yes, but why?
You're making the assumption that everything coming through needs to be validated the same way. You should not do this. Instead, you should be validating incoming variables on a per-variable basis.
A common method for doing this in the OOP fashion is to use SET methods in your object framework. This is to say, that when you pass something from the global space into your object space you first pass it to a handler function that performs the appropriate checks and preparation ahead of time. In most OOP-aware languages, it's generally agreed that you should not directly set your attributes for this very reason.
Not all data that comes through is going to be a blog post, so why do all that?
Also, you're assuming that you need to stripslashes() your input even before you TEST to see if it needs to be done or not. You should be using something like this:
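function prepSlashes($var)
{
    // Strip slashes only when magic_quotes_gpc has already added them.
    // (get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.)
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() == 1)
    {
        return stripslashes($var);
    }
    else
    {
        // Input was not auto-escaped; return it untouched.
        return $var;
    }
}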
Then you only use it when you need to, not on every element in the incoming array.
This function will normalize anything you pass to it so it has no extra slashes, but only if it is required. This way, you don't inadvertently lose slashes if they were meant to be there.
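An added example (not part of the original comment) of the setter approach described above: each field gets its own check when it crosses from request data into the object. The BlogComment class, its field names and its limits are hypothetical, and the $post array is constructed sample input standing in for $_POST.

```php
<?php
declare(strict_types=1);

// Hypothetical class for illustration: one setter per field, each with its own rules.
final class BlogComment
{
    private int $postId = 0;
    private string $author = '';
    private string $body = '';

    public function setPostId($raw): void
    {
        // FILTER_VALIDATE_INT rejects "12abc" and "4.2" and enforces the range,
        // which a bare (int) cast would silently accept as 12 and 4.
        $id = filter_var($raw, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 2147483647]]);
        if ($id === false) {
            throw new InvalidArgumentException('postId must be a positive integer');
        }
        $this->postId = $id;
    }

    public function setAuthor($raw): void
    {
        // Short display name: a fixed character set and length (assumed limits).
        if (!is_string($raw) || !preg_match('/^[A-Za-z0-9_ .-]{1,32}$/', $raw)) {
            throw new InvalidArgumentException('author must be 1-32 allowed characters');
        }
        $this->author = $raw;
    }

    public function setBody($raw): void
    {
        // Free text: only type and length are checked here. The text is stored
        // as typed and escaped later for whichever output it is written to.
        if (!is_string($raw)) {
            throw new InvalidArgumentException('body must be a string');
        }
        $body = trim($raw);
        if ($body === '' || strlen($body) > 5000) {
            throw new InvalidArgumentException('body must be 1-5000 bytes');
        }
        $this->body = $body;
    }

    public function getPostId(): int
    {
        return $this->postId;
    }

    public function getAuthor(): string
    {
        return $this->author;
    }

    public function bodyAsHtml(): string
    {
        // Escape at the point of output, for the HTML context.
        return htmlspecialchars($this->body, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed request data standing in for $_POST.
$post = ['post_id' => '42', 'author' => 'alice', 'body' => "It's <b>fine</b> with a \\ in it"];

$comment = new BlogComment();
$comment->setPostId($post['post_id']);
$comment->setAuthor($post['author']);
$comment->setBody($post['body']);
echo $comment->getPostId(), ' ', $comment->getAuthor(), ': ', $comment->bodyAsHtml(), "\n";

// The same setter rejects values that do not fit its field.
foreach (['0', '12abc', '4.2', ['42']] as $bad) {
    try {
        $comment->setPostId($bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', json_encode($bad), ': ', $e->getMessage(), "\n";
    }
}
```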
To maintain consistency, you can also use {} when interpolating complex variable types.
ex: echo "blah blah {$array['key']} blah blah";
It's bad to use $array[key]; outside of interpolation though, because PHP will first look for a constant called 'key' before it decides you're using a string. If you have a defined constant named 'key' it will use that first, which may not be desirable.
a better way to do this is to cast your integers. Seems a little redundant, but then you can always be sure you've got a number, and not anything else.
// look ma, i'm an integer!
$var = (int)$var;
Range and permission checking would definitely be a required element here too. Can't be too careful!
Ok, let's back this up a second.
First of all, register_globals being on is not in and of itself a danger. The danger is when people turn off undefined variable warnings and then fail to declare variables before use. There is no way to overload a variable if you initialize it first. While most languages force this, PHP does not, but that doesn't mean you shouldn't do it.
In the most recent versions of PHP, register_globals is off by default. What this means is you need to access incoming variables through the $_GET, $_POST and $_COOKIE superglobal arrays. In other words, if you had an input with a name 'foo', instead of using $foo, you'd use $_POST['foo'] (or optionally $_REQUEST['foo']). Always, always, _always_ run with full error reporting during development, and _never_ disregard warnings. They are there for your protection.
You could try this piece of code that I wrote to do that. It's fairly straightforward.
This is not an issue dealing with PHP and MySQL, this is an issue with weak programmers writing bad code, and I'm sorry to say, you find it in every language. As a regular in #php on freenode, we are constantly correcting bad coding practices.
In fact, it's not uncommon to find people using GET and POST variables straight out of the box without any kind of validation whatsoever. Many people do not learn the de-facto first rule of web programming: the user can not, and should never be trusted.
To make matters worse, applications like PHP-Nuke spring up which are notorious for sloppy coding practices, and people tend to see them as reflecting on the PHP community as a whole. That's like blaming the C language because someone, one day, wrote some bad code in it that got someone else hacked. This happens all the time, but we don't make claims like "C security is weak". Instead, we worry about the truth of it, that the programmer in question did a bad job, or just flat out missed something.
One of the key points that seems to trip most novices up (and granted, this is one of the stupider moves presented by the PHP Core Development team) was a thing called magic_quotes_gpc, which attempts to auto-escape incoming GET, POST and COOKIE variables in an attempt to sanitize user input. This is usually a double-edged sword because newbies are typically not aware if it is, or isn't on. In later versions, this is on by default, and does prevent many SQL injections from occurring. However, for the more experienced user, having your input auto-munged can be something of a pain. Unfortunately, to write truly portable code one must test this value and normalize data accordingly.
The issues don't stop there though. I've seen many a more serious faux pas committed by the newbie. Another more serious flaw that I see happen on a regular basis is the use of user data within include statements without proper path checking. This is probably one of the more disastrous errors I see occurring because it typically exposes sensitive data. There has been more than one occasion where I've shown a user their own passwd file in a browser to make my point.
Anyhow, to the newbies: we, the more experienced people of PHP are on our own quest to educate people, many times on a one-on-one basis on Freenode. If you're not sure about a particular issue, grab an IRC client and ASK US (irc://irc.freenode.net). We're there to help!
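An added example (not part of the original comment) of the path checking the comment says is missing when user data reaches an include statement. The resolvePage() helper, the page names and the temporary directory are hypothetical, and the inputs in the loop are constructed samples.

```php
<?php
declare(strict_types=1);

// The weak pattern the comment describes, shown only as a comment:
//     include $_GET['page'];

/**
 * Hypothetical helper: map a user-supplied page name to a file inside
 * $baseDir, or return null if the name is not acceptable.
 */
function resolvePage($requested, string $baseDir): ?string
{
    // 1. Shape check: a short name with no dots, slashes or NUL bytes.
    if (!is_string($requested) || !preg_match('/^[a-z0-9_-]{1,64}$/', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // 2. Canonicalise. realpath() resolves symlinks and ".." segments and
    //    returns false when the file does not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($path === false || !is_file($path)) {
        return null;
    }

    // 3. Containment: the resolved file must still live under the base
    //    directory, which catches a symlink pointing somewhere else.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $path;
}

// Constructed fixture: a temporary directory holding one allowed page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', '<?php echo "home page\n";');

// Constructed inputs standing in for $_GET['page'].
foreach (['home', '../outside', 'home.php', 'missing', ['home']] as $input) {
    $path = resolvePage($input, $dir);
    if ($path === null) {
        echo 'refused: ', json_encode($input), "\n";
        continue;
    }
    include $path; // only reached for a name that passed all three checks
}

// Remove the fixture.
unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```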
You are absolutely correct, however PEAR and PECL are definitely trying to fix this. Granted, they are nowhere near the size of CPAN, but Rome wasn't built in a day ;)
IMO Perl is rapidly losing steam due to the enormous popularity of PHP. PHP is easier to learn, faster to master and less confusing to begin with. Not to mention, PHP's online documentation is really hard to beat sporting many easy to follow examples, a very functional layout, and features (such as the http://php.net/ search) that I'm pretty sure I've only seen mysql.com adopt.
Granted, PHP is not great for everything, but for small to medium websites (and arguably large websites as well, I know of some corporations that use PHP, see bravenet.com, one of the largest providers of ready-to-run webmaster tools. They use PHP quite extensively.). For rapid application development, it's a dream.
As we come closer to PHP5 (which is RC2 now) we're also seeing the integration of sqlite as an option which may appeal to people who just want to write small blogs and other applications which simply do not demand the need of mammoths like mysql or postgresql. This means less headache for budding programmers, and easier migration of applications since sqlite does not require an SQL server.
This kinda reminds me of cornstarch and water mixtures we used to play with as kids. It's liquid if you move slowly through it, but it hardens into a solid when forcefully agitated.
Great stuff at parties, you can put your hand under it and hit it with a hammer, and the properties of the mix are surprisingly effective at absorbing the shock and preventing broken digits ;)
No market share, no viruses. I guess there is an upside to apple not dominating any market.
That's like asking "do you feel guilty for using a phillips screwdriver over a robson?"
Use the right tool for the job. If OSX does what you need it to do, use it! The same goes for linux, or any other operating systems for that matter.
for a company that is pulling a last-ditch effort to prevent bankruptcy they appear to have a fairly sizeable amount of cash left over for headhunting.
in case you want to give this poor guy's server a break, here is a bittorrent link for the footage.
...that nvidia does anything for linux at all. Seriously, there is no real game market for linux, and these cards are designed for gamers. You don't see people running out to buy the latest and greatest badass video card to run their office applications.
I'm really surprised that they spend any amount of time trying to cater to people who in most cases could just use some grossly outdated 8mb card to do what they'd normally do. Linux is not a gaming OS, it never has been, it may never be.
This is a real chicken and the egg thing; in order for game makers (and subsequently, video card manufacturers who are geared towards gamers) to take linux seriously, it needs the home userbase. However, before linux has a home userbase worth noting, it needs to be usable to the average home user. Since the vast majority of home users want games, they won't use linux, and you're all the way back to the beginning. And please, don't say "but you can use winex!" this process is hit and miss, and is often more aggravation than it's worth. Only die-hard geeks would have the tolerance for that.
Only with linux is it some kind of major event when a worthwhile game gets released for it. If you love games, but love linux too, you should dual boot linux/windows, it's the only sane solution to the problem. Anything else is going to waste your time that you could be using to kill another bad guy in your favorite game :)
- Full source code for all Microsoft products released under the GPL.
GPL is a bad licence to begin with. the BSD licence would be a lot better, if they were to adopt anything at all.
- All protocols, APIs and data formats fully documented.
They are documented, that documentation is not always free though.
- All security holes disguised as features closed, permanently, and no new ones added, ever.
Exactly which security holes did MS disguise as features?
- Dump Trusted Computing. It is about restricting the rights of the end user.
Ok, at least we can agree on something. I concur, trusted computing is a bad idea.
- A tool set comparable to Linux, free. That is, compilers and interpreters for C, C++, Fortran, Ada, Pascal, Objective C, Prolog, Haskell, Lisp, Perl, Python, Awk, lex, yacc, Basic, etc., etc. Debuggers, libraries, editors, profilers. Libraries for test scaffolding like CppUnit and JUnit.
Point is, the compilers ARE free. You can download C#, visual basic and others WITHOUT paying for them. It's the IDEs that typically cost the money. You also don't need to use a MS language, there are other languages available for windows for a variety of purposes that MS had nothing to do with, which work fine under windows. Java comes to mind, as does Delphi, PHP, Python, Perl and many others which are too numerous to list. In fact, there probably isn't a language that you listed which is not also available for windows. Many of these GNU tools you want have windows ports as well.
- A promise that existing formats will be readable and losslessly convertible to future formats, forever.
You're not very clear here. Formats for what?
- A repudiation of their old EULAs and conversion of all of them to the GPL.
The GPL isn't the answer to everything. I don't blame MS for not using the GPL, I wouldn't either.
- No forced upgrades.
Upgrading is inevitable. MS does not force you to upgrade. If no one ever had to upgrade in the Linux world, we'd all be using kernels from 1990. MS doesn't force anyone to upgrade, people upgrade because they want the new offerings included in those upgrades. Hell, if you still want to use windows 98 these days, most software will still run under it.
- No coerced upgrades, where existing users have to plead with people who have already upgraded to jump through hoops to avoid sending unreadable new formats.
This isn't MS's problem, it's yours. If you want to cling to old formats, outdated software and outmoded formats, that's your problem.
- Choices. Under Linux, I can choose Gnome, KDE, plain X with a variety of window managers etc. I can also choose AbiWord or OpenOffice or many others. I don't want a world where one company maintains a de facto standard and actively hinders anyone else's attempts to interact with it.
You really don't know a lot about windows, do you? You DO have choices under windows. How about blackbox for windows? How about Litestep? how about geoshell? There is a MASSIVE list of shell replacements (which could be likened to window managers) for windows. I don't NEED to use MS office either. I can get openoffice and/or abiword for windows. I can use any one of a dozen other office suites as well. The fact that MS office just happens to be superior to most of them is the reason most people will buy office instead of using something opensource.
Quit trying to blame Microsoft for coming up with a STANDARDIZED model for which to do things. It's proven that it works. KDE and GNOME are still trying to agree on standards for interoperability between them, and it has only worked with limited success.
I suggest you learn something about the operating system you intend to bash, it might help to make your arguments a little better.
"I wonder what Steve Jobs would say if he sees people doing such things to his machines!!"
Steve Jobs would probably come up with some grossly inaccurate statement about how superior macs are.
...that the process isn't two ways. Linux developers should be taking a look at, and studying how windows does some things. Security might not be microsoft's strong point, but they did excel in the area of integration and user interfaces. Linux distributions could _really_ use help in both these areas.
Why trouble yourself running around in circles trying to find games that work under linux when you can run any of them under windows?
I mean, if it's just for the holiday, bite the bullet. Windows, at the very least, is good for games.
Some of our local favorites (from the FPS action category):
Medal of Honor: allied assault
Battlefield 1942
Unreal Tournament
Vietcong
Halo
As far as I know, only UT would run under Linux (natively). I say, use the right tool for the right job. Linux is not a good gaming solution.
---
When all you have is a hammer, everything looks like a nail.
Except that is exactly what microsoft does. However, after a time, they consolidate their patches into single "mega patches" as you'd call it.
The FUD generated by the Linux community with this is amazing.
No, kermit was indeed not spurned to use ZModem.
Many other protocols existed between Kermit and Zmodem that made Kermit obsolete long before.
How about XModem? Or YModem? These protocols are both post Kermit and pre ZModem. Kermit was a 7 bit protocol (only capable of uppercase characters) which is why something as simple as XModem could replace it. Not to mention, XModem had extra error checking.
security by obscurity is not security at all.
because most slashbots are the little guys.
I read slashdot because for every 1000th person who has nothing useful to add there is someone who has something worthwhile to say. I read it because the articles are generally interesting, and it is a good place to find them consolidated in one place.
At no point did I say anything like "linux and unix are inferior, we should all use windows". I'm entirely pro-choice in what you run. What I'm trying to advocate here is that slashdot could be a lot better if people at least attempted to be more objective. Some people are, most are not. If we see only Microsoft's flaws, and not what they've done right we're running with blinders on.
Windows has a place, and it has solved problems that Unix, Apple, X, NeXT, Amiga, et al. still have not solved. Let's face it, they have a dominant market share for a reason, and to say it's only because of shady marketing practices is a fairly shortsighted view of things.
You may have plenty of bad things to say about Microsoft, Ballmer and Gates, but just try to do what they did. Most of us will not accomplish anything so impressive in our lifetimes.
I appreciate some of your points, but I'm afraid I just can't take the bait. You know :)
It amazes me that most of you really can't be constructive at all any time 'security' and 'microsoft' are uttered together.
What's more, the moderators encourage this lack of constructive talk by modding up things purely because they decry microsoft. How many days in a row are we going to hear the same old tired MS jokes?
Just because you run linux/bsd doesn't mean you're safe. Hell, by being connected to the internet at all you're at risk. Anyone with enough time, education and willingness to exploit you is going to eventually find a way in.
Anyone running any operating system can be attacked and compromised. Security is only as good as the people who maintain the machines. You people sometimes seem to forget that despite MS's faults, they do employ some of the best and brightest in the world. I imagine some of you may not believe that, but I do.
Personally, I think that if linux were a home desktop platform that had enough popularity to be a significant enough player in that market you'd be seeing a whole lot more hackers focusing specifically on linux. Realistically, what is the point of trying to exploit linux? Why exploit the little guy when you can go after the big fish? Especially when the majority of people running the big fish's stuff couldn't secure _any_ box to begin with, regardless of what it was running.
Same thing with the mac. I love it when macos users say "I never get viruses/worms!" well, who would write a virus/worm for such a minuscule percentage of computer users? The whole point of a virus/worm is to propagate, and if you don't have the userbase for it to propagate well, what's the point?
I apologise if I've offended people here, but I really felt this needed to be said. This persistent catscrap between linux and windows users doesn't help anything, or anyone.
Linux/BSD ARE good operating systems
MacOS/OSX ARE good operating systems
Windows IS a good operating system
and they ALL have faults.