If you use MS apps on Linux, or whatever this is, you're still using MS apps. You're still voting for MS with dollars (just slightly less so than using MS apps on windows). You're still endorsing MS 'extended' protocols and closed file formats.
I'm not even a big conceptual fan of WINE - I think it's a clever idea, I'm sure the programmers have good intentions - but with WINE, we've got real talent chasing the MS API moving target - which they'll never catch because MS will conceal or lie about it - when they could be working on native apps. Maybe I'm wrong - maybe this is a good strategy, because with one fell swoop you open up a new world of apps for Opensource/Free software - but I just don't see it that way.
Second, once people are on Linux, MS Office will have to compete on it's own quality against the open source office apps,
When people's first impression of Linux is an intentionally crappy MS app (even crappier than on Windows), they'll stay away in droves.
ALso, if MS apps are available on Linux, does the development of native, free apps continue? All MS has to do is pre-announce it, then never deliver or deliver crap, to do real harm. Actually, I'm surprised they haven't done it already - probably afraid to lgitimize the enemy that much. I'm against this almost as much as I'm against WINE. At least with this, it's MS wasting their time - with WINE, we've got real talent chasing the MS API moving target - which they'll never catch because MS will conceal or lie - when they could be working on native apps.
But I still go back to my main point - if you use MS apps on Linux, you're still using MS apps. You're still voting for MS with dollars. You're still endorsing MS 'extended' protocols and closed file formats. It's just slightly less so than using MS apps on windows.
I believe "Office for Linux" has the potential to break the MS desktop OS monopoly,
I believe "Office for Linux" has the potential to break the Linux desktop.
Remember that many major security holes are in MS apps, not just the OS. Also remember that you'll be inviting VB macros, spyware, etc onto your desktop. Finally, remember that MS will have negative incentive to produce a reliable, stable product for Linux - and they don't do that good a job of that for their own OS.
Inviting MS software onto your desktop is like inviting a vampire into your home. It might have seemed like a good idea at the time...
A 1984 reference. So obligatory... are you really so paranoid that you don't see any practical upside to this technology? And what in the world keeps people from replacing/altering hard copies of historical records?
So if the reference is so obligatory, how come I'm the first of several hundred (at least those at >=1) to make it? Yes there are advantages and yes paper can be modified, destroyed or replaced. But think how much easier it when when it's dynamic. Just as hi-res graphics and powerfuil computers are destroying the probative nature of photographs, this trechnology undermines paper evidence. And no, I'm not a Luddite, but I do wonder where we're headed.
If the author PGP signs his or her work, then you can be sure of its authenticity.
No, all you can be sure of is that someone with access to the private key you think belongs to the author has signed it. The record companies have used their oligopoly power to make all but the most famous and powerful sign away the rights to their music. If this catches on in other branches of the publishing world, the publishers, not the authors, would have the signing keys. Or the publishers would have a contract with the authors requiring the authors to sign whatever the publishers dictate. There are solutions, but technology by itself isn't necessarily it.
What happens when documents can be changed at will, including copies already 'printed'? Orwell said: "He who controls the past controls the future. He who controls the present controls the past." If all documents a published on this stuff, a level of control becomes possible that was previously unthought of. Give me documents that are immutable, please.
And how about windows NT? I installed the package that allows printing from NT to an IP printer. (I'd been doing this for years, but it magically stopped working. Wierd shit Just Happens in MS crapware...). After the mandatory reboot ("windows has detected a parameter change somewhere in known space. please reboot") NT automagically created a new profile for the same userID I ALWAYS login as. All attempts to switch back to re-using the previous profile (including those with the GUI tools) failed utterly to have any effect. Palm Pilot Desktop stopped working altogether and had to be re-installed. Ditto Notes (oh oh, there's another piece of hard-drive sewage, but that's another rant...). All other apps reverting to the revolting default behaviours (e.g. typeing "PCs" in MSWORD yields "Pcs" because some moronic asshole of a programmer thinks he knows what I want to type better than I do, and buried the nerd-knob that undoes this offensive behaviour behind seven layers of incomprehensible menus in 3 different places).
Summary: Linux may not be ready for the enterprise, but NEITHER IS WINDOWS.
If MS didn't lose their shirt over putrid crap like win3.x or win9x
And while I'm at it, how about a business app that caused measurable damage in the workplace: MS Word. I don't even want to think about how much time I've lost fighting that piece of shit because a file became unprintable after I inserted a graphic or because a line of '=' characters became some sort of non-deleteable meta-section break bullshit or because the formatting of one file was hopelessly and irreparably ruined because I had the temerity to copy and paste text from another file or....
I've lost days of my life fighting the wierd horse-shit that just happens when you use MS shitware. (All of this would be fixable if they would just implement the "Reveal Codes" function that workdperfect has (had?) so you could get at the formatting codes, but it's clear they never will. 4 years after conversion to MS Word, my co-workers (who are not geeks) still long for wordperfect for this one feature alone.) This, along with their despicable business practices, is why I hate them and all their works.
a better question is: if things go wrong with widget x, what are my options to get it fixed? with closed s/w, the only option is the vendor you got it from (and really, knowing that, do you want to sue them?). with free software you can use your vendor, another vendor, your own staff, or private contractors
(Some is also legal... if you run into a snafu with kernel 2.6.1, who can you sue??).
You sound like you've got a good view of the issue, but this sentence cries for rebuttal. When, oh WHEN, will pople stop parroting this nonsense? Any CIO that uses this as an argument against OpenSource/Free software is a moron. I challenge anyone, anywhere, to give evidence that anyone has ever collected a single penny from suing a mass-market software maker for shoddy code. If MS didn't lose their shirt over putrid crap like win3.x or win9x, with it's dll-hell and semi-annnual re-install schedule, how can anyone get sued?
When you buy a distribution and install it, then your box ought to be secure. Sure, to build a distribution that actually provides that is a very difficult task, but it's really not fair to blame software errors on the user.
I see your point. I think some vendors are moving this way from what I hear, with the option to installl packet filters at install time and fewer services on by default (I haven't installed a distro since rh6.2, so this is from what I hear, not from what I know).
If distros turned up with all services off, (the OpenBSD approach) and the instructions/tools used to turn them on contained information and warnings, that would help.
You permit packets from anywhere to get through as long as they have port 80 as the source port?
I run apache, so I permit sessions initiated to my destination port 80.
If you diddn't recently initiate the connection to port 80, you don't want traffic from port 80 coming back to you!
If you didn't initate a connection to port 80, if a "response" comes back from port 80, the tcp/ip stack will reject it. You don't need a firewall for that.
Actually, step 2 should have been step 1 - it's quicker with less risk of turning off something you need. (but do it in console mode untill you;'ve got a firewall script that permits everything on lo0 (127.0.0.1, internal interface) - otherwise, X dies and your GUI doesn't like that.
I run my own box for personal use, and learning anything more than basic security takes more time than it's worth.
Maybe to YOU, how about all the other people who will get nailed when YOUR box is hacked and used in Distributed Denial of Service attacks? How about the emabarassment of discovering your box being used as a drop point for many megs of porn for sexuality other than your own? How about all the webmasters who have to put up with probes (at least) from your box after it catches the latest worm? How about your ISP being notified that you've committed criminal activity against another computer because a cracker cracked you and used your box as a springboard?
If you can't be bothered, take your box of the internet, PLEASE.
Steps to a (more) secure box:
issue netstat -apn (adjust for parms allowed in your netstat, but if -a doesn't work, get a new one; if -p doesn't work and you're running a recent version of Linux, you've probably *already* been cracked). Understand every single tcp or udp entry. Turn off any you don't need.
set up a firewall on your machine. Deny all incoming connections by default, then permit only the protocols you need from the endpoints you need to permit them from. For example, I permit http from anywhere. I permit ssh on my home box only from the outer address of the firewalls at work - and this is a good thing because ssh at one point had a hole, so I'd cut my vulnerability way down.
Turning off unneeded services, then firewalling (actually, packet filtering) to allow only known-good protocols is 'defense in depth' - the odds of screwing up in both places the same way are smaller than for either one singly.
if you're using Linux, Bastille Linux is a useful script (or set of scripts) that will help you secure your machine and teach you about the process at the same time.
Subscribe to a security mailing list or two (CERT and Bugtraq are good). When you see something you're using there, fix it.
Interesting story: I was doing work on a box for a guy who only had *dial-up* access and only used it to send/receive email and browse a little. He was cracked, which I discovered when his netstat wouldn't take the -p option (his version had been replaced after he was cracked, which is common - the crackers replace common utilities with versions specifically written to *not* show their activities on your machine). Ooops - time to reformat and re-install. The fact that you are on a slow link or you are obscure doesn't help much - the script kiddies pick a block of IP addressess at random and scan them all for their vulnerability du jour - if you have it, you're toast.
Until 5 mins ago I was a beleiver in complete disclosure, But with 6 wu-ftpd boxes to admin I'm not so sure any more.
I understand your pain, but the problem is wu-ftpd, not full disclosure. wu-ftpd has a very long, sorry history of bad security holes. I don't use it on any server accessible by anyone but me.
For anonymous ftp, I'd recommend looking at publicfiles by D.J Bernstein. I haven't used it, but he's serious about security.
For file transfer amongst a community where you can enforce client choice, use scp/sftp, as provided by OpenSSH (or commercial SSH, I guess - ssh inc. has a nice windows ssh/sftp client if you need that, and it works with the free OpenSSH server).
If you must use an ftpd with non anonymous logins (not recommended in a time of freely available packet sniffers), I'd look long and hard to find anything BUT wu-ftpd.
I looked at the screenshot. I'd spent extra to make this NOT happen. This just a way to make displays more confusing. Having windows bleed through each other sucks, IMNSHO.
Admins have no one to blame but themselves for this one, it's not some fancy buffer overflow, it's a blank password. Duh.
And how about the case (distressingly frequesnt) where the installation of some software other than SQL server installs SQL server with a blank admin password, or (as Visio2000 does) installs MSDE, a stripped down SQL server, with a blank password? Visio2000 is a desktop app - how is this sysadmin negligence as opposed to gross programmer stupidity?
Cable from line-out of CD player to line-in jack of sound-card
Start sound-to-wav converter and CD player.
Encode wav to mp3.
wavrec and bladeenc work good under linux for steps 3 and 4, but there has to be something similar for windoze.
It's easier to rip straight from the CD, but the quality difference probably isn't noticeable after MP3 encoding (this is a guess). This method guarantees that there will be MP3 on the net of any decent tracks 20 minutes after the CD hits the shelf. And once the first one's out, that's all she wrote baby. Eat my dust, RIAA!
But while we're doing this, don't forget to oppose the SSSCA absolutely and to agitate for the repeal of DMCA. The real danger lies in the next generation of hardware and formats, where more protection is built into the hardware.
Actually, the packet filters on my linux box have reported several instances of an apparent DNS DDOS - many packets addressed to port 53 from several different IP addresses over a relatively short period of time. The first instance I have of this is Oct 15, but that's all the farther back my logs go. Seems a little odd, though, since I don't run any DNS and haven't for months.
Already available is djbdns, written by D. J. Bernstein with security as a design goal. In fact, he offers rewards to anyone who can find a vulnerability.
I have a BSEE. I was doing network monitoring and troubleshooting and started writing shell/sed/awk scripts (prior to learning perl - wish I had that time back) on SunOs 4.something to make sense out of our Timeplex t3/t1 mux network. Then I went to my next job, where HR had kludged together a frankenstein's computer running SCO Unix to run Oracle and PeopleSoft. My boss said "You know Unix, right?". I said "A little". (That boss had the opinion that when I said "I know a little about that", I meant that that my knowledge was limited by the fact that I hadn't actually written the code in question. Flattering, but occasionally inconvenient.) So I was was made sysadmin on that box, which I continued to be after the system in question moved to Solaris 2.5.1. (I was also one our main router admins at this point, so I was very busy, but the combination was really good for learning stuff.)
I had a good rep, in spite of not being the most organized person in the world, mainly because I'm very conservative - if I change something, it's with lots of off-time ahead to recover and full, verified backups in hand. Not everyone believes in that, amazingly enough. Also, if users had problems or questions, I would do my best to get them an answer, or send them to the person that should have the answer.
These days I 've been instructed to concentrate on router/network issues, but I still keep a Linux box up for MRTG (for serial link statisitics via SNMP) and to run perl scripts to monitor various network functions.
This provides the ability to monitor individual system activities that your solution lacks. For example, you could monitor each time files were opened for reading or writing, etc. It appears that you can also specify which files using matches, including regular expressions. You can find out who ran what programs with what parameters (all the system commands like rm are programs).
There was a previous thing like tis at hert.org, but it doesn't seem to be kept up anymore.
This may be the first real reason I've seen to upgrade my particular installation to 2.4 kernel.
The provision of GUI tools is nice. But my experience with Solaris BSM was that it proiduced so much output that you ended up using text tools (grep, awk, sed, perl) and running little programs that many minutes or several hours to run to get the meaningful information from out of the chaff.
Slashdot Mirror
If you use MS apps on Linux, or whatever this is, you're still using MS apps. You're still voting for MS with dollars (just slightly less so than using MS apps on windows). You're still endorsing MS 'extended' protocols and closed file formats.
I'm not even a big conceptual fan of WINE - I think it's a clever idea, I'm sure the programmers have good intentions - but with WINE, we've got real talent chasing the MS API moving target - which they'll never catch because MS will conceal or lie about it - when they could be working on native apps. Maybe I'm wrong - maybe this is a good strategy, because with one fell swoop you open up a new world of apps for Opensource/Free software - but I just don't see it that way.
That's a bogus argument.
At least it's an argument, not a lame put-down.
Second, once people are on Linux, MS Office will have to compete on it's own quality against the open source office apps,
When people's first impression of Linux is an intentionally crappy MS app (even crappier than on Windows), they'll stay away in droves.
ALso, if MS apps are available on Linux, does the development of native, free apps continue? All MS has to do is pre-announce it, then never deliver or deliver crap, to do real harm. Actually, I'm surprised they haven't done it already - probably afraid to lgitimize the enemy that much. I'm against this almost as much as I'm against WINE. At least with this, it's MS wasting their time - with WINE, we've got real talent chasing the MS API moving target - which they'll never catch because MS will conceal or lie - when they could be working on native apps.
But I still go back to my main point - if you use MS apps on Linux, you're still using MS apps. You're still voting for MS with dollars. You're still endorsing MS 'extended' protocols and closed file formats. It's just slightly less so than using MS apps on windows.
I believe "Office for Linux" has the potential to break the MS desktop OS monopoly,
I believe "Office for Linux" has the potential to break the Linux desktop.
Remember that many major security holes are in MS apps, not just the OS. Also remember that you'll be inviting VB macros, spyware, etc onto your desktop. Finally, remember that MS will have negative incentive to produce a reliable, stable product for Linux - and they don't do that good a job of that for their own OS.
Inviting MS software onto your desktop is like inviting a vampire into your home. It might have seemed like a good idea at the time...
A 1984 reference. So obligatory... are you really so paranoid that you don't see any practical upside to this technology? And what in the world keeps people from replacing/altering hard copies of historical records?
So if the reference is so obligatory, how come I'm the first of several hundred (at least those at >=1) to make it? Yes there are advantages and yes paper can be modified, destroyed or replaced. But think how much easier it when when it's dynamic. Just as hi-res graphics and powerfuil computers are destroying the probative nature of photographs, this trechnology undermines paper evidence. And no, I'm not a Luddite, but I do wonder where we're headed.
If the author PGP signs his or her work, then you can be sure of its authenticity.
No, all you can be sure of is that someone with access to the private key you think belongs to the author has signed it. The record companies have used their oligopoly power to make all but the most famous and powerful sign away the rights to their music. If this catches on in other branches of the publishing world, the publishers, not the authors, would have the signing keys. Or the publishers would have a contract with the authors requiring the authors to sign whatever the publishers dictate. There are solutions, but technology by itself isn't necessarily it.
What happens when documents can be changed at will, including copies already 'printed'? Orwell said: "He who controls the past controls the future. He who controls the present controls the past." If all documents a published on this stuff, a level of control becomes possible that was previously unthought of. Give me documents that are immutable, please.
From the linked post: free implementations are of course recommended and cygwin is proven
to work fine on wine.
So I run Linux to run wine to run debian? Am I missing something here? What kind of computer pervert do you think I am?
And how about windows NT? I installed the package that allows printing from NT to an IP printer. (I'd been doing this for years, but it magically stopped working. Wierd shit Just Happens in MS crapware...). After the mandatory reboot ("windows has detected a parameter change somewhere in known space. please reboot") NT automagically created a new profile for the same userID I ALWAYS login as. All attempts to switch back to re-using the previous profile (including those with the GUI tools) failed utterly to have any effect. Palm Pilot Desktop stopped working altogether and had to be re-installed. Ditto Notes (oh oh, there's another piece of hard-drive sewage, but that's another rant...). All other apps reverting to the revolting default behaviours (e.g. typeing "PCs" in MSWORD yields "Pcs" because some moronic asshole of a programmer thinks he knows what I want to type better than I do, and buried the nerd-knob that undoes this offensive behaviour behind seven layers of incomprehensible menus in 3 different places).
Summary: Linux may not be ready for the enterprise, but NEITHER IS WINDOWS.
If MS didn't lose their shirt over putrid crap like win3.x or win9x
And while I'm at it, how about a business app that caused measurable damage in the workplace: MS Word. I don't even want to think about how much time I've lost fighting that piece of shit because a file became unprintable after I inserted a graphic or because a line of '=' characters became some sort of non-deleteable meta-section break bullshit or because the formatting of one file was hopelessly and irreparably ruined because I had the temerity to copy and paste text from another file or....
I've lost days of my life fighting the wierd horse-shit that just happens when you use MS shitware. (All of this would be fixable if they would just implement the "Reveal Codes" function that workdperfect has (had?) so you could get at the formatting codes, but it's clear they never will. 4 years after conversion to MS Word, my co-workers (who are not geeks) still long for wordperfect for this one feature alone.) This, along with their despicable business practices, is why I hate them and all their works.
a better question is: if things go wrong with widget x, what are my options to get it fixed? with closed s/w, the only option is the vendor you got it from (and really, knowing that, do you want to sue them?). with free software you can use your vendor, another vendor, your own staff, or private contractors
Someone, please, mod this up some more.
(Some is also legal... if you run into a snafu with kernel 2.6.1, who can you sue??).
You sound like you've got a good view of the issue, but this sentence cries for rebuttal. When, oh WHEN, will pople stop parroting this nonsense? Any CIO that uses this as an argument against OpenSource/Free software is a moron. I challenge anyone, anywhere, to give evidence that anyone has ever collected a single penny from suing a mass-market software maker for shoddy code. If MS didn't lose their shirt over putrid crap like win3.x or win9x, with it's dll-hell and semi-annnual re-install schedule, how can anyone get sued?
When you buy a distribution and install it, then your box ought to be secure. Sure, to build a distribution that actually provides that is a very difficult task, but it's really not fair to blame software errors on the user.
I see your point. I think some vendors are moving this way from what I hear, with the option to installl packet filters at install time and fewer services on by default (I haven't installed a distro since rh6.2, so this is from what I hear, not from what I know).
If distros turned up with all services off, (the OpenBSD approach) and the instructions/tools used to turn them on contained information and warnings, that would help.
You permit packets from anywhere to get through as long as they have port 80 as the source port?
I run apache, so I permit sessions initiated to my destination port 80.
If you diddn't recently initiate the connection to port 80, you don't want traffic from port 80 coming back to you!
If you didn't initate a connection to port 80, if a "response" comes back from port 80, the tcp/ip stack will reject it. You don't need a firewall for that.
Tip for MSCEs: Samba and SSH will allow you to remotely administer a Windows network better than any Windows tool.
Actually, IIS does a pretty good job of letting *everyone* remotely administer your Windows system.
Actually, step 2 should have been step 1 - it's quicker with less risk of turning off something you need. (but do it in console mode untill you;'ve got a firewall script that permits everything on lo0 (127.0.0.1, internal interface) - otherwise, X dies and your GUI doesn't like that.
Maybe to YOU, how about all the other people who will get nailed when YOUR box is hacked and used in Distributed Denial of Service attacks? How about the emabarassment of discovering your box being used as a drop point for many megs of porn for sexuality other than your own? How about all the webmasters who have to put up with probes (at least) from your box after it catches the latest worm? How about your ISP being notified that you've committed criminal activity against another computer because a cracker cracked you and used your box as a springboard?
If you can't be bothered, take your box of the internet, PLEASE.
Steps to a (more) secure box:
Turning off unneeded services, then firewalling (actually, packet filtering) to allow only known-good protocols is 'defense in depth' - the odds of screwing up in both places the same way are smaller than for either one singly.
Interesting story: I was doing work on a box for a guy who only had *dial-up* access and only used it to send/receive email and browse a little. He was cracked, which I discovered when his netstat wouldn't take the -p option (his version had been replaced after he was cracked, which is common - the crackers replace common utilities with versions specifically written to *not* show their activities on your machine). Ooops - time to reformat and re-install. The fact that you are on a slow link or you are obscure doesn't help much - the script kiddies pick a block of IP addressess at random and scan them all for their vulnerability du jour - if you have it, you're toast.
I understand your pain, but the problem is wu-ftpd, not full disclosure. wu-ftpd has a very long, sorry history of bad security holes. I don't use it on any server accessible by anyone but me.
I looked at the screenshot. I'd spent extra to make this NOT happen. This just a way to make displays more confusing. Having windows bleed through each other sucks, IMNSHO.
Admins have no one to blame but themselves for this one, it's not some fancy buffer overflow, it's a blank password. Duh.
And how about the case (distressingly frequesnt) where the installation of some software other than SQL server installs SQL server with a blank admin password, or (as Visio2000 does) installs MSDE, a stripped down SQL server, with a blank password? Visio2000 is a desktop app - how is this sysadmin negligence as opposed to gross programmer stupidity?
- Put cd in regular CD player.
- Cable from line-out of CD player to line-in jack of sound-card
- Start sound-to-wav converter and CD player.
- Encode wav to mp3.
wavrec and bladeenc work good under linux for steps 3 and 4, but there has to be something similar for windoze.It's easier to rip straight from the CD, but the quality difference probably isn't noticeable after MP3 encoding (this is a guess). This method guarantees that there will be MP3 on the net of any decent tracks 20 minutes after the CD hits the shelf. And once the first one's out, that's all she wrote baby. Eat my dust, RIAA!
But while we're doing this, don't forget to oppose the SSSCA absolutely and to agitate for the repeal of DMCA. The real danger lies in the next generation of hardware and formats, where more protection is built into the hardware.
(Of course, I wasn't always this enlightened.)
Actually, the packet filters on my linux box have reported several instances of an apparent DNS DDOS - many packets addressed to port 53 from several different IP addresses over a relatively short period of time. The first instance I have of this is Oct 15, but that's all the farther back my logs go. Seems a little odd, though, since I don't run any DNS and haven't for months.
Already available is djbdns, written by D. J. Bernstein with security as a design goal. In fact, he offers rewards to anyone who can find a vulnerability.
I have a BSEE. I was doing network monitoring and troubleshooting and started writing shell/sed/awk scripts (prior to learning perl - wish I had that time back) on SunOs 4.something to make sense out of our Timeplex t3/t1 mux network. Then I went to my next job, where HR had kludged together a frankenstein's computer running SCO Unix to run Oracle and PeopleSoft. My boss said "You know Unix, right?". I said "A little". (That boss had the opinion that when I said "I know a little about that", I meant that that my knowledge was limited by the fact that I hadn't actually written the code in question. Flattering, but occasionally inconvenient.) So I was was made sysadmin on that box, which I continued to be after the system in question moved to Solaris 2.5.1. (I was also one our main router admins at this point, so I was very busy, but the combination was really good for learning stuff.)
I had a good rep, in spite of not being the most organized person in the world, mainly because I'm very conservative - if I change something, it's with lots of off-time ahead to recover and full, verified backups in hand. Not everyone believes in that, amazingly enough. Also, if users had problems or questions, I would do my best to get them an answer, or send them to the person that should have the answer.
These days I 've been instructed to concentrate on router/network issues, but I still keep a Linux box up for MRTG (for serial link statisitics via SNMP) and to run perl scripts to monitor various network functions.
This provides the ability to monitor individual system activities that your solution lacks. For example, you could monitor each time files were opened for reading or writing, etc. It appears that you can also specify which files using matches, including regular expressions. You can find out who ran what programs with what parameters (all the system commands like rm are programs).
There was a previous thing like tis at hert.org, but it doesn't seem to be kept up anymore.
This may be the first real reason I've seen to upgrade my particular installation to 2.4 kernel.
The provision of GUI tools is nice. But my experience with Solaris BSM was that it proiduced so much output that you ended up using text tools (grep, awk, sed, perl) and running little programs that many minutes or several hours to run to get the meaningful information from out of the chaff.