interactively or for any kind of non-throwaway uses.
Conversely, unix machines are typically more stable, and have a far more flexible interface that's more geared up to remote cli usage. Installing something like an IRC server to collect malware is often much easier, and there's usually package management which can be used to easily install any external libraries or additional tools that might be required. There are also typically standard server apps installed and ready to use (ftpd, apache, rcp, tftp etc) which can be used to host malware, for easy download to other compromised machines (most systems have ftp/rcp/tftp clients by default, even windows).
Crackers will often turn a compromised unix machine into their "home", and keep a set of tools/exploits in a hidden directory, and use the machine for manual probing, testing of new tools and launching of other attacks, but they will rarely use windows systems for anything other than dossing/spamming or defacing a website if it hosts one.
Right, so you pointed to a couple of not very well known tools and plenty of forums slagging you off, great.
/opt/CISngtool, but feel free to download a fresh copy to make sure it hasnt been tampered with.
/etc/X11/xdm/gdm.conf and /etc/X11/gdm/gdm.conf
Where's the answer to the direct question regarding the CIS tool you were asking me to run?
So i ran the cis tool on a downloaded SUSE vmware image, followed the cis guide and got a score of 90.86, which beats your score or 86 or so.
I could have continued and got a higher score, but why bother? You said you'd eat your words if someone posted a score higher than your 86, so i'm waiting.
You can see the results here:
http://enigma.ev6.net/benchmark-report.html
And if you want more proof, and are willing to download a *LARGE* file, the vmware image will be on
http://enigma.ev6.net/vmware-suse-cis.tar.bz2
Wait a while for it to upload, its big... check back tomorrow!
The CIS tool is installed in
A few notes about the cis benchmark tool, which is an absolute pile of toss btw:
The check for gdm is broken, looks for both
The check for bastille is broken, modern versions have an uppercase B in the package name, the guide even tells you to install one of these versions.
Many parts of this benchmark are broken, and assume something to be more secure if it's installed and configured in a particular way, rather than not installed at all. The gdm config for instance, fails if it can't find the config, even if the gdm package is not installed at all (and thus the config would be redundant in any case).
I could go on, but why bother. I beat your score, i am uploading a vmware image as proof which is more than you ever did for your rather feeble score of 86. I could quite easily get a much higher score than 90, but as i said i stopped at the point by which you said you'd eat your words.
They are technically committing an act of terrorism...
They are willfully subjecting other people to an airborne chemical agent known to cause harm.
The listeners don't pay for content played on the radio directly, the radio station pays for the right to broadcast the music.
The radio station then makes money from advertisers, who advertise because they consider the listener base a large enough for their commercials.
The music being played on the radio is ALREADY LICENSED for people within range of the station to listen to it, and it's in the stations interest for more people to listen.
Those people who are close enough to the garage to hear the radio, are obviously within range of the radio station and could use their own radio to listen to it if they wanted. The fact that they're not using their own radio is helping the environment in a small way by saving power. I would imagine that virtually all of the customers of this car servicing company own their own radio too, because it's a really long time since i saw any kind of car which didn't have a radio fitted as standard.
Hopefully this ridiculous case will be thrown out with the servicing company being awarded compensation for the legal costs incurred defending against such a pointless suit.
Interestingly, i installed the CIS tool just now, on a default suse install it failed on this:
6.6 Find Unauthorized World-Writable Files
i ran the accompanying command, and the files it complaints about are the cis files themselves (as installed by the default supplied installer)
Find the post yourself...
Slashdot doesn't let non subscribers see full posting history anymore, or i'd look it up.
Your so-called development experience is is just talk, you've not backed it up with proof. I could post all kinds of stuff, but there would be no proof behind a slashdot posting anyway.
I have worked for the last 9 years in security doing code audits and network audits, as a kid i used to crack games on the amiga as part of a cracking group that was fairly well known in those days. I run my own hosting company and have contributed to several open source products.
I know many people who do security research on proprietary code, and with one exception they all use fuzzing tools. There is only one guy i know who routinely follows the raw disassembled code looking for security problems. So yes, for almost all people finding holes in a higher level language is much easier.
As to your other request, i am as we speak downloading a vmware image of suse enterprise server. When downloaded, i will configure it according to the CIS documentation and run the test. Then i will post the preconfigured image online so that you can download it to verify the results yourself.
I would have used redhat, but the cis tool for redhat is broken, and i couldnt get the solaris one to work on a stock install of solaris 10 on either x86 or sparc. And they don't even have a tool for OSX.
Where is your answer to my direct question about X11?
Much "theoretically, THIS could happen, and you'd be screwed!" is often spouted from all sides...
// Vendors have to reinvent the wheel // Small companies and/or individuals have little chance of getting the features they want implemented into closed source software. // New hardware architectures are far less likely to succeed // Matter of trust // Long term support - closed source software is at the mercy of it's vendor, so there is a chance of the product being discontinued, or the source code being lost. Users of closed source software have no fallback in situations like these. // Multi vendor support // Less lock-in, with open source you are far less likely to find your data locked away in a secret format known only to one company.
When doing a risk assessment you need to think of everything that *might* happen, then consider the likelihood of it happening and weigh it up against the cost if it did, as well as considering your contingency plan incase it does happen. A small chance of something happening is better than no chance of it happening.
What are the chances of falling down and hitting your head?
How much does a helmet cost?
How inconvenient and unsightly is it to wear a helmet?
Does riding a bike increase the risk of hitting your head enough to overcome the points against wearing a helmet?
Just because you consider the risk acceptable, doesn't make it any less of a risk or necessarily mean that others will agree with you. Risks are undeniable facts, how or if you choose deal with them is subjective.
A small chance of something catastrophic happening for which there is no contingency is very bad.
A high chance of something bad happening for which there is a reasonably easy and well thought out contingency plan is nowhere near as bad.
Some risks are simply unavoidable factors of doing business, but any other risks should be minimized when possible.
But to answer your point.
This is not theoretical, it is a fact. But it is not one that *directly* influences the user, and thus they may be less aware of it. It results in wasted development time as several sets of developers implement the same functions instead of making improvements.
This is not theoretical. Think of a few functions you want, and then shop around. Find out how much it will cost you to have microsoft implement them, vs paying some coders to implement the same functions into linux. I can guarantee microsoft will want more.
This is also not theoretical, Intel's IA64 has completely failed to take over from x86 as intel hoped it would, and a lot of this failure can be attributed to an inability to run closed source apps intended for x86. The same thing proved a major hinderence to apple too.
This is a fact. Look at the hoops microsoft jumped through to prevent countries like china from switching entirely to open source. Someone less influential than the government of china wouldn't be able to make microsoft bend over backwards like this.
closed source software is at the mercy of it's vendor == fact
a chance of the product being discontinued == risk
the source code being lost == risk
Users of closed source software have no fallback == fact
This is also a fact, it is impossible to provide comprehensive support for a closed source application without the co-operation of it's vendor. How are you supposed to provide proper support without the ability to correct problems in the product your supporting?
This is a risk, there is no reason why a closed source vendor *couldnt* implement open standards, however it is often more profitable for them to use proprietary formats to keep their customers dependent.
I posted in early august, and replied the same day as your reply.
The reason no-one bothers to follow your CIS test is because it's pointless. It does not test security, it merely tests compliance with a predefined set of configurations. Getting a 100% score is a simple matter of following the guidelines in the PDF they supply with the tool, and the fact that you tried so hard and still only got 85% says a lot.
I don't dispute your secunia data, the data accurately shows the number of vulnerabilities publicly disclosed in various different pieces of software. What i dispute is how you are misinterpreting this data.
All bugs discovered in open source software are disclosed and tracked. Trying to silently patch a vulnerability would be ultimately fruitless, as just in the example of the Linux kernel you give, you would need to justify to Linus and other kernel developers why your patch should be included, and if you silently patched a serious bug other people would notice. By contrast, it is not in the interest of a commercial vendor like Microsoft to disclose vulnerabilities they found during internal testing.
It is highly likely that more issues are found during internal auditing than are found by external testing, but we can only speculate as to how many security vulnerabilities get silently fixed in closed source products.
I do not even remember all of the points as to why the CIS test is garbage, but you didn't answer the one example i did remember, i would like a direct answer to this:
The CIS test failed to detect the presence of an X11 configuration file configured to disable TCP listening and direct root login for X11, and thus reduced my score.
I do not have X11 installed, and thus there are no X11 related configurations on my machine.
The apparent goal of this is to ensure X11 is not listening on the network, and does not permit root logons, my system fulfills both of these criteria, but fails the CIS test because it does not check in an accurate way.
Is it somehow more secure to have X11 installed and running, but without TCP or root logon support, than to not have X11 installed at all? I would be very interested to know how the mere presence of X11 improves the security of my system.
I could create a higher score simply by faking it, by creating the (redundant) configuration files it's looking for. Will this improve my security, or just my CIS score?
Oh it's you...
I posted a thorough debunking of your CIS tool several months ago, you failed to respond to it at all. That tool does nothing to test security, it merely tests compliance with a set of specifications for how an OS should be configured. Infact, it gives you a LOWER score for removing X11 than for keeping it running while bound only to localhost.
Also i never mentioned spotting bugs, i made a large number of points about where closed source stifles progress and you have not responded to any of them.
The hardware support is already happening...
With large OEMs like Dell selling systems with Linux preinstalled, manufacturers can't afford not to have Linux drivers anymore.
No Linux support = no chance to sell millions of units of your product to the likes of Dell.
Also, "slash" is also British slang for "urinate".
A half second delay in what apps?
If she's running a lot of PPC apps on her macbook, there is likely to be such a delay because of the emulation. Running native apps cures these issues. I had such problems when i still had a couple of PPC apps on my macbook, but only in those apps so your problem might be different.
Typing this in Safari on OSX, keystrokes appear on screen instantly.
Windows didn't achieve it's widespread use by attractive users in any of the ways that you described...
It gained home users by being what they used at work.
And it gained use in workplaces by being cheaper than the (superior) alternatives.
It's corporate desktops where linux is more likely to take off first, not home users. They will come along afterwards as people want to use the same system they do at work.
IBM compatibles started to take over the home market in the days of dos, an operating system so laughably inferior to amigaos (amigas were commonly used as home computers in those days) in virtually every way.
Closed source is negative because it stifles progress...
Each vendor has to reinvent the wheel, and can't legally learn from the others. With open source you can reuse other people's code and build upon it. Closed source ensures that only vendors with enough cash to develop a complete application can enter the market, with open source it's easy to build upon an existing project.
Smaller companies or individuals who want particular features have very little chance of getting them in a closed source world, they would have to pay whatever fees a given vendor demanded *if* that vendor was even willing. With open source sufficiently capable people can implement those features, while other people can hire coders to do it for them.
New hardware architectures are far less likely to succeed, just look at IA64 as an example, failing miserably even with the backing of Intel and HP, because people can't run their closed-source apps on it. And vendors won't port those apps until there's a market, thus you have a catch-22. Therefore processor makers are constrained by choices Intel made 30 years ago, as they try to develop new chips while maintaining compatibility. As another example, Apple had to spend considerable time and effort on Rosetta to allow legacy PPC apps to run on their Intel based Macs. In an open source world many of those apps could be easily recompiled, and doing so for a large number of them would probably have taken Apple less time and effort than writing rosetta.
There's also the matter of trust, some large companies and governments are paranoid and want to see the source code and actually build it (so they can be 100% sure the binaries they have came from the source they've seen). A lot of people are equally paranoid, and some of them do have the capability to audit and compile the source.
Long term support - closed source software is at the mercy of it's vendor, so there is a chance of the product being discontinued, or the source code being lost. Users of closed source software have no fallback in situations like these.
Multi vendor support - with the source open, any vendor can begin providing support services around an open source application, customers are free to choose the vendor and support package that suits them, instead of being stuck with a single source of support. As a consequence, vendors are forced to compete. If you want a commercially supported linux you have plenty of choices, for commercially supported windows you have only one source.
Less lock-in, with open source you are far less likely to find your data locked away in a secret format known only to one company.
There are many negatives associated with closed source, and virtually no positives as far as the customers are concerned. If you have evidence to the contrary i'd like to hear it.
The breakthrough will be the point where people aren't so locked in to proprietary formats...
That is, when the question of "will it read my files" goes away.
Once you have a level playing field, linux will take off far more rapidly because you can choose it based on its merits (of which there are many), and microsoft will no longer be able to hold your data to ransom in proprietary formats.
But the point is also that he had a choice, many people have no choice at all, and the people taking their choice away have never (or often arent equipped to) evaluated all their options objectively.
If Amiga produced an OS that outshone everything else available, it would still fail and virtually no-one would use it.
Why? Because people are stuck with proprietary single-platform apps and formats, they can't switch to a better platform even if they wanted to.
If there were standards, standard ABIs so you could write once and run anywhere, with native performance (java is still sluggish), and it isn't too great a stretch to imagine since all the major vendors are x86 compatible today anyway. You really could choose the best os, the best hardware, the best apps, and have it all run together in a way that suits you. Instead, people are stuck with someone else's choices.
It may not have sold many systems alone, but it could easily have influenced the decision of someone who was going to buy a new machine anyway.
Back in the days, Doom especially prompted people to buy x86 compatible running dos, which were otherwise typically just used for office-type applications. Prior to that, most people who wanted games systems bought Nintendo, Sega or Amiga systems. Running games on dos was a huge pain in the backside, the systems were much more expensive and most other games were simply not up to the same standard, or weren't ported at all.
Windows admins are just as lazy as unix admins, however if you leave a default system on the internet...
A windows box will get owned by a worm, and it will then be very noisy scanning and trying to infect more.
If a unix box gets owned, it's more likely to be by an active hacker who will try to be far less conspicuous than a worm.
You'd expect someone to have a right to complain if they buy some software which has security problems, but most commercial software requires users to give up that right as part of the licence agreement.
You also talk about "with a bigger market share comes increased motivation to crack/hack" but then talk about abandoned projects, if a project has market share it's far less likely to be abandoned, especially if it's open source.
Also, if someone finds and publishes holes in an open project, they usually make patches available (its only responsible to produce a patch if you can).
Similarly if the project is supported by a distro, they will patch it even if the original maintainers don't.
Contrast this to a proprietary product that gets abandoned, and you simply can't patch it. Many companies are left in situations where they are stuck with legacy proprietary systems which are no longer supported but which cannot be easily replaced.
Also, while the default security of windows has improved, so has the default security of unix systems. Windows machines still come with a large number of network services, even workstations! Linux and OSX comes with very little open by default, and you have to go out of your way to enable things. Lazy admins will typically leave the defaults, they will not usually turn things off which are there by default, but they have no choice but to turn things on if they`re required.
And when it comes to patching, most linuxes have package managers which can auto update, and in a lot of cases the package manager will supply all the apps, so you can update everything in one place, windows still doesn't do that.
Your point about the command line is the primary differentiator...
Most windows apps (including server apps) are usually set up to be installed from a gui, you'd need to create your own method of installing these programs, as you wouldnt want the installer popping up on the user's screen.
Apps for unix are usually intended to be installed from the command line, making it much easier for someone to just grab them direct from a mirror site and install them.
Remember the hacker needs to get his programs onto the host somehow, downloading them from a public download site doesn't create a trace back to him, but having his own custom apps means he needs places to store and distribute them, ultimately providing a track back to where he keeps and develops the master copies.
Also many windows programs don't have public download sites, a hacker would quite happily install a pirated copy (hes breaking the law anyway, so why not break another) but then he still needs to maintain a distribution site.
Many people bought the xbox specifically to play halo...
A lot of those same people may have chosen a mac for the same reason. (personally i don't think halo is all that great of a game)
But their support costs are higher as a result of not informing their staff...
Some ISPs play a prerecorded message informing users of any current outages before forwarding you to any support staff.
Even non technical people would understand a message saying "broadband connections in $town are currently unavailable and expected to be restored within 2 hours", and wouldnt continue to bother the support bods. Instead, at least in this one case, someone spent several hours doing disruptive things to their machine which were always going to be fruitless because the underlying network was unavailable.
All of the Apache processes show up as /usr/sbin/apache2
A process just called "apache" or "./apache" would stick out like a sore thumb...
Apache doesn't run as a single user either, each site runs under it's own userid.
There is also trusted path execution enabled on the server, so the web users can only execute programs which are owned by root, and located inside a directory owned by root, so they can't upload and execute arbitrary binaries, all they could really leave running is a php script.
Well, the advantage of IRC, while you still need a TCP connection, if you have enough hacked boxes it's virtually impossible to differentiate your connection from the drones...
The disadvantage of an IRC based control bot, is the lack of flexibility. You can only use the functions offered by the bot, and if you need new functions you need to update your bots. Sure you could make the bot provide an interface to the underlying command line, but then your back to the original point of the windows cli sucking.
You also need one or more stable servers to run IRC, you could use public IRC networks but most legit irc admins don't take kindly to the presence of thousands of drones on their network, and will take measures to shut them down and report whoever is running them. Typically unix machines make far more stable hosts, and are usually easier to install IRC servers on.
People are also using modified irc servers nowadays, so that you can't just connect and see the hostnames of all the bots...
I've not been dossed per se, but some of the ssh/ftp brute force attempts and scans for common website vulns are incredibly aggressive.
My biggest problems stem from foolish users, i host a lot of customers who have the ability to run PHP apps and choose their own passwords. Fortunately, each user has their own account, so i can easily check which user owns any malicious processes or files that appear on the system.
This is nothing new, crackers have always preferred unix machines for a number of reasons. A few years ago many crackers wouldn't even bother trying to own windows machines.
You never see many people who compromise a windows machine and manually set up anything on it, windows machines are typically mass hacked and used as throwaway systems, for spamming or dossing (once a large flood of dos or spam comes from a system, it very quickly gets noticed and the system usually gets shut down). The hassle of using windows remotely (half assed command line interface etc), lack of default tools and typical low uptimes/stability discourage them being used interactively or for any kind of non-throwaway uses.
Conversely, unix machines are typically more stable, and have a far more flexible interface that's more geared up to remote cli usage. Installing something like an IRC server to collect malware is often much easier, and there's usually package management which can be used to easily install any external libraries or additional tools that might be required. There are also typically standard server apps installed and ready to use (ftpd, apache, rcp, tftp etc) which can be used to host malware, for easy download to other compromised machines (most systems have ftp/rcp/tftp clients by default, even windows).
Crackers will often turn a compromised unix machine into their "home", and keep a set of tools/exploits in a hidden directory, and use the machine for manual probing, testing of new tools and launching of other attacks, but they will rarely use windows systems for anything other than dossing/spamming or defacing a website if it hosts one.