Oh, you meant 2005? That's not a fair comparison -- you're asking about a specific version of a product. A new version, of course.
Note: It's only 2007 -- SQL Server 2005 has only been out two years. SQL Server 2000 was the version targeted by SQL Slammer, as far as I can tell, and that was out three years before it was found.
Now, I did not say Gentoo Linux 2007.0, or Ubuntu Feisty. I said, ANY Linux.
As I said, Microsoft has gotten better at security -- however, I'm not sure they're quite there yet. Linux, however, has a solid track record of more than a decade. Total number of virus/worm outbreaks, I can count on one hand.
Unfortunately, it is a harsh reality, & more than a few folks out there would agree, they DO DRIVE SECURITY IMPROVEMENTS!
That they do, again, in the sense that terrorism drives physical security improvements.
Your wording was that they are "doing the world a favor". Would you also say that terrorism does the world a favor?
Maybe our security is better, and maybe reality is harsh, but I would not say that this is a good thing. After all, I'm not sure we could ever have world peace, or a complete end to crime -- but I would never say that crime is a good thing, or that a serial rapist is doing the world a favor. Would you?
I'm not sure we actually disagree here, I'm just trying to get you to be a little more careful what you say. It wouldn't kill you to proofread a little before you run your mouth.
thinking the multiplatform CIS TOOL security test is malware
Please stop putting words in my mouth.
I said that it could be malware. I don't think it is, and I don't think it isn't. I simply have no reason to believe anything about it, one way or the other.
That's one blatant misconstruction here, so I'm ignoring the rest of your post. You know the drill.
It does matter when you say "AND LATER THIS", in caps, as if it does matter.
After all - YOU ASKED FOR WHERE YOU CONTRADICTED YOURSELF
Do you understand what it means to contradict ones self?
I said one thing, which was not true -- it was a mistake, and also quite a ways back in the discussion.
I then discovered that it was not true, and corrected myself. (That's why the second post was later -- between the two posts, I discovered I was wrong.) But rather than you saying I should get modded up for being so honest, this time, you bashed me for contradicting myself. I didn't.
Didn't you TRY to evade taking CIS Tool as a test, period, saying it is "malware" etc., more-OR-less?
"Evade" is simply not true here. I chose not to take it. Were it a completely bulletproof test, ridiculously easy to take, and verified by God himself that it would not harm my computer, I might still choose not to take it.
But you insisted on a reason, so I gave you some.
It's a bit like saying "Here, have a smoke." If I say "no", that should be enough. If you want reasons, I can say "Because my lung capacity will drop like a rock, because they'll eventually kill me, because it doesn't even taste that good, and because I already get a high from caffeine." But the reasons are irrelevant -- they're just to get you to shut the hell up and go away.
They are not "evasions".
As for malware? I said it could be malware, which you must admit is true -- it is possible -- unless you have analyzed every single byte of its bytecode yourself.
SANS & COMPUTERWORLD
Why should I trust them any more than I trust CIS?
It's a basic concept you seem to be missing -- security starts by assuming no trust at all. You then trust the absolute minimum number of entities that you reasonably can in order to get the job done. You do this because trust is a weakness -- every act of trust, in security, is a potential avenue of attack.
In fact, that's pretty close to the definition of the word "trust" as used in security: The act of "trusting" an entity means I am granting that entity the ability to compromise me in some way.
Your initial argument is shot, it's NOT "rogueware/malware" of ANY kind apparently, yes?
I've got absolutely no evidence from any entity I trust that it's not.
It may be perfectly reasonable for me to trust the sources you give, but why should I if I don't have to?
I still don't have a single good reason for running your program in the first place, other than to get you to shut up.
Other folks from the *NIX world as shown as trying it, in a FreeBSD guy in my post parent to yours @ its termination as well!
In that same link, someone is quoted as saying: "I tried it some weeks ago on 5.3-RC1. It's a good tool to use as a checklist but don't use the score to rank your systems."
As for the "proof", there's even less here than your screenshot -- someone simply posted their score, in plaintext. But let's forget that for a moment...
Once again, you're assuming I refuse to take the test because I'm afraid of getting a bad score. I don't believe the scores it gives are particularly meaningful, except measured against the same system -- as he said, he started at 5.88 and increased his score to 8.0.
THAT is a fair comparison -- assuming the tool measures things that are worth measuring, an 8.0 on BSD is better than a 5.88 on BSD. But that's not an indicator that 8.0 on BSD is better or worse than whatever score you got on Windows.
Chroot jails via impersonation methods in code don't sound that impervious, w/ out SeLinux in place as layered security over them (for BOTH sockets &/or filesystem control
It may still be a smaller target than desktop Windows, but the fact that it has had close to ZERO compromises in the wild, even with a decent amount of marketshare on the server, says something about its security.
2.) Those same "hacker/cracker" types are getting their attack surface areas ROBBED by techniques like I list in this URL below
Sorry, not by much. I imagine you've gotten about as many people to lock down their systems as I've gotten people to switch to Linux.
No, what's really causing problems is that Microsoft is finally starting to develop secure software. Starting to -- I don't think they're quite there yet, but we'll see.
once discovered OR USED & reverse engineered? ARE DOING THE WORLD A FAVOR
This is a truly moronic statement. If there were no "Hacker/Crackers" in the world, wouldn't there also be no need for security?
That's like saying the terrorists did us a favor on 9/11 by forcing us to tighten airport security. Sorry, but no -- I truly hope that we, as a species, have evolved to the point where we can tighten airport security (at least as much as we need to) without somebody having to die first.
But consider: Suppose I were to discover a flaw in an open source project. I can fix it myself, maybe even get a bounty for it, but in the absolute worst case, I've made my own system more secure.
Now, suppose I were to discover a flaw in Windows. I can't reasonably fix it myself, all I can do is tell Microsoft about it -- and Microsoft has been known to sit on this kind of report for months without doing anything about it. I could get the flaw fixed faster -- and make a little money on the side -- by creating a botnet with it.
I don't actually do either of these things, though I am sure you're going to imply that I implied that I have or will. I'm just pointing out, perhaps one reason security is better on Linux isn't even because of the actual tech, but because of the way in which we deal with security holes.
I think that in 5-7 years time in fact, you will see almost NO OS or BROWSER LEVEL/APPLICATION LEVEL attacks anymore
I think that's half bullshit.
OS-level attacks may not happen anymore, if by "os-level" you mean things like ping-of-death. I also doubt there will be many attacks in which something escapes the browser and attacks the rest of the user's own system.
However, I think we'll see just as many stupid application-level attacks, because there will be stupid applications out there -- we just won't see as many against Microsoft's own products, because they have to keep getting better, so they can keep saying we're "more secure [than we were two years ago]" and keep people from migrating to other systems. I believe we'll also see far more attacks of the cross-site variety -- as in, one script running in the browser attacking another script running in the browser.
First, the 90% was pulled out of someone's ass. I hope it wasn't mine, I don't remember.
Second, if Linux has 5% marketshare, fine, it also has close to NO viruses. The last time I bothered to look, there had been a grand total of two worms for ANY Unix, EVER, Linux included. Maybe now it's up to five!
Arguing viruses as a good thing? Maybe so, but that does not make Windows a more secure platform, even if it makes it better job security for you.
You do have a couple of almost-decent points:
The fact they're based on sample sets, which can be skewed!
That is true, so you have to look at how they are skewed.
For instance, how is market share determined? How about total number of viruses? Vulnerabilities, etc?
Every time a statistical study is posted to Slashdot, we get a ton of comments about how it might be flawed, or how we know it's flawed. I invite you to find a statistical study that backs your claim, and I'll punch holes in it. Or I'll pick one that backs my claim, and you can punch holes in that.
But "arguing with numbers" strikes me as quite a lot better than downloading one test suite, because it at least eliminates a few major ways in which that suite could be skewed:
The test you propose comes with no source code, and so it may be biased by the organization putting it out. Public studies must name their sources to be credible, so at least if it's biased, we know it.
The test you propose requires some amount of work to participate in, meaning it's a self-selected survey. Public studies need not be self-selected.
Regarding self-selection: The only incentive to take your test is to get you to shut the hell up. Self-selected surveys often provide incentives, and sometimes, being able to write an opinion is incentive enough. But I can write all the opinion I want without taking your test.
The test you propose has only your own screenshot as "proof". Public studies can actually be verified, and usually are verified, by more than one source.
Uninstalling Norton? Easier said than done, if I remember right, though maybe he didn't try.
Anyway, it was his decision, not mine. I keep a Windows partition for the games I need it for, but we both still spend probably 95% of our gaming time on Linux. The difference is, he borrows a computer for the other 5%, while I boot my Windows partition.
Deliberate or not, I'm tired of these mistruths from you:
Didn't you state this:
Yes, I did say that.
AND LATER, THIS:
No, that was earlier. You're the one who brought up modification times, though they're insufficient. Go ahead and look at the post times on those. Here's the timestamp from the first one you quoted:
SanityInAnarchy (655584) on Friday August 10, @12:52AM
And here's the second:
SanityInAnarchy (655584) on Thursday August 09, @10:34PM
I'm not even looking up the quotes -- by your own admission (you copied and pasted those timestamps into your own post), the second one, which you claim was "later" than the first, is actually earlier by at least three hours.
Benchmarks are the best initial comparisons we have
No, statistics are.
That's why, for example, if you want to compare how much power a given CPU uses in the real world, you don't run SuperPI. You stick that CPU in a server, attach a meter to its power, and measure. Or you look at the electric bill -- whatever.
If you want to compare security, collect data on actual attacks and compromises. And as the other poster says, Windows has been compromised far more than we'd like, even considering its market share.
Take your typical botnet. How many of its nodes are Windows? How many botnets are entirely Windows-based? How many have ANY Linux or OS X nodes?
had nothing but evasions
I've got a story for you...
The other day, I walked up to a girl in the bar and said "Nice shoes, wanna fuck?" She said "No. Get lost."
Can you believe it? The bitch was evading me!!!!111!one
Or maybe -- just maybe -- she actually wasn't interested, or didn't have the time.
If Linux rises to desktop prominence, against a competitor that has a 95% market share on the desktop (a practical monopoly), then the next logical step must be a duopoly
I respectfully disagree.
I don't think the market is really big enough to support more than one platform, unless we, as developers, get REALLY good at crossplatform. Which is going to happen one of two ways: Either the two platform will become similar enough that something like POSIX can be created, making them essentially one platform, or something like Java/wxwidgets/QT (or even AJAX, god forbid) will rise -- a "cross-platform platform" -- again, making it essentially one platform.
That's assuming it doesn't completely flip the other way -- 95% Linux / 5% Microsoft -- which has happened before.
it is doubtful that Microsoft will ever "go away." They will likely change the way they do business, like IBM did.
Well, if they did what IBM did, I don't think I'd mind.
That is, IBM used to have a hardware monopoly. They stupidly gave that up by signing a deal with Microsoft, so that Microsoft had a software monopoly, and IBM's hardware became commodity. IBM had to move into a completely different market, even though I believe they still sell something resembling a desktop computer, if they haven't spun it off into a separate company.
That would be like my cross-platform-platform example above -- for example, if Java became THE platform to develop for, OS really would be irrelevant. Some would continue to buy Microsoft, and almost no one would switch overnight just cause they can, but many would, when looking at their upgrade options, consider saving a few bucks by buying a new computer with Linux instead of Windows, since most of their old stuff will work.
Or, if you look a few years later, IBM sort of tried and failed with OS/2.
But take another look at Microsoft -- they've done this themselves, sort of. I wonder what Apple's marketshare was at the time? Probably close to 100%, right? Microsoft made something so much cheaper, even if it sucked, that it completely flipped around, and it did so very quickly. And at the time, the Mac sucked almost as much anyway, so it was really a pissing contest to say who was better.
We could do the same thing now, but I think Microsoft may be too smart to let us get away with it entirely. Still, there's a chance -- for example, a $200 or $300 laptop with Linux on it. No one's going to pay an extra $100 to put Vista on it, and many people are just going to buy a laptop, plug it in, and see if they like it the way it is before they install another (even pirated) OS onto it.
It also creates an entirely new market -- the disposable laptop. Take it anywhere you feel like carrying it (it's 3 lbs), and don't baby it -- even if you break one every year or two, so what? You can buy a newer, better one.
Try winning a fair fight against a guy who is willing to kick you in the crotch and throw sand in your face some time.
In such a fight, once he has done those things, it's no longer a fair fight, and I'm free to do the same. And I probably can win, because if I got into that fight in the first place, the guy I'm fighting probably isn't as creative as I can be with ways to "cheat".
The question isn't what I'm willing to do, or what the other guy's willing to do, but rather, what are the rules? Who makes them? Who enforces them?
If the ref's just lazy, then we'll both kick sand in each other's faces, then blindly fumble to kick at each other's crotches...
If the ref's fair, then the second he kicks me and throws sand in his face, the whole crowd watching descends on him and kicks the shit out of him. I sit back and watch -- or not, I'm still screaming and trying to get sand out of my eyes, but I still call it a win.
If this fight is being reffed by a bunch of guys from the same gang as the guy throwing sand in my face, I should probably run. That's the situation right now -- Microsoft donates to campaigns, politicians write legislation for Microsoft... and so on. Best bet is to stay as far away as you can.
Ian Carmack made an observation about DirectX 10 and Microsoft in general -- they rush things to market, do their corporate bullying to ensure that their product dominates, but it sucks for a long time.
Then, eventually, either on their own or directly as a result of outside pressure, they make it better.
They do, in fact, have the developers and resources to make the best tech available anywhere, to really innovate, to, in short, do all the things they claim to do.
But unless you force them to, they're going to give you the worst product they can possibly sell.
Windows sucked until Windows 2000, and probably still sucked for a few years after that. XP sucked until service pack 2. Visual Studio sucked for years and years. DirectX used to suck, then it was sort of a big fat "meh" between DirectX and OpenGL/SDL, with the only concrete difference being that GL is cross-platform and DirectX is Windows-only -- and now, finally, DirectX is starting to be good enough that if you're developing a Windows-only game, it actually makes sense to do DirectX instead of OpenGL.
And so on and so forth.
This, folks, is why I don't mind Apple's proprietary stuff so much. Apple much more often adds features and functionality, or even fixes broken stuff, just to make a better product, and not because they "have to" -- although this may be due to market pressure from Microsoft so that Apple's products have to be perfect or better. But whatever the reason, I can usually live with a Mac, and I usually cannot live with a Windows box.
I believe it is actually possible to survive with very little nitrogen or none at all -- just oxygen -- but I could be entirely wrong about that.
Microsoft, however, is much easier.
Not easy, I know. I'm applying for a job with a place which relies on a few apps that are Windows-only, and not likely to be ported. It's a pretty much entirely-Microsoft shop -- they use Visual Studio (and also some variant of Eclipse, for other things), and the only Linux in the office is in the HD-DVD simulator box.
But at the same time, I run Linux at home, on my own servers, and in some other mostly-Microsoft places I've had contract work -- in little dedicated servers, but such that I don't have to deal with Windows much. And I have worked with a community project which uses entirely open software -- Ubuntu on the desktop, FreeBSD on the server -- and refuses to use any proprietary software, to the extent that they can help it. To my knowledge, the only evidence that they're even aware of Windows is they provide instructions on how to connect to their radio with WinAMP -- but they also provide instructions for xmms on Linux, among other things.
Accepting it and being willing to work with it is not respect.
I don't like Microsoft as a company. Most Microsoft products are an absolute pain to work with, and if asked to work with them, I will immediately ask if there's an alternative.
If there isn't, I'll try my best not to bitch about it, and I'll work with what I have to. But that's not because I respect Microsoft, it's because I respect that I have to have a job, and sometimes that I even respect the decision management made, or had to make.
As for getting people to switch, I generally do that by being an example. My college roommate constantly had to deal with Norton AntiVirus and Norton Firewall lagging him out of games, even though he didn't have a proper subscription. I had no such problems, and laughed at him when he did -- which was fine, he was laughing (and crying) himself. Eventually, he just gave up and had me install Kubuntu for him, so he didn't have to deal with it anymore.
Of course, price never hurts. (And yes, TCO -- managers love it when, as a contractor, I say "I'll keep monitoring it for free as long as you leave me with access -- it takes less than a minute for me to install upgrades.")
Are two-dimensional textures, quadtrees, etc more efficient than traditional octrees and LoD applied to 3D objects?
That was the one thing that actually bothered me about this "megatexture" concept, that I think it could be generalized so easily...
Well, that, and I also want to see more games use procedurally generated content (saving disk space and RAM) rather than just throwing some gigantic satellite-photo-sized texture at the problem.
This one's not worth replying to, because you open with such a blatant misunderstanding. A deliberate one?
I simply choose not to. There's no need for more advanced SELinux than the default policy -- I simply don't let things into my computer which don't need to be there.
I thought you said you did not have SeLinux in place, & did not want to learn its complexities here
I did not know I had any kind of SELinux in place, because I had never installed it, and certainly never checked for it. Now I know it comes by default with Ubuntu.
And that is correct -- I do not want to learn its complexities.
There's no contradiction there. You're just trying to find contradictions to "trap" me and make me look bad, rather than address the actual issues I've brought up.
There's no point in bringing them up again if you're just going to pretend not to understand, or evade them again. For example, the race condition. Some of what you say about race conditions is wrong, some of it's good advice, and none of it addresses the race condition in this particular app.
(Hell, there is even ipchains on LINUX, but haven't used them myself AND PACKET FILTERING
Once again, you don't know what you're talking about. (ipchains IS packet filtering, and advanced mangling and routing and such. However, no one has used ipchains since the 2.2 kernel, probably five years ago or more -- we use iptables now.)
Also, iptables without something more (probably SELinux) is incapable of blocking based on user or application. It only operates on packets and hosts. So I could block my entire box from accessing the Internet, but it would take a much more complex policy to block a single sandboxed app.
Do you, OR don't you? Make up your mind man... I strongly suggest that IF you do? Learn it then.
No need. My other post explains why there's no need.
If I start to make a habit of downloading random executables from the Internet and running them with some sort of limited access, then I might put some effort into learning it. But until then, it makes life a lot simpler not having to deal with it.
by making calls to chroot again from itself running under a superuser/root's user context.
Wow, you really don't know, do you...
If I remember right, chroot itself can only be called by root. The easy way for root to break out again is by doing things like creating device nodes and directly accessing the hard disk, among other things. But none of these are available to non-root users.
Don't "run it as root" (superuser etc.), IF POSSIBLE
It's apparently not possible, at least within that chroot environment.
Install & properly setup SELinux (which it is funny you DON'T have it in place configured for your system & needs, since you are SO CONCERNED ABOUT YOUR SECURITY
Well, I'm concerned about physical security, too. But I live in a small town, so I don't feel the need to have an alarm system.
I also don't own a gun. It's not that I'm opposed to guns, I just don't think I need that amount of security.
Now, if I was in an inner-city neighborhood, then I'd have an entirely different approach. Just as if I was running Windows primarily, and it was a server or some other really juicy target, I'd probably seek out advice like yours -- though maybe from another source -- and implement the tightest security I possibly could.
Hey - I am only asking you take this test, & post a result vs. mine, this is all.
You weren't willing to try my "test" involving a random piece of spam, so why should I take yours?
Yup... You are "YAWGA" (in the spirit of yacc) - "yet another webmaster graphic artist"
Probably not unconfigured. All Ubuntu setups come with default SELinux policies.
You are the one here, ranting on how this test would make you unsecure, yet you don't even HAVE SeLINUX IN PLACE THERE
So under what restrictions did this test run on your system? I bet it "made you insecure" also.
No, I am not - it was part of a "trap" more or less
And you have the nerve to call me dishonest?
I don't think it was a trap at all. I think that, backed into a corner, your only defense is "I lost on purpose!" -- in other words, once I pointed out how insecure chroot alone is (compared to chroot with other forms of security), your only choice was to claim you knew all along, and just wanted to see if I knew.
Funny, I am the "Windows guy" here, NOT the LINUX guy (you are): & I had to point out SPECIFIC techniques & details of them
can't even setup your system using SELinux(or chmod/chown/chroot + IPTables/IPChains usages)
I simply choose not to.
There's no need for more advanced SELinux than the default policy -- I simply don't let things into my computer which don't need to be there.
You also have no idea how iptables works -- and ipchains hasn't been the default since the 2.2 kernel. Come back when you do. (Short story? There's not an easy way to run untrusted software and deny it access to the Internet, without also denying access to the rest of my system. SELinux may allow for this, but SELinux is a much more complex approach that is simply overkill for the vast majority of systems.)
(That being chroot jails which I had to suggest to you
You really do have an ego trip going, don't you?
I know about chroot jails. I've had to deal with them when setting up Postfix, which ends up chrooting and dropping privileges for some twenty or so processes it runs, leaving an absolutely bare minimum running as root -- or even with access to the mail spool.
For that matter, I used to use Gentoo, which is installed via a chroot "jail" -- a very convenient way of doing it, by the way, as it means you can install from any Linux environment, not just Gentoo's own livecds.
Furthermore, I tried a chroot jail. It didn't work, because your tool doesn't like such a minimal environment. (Or hell, maybe it just had a bad hair day -- not my job to debug it, especially if they give no source code.)
The only reason I didn't start with a chroot jail is that it's a hassle to set one up for a program that isn't designed to run that way.
KNEW & stated what the faults are in it, programmatically via a technique commonly referred to as impersonation (programmatic impersonation & privelege level escalation thereof)!
Where'd you state that they were broken, other than right here?
"Programmatic Impersonation" is a Windows technique, and from a quick glance, it looks to be similar to setuid -- and I have no insecure setuid apps, period, much less in that minimal chroot. Privilege escalation is not an exploit, it's a class of exploit -- that's like saying there might have been a buffer overflow, which is true. But I'm not likely to be vulnerable to either at all, much less inside that chroot jail.
All that, vs. your only saying "sandbox" no less + other methods of "layered security"
I use a sandbox for programs I flatly do NOT trust. "Layered security" makes sense with things like postfix (which I described), but I feel no need to discuss them when they aren't relevant to being able to run your program.
It seems you throw "quotes" around "words" that you don't actually understand, and are just using because they are buzzwords that you read about somewhere.
Especially when I can show Windows folks how to do a LAYERED SECURITY SETUP, and IN DETAIL via an easy to use & implement 12 step guide here that WORKS...
Tell me, what capabilities did your testing program have when you ran it? Can you tell me what entities you had to trust in order to run it, and what capabilities you had to trust them with?
LOL! Ummmm - when it shows one post coming from USA (mine, & the REAL ME, because I am in the states), & say, another from Brazil, not even a few minutes later?
There are anonymizing proxies in the US. There are also people who surf Slashdot from Tor, using completely random IP addresses. I'm not one of them, but it's certainly possible.
NO administrator worth his salt would be fooled by THAT first of all!
Once again: Do you actually think the admins are getting involved? Do you actually think Zonk or CmdrTaco are going to come to your rescue and prove which post is yours and which isn't?
Well, if you can do it, I am surprised you won't (suddenly though, those chroot jails don't sound all that secure, along with Linux's native security though)...
They can only be broken out of by root, which is why I won't run this program as root, even chroot'ed.
LOL... I am not the one talking about faking a result here
No, you're just the one who may have faked it. I wouldn't call something so easily faked "proof", would you?
Think back to my impersonation of you. That's proof you're homosexual, right?
Oh wait -- it's not proof of anything. It was faked.
(and, if my photograph was a fake, why wouldn't I just post a 100/100 score?)
To make it more believable.
You're not fooling anybody here with your evasions!
Yes, and how goes that spyware I told you to install?
Firstly, I think the whole retarded bit of your comment is unnecessary, regardless of it being true; it's just insensitive and insulting.
It would have been more insensitive and insulting not to mention it, I think. Because I do find his actions here pretty stupid -- at least if he's actually retarded, there's an excuse.
Or would it have been more sensitive to say something like "mentally challenged"?
He's a gamer, he's upgraded his console. That has seen him gain some tangible benefits, he can continue to play his old favourite games, and he's also ready to play the newer games as well.
That benefit isn't really tangible -- it's actually pretty abstract, considering he pretty much never plays any PS3 games. Thus, the only benefit to him is the internal memory card, which he didn't understand until I finally made it work. (He was playing without saving because he thought he would have to buy an internal memory card -- never occurred to him to click the "create" button and see what happened.)
So, if anything, while playing his older games, it was a loss -- he lost the ability to save. In fact, there was a point where he went back to his PS2 for most things, until we finally got it through his head how to use the "virtual memory card" system.
Now, he has actually started renting some PS3 games -- he never seems to buy games, even when he rents them for long enough that it costs him more -- but mostly, it's his brother, and mostly, he's still playing older games on it. He's also not exactly rolling in money -- he's got government support for just about everything -- which is not his fault, there's not a lot of work he can do. But this means his parents had to buy it for him...
He'd be a perfect poster child for me to make a case about late adoption.
Looking specifically at the PS3, it has a lot of benefits over a PS2, even if you only played old games on it. PSN for starters.
Which he doesn't use.
When people buy a new HDTV, are they idiots to ever watch standard definition again because they could have done that on their old TV?
They are if:
They don't get any HD channels, and don't plan to
They don't have a PS3, Xbox 360, or standalone HD-DVD/Blu-Ray player
They haven't hooked up their computer to it, don't plan to, may not even know it's possible
In that case, I would say that they were idiots to buy a new HDTV in the first place, because it offers no added value over standard definition, and maybe even a loss (not all HDTVs scale SD well).
I could understand if they were planning to buy at least something to go with it -- maybe even a computer. But other than that, the only excuse that makes sense is, the HDTV wasn't going to cost them any more than a similar SDTV.
I think the iPhone analogy fits. There's nothing wrong with making POTS calls on it, but I think it's kind of a waste of money if that's all you do with it.
if you turn out to be dumber than a bag of hammers, I'm just going to hang up and call back in twenty and see if I can get someone better than you.
Well, you can be up front about it without being an asshole -- and he might actually say "You know what, you're right, I can't handle this -- lemme get my supervisor."
Or you can specifically ask for the supervisor, etc... Point is, my goal is to get the problem solved, and if the first tech I call can't help me, I probably want the next tier up.
Asking flat-out can, in fact, work with some of the larger companies. I remember calling Apple about a hardware issue, and the support person who told me they wouldn't be fixing my Powerbook for free was more than happy to send me up the chain until I finally got a manager type who could actually give me the real reason and the policy behind it.
I'm not really interested in helping them improve their metrics or even their quality, particularly since most companies seem so disinterested in doing anything about it themselves. All I want is to get the resolution I'm looking for as quickly as I can.
The two are related. You might get that resolution quicker next time if the "dumber than a bag of hammers" people get fired, especially if they get fired quickly enough that management notices and tightens their standards, maybe starts to pay more for it.
Also, I imagine with your attitude (refusing to follow instructions, hanging up, lying, etc), even if it's all very well justified, it's got to make a tech's life hell -- which makes people want to get the hell out of there -- which makes it even more likely that the next time you call, you'll get someone even dumber.
If the easiest way to do that is to hang up and call back and get a different tech, that's what I'm going to do.
I just don't find that to be more effective. ALL the first-line guys are going to be somewhat dumb, except the ones that are overdue for a promotion (which are pretty rare). Second best are those who know how inept they are, so they know when to escalate you.
I figure, I want this problem solved as quickly as possible -- in wall time -- not in as little of MY time as possible. So if I can be on the phone for 20 minutes doing bullshit, and get escalated at the end of it, it's better than calling back in 20 mins and getting another moron, trying again in 20 mins for another moron -- waiting on hold, too, most likely -- and in maybe an hour or two, I get someone who knows what they're talking about.
Although if I'm talking to someone that I know is a complete idiot, and they start doing something that's ridiculous or is going to cause me problems later ("okay, now let's try reformatting your hard drive...")
Well, I know how to take a disk image, so reformatting isn't as huge a deal. Time consuming, yes, and I will fight it as long as I can -- but it won't actually cause problems.
I do this for two reasons: Sometimes they are right, and if I flat-out refuse, the next tech might ask the same thing -- it helps a lot if they really and truly can cross it off for the entire issue.
I'm going to dry-lab it and tell them the results that will get them to check off that line on their script and keep going towards the resolution I want.
See, the reason I don't do that -- pretty much ever -- is that you don't really know what results to tell them. You can probably fake it pretty well, but there's also a good chance you're fucking with their process -- for example, what if that reformat actually did fix the issue? (I mean, if smoke's coming out of it, maybe not, but other issues...) So now, even if they send you a new piece of hardware and that works, you've now fucked with their processes -- they are now confused about a perfectly good solution not working, and may have to pick an even more retarded one.
Alright, correction: I do, in fact, have selinux installed. Apparently it comes out of the box on Ubuntu, along with ACLs and all the rest. It's still not something I look forward to learning about, for a single-user system.
Where am I WRONG about chroot jail usage on your end, for securing you as you run this program?
Well, first of all, it is possible to break out of a chroot jail, when running as root. So I did create a very minimal chroot jail and attempt to run this as a user...
It didn't work. The installer complained that it could not find where to install to, so I pointed it to the only place it was allowed to write to -- the home directory of a sandbox user I created for this experiment. It then attempted to install, and failed miserably.
Why it can't run from the jar file (keeping tempfiles somewhere else) is beyond me. Unprofessional as hell. No useful error messages, either -- just an exception thrown.
THIS is the only program you can use as "proof" of your system's superiority?
(Hint: Give. It. Up. Only complete newbies to the field of security have delusions of any kind of "proof" of security. You can prove a system insecure; you can't prove a system secure unless you're willing to algebraically verify it, and that's really impossible to do with a desktop system.)
Your screenshot would be a lot more credible if it weren't for the obvious transformation it's undergone already -- apparently, some sort of free image host added a watermark to it, if you can really call it a watermark.
But let's talk about where you were wrong:
You were wrong about the chroot jail; your program doesn't like running under a chroot jail, with the restrictions I used. (This also would not have prevented it from sending spam, now that I think of it -- shouldn't have even gone that far.)
You're wrong about etc:
checks for things like folders & files security under say,/etc (state keeping files)
No,/etc is primarily configuration. State would likely be somewhere in/var/lib, or in users' home directories.
You've been wrong several times about what I was intending to say, in very big ways.
You're still wrong about why I, and others, refuse to take your "test". Maybe when you get it, you'll know what to look for the next time you look for such a test.
And you're wrong that such a test can ever be a fair comparison between completely different OSes.
A chroot jail would help, yes, if done the way I did. Unfortunately, that doesn't work. A chroot jail that's just a fresh install of Ubuntu Minimal isn't going to give me any kind of advantage, other than making it difficult (though not impossible) for anything to get out to my main system.
If you're really that curious, let me know, and I'll do some full virtualization (completely sandboxed, with networking disabled, of course), although qemu does seem a bit unstable for me lately. Just realize that at that point, it's no easier for me than it is for you -- they make virtualizers for Windows, also, even free ones (like qemu), and you can download a CD image as easily as I can. In fact, I'm running kind of low on disk space now...
As for filesystems, ext2 is slightly faster than ext3, and it might make a huge difference under emulation. ext3 will protect you from data loss from crashes, but you can do that somewhat with qemu's snapshot mode, and a corrupted VM isn't really the end of the world. I know XFS supports ACLs also, I'm not sure about ReiserFS, JFS, etc.
(glad to see YOU have the latter in fact, & compiled into place)!
When did I say that?
No, I don't have it compiled or installed. And since I don't normally run programs I don't trust, I see no reason to compile it and learn its intricacies (and very possibly cripple the rest of my system) just to satisfy your curiosity.
I could setup a chroot jail, or something similar. However, chroot jails can be broken out of, and they are a hassle to setup -- and I actually know how to do those. I don't know how to do SELinux.
If you are so curious, it is not difficult to download and install Ubuntu, and you can probably even find a Qemu image to use.
Go for it... as THIS setup would actually make it an "even test" in theory @ least, vs. my setup using NTFS ACL's... perfect comparison in fact.
SELinux is more than just ACLs, which is why I'm reluctant to do it. I doubt ACLs alone are sufficient to sandbox this program, and I don't feel like experimenting with what they might do to the rest of that system.
By the way, I did mention that a perfect comparison between OSes is impossible.
It lets you know things need or HAVE changed, which I feel is a good, needed, & decent feature!).
I have a tool for that, too:
apt-get update && apt-get dist-upgrade
It won't detect a rootkit, maybe, but what's to stop a rootkit from targeting your tool as well?
It wouldn't be hard, if it creates world-writable files during installation.
However: KEEP THIS IN MIND - Doing a "rembrandt class" fake, might be tough, when the right person's looking @ it, with a fine-toothed comb, remember that!
Oh, please. It's a JPEG file, a snapshot of a bunch of text in a table.
I bet I could fake one with HTML, even, in less time than it'd take me to properly configure SELinux. Take a screenshot, give it just the right amount of jpeg compression, and no one would know the difference.
Oh, maybe there's a watermark or something in there... So what? You've mentioned nothing of the kind, yet you hold it up as "proof!!" -- even though you yourself admit it's inaccurate.
At least be honest with that big cut-and-paste troll. Stop calling it "proof" of anything.
Everyone is looking to spend as little as possible. It's called "business".
Found one! It's called SQL Slammer.
Oh, you meant 2005? That's not a fair comparison -- you're asking about a specific version of a product. A new version, of course.
Note: It's only 2007 -- SQL Server 2005 has only been out two years. SQL Server 2000 was the version targeted by SQL Slammer, as far as I can tell, and that was out three years before it was found.
Now, I did not say Gentoo Linux 2007.0, or Ubuntu Feisty. I said, ANY Linux.
As I said, Microsoft has gotten better at security -- however, I'm not sure they're quite there yet. Linux, however, has a solid track record of more than a decade. Total number of virus/worm outbreaks, I can count on one hand.
That they do, again, in the sense that terrorism drives physical security improvements.
Your wording was that they are "doing the world a favor". Would you also say that terrorism does the world a favor?
Maybe our security is better, and maybe reality is harsh, but I would not say that this is a good thing. After all, I'm not sure we could ever have world peace, or a complete end to crime -- but I would never say that crime is a good thing, or that a serial rapist is doing the world a favor. Would you?
I'm not sure we actually disagree here, I'm just trying to get you to be a little more careful what you say. It wouldn't kill you to proofread a little before you run your mouth.
Please stop putting words in my mouth.
I said that it could be malware. I don't think it is, and I don't think it isn't. I simply have no reason to believe anything about it, one way or the other.
That's one blatant misconstruction here, so I'm ignoring the rest of your post. You know the drill.
It does matter when you say "AND LATER THIS", in caps, as if it does matter.
Do you understand what it means to contradict ones self?
I said one thing, which was not true -- it was a mistake, and also quite a ways back in the discussion.
I then discovered that it was not true, and corrected myself. (That's why the second post was later -- between the two posts, I discovered I was wrong.) But rather than you saying I should get modded up for being so honest, this time, you bashed me for contradicting myself. I didn't.
"Evade" is simply not true here. I chose not to take it. Were it a completely bulletproof test, ridiculously easy to take, and verified by God himself that it would not harm my computer, I might still choose not to take it.
But you insisted on a reason, so I gave you some.
It's a bit like saying "Here, have a smoke." If I say "no", that should be enough. If you want reasons, I can say "Because my lung capacity will drop like a rock, because they'll eventually kill me, because it doesn't even taste that good, and because I already get a high from caffeine." But the reasons are irrelevant -- they're just to get you to shut the hell up and go away.
They are not "evasions".
As for malware? I said it could be malware, which you must admit is true -- it is possible -- unless you have analyzed every single byte of its bytecode yourself.
Why should I trust them any more than I trust CIS?
It's a basic concept you seem to be missing -- security starts by assuming no trust at all. You then trust the absolute minimum number of entities that you reasonably can in order to get the job done. You do this because trust is a weakness -- every act of trust, in security, is a potential avenue of attack.
In fact, that's pretty close to the definition of the word "trust" as used in security: The act of "trusting" an entity means I am granting that entity the ability to compromise me in some way.
I've got absolutely no evidence from any entity I trust that it's not.
It may be perfectly reasonable for me to trust the sources you give, but why should I if I don't have to?
I still don't have a single good reason for running your program in the first place, other than to get you to shut up.
In that same link, someone is quoted as saying: "I tried it some weeks ago on 5.3-RC1. It's a good tool to use as a checklist but don't use the score to rank your systems."
As for the "proof", there's even less here than your screenshot -- someone simply posted their score, in plaintext. But let's forget that for a moment...
Once again, you're assuming I refuse to take the test because I'm afraid of getting a bad score. I don't believe the scores it gives are particularly meaningful, except measured against the same system -- as he said, he started at 5.88 and increased his score to 8.0.
THAT is a fair comparison -- assuming the tool measures things that are worth measuring, an 8.0 on BSD is better than a 5.88 on BSD. But that's not an indicator that 8.0 on BSD is better or worse than whatever score you got on Windows.
Kindly giv
Apache, at least, enjoys quite a bit of market share, and Linux is probably still at at least 20-30%, if not 50% of web servers.
It may still be a smaller target than desktop Windows, but the fact that it has had close to ZERO compromises in the wild, even with a decent amount of marketshare on the server, says something about its security.
Sorry, not by much. I imagine you've gotten about as many people to lock down their systems as I've gotten people to switch to Linux.
No, what's really causing problems is that Microsoft is finally starting to develop secure software. Starting to -- I don't think they're quite there yet, but we'll see.
This is a truly moronic statement. If there were no "Hacker/Crackers" in the world, wouldn't there also be no need for security?
That's like saying the terrorists did us a favor on 9/11 by forcing us to tighten airport security. Sorry, but no -- I truly hope that we, as a species, have evolved to the point where we can tighten airport security (at least as much as we need to) without somebody having to die first.
But consider: Suppose I were to discover a flaw in an open source project. I can fix it myself, maybe even get a bounty for it, but in the absolute worst case, I've made my own system more secure.
Now, suppose I were to discover a flaw in Windows. I can't reasonably fix it myself, all I can do is tell Microsoft about it -- and Microsoft has been known to sit on this kind of report for months without doing anything about it. I could get the flaw fixed faster -- and make a little money on the side -- by creating a botnet with it.
I don't actually do either of these things, though I am sure you're going to imply that I implied that I have or will. I'm just pointing out, perhaps one reason security is better on Linux isn't even because of the actual tech, but because of the way in which we deal with security holes.
I think that's half bullshit.
OS-level attacks may not happen anymore, if by "os-level" you mean things like ping-of-death. I also doubt there will be many attacks in which something escapes the browser and attacks the rest of the user's own system.
However, I think we'll see just as many stupid application-level attacks, because there will be stupid applications out there -- we just won't see as many against Microsoft's own products, because they have to keep getting better, so they can keep saying we're "more secure [than we were two years ago]" and keep people from migrating to other systems. I believe we'll also see far more attacks of the cross-site variety -- as in, one script running in the browser attacking another script running in the browser.
First, the 90% was pulled out of someone's ass. I hope it wasn't mine, I don't remember.
Second, if Linux has 5% marketshare, fine, it also has close to NO viruses. The last time I bothered to look, there had been a grand total of two worms for ANY Unix, EVER, Linux included. Maybe now it's up to five!
Arguing viruses as a good thing? Maybe so, but that does not make Windows a more secure platform, even if it makes it better job security for you.
You do have a couple of almost-decent points:
That is true, so you have to look at how they are skewed.
For instance, how is market share determined? How about total number of viruses? Vulnerabilities, etc?
Every time a statistical study is posted to Slashdot, we get a ton of comments about how it might be flawed, or how we know it's flawed. I invite you to find a statistical study that backs your claim, and I'll punch holes in it. Or I'll pick one that backs my claim, and you can punch holes in that.
But "arguing with numbers" strikes me as quite a lot better than downloading one test suite, because it at least eliminates a few major ways in which that suite could be skewed:
Uninstalling Norton? Easier said than done, if I remember right, though maybe he didn't try.
Anyway, it was his decision, not mine. I keep a Windows partition for the games I need it for, but we both still spend probably 95% of our gaming time on Linux. The difference is, he borrows a computer for the other 5%, while I boot my Windows partition.
Deliberate or not, I'm tired of these mistruths from you:
Yes, I did say that.
No, that was earlier. You're the one who brought up modification times, though they're insufficient. Go ahead and look at the post times on those. Here's the timestamp from the first one you quoted:
And here's the second:
I'm not even looking up the quotes -- by your own admission (you copied and pasted those timestamps into your own post), the second one, which you claim was "later" than the first, is actually earlier by at least three hours.
No, statistics are.
That's why, for example, if you want to compare how much power a given CPU uses in the real world, you don't run SuperPI. You stick that CPU in a server, attach a meter to its power, and measure. Or you look at the electric bill -- whatever.
If you want to compare security, collect data on actual attacks and compromises. And as the other poster says, Windows has been compromised far more than we'd like, even considering its market share.
Take your typical botnet. How many of its nodes are Windows? How many botnets are entirely Windows-based? How many have ANY Linux or OS X nodes?
I've got a story for you...
The other day, I walked up to a girl in the bar and said "Nice shoes, wanna fuck?" She said "No. Get lost."
Can you believe it? The bitch was evading me!!!!111!one
Or maybe -- just maybe -- she actually wasn't interested, or didn't have the time.
I respectfully disagree.
I don't think the market is really big enough to support more than one platform, unless we, as developers, get REALLY good at crossplatform. Which is going to happen one of two ways: Either the two platform will become similar enough that something like POSIX can be created, making them essentially one platform, or something like Java/wxwidgets/QT (or even AJAX, god forbid) will rise -- a "cross-platform platform" -- again, making it essentially one platform.
That's assuming it doesn't completely flip the other way -- 95% Linux / 5% Microsoft -- which has happened before.
Well, if they did what IBM did, I don't think I'd mind.
That is, IBM used to have a hardware monopoly. They stupidly gave that up by signing a deal with Microsoft, so that Microsoft had a software monopoly, and IBM's hardware became commodity. IBM had to move into a completely different market, even though I believe they still sell something resembling a desktop computer, if they haven't spun it off into a separate company.
That would be like my cross-platform-platform example above -- for example, if Java became THE platform to develop for, OS really would be irrelevant. Some would continue to buy Microsoft, and almost no one would switch overnight just cause they can, but many would, when looking at their upgrade options, consider saving a few bucks by buying a new computer with Linux instead of Windows, since most of their old stuff will work.
Or, if you look a few years later, IBM sort of tried and failed with OS/2.
But take another look at Microsoft -- they've done this themselves, sort of. I wonder what Apple's marketshare was at the time? Probably close to 100%, right? Microsoft made something so much cheaper, even if it sucked, that it completely flipped around, and it did so very quickly. And at the time, the Mac sucked almost as much anyway, so it was really a pissing contest to say who was better.
We could do the same thing now, but I think Microsoft may be too smart to let us get away with it entirely. Still, there's a chance -- for example, a $200 or $300 laptop with Linux on it. No one's going to pay an extra $100 to put Vista on it, and many people are just going to buy a laptop, plug it in, and see if they like it the way it is before they install another (even pirated) OS onto it.
It also creates an entirely new market -- the disposable laptop. Take it anywhere you feel like carrying it (it's 3 lbs), and don't baby it -- even if you break one every year or two, so what? You can buy a newer, better one.
In such a fight, once he has done those things, it's no longer a fair fight, and I'm free to do the same. And I probably can win, because if I got into that fight in the first place, the guy I'm fighting probably isn't as creative as I can be with ways to "cheat".
The question isn't what I'm willing to do, or what the other guy's willing to do, but rather, what are the rules? Who makes them? Who enforces them?
If the ref's just lazy, then we'll both kick sand in each other's faces, then blindly fumble to kick at each other's crotches...
If the ref's fair, then the second he kicks me and throws sand in his face, the whole crowd watching descends on him and kicks the shit out of him. I sit back and watch -- or not, I'm still screaming and trying to get sand out of my eyes, but I still call it a win.
If this fight is being reffed by a bunch of guys from the same gang as the guy throwing sand in my face, I should probably run. That's the situation right now -- Microsoft donates to campaigns, politicians write legislation for Microsoft... and so on. Best bet is to stay as far away as you can.
Ian Carmack made an observation about DirectX 10 and Microsoft in general -- they rush things to market, do their corporate bullying to ensure that their product dominates, but it sucks for a long time.
Then, eventually, either on their own or directly as a result of outside pressure, they make it better.
They do, in fact, have the developers and resources to make the best tech available anywhere, to really innovate, to, in short, do all the things they claim to do.
But unless you force them to, they're going to give you the worst product they can possibly sell.
Windows sucked until Windows 2000, and probably still sucked for a few years after that. XP sucked until service pack 2. Visual Studio sucked for years and years. DirectX used to suck, then it was sort of a big fat "meh" between DirectX and OpenGL/SDL, with the only concrete difference being that GL is cross-platform and DirectX is Windows-only -- and now, finally, DirectX is starting to be good enough that if you're developing a Windows-only game, it actually makes sense to do DirectX instead of OpenGL.
And so on and so forth.
This, folks, is why I don't mind Apple's proprietary stuff so much. Apple much more often adds features and functionality, or even fixes broken stuff, just to make a better product, and not because they "have to" -- although this may be due to market pressure from Microsoft so that Apple's products have to be perfect or better. But whatever the reason, I can usually live with a Mac, and I usually cannot live with a Windows box.
I believe it is actually possible to survive with very little nitrogen or none at all -- just oxygen -- but I could be entirely wrong about that.
Microsoft, however, is much easier.
Not easy, I know. I'm applying for a job with a place which relies on a few apps that are Windows-only, and not likely to be ported. It's a pretty much entirely-Microsoft shop -- they use Visual Studio (and also some variant of Eclipse, for other things), and the only Linux in the office is in the HD-DVD simulator box.
But at the same time, I run Linux at home, on my own servers, and in some other mostly-Microsoft places I've had contract work -- in little dedicated servers, but such that I don't have to deal with Windows much. And I have worked with a community project which uses entirely open software -- Ubuntu on the desktop, FreeBSD on the server -- and refuses to use any proprietary software, to the extent that they can help it. To my knowledge, the only evidence that they're even aware of Windows is they provide instructions on how to connect to their radio with WinAMP -- but they also provide instructions for xmms on Linux, among other things.
Accepting it and being willing to work with it is not respect.
I don't like Microsoft as a company. Most Microsoft products are an absolute pain to work with, and if asked to work with them, I will immediately ask if there's an alternative.
If there isn't, I'll try my best not to bitch about it, and I'll work with what I have to. But that's not because I respect Microsoft, it's because I respect that I have to have a job, and sometimes that I even respect the decision management made, or had to make.
As for getting people to switch, I generally do that by being an example. My college roommate constantly had to deal with Norton AntiVirus and Norton Firewall lagging him out of games, even though he didn't have a proper subscription. I had no such problems, and laughed at him when he did -- which was fine, he was laughing (and crying) himself. Eventually, he just gave up and had me install Kubuntu for him, so he didn't have to deal with it anymore.
Of course, price never hurts. (And yes, TCO -- managers love it when, as a contractor, I say "I'll keep monitoring it for free as long as you leave me with access -- it takes less than a minute for me to install upgrades.")
Ok, now I've got a question:
Are two-dimensional textures, quadtrees, etc more efficient than traditional octrees and LoD applied to 3D objects?
That was the one thing that actually bothered me about this "megatexture" concept, that I think it could be generalized so easily...
Well, that, and I also want to see more games use procedurally generated content (saving disk space and RAM) rather than just throwing some gigantic satellite-photo-sized texture at the problem.
This one's not worth replying to, because you open with such a blatant misunderstanding. A deliberate one?
I did not know I had any kind of SELinux in place, because I had never installed it, and certainly never checked for it. Now I know it comes by default with Ubuntu.
And that is correct -- I do not want to learn its complexities.
There's no contradiction there. You're just trying to find contradictions to "trap" me and make me look bad, rather than address the actual issues I've brought up.
There's no point in bringing them up again if you're just going to pretend not to understand, or evade them again. For example, the race condition. Some of what you say about race conditions is wrong, some of it's good advice, and none of it addresses the race condition in this particular app.
"Safe" my ass.
Yes, because of course I'd know exactly what size a file should be the instant it's created.
You do know date/time stamps can be modified, right? Manually set? You can also modify a file and avoid using these...
Or are you completely clueless?
Or -- don't tell me -- this was another "trap" for me?
Yes, good point. So please tell me where I can find checksums for this app? I can't even find a checksum for the installer.
I know it's hard, but please try to understand the difference between can't and won't.
I don't know...
I find dynamically loading stuff to be pretty textbook by now. It's always nice when someone does it, but I mostly notice that most people don't.
Now, maybe I'm wrong, and maybe making it one huge texture does make it harder, but I don't think so.
Once again, you don't know what you're talking about. (ipchains IS packet filtering, and advanced mangling and routing and such. However, no one has used ipchains since the 2.2 kernel, probably five years ago or more -- we use iptables now.)
Also, iptables without something more (probably SELinux) is incapable of blocking based on user or application. It only operates on packets and hosts. So I could block my entire box from accessing the Internet, but it would take a much more complex policy to block a single sandboxed app.
No need. My other post explains why there's no need.
If I start to make a habit of downloading random executables from the Internet and running them with some sort of limited access, then I might put some effort into learning it. But until then, it makes life a lot simpler not having to deal with it.
Wow, you really don't know, do you...
If I remember right, chroot itself can only be called by root. The easy way for root to break out again is by doing things like creating device nodes and directly accessing the hard disk, among other things. But none of these are available to non-root users.
It's apparently not possible, at least within that chroot environment.
Well, I'm concerned about physical security, too. But I live in a small town, so I don't feel the need to have an alarm system.
I also don't own a gun. It's not that I'm opposed to guns, I just don't think I need that amount of security.
Now, if I was in an inner-city neighborhood, then I'd have an entirely different approach. Just as if I was running Windows primarily, and it was a server or some other really juicy target, I'd probably seek out advice like yours -- though maybe from another source -- and implement the tightest security I possibly could.
You weren't willing to try my "test" involving a random piece of spam, so why should I take yours?
I'd like to think that I'm a bit more than that. In fact, I'm not a good graphic artist at all.
Probably not unconfigured. All Ubuntu setups come with default SELinux policies.
So under what restrictions did this test run on your system? I bet it "made you insecure" also.
And you have the nerve to call me dishonest?
I don't think it was a trap at all. I think that, backed into a corner, your only defense is "I lost on purpose!" -- in other words, once I pointed out how insecure chroot alone is (compared to chroot with other forms of security), your only choice was to claim you knew all along, and just wanted to see if I knew.
I simply choose not to.
There's no need for more advanced SELinux than the default policy -- I simply don't let things into my computer which don't need to be there.
You also have no idea how iptables works -- and ipchains hasn't been the default since the 2.2 kernel. Come back when you do. (Short story? There's not an easy way to run untrusted software and deny it access to the Internet, without also denying access to the rest of my system. SELinux may allow for this, but SELinux is a much more complex approach that is simply overkill for the vast majority of systems.)
You really do have an ego trip going, don't you?
I know about chroot jails. I've had to deal with them when setting up Postfix, which ends up chrooting and dropping privileges for some twenty or so processes it runs, leaving an absolutely bare minimum running as root -- or even with access to the mail spool.
For that matter, I used to use Gentoo, which is installed via a chroot "jail" -- a very convenient way of doing it, by the way, as it means you can install from any Linux environment, not just Gentoo's own livecds.
Furthermore, I tried a chroot jail. It didn't work, because your tool doesn't like such a minimal environment. (Or hell, maybe it just had a bad hair day -- not my job to debug it, especially if they give no source code.)
The only reason I didn't start with a chroot jail is that it's a hassle to set one up for a program that isn't designed to run that way.
Where'd you state that they were broken, other than right here?
"Programmatic Impersonation" is a Windows technique, and from a quick glance, it looks to be similar to setuid -- and I have no insecure setuid apps, period, much less in that minimal chroot. Privilege escalation is not an exploit, it's a class of exploit -- that's like saying there might have been a buffer overflow, which is true. But I'm not likely to be vulnerable to either at all, much less inside that chroot jail.
I use a sandbox for programs I flatly do NOT trust. "Layered security" makes sense with things like postfix (which I described), but I feel no need to discuss them when they aren't relevant to being able to run your program.
It seems you throw "quotes" around "words" that you don't actually understand, and are just using because they are buzzwords that you read about somewhere.
Tell me, what capabilities did your testing program have when you ran it? Can you tell me what entities you had to trust in order to run it, and what capabilities you had to trust them with?
There are anonymizing proxies in the US. There are also people who surf Slashdot from Tor, using completely random IP addresses. I'm not one of them, but it's certainly possible.
Once again: Do you actually think the admins are getting involved? Do you actually think Zonk or CmdrTaco are going to come to your rescue and prove which post is yours and which isn't?
They can only be broken out of by root, which is why I won't run this program as root, even chroot'ed.
No, you're just the one who may have faked it. I wouldn't call something so easily faked "proof", would you?
Think back to my impersonation of you. That's proof you're homosexual, right?
Oh wait -- it's not proof of anything. It was faked.
To make it more believable.
Yes, and how goes that spyware I told you to install?
It would have been more insensitive and insulting not to mention it, I think. Because I do find his actions here pretty stupid -- at least if he's actually retarded, there's an excuse.
Or would it have been more sensitive to say something like "mentally challenged"?
That benefit isn't really tangible -- it's actually pretty abstract, considering he pretty much never plays any PS3 games. Thus, the only benefit to him is the internal memory card, which he didn't understand until I finally made it work. (He was playing without saving because he thought he would have to buy an internal memory card -- never occurred to him to click the "create" button and see what happened.)
So, if anything, while playing his older games, it was a loss -- he lost the ability to save. In fact, there was a point where he went back to his PS2 for most things, until we finally got it through his head how to use the "virtual memory card" system.
Now, he has actually started renting some PS3 games -- he never seems to buy games, even when he rents them for long enough that it costs him more -- but mostly, it's his brother, and mostly, he's still playing older games on it. He's also not exactly rolling in money -- he's got government support for just about everything -- which is not his fault, there's not a lot of work he can do. But this means his parents had to buy it for him...
He'd be a perfect poster child for me to make a case about late adoption.
Which he doesn't use.
They are if:
In that case, I would say that they were idiots to buy a new HDTV in the first place, because it offers no added value over standard definition, and maybe even a loss (not all HDTVs scale SD well).
I could understand if they were planning to buy at least something to go with it -- maybe even a computer. But other than that, the only excuse that makes sense is, the HDTV wasn't going to cost them any more than a similar SDTV.
I think the iPhone analogy fits. There's nothing wrong with making POTS calls on it, but I think it's kind of a waste of money if that's all you do with it.
Well, you can be up front about it without being an asshole -- and he might actually say "You know what, you're right, I can't handle this -- lemme get my supervisor."
Or you can specifically ask for the supervisor, etc... Point is, my goal is to get the problem solved, and if the first tech I call can't help me, I probably want the next tier up.
Asking flat-out can, in fact, work with some of the larger companies. I remember calling Apple about a hardware issue, and the support person who told me they wouldn't be fixing my Powerbook for free was more than happy to send me up the chain until I finally got a manager type who could actually give me the real reason and the policy behind it.
The two are related. You might get that resolution quicker next time if the "dumber than a bag of hammers" people get fired, especially if they get fired quickly enough that management notices and tightens their standards, maybe starts to pay more for it.
Also, I imagine with your attitude (refusing to follow instructions, hanging up, lying, etc), even if it's all very well justified, it's got to make a tech's life hell -- which makes people want to get the hell out of there -- which makes it even more likely that the next time you call, you'll get someone even dumber.
I just don't find that to be more effective. ALL the first-line guys are going to be somewhat dumb, except the ones that are overdue for a promotion (which are pretty rare). Second best are those who know how inept they are, so they know when to escalate you.
I figure, I want this problem solved as quickly as possible -- in wall time -- not in as little of MY time as possible. So if I can be on the phone for 20 minutes doing bullshit, and get escalated at the end of it, it's better than calling back in 20 mins and getting another moron, trying again in 20 mins for another moron -- waiting on hold, too, most likely -- and in maybe an hour or two, I get someone who knows what they're talking about.
Well, I know how to take a disk image, so reformatting isn't as huge a deal. Time consuming, yes, and I will fight it as long as I can -- but it won't actually cause problems.
I do this for two reasons: Sometimes they are right, and if I flat-out refuse, the next tech might ask the same thing -- it helps a lot if they really and truly can cross it off for the entire issue.
See, the reason I don't do that -- pretty much ever -- is that you don't really know what results to tell them. You can probably fake it pretty well, but there's also a good chance you're fucking with their process -- for example, what if that reformat actually did fix the issue? (I mean, if smoke's coming out of it, maybe not, but other issues...) So now, even if they send you a new piece of hardware and that works, you've now fucked with their processes -- they are now confused about a perfectly good solution not working, and may have to pick an even more retarded one.
Also, have y
Alright, correction: I do, in fact, have selinux installed. Apparently it comes out of the box on Ubuntu, along with ACLs and all the rest. It's still not something I look forward to learning about, for a single-user system.
Well, first of all, it is possible to break out of a chroot jail, when running as root. So I did create a very minimal chroot jail and attempt to run this as a user...
It didn't work. The installer complained that it could not find where to install to, so I pointed it to the only place it was allowed to write to -- the home directory of a sandbox user I created for this experiment. It then attempted to install, and failed miserably.
Why it can't run from the jar file (keeping tempfiles somewhere else) is beyond me. Unprofessional as hell. No useful error messages, either -- just an exception thrown.
THIS is the only program you can use as "proof" of your system's superiority?
(Hint: Give. It. Up. Only complete newbies to the field of security have delusions of any kind of "proof" of security. You can prove a system insecure; you can't prove a system secure unless you're willing to algebraically verify it, and that's really impossible to do with a desktop system.)
Your screenshot would be a lot more credible if it weren't for the obvious transformation it's undergone already -- apparently, some sort of free image host added a watermark to it, if you can really call it a watermark.
But let's talk about where you were wrong:
You were wrong about the chroot jail; your program doesn't like running under a chroot jail, with the restrictions I used. (This also would not have prevented it from sending spam, now that I think of it -- shouldn't have even gone that far.)
You're wrong about etc:
No, /etc is primarily configuration. State would likely be somewhere in /var/lib, or in users' home directories.
You've been wrong several times about what I was intending to say, in very big ways.
You're still wrong about why I, and others, refuse to take your "test". Maybe when you get it, you'll know what to look for the next time you look for such a test.
And you're wrong that such a test can ever be a fair comparison between completely different OSes.
A chroot jail would help, yes, if done the way I did. Unfortunately, that doesn't work. A chroot jail that's just a fresh install of Ubuntu Minimal isn't going to give me any kind of advantage, other than making it difficult (though not impossible) for anything to get out to my main system.
If you're really that curious, let me know, and I'll do some full virtualization (completely sandboxed, with networking disabled, of course), although qemu does seem a bit unstable for me lately. Just realize that at that point, it's no easier for me than it is for you -- they make virtualizers for Windows, also, even free ones (like qemu), and you can download a CD image as easily as I can. In fact, I'm running kind of low on disk space now...
As for filesystems, ext2 is slightly faster than ext3, and it might make a huge difference under emulation. ext3 will protect you from data loss from crashes, but you can do that somewhat with qemu's snapshot mode, and a corrupted VM isn't really the end of the world. I know XFS supports ACLs also, I'm not sure about ReiserFS, JFS, etc.
When did I say that?
No, I don't have it compiled or installed. And since I don't normally run programs I don't trust, I see no reason to compile it and learn its intricacies (and very possibly cripple the rest of my system) just to satisfy your curiosity.
I could setup a chroot jail, or something similar. However, chroot jails can be broken out of, and they are a hassle to setup -- and I actually know how to do those. I don't know how to do SELinux.
If you are so curious, it is not difficult to download and install Ubuntu, and you can probably even find a Qemu image to use.
SELinux is more than just ACLs, which is why I'm reluctant to do it. I doubt ACLs alone are sufficient to sandbox this program, and I don't feel like experimenting with what they might do to the rest of that system.
By the way, I did mention that a perfect comparison between OSes is impossible.
I have a tool for that, too:
apt-get update && apt-get dist-upgrade
It won't detect a rootkit, maybe, but what's to stop a rootkit from targeting your tool as well?
It wouldn't be hard, if it creates world-writable files during installation.
Oh, please. It's a JPEG file, a snapshot of a bunch of text in a table.
I bet I could fake one with HTML, even, in less time than it'd take me to properly configure SELinux. Take a screenshot, give it just the right amount of jpeg compression, and no one would know the difference.
Oh, maybe there's a watermark or something in there... So what? You've mentioned nothing of the kind, yet you hold it up as "proof!!" -- even though you yourself admit it's inaccurate.
At least be honest with that big cut-and-paste troll. Stop calling it "proof" of anything.
Let's stick to this thread, especially if you're just going to copy and paste.
In fact, we can let this thread die, unless you want to talk some more about why it's good to admit when you're wrong...