Slashdot Mirror


User: I+confirm+I'm+not+a

I+confirm+I'm+not+a's activity in the archive.

Stories: 0
Comments: 777

Comments · 777

  1. Re:Sweet! on IBM Opens Their Patent Portfolio to Open Source · · Score: 1

    Errmm, while I don't know exactly how many patents IBM holds, 500 is by no means, nowhere near, not even vaguely close to being "most of its IP portfolio".

    40000 patents worldwide, apparently. So a little over 1%! I'll keep the champagne on ice, for now.

  2. Re:Obscurity of the key on Security Holes Draw Linux Developers' Ire · · Score: 1

    Ha! Got me there! Aye, there has to be some secret element, much like root's password. My point is more that obscurity prevents analysis by white-hats rather than hindering attacks by black-hats. To continue your point, however, I suppose we could argue that keeping a cipher key or root password secret prevents a white-hat from determining that the password sucks.

    /me slinks off to re-read security-through-obscurity.

  3. Re:About security through obscurity on Security Holes Draw Linux Developers' Ire · · Score: 1

    Perhaps you should have made your point less... obscurely.

    It's a fair cop, guv'nor!

  4. Re:There doesn't have to be a contradiction... on Security Holes Draw Linux Developers' Ire · · Score: 1

    There doesn't have to be a contradiction...

    Aye, I'd agree with that. Provided obscurity is additional to "real" security mechanisms. However, I'd add that adding additional "obscuring" steps may serve to make analysis of the "real" security more difficult. Though obviously not in this case ;)

  5. Re:About security through obscurity on Security Holes Draw Linux Developers' Ire · · Score: 1

    If it is revealed that a plaintext was encrypted using AES, a known (ie. not obscure) cipher, it is still not possible to reveal the plaintext. In other words, AES does not rely on obscurity, it relies on other mechanisms.

    ...and yes, if those mechanisms are compromised then so is AES.

    My point is that obscurity is easy to compromise. Secure design much less so.

  6. Re:Here it comes on Security Holes Draw Linux Developers' Ire · · Score: 2

    Not at all. I'm saying keep it in proportion: "one swallow does not a summer make", and a limited number of bugs do not an insecure system make. Truth is, no system is - or can be - totally secure unless you encase it in steel and disconnect it from the 'net.

    Windows is insecure. Linux is also insecure. So's Trusted Solaris. It's a question of degrees: how far are you prepared to trust Windows with different levels of secure data? How far would you trust Linux? Solaris? For my part, I'd use Windows. Hell, I do use Windows, daily. I even like it. I just wouldn't use it on, say, an eCommerce server. I wouldn't use Solaris to rip CDs, either, but that's no slur against Solaris.

  7. Re:Here it comes on Security Holes Draw Linux Developers' Ire · · Score: 1

    The development work is still "voluntary" - IBM (say) choose to fund a developer or three. And IBM's priorities may very well be quite different to ours: I'd suggest that IBM might be more concerned about inter-operability with non-Linux systems, and regard security as the domain of AIX?

    The responsibility for "itches" in any Free/Open Source project lies with the person who wants/needs to scratch that itch ;)

  8. Re:About security through obscurity on Security Holes Draw Linux Developers' Ire · · Score: 1

    Security through obscurity is the first layer, nothing more, but nothing less either.

    Security-thru'-obscurity shouldn't even be the first layer: as soon as the obscurity evaporates, so does any security it supposedly provided. Hence my comment about military intelligence: if you have the resources to keep something obscure, then it's practical to rely on security-thru'-obscurity. Problem is, the only people with those kind of resources are some intelligence agencies. I'd offer the NSA and their Russian and Chinese counterparts as possible examples, and suggest that there are very few others (the Communications-Intel bureau of the Republic of Elbonia, for example, simply can't compete with the NSA - Elbonia does not have enough mathematicians to guarantee that Elbonian ciphers can't be broken by the NSA). Commercial cryptography (and security in general) tends to go with known algorithms and documented code.

  9. Re:Here it comes on Security Holes Draw Linux Developers' Ire · · Score: 1

    Either accept the responsibility or don't. It gets old hearing how much more secure, full featured, etc. etc. OSS is, and then watching people backtrack to "They're doing it in their own time, leave them alone!" whenever something measurably negative arises.

    You're right, it is old. Of course, it's just one argument of many (see higher in this thread), and the retort is: it gets tiring listening to people complain about issues which they make no effort to do anything about.

  10. Re:Here it comes on Security Holes Draw Linux Developers' Ire · · Score: 1

    The problem with the current Linux community is that they want to be known.

    Nowt wrong with that, surely?

    Troll am I not, but drunk ass mofo who loves open source and is a bit pissed off am I.

    I hear you, brother! Apologies for the troll-slur.

    The prolblem with secuity through obscuirty is that it's exaclty the course that people who code for Open Source are following. They think that because the free coding loving people are the only ones who inspect what they are doing, that little things like security trenches are ingsnfigant (fuck spelling, it just gets in the way) to the end result.

    Well, I'm not sure how true that is. The BSDs, which are arguably true open-source (as opposed to free-software, which I personally prefer) have an enviable reputation for security exploits: holes in single digits almost! Maybe you're right about the people reviewing code; but surely that's now their fault - it's the fault of the people not reviewing code.

    I take your point about the asswipes, but the asswipes need to contribute too.

    By the way, "Troll am I not..." is one of the best lines I've seen on Slashdot! Love it! Angry Yoda become you on beer!

  11. Re:Maybe it's time... on Security Holes Draw Linux Developers' Ire · · Score: 4, Insightful

    I pretty much agree with you, but... (!)

    Having the source to an OS doesn't make it more secure if you don't read (or understand) every line of it. (my emphasis)

    Having the source available for anyone to read can lead to the OS (app, library, whatever) being more secure. Assuming that a wide-enough group of people do actually read the code. I'm confident that this happens with Linux, the *BSDs, etc.

    Most people tend to equate OSS with secure, I'd guess, because security-through-obscurity is largely a false promise, and we recall that many-eyes-make-bugs-shallow. Both concepts that appeal to the type of geeks who are interested in security ;)

  12. Re:Here it comes on Security Holes Draw Linux Developers' Ire · · Score: 4, Insightful

    holes in the kernel have been allowed to go on as long as they have?

    Allowed to go as long as they have...by whom? By the volunteers devoting their time to kernel hacking? I'll give you the benefit of the doubt and assume you're an active kernel hacker...

    You compared Linux to Windows in your original post: how many security holes in Windows still remain, years after they were first reported? (For that matter, how many holes are we still unaware of, because the source-code is closed?) Why have these security holes been allowed to go on as long as they have? (Answer: because resources are finite; and Microsoft has other things to focus on. Likewise for Linux. If you feel that too few resources are devoted to security in the kernel: volunteer. Or criticize and offer no helpful solutions. I choose option A).

  13. Re:Here it comes on Security Holes Draw Linux Developers' Ire · · Score: 5, Interesting

    If I read you correctly you're saying that Linux's new-found popularity will cause lots of previously unknown security flaws to become evident. Do you believe either (a) Linux will ultimately have a similar number of security flaws as the Windows kernel, or (b) Linux will ultimately have a similar number of security flaws as Apache (an open-source, industry-leading application)?

    What I'm getting at is: security through obscurity is largely regarded as flawed (outside military intelligence circles), and the open-source/free-software development model has - time and again - resulted in bugs being shallow (IIS is closed-source and buggy. Apache is open-source and - relatively - secure).

    Every time - every time! - there's a security issue with Linux a troll pops up and says "ha! ha!" in their best Nelson Muntz voice: as if Linux was somehow perfect, but has now spectacularly fallen from grace. I don't know whether you're trolling as you don't really say much, and I found it difficult to understand much of what you did say, so my apologies if I'm way off base here, but...are you suggesting that Windows is "more secure than Linux", or what?

  14. Re:I bet they will be fixed within 24hours! on Security Issues in Mozilla · · Score: 1

    Aye, I should probably have said "the latest apps from portage...

  15. Re:I bet they will be fixed within 24hours! on Security Issues in Mozilla · · Score: 1

    > > is there anyone running Gentoo with anything other than the very latest apps?!

    > No but I will be any minute now!

    I'm a user of, and great admirer of, Gentoo, but using phrases like "any minute now" in relation to "emerge", well, that's just inviting trouble!

  16. Re:I bet they will be fixed within 24hours! on Security Issues in Mozilla · · Score: 1

    so he wins the bet. pay up...

    Whoa, not so fast, eggfellow! The original poster bet that the bugs would be fixed within 24 hours! S/he's in with a chance, but until the (remaining) bugs get fixed, my wallet's staying firmly in my pocket!

    (Maybe this could be a new bounty scheme for Mozilla bugs - fix quickly to make dumb saps like me pay up on wagers...)

  17. OT: Gentoo on Security Issues in Mozilla · · Score: 1

    Dammit, knew someone would! I've not long caught the Gentoo bug, and I'm "emerge --sync", etc pretty much every two days! Not yet got around to installing Gentoo on the "real" boxes yet, so your advice is pretty timely.

  18. Re:I bet they will be fixed within 24hours! on Security Issues in Mozilla · · Score: 4, Informative

    If I read TFA correctly, they're fixed already: Mozilla is listed as unaffected in >=1.7.5, Firefox unaffected in >=1.0, and Thunderbird unaffected in >=0.9.

    Interestingly, the original bug report came from the Gentoo security people - is there anyone running Gentoo with anything other than the very latest apps?!

  19. Re:Simple on Future Skills for a Budding Web Designer? · · Score: 1

    ASP (to try the Microsoft set of tools)

    While the remainder of your comment is sound, if you're talking about "classic" ASP (as opposed to ASP.NET) I'd caution against learning ASP (disclaimer: I'm an ASP developer): ASP is deprecated in favour of ASP.NET on Microsoft's web-server (IIS), and horrendously expensive on any other platform (we've just moved from ChiliSoft ASP/Cobalt RaQ-Linux to SunONE ASP/Sparc-Solaris, and it was the software, not the hardware, that made our bean-counters cry ;)

    ASP is old-fashioned, and rarely used for new projects. If you ever find yourself having to use ASP, it's easy enough to pick up if you've got experience in something similar, like PHP.

    ...and, of course, ASP will get you very few geek points here on slashdot!

    (Just my 2% of a Scottish pound note)

  20. Re:I say no to JS and most flash on Future Skills for a Budding Web Designer? · · Score: 1

    java script and active x websites force people to surf randomly with that stuff turned on.

    Good use of Javascript should complement server-side code, not replace it. In other words, generally a web-app should not rely on client-side scripting, but client-side scripting - if available - should enhance the user experience.

    An example: form validation should be performed on the server-side. However, client-side validation is a nice bonus, to prevent a round-trip to the web-server only for the user to be told that they made a mistake.

    I understand why you avoid Javascript sites - I avoid sites that require Javascript. But understand that this is the fault of the web developer, not Javascript. Web developers who fail to appreciate that their users have different browsers don't deserve to call themselves developers.

  21. OT: MPs and Pirate Radio on An FM Broadcast Transmitter For Your Home · · Score: 1

    Sorry, I'm not sure if I read that right? There's a political party in the Knesset that operates pirate radio stations?

    Out of curiosity, is pirate radio used to promote the party, or is the party used to promote pirate radio? Or did I just completely misunderstand you ;)

    (Just curious - I have little knowledge of Israeli domestic politics)

  22. Re:sniff it on LiveJournal Buyout Rumor · · Score: 2, Insightful

    For the sarcasm impaired: this post seems to be a facetious comment parodying the attitude of the corporate media towards blogs, which is that they're a threat to be bought out and quashed.

    OK, I'll hold my hands up and admit that maybe, just maybe, I'm sarcasm-impaired. Maybe.

    ...but, and it's a big but, there's a strong elitist grouping on Slashdot who argue that blogs are the devil, and I read the OP in that light. The subsequent replies seem to bear out that train of thought...

    I'm also not sure if Corporate Media [TM] (you forgot to trademark that phrase, hah, beat you!) want to buy out and squash blogs - another possibility is that Corporate Media is just waking up to the money-making potential, and will milk blogs rather than squash them.

    Anyhoo, back to my parents' basement... ;)

    Disclaimer: I do not now, nor have I ever, maintained my own blog. I do, however, post on Slashdot and similar forums (fora?) and I find many blogs incredibly useful. Obviously I ignore the "I h8 my parents they are teh su><ors!"-type blogs...

  23. Re:Sell it!! on LiveJournal Buyout Rumor · · Score: 1

    No [Slashdot isn't a blog]. A blog is where one person makes journal entries, and other people read it. Slashdot is a news discussion site. That's a lot different in content and format than a blog. Blogs are all about one person, Slashdot is about the geek world around us.

    I guess that's maybe subjective; byolinux has already suggested that there are blogs with multiple posters, and I'd add that Slashdot was nominated for - and won - an award in the most recent "bloggies". I can - maybe - see a difference between one (or more) posters posting articles, and others reading said articles, but factor in replying to articles and I'm blowed if I can see a difference between Slashdot and Mezzoblue: they're both news, just one has one poster and a narrow focus, t'other has multiple posters and a wider focus. Neither are especially about one person or multiple people; they both carry geek articles.

  24. Re:Sell it!! on LiveJournal Buyout Rumor · · Score: 1

    Well said. My first thought was "isn't Slashdot kind of a blog? Maybe? You know, being a forum where articles are posted and people reply?"

    Bah! It reminds me of all the elitist crap in the "old days" (mid-90s) about the easy availability of webspace meaning that "our" Internet was being "swamped" by newbies. And I can't walk the streets without tripping over real people. Poor me.

  25. Re:zerg on Ancient DNA Helps Solve the Legend of Giant Eagles · · Score: 1

    Roughly the same: "With a truncated wingspan of around three metres, for flying under the forest canopy" (at the highly-scientific conversion rate of 3-and-a-bit feet to the metre). Mind you, they've actually measured the wing-span of Haast's eagle ;)