Slashdot Mirror


User: Ash-Fox

Ash-Fox's activity in the archive.

Stories: 0 · Comments: 7,748

Comments · 7,748

  1. Re:Linux really does have serious issues on Linux Sucks (Video) · · Score: 1

    Note: I am not the grandparent.

    hardware manufacturers could just write the Linux driver once for the lifetime of the ABI just like they do for Windows.

    Until you install a service pack and then it breaks, as it has for me.

    An unstable kernel API

    The kernel API is generally stable. Generally, when it's broken, this is unfavourable.

    Free and proprietary ideologies can co-operate, the problem is the free side doesn't want to make any concessions in order to foster that co-operation and then they get upset when the proprietary side just gives them the finger.

    Except that the kernel licensed by Linus allows use of proprietary binary blobs to make this possible, so concessions have been made. In fact, because the kernel contains some binary blobs, some people have provided tools to remove the blobs from the kernel.

    Stop being such a religious absolutist and realize that not everybody bends to your point of view

    This may come as a surprise, but your view clearly isn't exactly absolute or accurate.

    FOSS world does exactly that, a culture of exclusion based on ideology.

    I don't really have a problem with this difference to exclude something using ideology as opposed to legal licensing or company interests. It's obvious that FOSS is ideology based, but I don't really see what the point is you're trying to drive forward by identifying this, especially when compared to other software in the industry.

  2. Re:Linux = cheap UNIX knock off. on Linux Sucks (Video) · · Score: 1

    No forking in OS X land.

    There are some forks, but nobody really uses them due to lacking significant functionality of OS X.

  3. Re:I have & I've been in this field since 1994 on How To Approve the Use of Open Source On the Job · · Score: 1

    I definitely HAVE seen guys with paper certs NOT be able to solve problems I could

    As have I, but the specific certifications I noted haven't disappointed. Some certifications are more equal than others, maybe?

    They told me they were out to take MY job & those of my fellow workers... I could have NO GREATER INCENTIVE & never failed

    What do you do exactly?

    As far as how outright crookery goes in companies for bonuses and such? Well - personally, I don't feel that anyone who doesn't DO THE ACTUAL JOB IN DESIGN & PRODUCTION should get a cent (as they didn't DO any REAL ACTUAL WORK...).

    World doesn't revolve around what we want sadly.

  4. Re:Money = answer (causes 99% of issues too) on How To Approve the Use of Open Source On the Job · · Score: 1

    Yea, well - I know PLENTY of "paper MCSEs" in my day - all the certs in the WORLD didn't make them experienced hands-on or even GOOD @ problem solving... yes, it happens, & I am SURE You know that.

    Generally speaking, I haven't met someone with a CCNP, CCIE, Novell Certificated Linux Engineer, MCSE that didn't have the know-how to do their job. But maybe that's because those certifications also have a practical element to them. I suspect you're confusing MCSE with MSCE, which is deprecated and previously had no practical element to them.

    See subject-line: Since you've got 1 thing absolutely right - what CAUSES most of the hassles in this world? Money... there's a reason "Follow the Money" exists as a phrase (it's true).

    If I follow the money, I find that in corporate culture, very few appear to be using alternative non-corporate vendors. Most of the time in large enterprises, you end up with companies almost exclusively buying from one company due to having a support contract that pretty much covers everything they provide. This does come at the detriment that other solutions might be better in various circumstances, but because support is already paid for, approval is automatic, you still go ahead with company X's offering.

    "Management NEEDS THAT BONUS" is usually who gets the biggest slices of the pie

    And they still get it, even when the company is doing poorly.

  5. Re:Money talks (the loudest) on How To Approve the Use of Open Source On the Job · · Score: 1

    As far as certs go, if something gets the job done and the person adminning it has proven himself, why bother with a cert that costs the company money sending an employee to get it if they don't need it since they understand it fully!

    Because decreasing the risk in employing more people to handle the systems is fairly important. Especially in today's corporate climate where people don't tend to stick around and have a long term career in a single company. You also generally want it to be easy to look for replacements and understand that the person is capable without having to be an expert in the matter yourself. Also depending on your industry, you may have compliance requirements that require certain types of certifications to prove eligibility.

    Ash-Fox: What are corporate bodies out to do and make?

    In my experience, red tape.

  6. Re:Again: There's routers out there w/ Linux on How To Approve the Use of Open Source On the Job · · Score: 1

    Sense tells me you could sell a router cheaper using Linux onboard than licensing ones to raise the per unit cost of said routers.

    While cost is often a reason for many things in big corporations, certifications and training are too. There is no universal "Linux router", many specialized Linux distributions for routing purposes do a lot of configuration and setup vastly different from each other. IOS on the other hand is pretty uniform and will likely have a wider selection of employable candidates with Cisco certification than Linux Router specific certification.

  7. Re:Your own medicine used against you on Yahoo Stops Honoring 'Do-Not-Track' Settings · · Score: 1

    You're *trying* to tell us DNS = "rootkit proof"?

    I'm saying the likelihood of that being an avenue to be exploited seems really unlikely and the fact that I have never seen this done against a DNS server, but I have with hosts files.

    That's YOUR puny SINGLE line of attack on me... answer it. It's now being used against you & there IS NO DEFENSE (according to of ALL people, you... lol!).

    I countered other points just fine.

    P.S.=> You fail - you doubled overheads on DNS using TCP vs. UDP where by comparison using hosts I save CPU cycles, RAM, & other forms of I/O on a SLOW usermode faulty + limited Windows' dnscache service ( & you're "bolting on more moving parts + complexity" to do it - I don't & lessen THAT too) - LESS IS MORE = GOOD ENGINEERING...

    Sure, there is more overhead with TCP due to the need to exchange a few more packets, however the majority of packets... SYN, SYN-ACK, ACK etc. are certainly more. However, they are not doubling the bandwidth requirements, I'm not convinced the CPU load is notably changing etc. Calling this 'doubling the overhead' seems a bit of a stretch.

    LESS IS MORE = GOOD ENGINEERING...

    Less also just means 'less'. In this case, less security.

  8. Re:You have TCP vs. UDP overheads (lol)... apk on Yahoo Stops Honoring 'Do-Not-Track' Settings · · Score: 1

    YOU ON THE OTHER HAND LITERALLY DOUBLED YOUR OVERHEADS using TCP vs. UDP... period!

    Maybe, but I don't even notice the difference and it's definitely secured against issues. Your method is not.

    Lastly: ANYTHING ANY ROOTKIT CAN DO TO HOSTS CAN BE DONE TO A DNS SERVER PROGRAM PAL - so your SINGLE "point"?

    Except DNS servers don't have a fixed configuration like hosts files, so the complexity is greater and I have not seen anything like that in the wild compared to hosts files.

    You also "bolt on more" complexity AND ROOM FOR BREAKDOWN!

    You mean like the windows DNS cache or PAM on Linux? No, I don't really see it being that bad.

    (In fact, I got RID of a known issue as efficiently as possible - you didn't & MADE IT WORSE, lol (so any overheads I *may* introduce? Moot & made up for by my disabling usermode SLOW faulty dnscache)... apk

    You don't even block malicious domains as a whole, just a few select subdomains from what is a known malicious domain which is why you have sub-GB hosts files. You are really making a bad case for security with host files and your 'lower' overhead doesn't excuse it.

  9. Re:DNS = "rootkit proof", Ash-Fox? Riiight (not) on Yahoo Stops Honoring 'Do-Not-Track' Settings · · Score: 1

    Are you trying to tell us rootkits can't affect DNS too?

    It's going to be fairly more complex to target a DNS server with a rootkit than it is to intercept an API call for reading the hosts file. I'm also unaware of anything in the wild that does that with DNS servers.

    By way of comparison - what did YOU do? YOU DOUBLE OVERHEADS ON DNS faulty & security issue riddled as it is in recursion + vs. botnets that abuse it as well as DNS Amplification attacks... by going from UDP to TCP, you literally doubled your overhead, literally!

    You can't do DNS amplification attacks over TCP... For one, spoofing the IP address means you won't be able to even establish a connection to do the request in the first place. The size of a SYN-ACK packet is tiny, so there wouldn't even be any advantage to even try to exploit TCP based service in this way.

    I don't "break" anything: I literally FIX A PROBLEM AS EFFICIENTLY AS POSSIBLE by saving CPU cycles, RAM, & other forms of I/O wasted on a FAULTY SLOW USERMODE service (dnscache).

    But by having a large hosts file to block for example, an entire domain, you then require massive amounts of disk space, RAM and even CPU to process such a thing plus hammering the hosts file with a hi-res timer...

    P.S.=> Answer that - it's going to be YOUR undoing (since I can direct it RIGHT BACK AT YA easily) & you KNOW it... lol!

    You really shouldn't be saying this stuff in every post, when I keep showing you up.

  10. Re:I save faulty slow usermode dnscache on Yahoo Stops Honoring 'Do-Not-Track' Settings · · Score: 1

    You introduce overheads (DOUBLE in fact, as TCP is double the calls of UDP, & 2 way, UDP = 1 way outbound broadcast only).

    Indeed and it's not vulnerable. Unlike the hosts file workaround that will only work for certain for any site part of the hosts file.

    I break NOTHING & fix a problem... you "fix it" alright (lol, by introducing FAR MORE overheads, double in fact!).

    Your methods break DNS caching and apparently generate overhead by running a hi-res timer and it still doesn't assure the situation is completely resolved.

    I fix it more EFFICIENTLY, you do not (AND I WROTE MY OWN, unlike a puny mere "user" of the work of others like you...)

    Not very efficient if you have to manually maintain that stuff honestly.

    P.S.=> Lastly - You miss a lookup? YOU GO INTO RECURSION too, & THAT introduces problems as well as slowness overheads (are your upstream updaters DNSSEC secured? If not, there you go...)

    No, my DNS server uses TCP for performing queries. It is not vulnerable to DNS spoofing.

  11. Re:You FAIL again.... apk on Yahoo Stops Honoring 'Do-Not-Track' Settings · · Score: 1

    DNS = FULL OF SECURITY ISSUES in:

    1.) Kaminsky flaw redirects

    Not an issue with my setup.

    2.) Abuse by "FastFlux" botnets

    Not an issue with my setup.

    3.) Abuse by Dynamic DNS using botnets

    Not an issue with my setup.

    4.) Abuse in DNS amplification attacks.

    Not an issue with my setup.

    * YOU have to be STUPID to use something so full of holes in security!

    As opposed to stuff like hosts file hijacking?

    (AS WELL AS "bolting on more moving parts" to waste electricity, cpu cycles, RAM, & other forms of I/O locally, when hosts can do the job in combination with a remote SECURE dns (actually secure, OpenDNS = DNSSEC + updated vs. Kaminsky too, unlike you)).

    Because my tiny zone file that blocks an entire domain is going to use less CPU cycles, RAM and other forms of I/O over the multi-GB hosts file? I don't think so. Also, it's less likely to randomly break other stuff too (see: Dnscache, PAM) etc.

    perfectly protected vs. those threats (the worst ARE fastflux &/or dynDNS botnets)...

    As is my setup.

    P.S.=> For ANYONE to have a hosts as large as mine would take 15++ yrs. (that's how long it took me)

    I think it took 15 minutes to get to 35GB here, when trying to block an entire domain through generating every single combination because I can't do something like wildcards.

  12. Re:WTF? How did you "counter' it?? on Yahoo Stops Honoring 'Do-Not-Track' Settings · · Score: 1

    Per my subject: HOW did you "counter" for the FACT my app locks hosts against hijack?

    I mentioned exactly which API call was being intercepted by a rootkit.

    You still introduced overheads - Thus, your "fix" != efficient. Mine for dnscache is saving CPU cycles, RAM, & other forms of i/O wasted on a FAULTY service (with large hosts files).

    My 'overheads' resolve the security issue completely. Yours does not and breaks things.

  13. Re:Additionally: You introduced overheads on Yahoo Stops Honoring 'Do-Not-Track' Settings · · Score: 1

    THAT usage of TCP (vs. UDP) introduced callback overheads udp doesn't have!

    But pretty much resolves the security issue, instead of risking that your hosts file might not have the address in question.

    The REST of "sealing your coffin" is here -> http://tech.slashdot.org/comme... [slashdot.org] (I save CPU cycles, RAM, & other forms of I/O wasted on a broken service that MY TECHNIQUE FIXES)

    I already countered this nonsense.

    and here too before it -> http://tech.slashdot.org/comme... [slashdot.org] (my app locks hosts vs. write corruption hijack).

    And that too.

    P.S.=> Every SINGLE ONE of your "objections" = overcome & DESTROYED easily, by "yours truly"... but YOURS are still @ issue in using DNS (full of security holes in Kaminsky flaw redirection, & being ABUSED DAILY BY "fastflux" &/or "dynDNS" using botnets & also recursion dangers AND OVERHEADS as well + more...) - you FAIL, yet again, vs. myself...

    Whoa, you're scaring me!

  14. Re:That FACT shut you down easily... apk on Yahoo Stops Honoring 'Do-Not-Track' Settings · · Score: 1

    I don't just mark it once - it's kept up by a hi-res timer (thus not locking the OS out of reads of hosts)

    What... If you're going to have an application running in the background, why not just use a write lock? Your method sounds like it's wasting a lot of CPU cycles.

    IF my original hosts were SOMEHOW to get 'poisoned' is what (not that it can, see above)!

    Considering some of the ones I encountered involved rootkits that intercepted native reads (NtReadFile) and for most usermode applications would return the original file, that doesn't help.

    It's a GREAT SOLUTION (better than toying with the faulty local USERMODE SLOW dnscache service TTL) since that service IS BROKEN WITH LARGER HOSTS FILES!

    Or a bad solution because it breaks a service that works normally just fine until your hosts thing is involved.

    I also saved RAM, CPU cycles, & other forms of I/O wasted

    And waste it on a hi-res timer that messes with the hosts file instead...

    (& I make up indexing by placing my fav. sites @ the TOP of hosts which equates to 2-3 million indexed entries, cached into RAM now by a FASTER SUBSYSTEM IN KERNELMODE - diskcache!)

    Except the hosts file I generated was larger than the amount of RAM I had, for one domain. So, I don't see how that would work.

    These facts in turn will do the rest & seal your coffin

    I wanna run away and never come back!

  15. Re:Won't happen w/ my app running... apk on Yahoo Stops Honoring 'Do-Not-Track' Settings · · Score: 1

    See subject & WRONG: My app LOCKS hosts against that

    Cool story. However, I have seen enough apps mark the hosts file as read only and modify by SYSTEM only through malware protection software like spybot. Doesn't help against the more vicious malware.

    (& when it makes the hosts file, it does so from a PRISTINE backup).

    I don't see what moving/copying files has to do with this discussion.

    P.S.=> That "default service" was one I confronted Microsoft on YEARS ago - it's not MY fault they don't fix it!

    I never said it was, I just don't think a good solution is one that involves breaking services on Windows and the only way to get around it is to give up things like DNS caching.

    E.G.-> Linux has no such issues, for example, with LARGE hosts files!

    Actually if your hosts file exceeds 3.4GiB on a 32bit Linux system, you can end up prevented from logging in at the console because PAM can't handle the hostname look up for the local system. I don't even know if it's possible to load a hosts file if you don't have the RAM to hold it on Linux either. The file size I generated trying to block a single domain was far larger than that.

    USERMODE SLOW dnscache service

    Resolution of cached stuff seems faster than querying 8.8.8.8 here?

  16. Re:You're MORE than welcome to... apk on Yahoo Stops Honoring 'Do-Not-Track' Settings · · Score: 1

    You don't always need to block entire domains.

    But, for the majority of cases, I would. One of the few exceptions is a dyndns service website and those tend to get the issues sorted quickly on their own before I become aware of an issue.

    Redirect from recursion is a problem in DNS.

    I resolved that problem years ago by setting the preference for resolution over TCP while people were arguing about making dnssec a standard.

    He's right on that much as well as a hosts being less parts complexity and less room for breakdown (or in DNS' case, exploit).

    I've come across plenty of malware on other people's machines that modified the hosts file on Windows XP, Vista and 7 (I haven't given 'free help' to people since Windows 8 came out). I'm pretty certain the hosts file can be exploited exactly the same as before to direct people to malicious sites. That 'less parts complexity' didn't help there. Hell, making a large hosts file causes a default Windows service to 'breakdown' reliably.

  17. Re:You're MORE than welcome to... apk on Yahoo Stops Honoring 'Do-Not-Track' Settings · · Score: 1

    You use MORE POWER, cpu cycles, RAM, + other forms of I/O by STUPIDLY "piling on more" when a native part of the OS itself (hosts & the IP stack) can do the job MORE than adequately for all of the benefits noted above (that you can't disprove AND YOU KNOW IT, lol).

    Because apparently a zone file that is less than a kilobyte to block an entire domain versus generating a multi-GB hosts file to come up with every single hostname combination to block a domain fully and then using that multi-GB hosts file requires less "cpu cycles, RAM, + other forms of I/O" etc.

    HEY STUPID: It's widely KNOWN & DOCUMENTED that with LARGE hosts files you MUST turn off the local USERMODE SLOW dns clientside cache service in Windows...

    Exactly, because it breaks it. Thanks for proving my point yet again.

  18. Re:I've knocked you flat out on hosts before on Yahoo Stops Honoring 'Do-Not-Track' Settings · · Score: 1

    Yes, and my statement still applies with regards to using my DNS solution:

    You have very selective reading. I've clearly stated numerous times now that in practice, it essentially doesn't matter. There is no notable difference taking any effect here. You choose to ignore it, repeatedly.

    You also forgot the other post where I tried your hosts file solution, which in turn generated multi-GB text file to do the equiv of a wildcard block on a domain for your preferred platform (Windows) and it broke Windows services preventing DNS resolution from working. Not simply 'just working' as you would have us believe. Additionally, memory consumption was up.

    P.S.=> Which I know (and you know, as would anyone reading here) you CAN'T DO, since it's impossible to do (& you know it, & you'll "Run, Forrest: RUN!!! from that challenge as per your usual, you zero accomplishment in coding little troll... lmao!

    I don't need to respond when you prove my case.

  19. Re:Ghostery = INFERIOR + 'Souled-Out' on Yahoo Stops Honoring 'Do-Not-Track' Settings · · Score: 1

    Calm down APK, I've already lost count of the amount of spam posts you made on this article (which use points I have already refuted long ago).

  20. Re:Yahoo, kill yourself! on Yahoo Stops Honoring 'Do-Not-Track' Settings · · Score: 1

    Horrible decision, a standard isn't being honored "EVERYWHERE" so you decide to undermine it entirely without replacement? What's the REAL reason, money?

    The standard approach is not to honour it.

  21. Re:That deteriorated quickly. on XP Systems Getting Emergency IE Zero Day Patch · · Score: 1

    DOJ can pay for their patches like the IRS does.

  22. Re: There should be only two options on XP Systems Getting Emergency IE Zero Day Patch · · Score: 1

    You can't even compile windows xp with regular compilers.

  23. Re:That deteriorated quickly. on XP Systems Getting Emergency IE Zero Day Patch · · Score: 1

    One word, explain.

  24. Re:My personal experience on Google: Better To Be a 'B' CS Grad Than an 'A+' English Grad · · Score: 1

    So I am saying that if you have talent, passion and dedication, but are missing that formal education, you are severely limited.

    I can agree with this observation with rare exceptions to the rule.

  25. Re:My personal experience on Google: Better To Be a 'B' CS Grad Than an 'A+' English Grad · · Score: 1

    If you do not have a good (!) formal education in CS, what you can do is quite limited.

    To be honest, my own experience with people who have had 'good formal education' in CS has been very disappointing.

    Algorithmic complexity, security, competent use of crypto, advanced data-structures, etc. remain a mystery to those without that formal education

    And people with that education in my experience.

    they suck badly and produce things that are best thrown away instead of being implemented.

    And it becomes problematic when they have some qualification backing them, because they create a false sense of quality and security.

    One problem is that they often do not even realize that they are missing skills and think stupid things like "crypto is easy", or "hashing is always constant time" and the like

    My own experience with such people is the mentality is closer along the lines of "I did what I know, not my problem if there is an issue."

    This is not saying all people that have a decent CS degree are like this, I just don't understand how some people have them to begin with and unfortunately, they tend to be the vast majority.