After 10.2 is out? Or does the support of people with 10.1's stop once 10.2 is avail? I'm referring to software updates, security patches, etc.
I just purchased OSX a few months ago to put on an old second hand iBook I bought, and Steve, I don't really wanna pay more money for it just yet. How's about making us pay for OS XI?
I'm actually looking for a good reason to put OpenBSD on my iBook and just hone it down with WMaker, OpenOffice, Opera, etc.
I love OSX, but if I have to fork out money every year for the latest patches then you can get fucked (Karma = Excellent is boring).
Plus, if need be, my next notebook will be one that supports OpenBSD the best (hint hint) and will not be the TiBook I really have been wanting.
I think you've been given a bit of a bad rap here.
Script kiddying is nothing to be proud of, but I don't think it's anything to be ashamed of either. People who take care of servers on the net, who don't keep them patched should be ashamed. Before someone jumps down my throat, I'm not referring to the Honeypot, it did what it was supposed to do, I'm referring to real production servers.
If it weren't for root kits, there would be less desire to keep secure, as I believe real hackers are a rarity amongst all the script kids. Script kids keep admins on their toes. Kids will be kids.
Hey, there are even gays on the other side of the fence, so to speak...
Here is Theo de Raadt slamming into Darren Reed over Darren having a bit of a poke at OpenBSD practices in the shadow of the recent OpenSSH hole that led to a remote exploit in the default install.
I spend more than 8 hours of every single day of my life auditing code (and over the last week, 16+ hours a day), and here is some gay guy from Australia who spent all of Usenix in San Antonio years ago moping with droopy eyes after a very straight and girlfriended Mudge is not going to tell me that I am not doing enough.
I posted an answer, titled "Gloria Foster, RIP," almost immediately after you posted your question. It got modded down. Twice. WTF?
Exactly devphil. I was wondering myself WTF at the logic of the moderators on that one.
I think the moderation system is pretty stuffed up. I think anyone who hasn't posted on a news item should be able to moderate within that item with only a limit on being able to moderate a single post once with one point.
Perhaps this would allow the results of each posts moderation to be more indicative of a broader opinion base, rather than being judged by TWO moderators who don't know what offtopic means.
Moderators, can someone please mod devphil's informative post back up out of the offtopic hole it's been put in?
Anyone heard news that there will be a new actress to play the Oracle?
I was in the National Geographic shop in Darling Harbour Sydney, browsing, when a lady with a Yankee accent came in. The guy behind the desk asked her where she was from, if she was a tourist, etc, etc.
She claimed that she was working on a new movie, the guy behind the counter asked which, she replied The Matrix. The guy and the girl behind the counter were impressed, they asked what she had to do with it and she said she plays the role of the Oracle, since the actress who played the Oracle in the first movie has passed away.
Can anyone confirm that the original Oracle actress has passed on?
What do you need >100Mbps for, anyway? Until you have an answer, just leave it alone.
My old Seagate drives sustain 17MB/s on their own, however they're in RAID-0 so they do a fair bit more than that. New IDE drives typically do around 25MB/s+.
So if you want to copy data from one machine to another, why not get rid of the 10MB/s bottleneck if the price is worthwhile? 1000Mbit is getting pretty cheap now.
Until I have an answer? A full 650MB CD takes 66 seconds over 100Mb and about 7 seconds over gig. There's an answer. ; )
ethernet however saturates at 60% so you can only get real transfer of about 60 Mbps
At 10Mbps with a 3C509B (nice card if 10Mb ISA is your bag), I get actual transfer rates of ~1.14MB/s (1,200,000bytes/sec (96%)). I guess the rest is protocol overhead.
On my 100Mbps connections (iBook OS X - PII300 OpenBSD) I get 9.8MB/s with ftp transfers.
Too bad that an OpenBSD system only exposing ssh to the internet would have been vulnerable to a remote root hole for years now.
A system with a hole is not vulnerable until someone discovers that hole.
No intrusions were announced before ISS found the hole, if they were it would mean that ISS was not the first to find it and it would have been patched before the ISS discovery also.
So at the end of the day, the default OpenBSD install had a hole, but was not vulnerable because Theo warned people vaguely how to temporarily fix the hole until the full patch was released. So ultimately, no default OpenBSD install was vulnerable that was kept up to date with security patches. If Theo was specific, he would have put a spotlight on 500 lines of OpenSSH code out of 27,000. Which would have led to a quick exploit.
Cancer can be cured, but without a cure for cancer or knowing how to cure cancer can you cure it?
This is propeller head stuff, but it is not overly technical.
This guy is basically plotting pseudo random number sequences so that a human could look for patterns. Computers can not be trusted to find patterns in all circumstances, whereas a visual pattern can easily stand out to human eyes. Of course, there would be patterns that a human could not detect that would require a computer to find (witness MP3). The question is, how do you plot 32bit numbers which pretty much represent 1 dimensional data of very wide proportions between low and high values?
Break the 32bit numbers up into smaller parts to be viewed as points in 3D space!
I have been interested in LFSR (Linear Feedback Shift Register) PRNGs for a few years, starting out designing them in hardware and then finding out through reading Bruce Schneier's "Applied Cryptography" that I was actually onto something.
I wanted to view my streams broken up into 2D dots as postscript to find patterns that showed weak (and thus the possibly strong) LFSR designs in the hope that I may find some high quality designs that have astronomical stream lengths before repetition.
Though I wonder if 2D would be as good as 3D for finding patterns. It seems being able to rotate the sampled data in real time would be better for finding a pattern that can be missed with a single 2D picture. Or is this the author's way to simply represent very high resolution numbers on relatively low resolution screens?
I have also been thinking of plotting streams to 2D images which I would then blur to greyscale to search for patches of light and dark to show low quality designs and save designs that show the best uniform shade of grey as possible candidates to be considered strong and thus used in designs that make up multiple hashed LFSR designs that provide stream lengths greater than the bit depth of the output itself.
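The approach sketched above, as an added example that is not code from the original thread: a 32-bit LFSR's output words are split into three 8-bit coordinates (the "points in 3D space" idea), binned into a coarse grid (the "blur" step), and the grid is scored for light and dark patches with a chi-square statistic, so a weak design is flagged numerically rather than by eye. The tap sets, seed, grid size and sample count are assumptions chosen for illustration; a plain 32-bit rotation stands in for a weak design.

```python
# Added example, not code from the original thread: feed a 32-bit LFSR's
# output words into a coarse 3D grid and score the grid for uniformity.
# Tap sets, seed, grid size and sample count are assumptions for illustration.
from collections import Counter


class LFSR32:
    """Fibonacci LFSR on a 32-bit state.

    `taps` are 1-based tap numbers in the usual table convention (tap 32 is
    the bit being shifted out); the XOR of the tapped bits becomes the new MSB.
    """

    def __init__(self, taps, seed=0xACE1ACE1):
        if seed & 0xFFFFFFFF == 0:
            raise ValueError("all-zero state is a fixed point; use a non-zero seed")
        self.shifts = [32 - t for t in taps]   # tap number -> bit position
        self.state = seed & 0xFFFFFFFF

    def clock(self):
        bit = 0
        for s in self.shifts:
            bit ^= (self.state >> s) & 1
        self.state = (self.state >> 1) | (bit << 31)
        return self.state

    def word(self):
        """Clock 32 times so consecutive words share no state bits."""
        for _ in range(32):
            self.clock()
        return self.state


def split_point(word, bits=8):
    """Break the low 3*bits bits of a word into an (x, y, z) coordinate."""
    mask = (1 << bits) - 1
    return ((word >> (2 * bits)) & mask, (word >> bits) & mask, word & mask)


def grid_counts(points, bits=8, cells=8):
    """Bin coordinates into a cells^3 grid (the coarse 'blur' step)."""
    counts = Counter()
    for x, y, z in points:
        counts[(x * cells >> bits, y * cells >> bits, z * cells >> bits)] += 1
    return counts


def uniformity(counts, cells, n):
    """Chi-square per degree of freedom: ~1.0 is uniform, >>1 is patchy."""
    expected = n / cells ** 3
    chi2 = 0.0
    for cx in range(cells):
        for cy in range(cells):
            for cz in range(cells):
                obs = counts.get((cx, cy, cz), 0)
                chi2 += (obs - expected) ** 2 / expected
    return chi2 / (cells ** 3 - 1)


def score_design(taps, n=16384, bits=8, cells=8):
    """Generate n words from an LFSR with the given taps and score the grid."""
    gen = LFSR32(taps)
    pts = (split_point(gen.word(), bits) for _ in range(n))
    return uniformity(grid_counts(pts, bits, cells), cells, n)


MAXIMAL_TAPS = (32, 22, 2, 1)   # x^32+x^22+x^2+x+1, a period 2^32-1 polynomial
ROTATE_TAPS = (32,)             # feedback is the bit shifted out: a plain rotation

if __name__ == "__main__":
    for name, taps in (("maximal", MAXIMAL_TAPS), ("rotation", ROTATE_TAPS)):
        print(f"{name:8s} taps={taps}: chi2/df = {score_design(taps):.2f}")
```

The rotation design lands every sample in one cell, so its score is roughly the sample count, while the maximal-period design scores close to 1.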
Yes, I like open source as well. But whether it leads to better products in any particular aspect depends on a person's needs and wants
As an example I'm sure you've probably already seen, here is an example of open source software being more secure than closed source, where convenience is not hurt.
Security here, is basically ranked as highest to lowest, which turns out to be open to closed. Naturally, as one would expect, the open source project which focuses on security is at the top of the lot.
In the open source world, someone might implement a PRNG thinking it is strong. One day, someone discovers that it is not very strong by looking at the source or looking at the output statistically. They might complain that it is not strong, leading to a better PRNG being written by the original author, or as is typical with open source, someone with greater expertise may submit code that is stronger, which gets used.
In the closed source world, someone (or a team) might typically be hired to program a PRNG as an "expert" of math programming. So his expertise is trusted, he implements his expertise, his random streams turn out to be VERY pseudo, as analysed, spoofing attack tools become available and the admins and closed source programmers scratch their heads in wonder at these attacks. Finally, after it becomes publicly known that the closed source is weak (usually through open source advocates who present analytical evidence), the closed source programmers embrace the BSD license as a "God send" and then proclaim industry leadership through innovation. ; )
This is just a bag of disjointed tools that might, with effort, be coaxed into doing what needs to be done -- I say this as a user of some of the tools you've mentioned.
Because most of them do an excellent job without graphs? : ) I kinda prefer getting SMS paged with critical alerts and emailed with all alerts greater than "odd behaviour". Sitting looking at graphs 24/7, or having some team paid to do this is not my idea of effective event monitoring.
For example, Windows NT (just to give an example) allows you to monitor the behaviour of virtually every kernel object and graph them against time. I am not aware of similar capabilities in any of the tools you have mentioned.
Some people who go further than waiting for the next service pack, don't need graphs. Where they are useful, they are usually present.
Or what about auditing trails, such as who accessed what how when?
Proper admin would advocate the usage of sudo, which logs nicely and proper usage of file permissions. If you're sufficiently concerned about security then logs can be made impossible to tamper with electronically. Printing logs to line printers is very common in Bank and Stock Exchange data centers. Been there, done that. Or if this is over the top for your systems, you might like to log to an OpenBSD syslog server which is configured to only allow appending to logs even for the root user. Doing that via a serial connection that does not accept logins for that little extra security? Or perhaps logging to WORM is more your style?
It's already happened. We started the whole #!/bin/sh thing after all. All we need now is a convenient way of preserving file attributes and a convenient way of opening email attachments and we are in a world of hurt.
If a Unix user logs in as a normal user on a system that has been kept up to date with security patches, little can be damaged. Perhaps some of their own files will be lost or exposed if they use an insecure mail reader. If they're logging in as root, on a system that is not up to date security wise, while reading mail with an insecure mail reader, then they deserve what they get. I'm guessing the point between discovery of this weak mail reader and the fix would be a very thin slice of time if the history of open source security is anything to go by.
Have you used Star Office 6 or open office? I have used SO6 beta, it is pretty amazingly just about there. All we need now is decent groupware and I think an MS free World will be much easier to swallow for people who "need" the features.
I am confident that they will initially run into similar security issues.
You are confident. I am confident. I don't think the open guys will fall into traps that allow a document to execute (via interpretation or otherwise) code not related to the app that document is intended for.
So maybe you can point me in the right direction.
I'm sure you've seen the goings on by now.
People like him are exceptional, not the norm.
Yes, however there are a lot of exceptional coders in this World who do look at open source. The types who tend to read code and contribute patches, tend to be above the norm anyway. There are plenty of them.
The point is it happens on the closed source side of the fence as well, and there is less of a dependence on Great Leaders there.
The point is, that the exceptional video driver developers who normally write closed drivers for Windows for one of the largest most respected video card makers, had their open source driver improved by an uninvited outsider, thanks to the driver being open source.
You are the one who claimed security and open source go hand in hand. But apparently they don't.
I never said OSS is a guarantee of security. My stance is that open source allows security and stability to be easier to implement than closed source. Unless you include obscurity as a security measure, which I don't.
It means that there is no open source software that is certified for use in some of the most security-conscious environments, despite your insistence that open source development must lead to more secure software.
Yeah, and NT4 was certified to the point where it could not be connected to any network, must have no removable media and have the POSIX layer removed! Software gets certified through payment for that certification. Who has paid to have a free BSD or a Linux distro certified? Lack of this does not show lack of security.
The point is, what is the cost of having your network go down once every so often,
It's not just network downtime, it could be corporate IP loss or exposure, public embarrassment, loss or exposure of customer property leading to liability, etc.
versus lacking all the features Outlook & Office provide in the mean time.
People and companies serious about security, who use MS products for example, end up disabling and avoiding many of these "features".
Well, tell me about it. This is all about sharing, right?
I actually do read through source, along with books like Applied Cryptography (I've been into digital electronics since the 80's, starting with Navy Weapon systems) and have an unhealthy interest in building hardware pseudo random number generators. I read the source because I am interested. I didn't find the hole because software security is not my forte, but I am but one person. Someone did find the hole, which is easy to close.
No, it was perfected via painstaking attention to detail. In all those years nobody ever found the bug, which pretty much kills your "hundreds of thousands of eyes" theory.
But it was found, outside of the OpenBSD developers. We are looking at a single uncommon incident here too. Though the hole is uncommon, the discovery, quick workaround and subsequent fix is not.
My stance is that open source makes finding and fixing bugs easier and I have seen it first hand as a beta tester of open source video card drivers, where people outside of the developers were submitting code or pointers to broken code. John Carmack made an extended visit to our list, fixed code and made the drivers faster. He was not invited personally, he just dived in to open code. Something he or anyone else would not have been able to do if they were not a part of it as a closed source project. I've heard he did this for other cards which have open source drivers also.
I have every reason to believe that this kind of review never actually happens.
I watch it happen regularly in the mailing lists I am subscribed to.
Linux, which has far more people working on it than OpenBSD, is not more secure than OpenBSD
You are comparing two open source systems, one which is focused on security and the other which is not. Two very different code bases. You need to ask why Linux is not as secure as OpenBSD? You should be asking why the Microsoft World is regularly damaged by viruses and exploits and the open source World is less so.
Which shows that proper administration is much more important to the security of a system than the question whether that system runs open or closed source software.
Of course admin is the most important aspect of any sites security and stability. But choosing systems that you need to assume to be secure is not a good admin choice.
Personally I believe that even if this were true, closed source software easily makes up for it in features and support (e.g. documentation).
OpenBSD has great docco. Pity people don't use it.
Does that "average" include all the stillborn projects at Sourceforge?
Obviously it includes mature projects that mirror closed source applications.
You want to posit this kind of argument that there is such a thing as "perfect security", and that OpenBSD (and other open source software) exemplifies this.
I have never stated anything that slightly suggests that I believe there is any such thing as "perfect security". There is no such thing.
But that is bunk. Unix security is lackluster at best. It is the typical "good enough" type system. Windows NT, Solaris and AIX offer far more flexible and powerful security models -- if you need them.
Does this mean that you put OpenBSD and/or Linux under the umbrella of "Unix" but not Solaris and AIX?
Would you like to elaborate on these more flexible and powerful security models?
Does Windows crash when you load in Mozilla?
Windows networks come crashing to their knees when a user receives an infected email. You have got to be joking.
Like, such as, irony of ironies, with the current OpenSSH hole? Did you check the source to see where the alleged vulnerability is at? Do you know people who did? I'd be interested to hear.
Rare occurrence. Yes. Yes. And it has been fixed quick smart too.
Furthermore it is interesting to note that SSH, the topic under discussion, was originally conceived and delivered as a commercial product. Not a strictly "open source" one.
And looking at the track record, perfected by the OpenBSD crew via open source.
Not because I "believe" it to be secure, or even because I necessarily think it is "best of breed".
Closed systems at my local stock exchange proved to be unreliable while I supported their backup site. I don't think or believe (in the religious sense) in OSS security or stability, I know it from experience.
So what? That might mean that closed source software has wider deployment.
It is actually a statistic of holes, not a statistic of reported exploits.
It might mean that closed source software is scrutinized more closely.
Open source is an easier target to find holes but also to fix holes. Closed source gets security via the wrong reasons. Obscurity.
It might even mean that closed source software is used in more places where security matters.
Once again, it is a statistic of holes, not a statistic of reported exploits.
The bottom line is that the distinction closed/open should make very little difference when evaluating the security aspect of any particular installation.
And guns don't kill people, it just makes it easier for people to kill people. Open source doesn't make security, it just makes it easier for people to make secure code. Do you think hundreds of thousands of eyes reviewing code is not better than a typical corporate team of eyes?
alldas.org defacement statistics [alldas.org] per OS place Linux, an open source OS, at 22%, while Solaris, which is closed source, clocks in at 4%.
These are incidents and worst case ones at that. Anyone can badly admin a server and chances are that those that do are doing it with Linux more than Solaris. You can after all, accidentally get into Linux from a visit to your local newsagent.
The numbers I have been giving show capabilities of software. Unless the admins fixed broken code without giving it back, the admins here are irrelevant. You are showing worst cases which can easily be bad admin.
I also note that you failed to answer my question: if open source makes for secure software, then why do we need something like OpenBSD at all? Why are not all open source OS's as secure as OpenBSD?
Not all open source projects are focused on security to those levels. I firmly believe that the average open source software is more secure and has less bugs than closed source, it does not need OpenBSD, some people do though because OpenBSD takes security to a step above everything else. OpenBSD is an extra move forward in security.
The bottom line is that the distinction closed/open should make very little difference when evaluating the security aspect of any particular installation.
Any particular installation that uses open source, has the source to scrutinize and fix. Any particular installation that uses closed source, has to hope there are no holes and then when holes do become apparent they have to hope for a quick fix, which rarely happens.
Again, irrelevant. It might mean that open source people will go to great lengths to avoid rebooting their machines.
If those systems were exploitable, they would have been exploited. A server with almost 4 years uptime shows stability if you ask me.
It might even mean that open source software is conservative/stagnant.
Conservative as in putting security before features? They get the jobs done. Mail gets relayed, web pages get served, files get downloaded. Yet they don't get owned anywhere near as much.
Unless the reboots actually hurt business there is no inherent advantage to long uptimes.
Some installations require stable systems 24/7.
Great stability and security are achieved by paying a lot of attention to stability and security.
Of course.
The development method is strictly secondary.
The development method can either make the job easy or hard.
What can I say. Try harder. For example take a look at how Linux MM will happily let a process run amok with a high probability of wrecking the box.
Are we still speaking comparatively? If you choose a worst case I will choose Microsoft. But please, look at my .sig for my opinion of Linux MM. My primary OS of choice is OpenBSD, but Linux has been very reliable for me, even with occasional broken MM, much more reliable than I have experienced with closed source OSes.
That might be true, but is hardly any consolation if OpenBSD does not do what you need it to do.
OpenBSD is a secure foundation for running some open source services that have shown to be more secure than their closed source counterparts.
What about the 13 Apache vulnerabilities [apacheweek.com] since 1999?
33% were Win32 specific, how interesting that an open source project has a hard time becoming secure running in a closed source environment. 40% were specific to modules or other support programs. 27% were Apache itself.
Easy. Ping of death was fixed within 48 hours on Windows. I'll grant that the Linux fix got there faster.
Most people take "hours" to mean hours less than 24, since 24 becomes "days".
So what?
You're either exposed or out of action until the hole is fixed. That's what.
Security? A comparison of 2001 CERT advisories shows that closed source software constituted 72%.
Stability? Netcraft shows that the web servers with the top 10 average and the top 19 maximum uptimes are Open Source.
Open source allows people who are passionate about coding to code great things in large groups. They get great stability and security through honest desire and mass co-operation.
Closed source allows people who are passionate about money to code profitable things in small groups. They get money through marketing. Being closed allows them to brush problems under the carpet in the hope that they won't get noticed until after that product's lifetime. Or even claim that problems are merely "theoretical", until someone posts a "BeSysAdm.exe".
Source availability has little to do with the security or reliability of software.
I have been supporting closed source software for the past 9 years and I've been using open source software for about 5 years, supporting for about 3.
Linux, FreeBSD and OpenBSD have NEVER crashed on me in normal circumstances (I have managed to make Linux crash when tweaking and building custom kernels). I could never say this about any closed source software I've supported. Netware is pretty stable, but can't touch FreeBSD from what I've seen.
OpenBSD is secure because Theo and friends
Of course, but plenty of fixes and alerts come from people who are simply able to read the source and "friends" come into the stable due to being able to read it in the first place.
this security comes at a steep cost ((re)training, missing features, maintenance).
Learning OpenBSD for someone who is knowledgeable about network security is far from steep learning.
Very few machines can be made useful running only the "default install".
Even in light of the recent vulnerability, Apache actually has a good security history. The last time it was mentioned in a CERT advisory was 1996. IIS has been mentioned 8 times since. Then there's Qmail...
Compare, what?
Oh I don't know, compare the comparative?
IIS? NT/2000?
Open source also allows fixes to come very quickly. Often the person who was able to find the exploit, also supplies a patch to fix it. If not, it often comes within a day or even hours. Can you find a closed source hole that was fixed in hours?
Would you like to elaborate and become the first person with cryptanalysis which shows a weakness in Blowfish and thus enjoy the spoils of your elite mental power? You are about to knock Bruce off his pedestal and render his works suspect?
No? I thought not.
PS, moderators, the parent post is not "Insightful", it is one of either "Funny" or "Troll" depending on your mood and knowledge of Blowfish and typical Slashdot Anonymous Coward posts. I would lean towards Troll and moderate him down into the rest of the noise.
1. OpenBSD does not start httpd by default. 2. The exploit opens up a terminal that appears to be a root term, but is actually a fake. It only has nobody privs.
If you don't read the lists, then look at the archives. The exploit is humorous, but against Apache. The OpenBSD crew don't write Apache, they just fix it when it breaks.
The most stable OS to be running it on, would be OpenBSD.
If you are going to make a blanket statement comparing security and reliability of open vs. closed source software, then I think you should compare the best of both Worlds.
I'll start with the open source World and suggest OpenBSD, 5 years without a remote hole in the default install. You can read that as, an extremely secure kernel, with an extremely secure network stack and general system layout.
I'll leave the closed source contender up to you to present to us. ; )
Any idiot can look at "Open Source Done Wrong (tm)" and then say look, OSS is shite, but then any idiot can be a source of open source (or closed for that matter).
The best of breeds should be shown before the average and worst.
This shows that the G4 has easily kept up and is showing everyone else how to design a CPU, ie not in a braindead fashion. Intel designs CPUs so that they can crank the MHz up as much as possible. The PPC gets speed with smarts.
With the G4 being on average in that test around 3 times faster than the PIII with a 20% faster internal clock tick, the G4 it would seem is on average 3.6x faster than the PIII, clock for clock. Driving home Apple's sentiment that deciding on MHz alone is ignorant at best.
So a 1GHz G4 is about a 3.6GHz PIII.
I would like to see those tests too! But bear in mind, the G4 is nearing the end of its life as the top CPU in the PPC World, so I would like to see the tests of the G5 against whatever Intel and AMD's current CPU is.
that's right, it won't stop a determined hacker. If they want what's on your machine, and they have physical access, they'll get it.
I think we are considering the wrong tools for different jobs here.
The OpenFirmware password should be used to disallow usage of your machine as a whole (hardware stolen etc) and disallow a weak attempt at theft of private info from the machine (most attempts would be weak, the average joe is not an elite cracker or even script kiddie).
High protection of your valuable information should be kept inside an AES-128 encrypted disk image. If they can get your data out of that (stored with a strong password), then they are pretty damned determined!
At the end of the day, suffering a loss of hardware can be something hard to avoid. You need to decide how much you are willing to spend to prevent the theft of hardware. Securing the data is the easy part.
If everyone secured their Macs with the OpenFirmware password, thieves might soon avoid stealing them since their value to purchasers plummets. Thieves would not be able to demonstrate that "they own the machine" and that the machine is usable to a private buyer, money-lent shop, etc. I know many stolen goods are sold on the street without any demonstration, though thieves selling useless hardware will soon get a bad reputation for supplying useless goods and thus avoid those goods.
It should come pre-enabled with OSX, since the BIOS queries for a password, allowing the rightful owner to protect their hardware.
Bruce Schneier states that "I am wary of using MD5", due to a "weakness in the compression function". "One of the basic design principles of MD5 - to design a collision-resistant compression function - has been violated", though "this has no practical impact on the security of the hash function".
However, the full MD4 algorithm could not be attacked.
So I wonder how much better MD5 is over MD4? More complex might not mean better at the end of the day.
SHA1 seems to be better and has not had any successful cryptanalysis attacks yet. But the original SHA spec had a flaw that the NSA refused to elaborate on, which has most likely been fixed in SHA1.
As of the 13th of July, our script kid friend wants to hide his screenshots section for some reason.
Too bad Google has it cached.
I love reading Theo's posts.
I posted an answer, titled "Gloria Foster, RIP," almost immediately after you posted your question. It got modded down. Twice. WTF?
Exactly devphil. I was wondering myself WTF at the logic of the moderators on that one.
I think the moderation system is pretty stuffed up. I think anyone who hasn't posted on a news item should be able to moderate within that item with only a limit on being able to moderate a single post once with one point.
Perhaps this would allow the results of each posts moderation to be more indicative of a broader opinion base, rather than being judged by TWO moderators who don't know what offtopic means.
Moderators, can someone please mod devphil's informative post back up out of the offtopic hole it's been put in?
Anyone heard news that there will be a new actress to play the Oracle?
I was in the National Geographic shop in Darling Harbour Sydney, browsing, when a lady with a Yankee accent came in. The guy behind the desk asked her where she was from, if she was a tourist, etc, etc.
She claimed that she was working on a new movie, the guy behind the counter asked which, she replied The Matrix. The guy and the girl behind the counter were impressed, they asked what she had to do with it and she said she plays the role of the Oracle, since the actress who played the Oracle in the first movie has passed away.
Can anyone confirm that the original Oracle actress has passed on?
Damn, she was uber cool.
What do you need >100Mbps for, anyway? Until you have an answer, just leave it alone.
My old Seagate drives sustain 17MB/s on their own, however they're in RAID-0 so they do a fair bit more than that. New IDE drives typically do around 25MB/s+.
So if you want to copy data from one machine to another, why not get rid of the 10MB/s bottleneck if the price is worthwhile? 1000Mbit is getting pretty cheap now.
Until I have an answer? A full 650MB CD takes 66 seconds over 100Mb and about 7 seconds over gig. There's an answer. ; )
ethernet however saturates at 60% so you can only get real transfer of about 60 Mbps
At 10Mbps with a 3C509B (nice card if 10Mb ISA is your bag), I get actual transfer rates of ~1.14MB/s (1,200,000 bytes/sec (96%)). I guess the rest is protocol overhead.
On my 100Mbps connections (iBook OS X - PII300 OpenBSD) I get 9.8MB/s with ftp transfers.
Where did you get this 60% number?
Too bad that an OpenBSD system only exposing ssh to the internet would have been vulnerable to a remote root hole for years now.
A system with a hole is not vulnerable until someone discovers that hole.
No intrusions were announced before ISS found the hole, if they were it would mean that ISS was not the first to find it and it would have been patched before the ISS discovery also.
So at the end of the day, the default OpenBSD install had a hole, but was not vulnerable because Theo warned people vaguely how to temporarily fix the hole until the full patch was released. So ultimately, no default OpenBSD install was vulnerable that was kept up to date with security patches. If Theo was specific, he would have put a spotlight on 500 lines of OpenSSH code out of 27,000. Which would have led to a quick exploit.
Cancer can be cured, but without a cure for cancer or knowing how to cure cancer can you cure it?
Funny I agree,
This is propeller head stuff, but it is not overly technical.
This guy is basically plotting pseudo random number sequences so that a human could look for patterns. Computers can not be trusted to find patterns in all circumstances, whereas a visual pattern can easily stand out to human eyes. Of course, there would be patterns that a human could not detect that would require a computer to find (witness MP3). The question is, how do you plot 32-bit numbers which pretty much represent one-dimensional data of very wide proportions between low and high values?
Break the 32-bit numbers up into smaller parts to be viewed as points in 3D space!
I have been interested in LFSR (Linear Feedback Shift Register) PRNGs for a few years, starting out designing them in hardware and then finding out through reading Bruce Schneier's "Applied Cryptography", that I was actually onto something.
I wanted to view my streams broken up into 2D dots as postscript to find patterns that showed weak (and thus the possibly strong) LFSR designs in the hope that I may find some high quality designs that have astronomical stream lengths before repetition.
Though I wonder if 2D would be as good as 3D for finding patterns. It seems being able to rotate the sampled data in real time would be better for finding a pattern that can be missed with a single 2D picture. Or is this the author's way to simply represent very high resolution numbers on relatively low resolution screens?
I have also been thinking of plotting streams to 2D images which I would then blur to greyscale to search for patches of light and dark to show low quality designs and save designs that show the best uniform shade of grey as possible candidates to be considered strong and thus used in designs that make up multiple hashed LFSR designs that provide stream lengths greater than the bit depth of the output itself.
It's not technical if you are really into it. ; )
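The approach the post describes (stream an LFSR, chop the stream into 32-bit words, split each word into byte-sized coordinates, and look for uneven patches) as an added worked example; this is not code from the post or from the article being discussed. The maximal-length register uses the textbook taps for x^16 + x^14 + x^13 + x^11 + 1; the "weak" register, the seed and the 8192-word sample size are constructed for the illustration. The coarse cell count stands in for the "blur to greyscale" test: a good stream fills nearly all 512 cells of the 8x8x8 grid, while the degenerate design collapses onto a single point.

```python
"""Added example: visualising an LFSR stream as 3D points and scoring how
evenly the points fill space.  Not code from the original post."""

from collections import Counter

WIDTH = 16
SEED = 0xACE1                 # constructed; any non-zero seed works
GOOD_TAPS = (16, 14, 13, 11)  # x^16 + x^14 + x^13 + x^11 + 1, period 2^16 - 1
WEAK_TAPS = (16,)             # constructed degenerate design: x^16 + 1, a bare
                              # rotate of the register, so the period is <= 16


def lfsr_step(state, taps, width=WIDTH):
    """One Fibonacci LFSR step in shift-right form.  Tap t (1-based, the
    polynomial exponent) reads bit (width - t); the XOR of the tapped bits
    becomes the new top bit and the old bit 0 is the output bit."""
    feedback = 0
    for t in taps:
        feedback ^= (state >> (width - t)) & 1
    out = state & 1
    state = (state >> 1) | (feedback << (width - 1))
    return state, out


def lfsr_period(taps, seed=SEED, width=WIDTH):
    """Steps until the register returns to its seed: the stream's period."""
    state = seed
    for n in range(1, (1 << width) + 1):
        state, _ = lfsr_step(state, taps, width)
        if state == seed:
            return n
    return None  # unreachable for a non-zero seed: the state space is finite


def lfsr_words(taps, count, seed=SEED, width=WIDTH, word_bits=32):
    """Pack the output bit stream, first bit most significant, into words."""
    state, words = seed, []
    for _ in range(count):
        word = 0
        for _ in range(word_bits):
            state, bit = lfsr_step(state, taps, width)
            word = (word << 1) | bit
        words.append(word)
    return words


def words_to_points(words):
    """Split each 32-bit word into three bytes, one point in a 256^3 cube.
    The fourth byte is dropped here; it could drive colour or intensity."""
    return [((w >> 24) & 0xFF, (w >> 16) & 0xFF, (w >> 8) & 0xFF) for w in words]


def occupied_cells(points, cell_bits=3):
    """Coarse 'blur': bucket the points into (2^cell_bits)^3 cells and count
    how many cells hold at least one point.  A short-period or biased stream
    leaves large regions empty."""
    shift = 8 - cell_bits
    cells = Counter((x >> shift, y >> shift, z >> shift) for x, y, z in points)
    return len(cells)


def to_postscript(points):
    """2D projection (first two bytes) as a PostScript page of dots, the
    format the post mentions for eyeballing a stream."""
    lines = ["%!PS", "72 72 translate"]
    lines += ["%d %d 0.6 0 360 arc fill" % (x, y) for x, y, _ in points]
    lines.append("showpage")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, taps in (("good", GOOD_TAPS), ("weak", WEAK_TAPS)):
        pts = words_to_points(lfsr_words(taps, 8192))
        print(name, "period", lfsr_period(taps),
              "cells occupied", occupied_cells(pts), "/ 512")
    with open("lfsr_good.ps", "w") as fh:
        fh.write(to_postscript(words_to_points(lfsr_words(GOOD_TAPS, 4096))))
```

Run it directly to print the two periods and cell counts and to write a PostScript dot plot of the good stream that any PostScript viewer (or `ps2pdf`) will render. The period check is the cheap computer-side test the post alludes to; the cell count is the "uniform grey" criterion, and the dot plot is the human-side view.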
Yes, I like open source as well. But whether it leads to better products in any particular aspect depends on a person's needs and wants
As an example I'm sure you've probably already seen, here is an example of open source software being more secure than closed source, where convenience is not hurt.
Open source on top.
Security here, is basically ranked as highest to lowest, which turns out to be open to closed. Naturally, as one would expect, the open source project which focuses on security is at the top of the lot.
In the open source world, someone might implement a PRNG thinking it is strong. One day, someone discovers that it is not very strong by looking at the source or looking at the output statistically. They might complain that it is not strong, leading to a better PRNG being written by the original author, or as is typical with open source, someone with greater expertise may submit code that is stronger, which gets used.
In the closed source world, someone (or a team) might typically be hired to program a PRNG as an "expert" of math programming. So his expertise is trusted, he implements his expertise, his random streams turn out to be VERY pseudo, as analysed, spoofing attack tools become available and the admins and closed source programmers scratch their heads in wonder at these attacks. Finally, after it becomes publicly known that the closed source is weak (usually through open source advocates who present analytical evidence), the closed source programmers embrace the BSD license as a "God send" and then proclaim industry leadership through innovation. ; )
This is just a bag of disjointed tools that might, with effort, be coaxed into doing what needs to done -- I say this as a user of some of the tools you've mentioned.
Because most of them do an excellent job without graphs? : ) I kinda prefer getting SMS paged with critical alerts and emailed with all alerts greater than "odd behaviour". Sitting looking at graphs 24/7, or having some team paid to do this is not my idea of effective event monitoring.
For example, Windows NT (just to give an example) allows you to monitor the behaviour of virtually every kernel object and graph them against time. I am not aware of similar capabilities in any of the tools you have mentioned
Some people who go further than waiting for the next service pack, don't need graphs. Where they are useful, they are usually present.
Or what about auditing trails, such as who accessed what how when?
Proper admin would advocate the usage of sudo, which logs nicely and proper usage of file permissions. If you're sufficiently concerned about security then logs can be made impossible to tamper with electronically. Printing logs to line printers is very common in Bank and Stock Exchange data centers. Been there, done that. Or if this is over the top for your systems, you might like to log to an OpenBSD syslog server which is configured to only allow appending to logs even for the root user. Doing that via a serial connection that does not accept logins for that little extra security? Or perhaps logging to WORM is more your style?
It's already happened. We started the whole #!/bin/sh thing after all. All we need now is a convenient way of preserving file attributes and a convenient way of opening email attachments and we are in a world of hurt.
If a Unix user logs in as a normal user on a system that has been kept up to date with security patches, little can be damaged. Perhaps some of their own files will be lost or exposed if they use an insecure mail reader. If they're logging in as root, on a system that is not up to date security wise, while reading mail with an insecure mail reader, then they deserve what they get. I'm guessing the point between discovery of this weak mail reader and the fix would be a very thin slice of time if the history of open source security is anything to go by.
Maybe not, but the lack of even fairly rudimentary auditing and event monitoring tools and the lack of software to make sense of this data does.
SWATCH, NOCOL/NetConsole, LogSurfer, Netlog, Analog, Snort, HostSentry, Shadow, MOM, The Hummingbird System, AAFID.
Are you serious?
"living on the fringe"
Have you used Star Office 6 or open office? I have used SO6 beta, it is pretty amazingly just about there. All we need now is decent groupware and I think an MS free World will be much easier to swallow for people who "need" the features.
I am confident that they will initially run into similar security issues.
You are confident. I am confident. I don't think the open guys will fall into traps that allow a document to execute (via interpretation or otherwise) code not related to the app that document is intended for.
So maybe you can point me in the right direction.
I'm sure you've seen the goings on by now.
People like him are exceptional, not the norm.
Yes, however there are a lot of exceptional coders in this World who do look at open source. The types who tend to read code and contribute patches, tend to be above the norm anyway. There are plenty of them.
The point is it happens on the closed source side of the fence as well, and there is less of a dependence on Great Leaders there.
The point is, that the exceptional video driver developers who normally write closed drivers for Windows of one of the largest most respected video card makers, had their open source driver improved by an uninvited outsider, thanks to the driver being open source.
It wasn't just Carmack stamping out bugs either.
You are the one who claimed security and open source go hand in hand. But apparently they don't.
I never said OSS is a guarantee of security. My stance is that open source allows security and stability to be easier to implement than closed source. Unless you include obscurity as a security measure, which I don't.
It means that there is no open source software that is certified for use in some of the most security-conscious environments, despite your insistence that open source development must lead to more secure software.
Yeah, and NT4 was certified to the point where it could not be connected to any network, must have no removable media and have the POSIX layer removed! Software gets certified through payment for that certification. Who has paid to have a free BSD or a Linux distro certified? Lack of this does not show lack of security.
The point is, what is the cost of having your network go down once every so often,
It's not just network downtime, it could be corporate IP loss or exposure, public embarrassment, loss or exposure of customer property leading to liability, etc.
versus lacking all the features Outlook & Office provide in the mean time.
People and companies serious about security, who use MS products for example, end up disabling and avoiding many of these "features".
Well, tell me about it. This is all about sharing, right?
I actually do read through source, along with books like Applied Cryptography (I've been into digital electronics since the 80's, starting with Navy Weapon systems) and have an unhealthy interest in building hardware pseudo random number generators. I read the source because I am interested. I didn't find the hole because software security is not my forte, but I am but one person. Someone did find the hole, which is easy to close.
No, it was perfected via painstaking attention to detail. In all those years nobody ever found the bug, which pretty much kills your "hundreds of thousands of eyes" theory.
But it was found, outside of the OpenBSD developers. We are looking at a single uncommon incident here too. Though the hole is uncommon, the discovery, quick workaround and subsequent fix is not.
Here's a single incident that also proves nothing... Windows NT Cripples US Navy Cruiser
My stance is that open source makes finding and fixing bugs easier and I have seen it first hand as a beta tester of open source video card drivers. Where people outside of the developers were submitting code or pointers to broken code. John Carmack made an extended visit to our list, fixed code and made the drivers faster. He was not invited personally, he just dived in to open code. Something he or anyone else would not have been able to do if they were not a part of it as a closed source project. I've heard he did this for other cards which have open source drivers also.
I have every reason to believe that this kind of review never actually happens.
I watch it happen regularly in the mailing lists I am subscribed to.
Linux, which has far more people working on it than OpenBSD, is not more secure than OpenBSD
You are comparing two open source systems, one which is focused on security and the other which is not. Two very different code bases. You need to ask why Linux is not as secure as OpenBSD? You should be asking why the Microsoft World is regularly damaged by viruses and exploits and the open source World is less so.
Which shows that proper administration is much more important to the security of a system than the question whether that system runs open or closed source software.
Of course admin is the most important aspect of any site's security and stability. But choosing systems that you need to assume to be secure is not a good admin choice.
Personally I believe that even if this were true, closed source software easily makes up for it in features and support (e.g. documentation).
OpenBSD has great docco. Pity people don't use it.
Does that "average" include all the stillborn projects at Sourceforge?
Obviously it includes mature projects that mirror closed source applications.
You want to posit this kind of argument that there is such a thing as "perfect security", and that OpenBSD (and other open source software) exemplifies this.
I have never stated anything that slightly suggests that I believe there is any such thing as "perfect security". There is no such thing.
But that is bunk. Unix security is lackluster at best. It is the typical "good enough" type system. Windows NT, Solaris and AIX offer far more flexible and powerful security models -- if you need them.
Does this mean that you put OpenBSD and/or Linux under the umbrella of "Unix" but not Solaris and AIX?
Would you like to elaborate on these more flexible and powerful security models?
Does Windows crash when you load in Mozilla?
Windows networks come crashing to their knees when a user receives an infected email. You have got to be joking.
Like, such as, irony of ironies, with the current OpenSSH hole? Did you check the source to see where the alleged vulnerability is at? Do you know people who did? I'd be interested to hear.
Rare occurrence. Yes. Yes. And it has been fixed quick smart too.
Furthermore it is interesting to note that SSH, the topic under discussion, was originally conceived and delivered as a commercial product. Not a strictly "open source" one.
And looking at the track record, perfected by the OpenBSD crew via open source.
Not because I "believe" it to be secure, or even because I necessarily think it is "best of breed".
Closed systems at my local stock exchange proved to be unreliable while I supported their backup site. I don't think or believe (in the religious sense) in OSS security or stability, I know it from experience.
So what? That might mean that closed source software has wider deployment.
.sig for my opinion of Linux MM. My primary OS of choice is OpenBSD, but Linux has been very reliable for me, even with occasional broken MM, much more reliable than I have experienced with closed source OS'.
It is actually a statistic of holes, not a statistic of reported exploits.
It might mean that closed source software is scrutinized more closely.
Open source is an easier target to find holes but also to fix holes. Closed source gets security via the wrong reasons. Obscurity.
It might even mean that closed source software is used in more places where security matters.
Once again, it is a statistic of holes, not a statistic of reported exploits.
The bottom line is that the distinction closed/open should make very little difference when evaluating the security aspect of any particular installation.
And guns don't kill people, it just makes it easier for people to kill people. Open source doesn't make security, it just makes it easier for people to make secure code. Do you think hundreds of thousands of eyes reviewing code is not better than a typical corporate team of eyes?
alldas.org defacement statistics [alldas.org] per OS place Linux, an open source OS, at 22%, while Solaris, which is closed source, clocks in at 4%.
These are incidents and worst case ones at that. Anyone can badly admin a server and chances are that those that do are doing it with Linux more than Solaris. You can after all, accidentally get into Linux from a visit to your local newsagent.
The numbers I have been giving show capabilities of software. Unless the admins fixed broken code without giving it back, the admins here are irrelevant. You are showing worst cases which can easily be bad admin.
I also note that you failed to answer my question: if open source makes for secure software, then why do we need something like OpenBSD at all? Why are not all open source OS's as secure as OpenBSD?
Not all open source projects are focused on security to those levels. I firmly believe that the average open source software is more secure and has less bugs than closed source, it does not need OpenBSD, some people do though because OpenBSD takes security to a step above everything else. OpenBSD is an extra move forward in security.
The bottom line is that the distinction closed/open should make very little difference when evaluating the security aspect of any particular installation.
Any particular installation that uses open source, has the source to scrutinize and fix. Any particular installation that uses closed source, has to hope there are no holes and then when holes do become apparent they have to hope for a quick fix, which rarely happens.
Again, irrelevant. It might mean that open source people will go to great lengths to avoid rebooting their machines.
If those systems were exploitable, they would have been exploited. A server with almost 4 years uptime shows stability if you ask me.
It might even mean that open source software is conservative/stagnant.
Conservative as in putting security before features? They get the jobs done. Mail gets relayed, web pages get served, files get downloaded. Yet they don't get owned anywhere near as much.
Unless the reboots actually hurt business there is no inherent advantage to long uptimes.
Some installations required stable systems 24/7.
Great stability and security are achieved by paying a lot of attention to stability and security.
Of course.
The development method is strictly secondary.
The development method can either make the job easy or hard.
What can I say. Try harder. For example take a look at how Linux MM will happily let a process run amok with a high probability of wrecking the box.
Are we still speaking comparatively? If you choose a worst case I will choose Microsoft. But please, look at my
That might be true, but is hardly any consolation if OpenBSD does not do what you need it to do.
OpenBSD is a secure foundation for running some open source services that have shown to be more secure than their closed source counterparts.
What about the 13 Apache vulnerabilities [apacheweek.com] since 1999?
33% were Win32 specific, how interesting that an open source project has a hard time becoming secure running in a closed source environment.
40% were specific to modules or other support programs.
27% were Apache itself.
Easy. Ping of death was fixed within 48 hours on Windows. I'll grant that the Linux fix got there faster.
Most people take "hours" to mean hours less than 24, since 24 becomes "days".
So what?
You're either exposed or out of action until the hole is fixed. Thats what.
Security? A comparison of 2001 CERT advisories shows that closed source software constituted 72%.
Stability? Netcraft shows that the web servers with the top 10 average and the top 19 maximum uptimes are Open Source.
Open source allows people who are passionate about coding to code great things in large groups. They get great stability and security through honest desire and mass co-operation.
Closed source allows people who are passionate about money to code profitable things in small groups. They get money through marketing. Being closed allows them to brush problems under the carpet in the hope that they won't get noticed until after that products lifetime. Or even claim that problems are merely "theoretical", until someone posts a "BeSysAdm.exe".
source availability has little to do with the security or reliability of software.
I have been supporting closed source software for the past 9 years and I've been using open source software for about 5 years, supporting for about 3.
Linux, FreeBSD and OpenBSD have NEVER crashed on me in normal circumstances (I have managed to make Linux crash when tweaking and building custom kernels). I could never say this about any closed source software I've supported. Netware is pretty stable, but can't touch FreeBSD from what I've seen.
OpenBSD is secure because Theo and friends
Of course, but plenty of fixes and alerts come from people who are simply able to read the source and "friends" come into the stable due to being able to read it in the first place.
this security comes at a steep cost ((re)training, missing features, maintenance).
Learning OpenBSD for someone who is knowledgeable about network security is far from steep learning.
Very few machines can be made useful running only the "default install".
Even in light of the recent vulnerability, Apache actually has a good security history. The last time it was mentioned in a CERT advisory was 1996. IIS has been mentioned 8 times since. Then there's Qmail...
Compare, what?
Oh I don't know, compare the comparative?
IIS? NT/2000?
Open source also allows fixes to come very quickly. Often the person who was able to find the exploit, also supplies a patch to fix it. If not, it often comes within a day or even hours. Can you find a closed source hole that was fixed in hours?
Hey, that is neato. Can you supply it with your own random stream for the keys? I was think of something like this recently.
I would like a real, strong key that I could plug in and out as I need to use my machines and sessions.
Can you supplement its usage with an extra password to avoid the usage of that key if it gets stolen?
Would you like to elaborate and become the first person with cryptanalysis which shows a weakness in Blowfish and thus enjoy the spoils of your elite mental power? You are about to knock Bruce off his pedestal and render his works suspect?
No? I thought not.
PS, moderators, the parent post is not "Insightful", it is one of either "Funny" or "Troll" depending on your mood and knowledge of Blowfish and typical Slashdot Anonymous Coward posts. I would lean towards Troll and moderate him down into the rest of the noise.
Yeah, a fake root term that is actually run as nobody via a service they don't enable by default.
1. OpenBSD does not start httpd by default.
2. The exploit opens up a terminal that appears to be a root term, but is actually a fake. It only has nobody privs.
If you don't read the lists, then look at the archives. The exploit is humorous, but against Apache. The OpenBSD crew don't write Apache, they just fix it when it breaks.
The most stable OS to be running it on, would be OpenBSD.
If you are going to make a blanket statement comparing security and reliability of open vs. closed source software, then I think you should compare the best of both Worlds.
I'll start with the open source World and suggest OpenBSD, 5 years without a remote hole in the default install. You can read that as, an extremely secure kernel, with an extremely secure network stack and general system layout.
I'll leave the closed source contender up to you to present to us. ; )
Any idiot can look at "Open Source Done Wrong (tm)" and then say look, OSS is shite, but then any idiot can be a source of open source (or closed for that matter).
The best of breeds should be shown before the average and worst.
If your *nix doesn't use ssh by default for remote logins, maybe it's not worth using that *nix, if that is a measure of their security policies.
This shows that the G4 has easily kept up and is showing everyone else how to design a CPU, ie not in a braindead fashion. Intel designs CPU's so that they can crank the MHz up as much as possible. The PPC gets speed with smarts.
With the G4 being on average in that test around 3 times faster than the PIII with a 20% faster internal clock tick, the G4 it would seem is on average 3.6x faster than the PIII, clock for clock. Driving home Apple's sentiment that deciding on MHz alone is ignorant at best.
So a 1GHz G4 is about a 3.6GHz PIII.
I would like to see those tests too! But bear in mind, the G4 is nearing the end of its life as the top CPU in the PPC World, so I would like to see the tests of the G5 against whatever Intel and AMD's current CPU is.
that's right, it won't stop a determined hacker. If they want what's on your machine, and they have physical access, they'll get it.
I think we are considering the wrong tools for different jobs here.
The OpenFirmware password should be used to disallow usage of your machine as a whole (hardware stolen etc) and disallow a weak attempt at theft of private info from the machine (most attempts would be weak, the average joe is not an elite cracker or even script kiddie).
High protection of your valuable information should be kept inside an AES-128 encrypted disk image. If they can get your data out of that (stored with a strong password), then they are pretty damned determined!
At the end of the day, suffering a loss of hardware can be something hard to avoid. You need to decide how much you are willing to spend to prevent the theft of hardware. Securing the data is the easy part.
If everyone secured their Macs with the OpenFirmware password, thieves might soon avoid stealing them since their value to purchasers plummets. Thieves would not be able to demonstrate that "they own the machine" and that the machine is usable to a private buyer, money-lending shop, etc. I know many stolen goods are sold on the street without any demonstration, though thieves selling useless hardware will soon get a bad reputation for supplying useless goods and thus avoid those goods.
It should come pre-enabled with OSX, since the BIOS queries for a password, allowing the rightful owner to protect their hardware.
Bruce Schneier states that "I am wary of using MD5", due to a "weakness in the compression function". "one of the basic design principles of MD5 - to design a collision-resistant compression function - has been violated", though "this has no practical impact on the security of the hash function".
However, the full MD4 algorithm could not be attacked.
So I wonder how much better MD5 is over MD4? More complex might not mean better at the end of the day.
SHA1 seems to be better and has not had any successful cryptanalysis attacks yet. But the original SHA spec had a flaw that the NSA refused to elaborate on, which has most likely been fixed in SHA1.