Slashdot Mirror


User: VENONA

VENONA's activity in the archive.

Stories: 0
Comments: 544

Comments · 544

  1. Re:Good for Business? on Virgin Galactic to Build Space Port in New Mexico · · Score: 1

    Mod parent informative. He's dead on about the area. 25 miles south of TorC there's pretty much nothing. The White Sands test range is already there. Placing a spaceport in the same area seems completely sensible, if Virgin couldn't get a location closer to the equator.

  2. Re:Gnome is flat out better than KDE on Torvalds Says 'Use KDE' · · Score: 1

    Whoever modded this up obviously lacks the intelligence required to comprehend the mod FAQs.

  3. Re:Tell us what you really think on Torvalds Says 'Use KDE' · · Score: 1

    He's *against* exactly what you quoted. You're knowingly taking it completely out of context. Do you troll for Microsoft or something, or are you the Prototype of All Idiots?

  4. Re:A fork in the road... on Torvalds Says 'Use KDE' · · Score: 1

    Thx for clarification. It saved me wasting time tomorrow, and things are going to be quite crazy enough.

    I am now organizing my thoughts for a massive blast about how to get us FTL travel and a starbase at Alpha Centauri, as well as my patented prior request for perfect docs and flying cars...damn. That won't work, either.

    Shit!

  5. Re:Corporate use of KDE versus GNOME. on Torvalds Says 'Use KDE' · · Score: 1

    "...a study was done into which desktop was used by the most productive users."

    Cyric, if it's allowed by the client, could the results, sample size, methodology, etc., of this study be made public? It would be an interesting read.

  6. Re:A fork in the road... on Torvalds Says 'Use KDE' · · Score: 1

    Your point about Godwin is certainly well taken. That is pretty surprising.

    Many of us don't have the choice of not allowing any g* packages. I'm not a heavy user of keymapping, but I couldn't get my work done without Ethereal. So I'll have Gnome libs on my workstation for the foreseeable future. I'm sure many others will have at least libs, and perhaps the entire Gnome desktop, to run other vital apps. gEDA http://www.geda.seul.org/ comes to mind, after seeing it in this month's Linux Journal.

    While I'm a KDE person, for reasons that seem good to me, I've nothing against any desktop. The fact that there are so many users of each means that there is room (and a need) for both. I really dislike the fact that major distros are choosing one, and giving short shrift to another. A matter of economics, I suppose, but that doesn't mean that I have to like it.

    Wouldn't it be sweet if half the energy devoted to the flamewars could be channeled into fixing the remaining cross-desktop compatibility issues? It'll never happen, of course, as the flamers aren't typically the developers. But I'd like to see developers in either system regard interoperability issues as important at a minimum, and preferably critical.

    Next, we should have perfect docs, and of course flying cars. :)

  7. Re:Linus, Thank You for Sharing on Torvalds Says 'Use KDE' · · Score: 1

    "Judge a comment by it content and context, not by who ever wrote it."

    IMHO, the author can often be an important part of the context. Nobody has time to chase down and test the assertions made in every post by an unknown author. We all make value judgments based on reputation, whether it be tech matters, which version of the popular news we might watch on evening television, or whether a CD might be worth buying.

    Available user settings in Slashdot even support this, with friends, enemies, etc. I suspect it's been this way since our hunter-gatherer days, and we trusted Mog over Urk as to where the berries grew.

  8. Re:Who Uses Perl Anymore? on Pro Perl Debugging · · Score: 1

    Yawn.

  9. Re:Who Uses Perl Anymore? on Pro Perl Debugging · · Score: 1

    I do. So do about half the *IX people I know. It won't be obsolete any time soon.

    Not everything needs objects, though Perl can certainly do that. Also, there are fairly large bodies of code written in Perl, which require maintenance. What most orgs use for an IT budget these days isn't going to allow a rewrite of running code unless there's a very clear reason for it. In most cases, you'd have to prove a stunning performance win, or some thumping great decrease in maintenance costs, etc. It would probably not be easy to do.

    If you'd said less relevant, I'd probably have agreed with you, though with some exceptions, like system admin. But not relevant? Nah, I can't buy that at all.

  10. Re:If you have to fight on EFF Has Outlived Its Usefulness? · · Score: 1

    Apparently not very hard. As I understand it, the Japanese were looking for a channel to open negotiations. That might have been a long and costly process, and the US had publicly stated that the surrender must be unconditional. Not terribly surprising, given the way that the war with Japan opened and was waged. After the weapons were used, the Japanese seem to have immediately gotten a lot better at that whole surrender thing.

    Perhaps negotiations would have been short, but we'll never know that, or any other turns history might have taken in a peace negotiation. Perhaps there'd have been no Marshall Plan, or Japan might have lost more territory than the Kuriles to the Russians. Either of those results might have cost Japan more than the two atomic bombings. *Perhaps* many things. We'll simply never know.

  11. Re:Are critical systems on the internet? on Is the Cyberterror Threat Credible? · · Score: 1

    "It may be useful to note that the US government will treat a catastrophic internet event in the same manner as they would a catastrophic attack on the telephone, electric, or even road infrastructure."

    With incompetence? That may be just as well. Luckily you're incorrect. 'Telephone, electric, and road infrastructure' would imply a physical attack. We could probably handle that. Or what good has Dubya done us, even in his jingoistic home court?

    As far as a catastrophic Internet event goes, we've arguably had those. From the Morris and Code Red worms, through Slammer, etc. In no case did we decide to nuke anyone.

    "The internet itself is considered a critical system. As valuable (perhaps more) as the telephone and electricity utilities."

    Surely you don't really believe this? The people that are making these value calls, whether they're military or politicians, understand (and value) phones and electricity far more than they do the Internet. These are people that print out all their e-mail (more likely have functionaries do even that much for them), etc.

    Think Sec. State Rice understanding the ins and outs of DNS. I'm sure she could understand it, but does she? I'd be amazed--not part of her background or job description. In the event of any real emergency, we'll have staff at various levels signing things via trust in subordinates, which may not be well placed, or even considered.

    Sec. State Rice may (or may not) have been entirely justified in signing an 'Internet Governance' doc she didn't understand. Pres. Bush apparently blew it when he appointed and supported the head of FEMA. These are issues of what's known as distributed trust in the security world. The most vital lessons may come from outside the field. Just another good reason to elect smart people, who are probably more likely to make smart appointments.

  12. Re:If you have to fight on EFF Has Outlived Its Usefulness? · · Score: 1

    I missed a serious typo. In the first line, 1956 should obviously be 1945.

  13. Re:If you have to fight on EFF Has Outlived Its Usefulness? · · Score: 1

    You just assume that the use of atomic weapons in 1956 was wrong. It's not that clear-cut.

    At least 10^6 American lives were saved. Considering the nature of the Pacific war, begun by surprise attack, largely fought with no quarter given or asked, and that the atomic genie was *already* out of the bottle, I would have supported the use of these weapons. Particularly at the time--it was a very different world then. Newspapers could trumpet the destruction of an enemy city, and the general populace would applaud. WW2 was a nearly global fight to the death, where even the civilian populations of the combatant nations made enormous sacrifices in their day-to-day lives, not including family members who were killed, disfigured, or maimed, in support of the military. They simply wanted it over, ASAP, with as little additional sacrifice as possible.

    That's not to say that any future use of these weapons is necessarily justified, or that proliferation isn't something to be avoided, or that jingoism is appropriate.

    But it's possible that they may be used again, justifiably. In 1996 the International Court of Justice ruled that any use or threat of use of nuclear weapons, other than possibly in the case where the very survival of a nation was threatened, was against international law. Illegal use is more probable, of course. That's one of the things that concerns me about the B61 Mod 11 gravity bomb (nuclear bunker-buster), deployed under the Clinton administration. It seems to me that its most likely use would be against non-nuclear nations. And it's an argument against deploying new weapons, which the Mod 11 at least arguably is. It was deployed under an administration unlikely to use it, but that made it immediately available to a later administration far more likely to use it illegally.

  14. Re:Wonderful on Driving Away Teens With High Frequency Noise · · Score: 1

    "Problem is, kids AREN'T going around shooting and killing each other, at least not in the US."

    The real question is whether or not we can teach them to.

  15. Re:I believe it: OS' are getting solid on SANS Institute Warns of Attack Shift · · Score: 1

    I'm all done apologizing. It doesn't seem to have helped.

    BTW, I'm not a network admin. But I have enough sense to listen to them, not trash them. They're in the trenches every day, and have valuable insights. Sometimes the critical bit of info you need. Thank $DEITY not all coders came from your ranks, and now feel that they are somehow above them. In fact, *none* of the better coders I know have your attitude.

    To make it very clear, I do code. In a dozen languages or so. You accuse me of not knowing much about security. Well, that's relative. There's always someone better, and you have to plan for that, in case they're a Bad Guy. But I have to wonder how you can be competent. More than one protocol has been broken because the API docs did not match what was actually seen on the wire, and network tools are valuable.

    To avoid shouting in The Great Runes, let me just quietly state that you're not as clueful as you imagine.

    I'm pretty much done with this thread. Others will judge whether there's anything influential about it. There's certainly nothing important here, despite the fact that you seem to be all wound up about it. It's not going to change minds or anything. It's just Slashdot--the One True Home of religious arguments.

  16. Re:I believe it: OS' are getting solid on SANS Institute Warns of Attack Shift · · Score: 1

    Dude, will you relax? None of this is meant to be any sort of personal attack or challenge. If it came off that way, I apologize.

    I don't care what OS you use. I prefer Linux on the desktop, because I'm more used to it, and more productive in it. On the server, I use it a lot, and OpenBSD on rare occasions. If I have to, by the nature of the job, I'll use Solaris or HP-UX. I have little exposure to AIX. I own Microsoft Windows and Office, and use them when I have to. That's actually pretty frequently, as there are a couple of serious gaps in Open Source app coverage.

    I much prefer Linux, all else being equal, but I am definitely not some raving Linux-only guy. Nor am I responsible for what some of the more adamant Linux fans here post.

    I brought IE into this because of the coincidence of yet another remote admin vulnerability, which was published the very same day, and because Microsoft *should not* have bundled it into the OS. Both for security reasons, and because IMHO, doing it abused a monopoly position in the market to destroy a competitor.

    As far as some of the Secunia content not involving remote root, that's what the discussion is all about. That's what made the Cuckoo's Egg that you initially posted about so devastating. That's why we're talking about kernel exploits. Root access.

    I still don't know why you're so upset about my original remark about your Cuckoo's Egg post. I've already explained why I hadn't dug deeply into the exploit--already patched. If you'd given overflow reference in your post, I'd have just read it, and thought, "Cool. Thanks, AC, whoever you are." I'd probably have posted to say thanks.

    As it happens, you'd probably no idea that that would be a good thing to do, and made a casual post. I did the same thing--made a casual post, based on what I remembered was in the book. If I'd known this was going to turn into some sort of hostile punch and counter-punch, I'd have either checked very thoroughly, or more likely taken the easy way out and not posted at all. This is turning into way more of a time sink than I can deal with right now.

    Nor am I ordering you to not post as an AC. I'm well aware I have no means of enforcing such an order, and wouldn't do it in any case. I'd have a really serious ethics problem with that. It just makes it easier to keep postings straight, when you're following a thread, if usernames are used. It's a politeness thing, like NOT SHOUTING IN ALL CAPS.

    "Your OS just does not do as well as Microsoft offerings, period, & YOU KNOW IT!"

    No, I don't. I know they've made a lot of progress. For example, their Web server is no longer a source of what seemed like weekly holes for quite some time. Eventually, they got enough heat that they had to fix that service, and they've largely done that. They took a lot of heat about buffer overflows, and now they're apparently coming along nicely with code sweeping tools to address that issue. Not a run-time system--this is a true code-sweeper.

    I just wish they would do this sort of thing before they were forced into it. They're generating tons of distrust by doing that. Even amongst some very competent Windows developers and admins that I know. It's not like I know two people, and they're both complete Penguinistas. Long-term, this can't be good for them.

    Personally, I hope their code-sweeping tools get amazingly good, very fast, and come into widespread use. Better for overall network health, protection of users' confidential data, etc. It would also generate more effort along corresponding lines in the Open Source world. It's good for everyone, and MS is more than welcome to whatever good press they garner from it, IMHO.

    In fact, I've just tried to give them some, with a link, and came up empty in a quick google. This has been in the news within the last couple of weeks. Maybe you can find it.

    Again, none of this is meant as a personal attack or challenge. I think that we can agree that if the discussion devolves into a flame-war, it's no longer useful?

  17. Re:I believe it: OS' are getting solid on SANS Institute Warns of Attack Shift · · Score: 1

    "Your "screwup" post was rated 3 & modded-up, & it had blatant "I read it in a book review/wikipedia/google" mistakes to it!"

    My post was made from having read the book, as I replied above. When the event actually happened, I was a Unix user, not any sort of coder, beyond a bit of shell scripting. I had no security responsibilities. In 2000, when I read the book, there was little point in researching the root cause--it had long since been patched.

    "P.S.=> Now, if you don't like that? Disprove what I wrote &/or quoted above! Pretty simple... somehow, I think that VENONA won't reply here again... apk"

    And why wouldn't I reply? Because I didn't reply to a flurry of you replying to yourself, all in a 3 1/2 hour period, as an AC? I've been in !@#$ meetings all morning, not hanging on Slashdot! Given the subject of the meetings, I'd have accomplished as much either way. The discussion is valid, and useful.

    I think it would be nice if any interested party with Linux experience would chase through that Secunia reference, for instance. I know that all critical systems I'm responsible for are fully patched, well hardened, and not 0wn3d. So I have neither the time nor a driving need to chase through the reference myself. Maybe I can shake loose for a couple of hours this evening, or by this weekend, at any rate. If anyone wants to look through it, start at the top. I'll start at the bottom, and we'll meet in the middle.

    Look, I'll even give *you* a bit of ammunition. I have anecdotal evidence that at least one core kernel developer has some track record of fixing security bugs with no corresponding CVS entries. IMHO, that's wrong. It's security by obscurity. When bugs like that are found, they should be published so that people know to upgrade their kernel. I'm not saying this is some huge widespread thing. Just that I have some evidence that it's happened on a small scale.

  18. Re:I believe it: OS' are getting solid on SANS Institute Warns of Attack Shift · · Score: 1

    "I have the novel, read it last year, do you? Or, did you just read some "synopsis" of it online?? I am curious, please answer that."

    and

    "Here's some reference material for you, a quote from a review (since you don't have this novel apparently)"

    Yes, I own the novel. Read it years ago. Just dragged it from the shelf again, and found the reference to a permissions problem. I have the 2000 printing of the Pocket Books edition. In that edition, the explanation starts on page 27. From there to the end of the explanation on page 29 or so, there is no mention of a buffer overflow. The novel isn't written for a very technical audience. Explaining a buffer overflow was probably a bit much to expect.

    I didn't worry too much about it, as the flaw had long since been patched. Just looked at the Gillette overflow paper you linked to. I won't have time to read it 'till tonight, but it looks interesting. Thanks for the link.

    As to the presence of zero-day exploits in Linux, I say yes, there are. At any one time, there are probably several. Most any complex system will have them. A quote from Edsger Dijkstra: "I would therefore like to posit that computing's central challenge, viz. "How not to make a mess of it," has /not/ been met."

    My take is that Linux has fewer of them, and they tend to be fixed more quickly--particularly the remote root exploits. The fixes also tend to be of higher quality. There are very few cases of the patch not really fixing the problem, and they tend to be more robust. You won't see many partial fixes, such as the many that have come out from Microsoft related to RPC/DCOM.

    As to the Secunia reference--no way do I have time to chase all these down for a few days. I did check a couple, and they were DoS exploits, not remote root. Probably few if any are remote root.

    "BOATLOADS OF SECURITY FLAWS STILL EXIST IN LINUX, local & remote exploitable, period, with various ratings from "critical", "less critical", to "not critical" (although, this last one is subject to opinion & discussion imo)."

    MS is famous for claiming something isn't critical until exploit code is circulating in the wild. I expect you know this, and are now attempting to FUD a famous MS problem into something generic enough to apply to all operating systems.

    Since you're generating "please answers", here's two points.
    1- You haven't responded to anything I've said about Internet Explorer. A famous source of problems.
    2- Quit posting as an AC if you want an ongoing discussion.

  19. Re:I believe it: OS' are getting solid on SANS Institute Warns of Attack Shift · · Score: 3, Interesting

    Actually, the egg was a permissions problem, not a buffer overflow. Many people consider permissions issues much more common in Windows. Especially if you think of having to run as Admin for so many things as a permissions issue.

    Nor would I agree with "today's modern OS' are pretty damn secure/solid as well as stable." There have been far too many worms, etc. Also, I *really* wish Microsoft would get their browser out of the OS. Yet another unpatched, zero-day, control of system exploit was announced today. It's even been mentioned on Slashdot!

    http://it.slashdot.org/article.pl?sid=05/11/22/1352212&tid=113&tid=128&tid=172&tid=218

    They wired their browser in largely as a tactic for defeating Netscape. Once again, their customers are paying the price.

  20. Re:Nothing but good... on Dell Finally Goes for AMD · · Score: 1

    Good points about AMD64 power/performance. I thought they were still a good deal more expensive. Time to buy one and benchmark a couple of apps. I don't buy all of it, such as 64-bit integer ops contributing much to speed. In common apps, there's not much integer math being done that involves more than 32 bits, and floats are what, 80 bits internally?

    But if the motherboard prices are down to just a 10-25% difference, it's time to buy one and start checking things out. All my 64-bit experience has been Intel and RISC.

  21. Re:Here's a thought on Developing Securely In Windows · · Score: 1

    Spoken like someone who has their entire career built around it.

    I don't really believe those market share numbers. Where did Apple go, for one thing? For another thing, Windows is too weak on platforms to have those numbers.

    So far as servers, yes they do run a fair amount of them. Too many, judging from all the data that's been lost at Choicepoint, etc.

    As far as the most flexible/powerful APIs in the world--you're raving.

  22. Re:Civil? Where are the criminal penalties? on Texas Sues Sony BMG over Rootkit · · Score: 1

    I'm rather in favor of whatever hurts them. Ideally, that would be a criminal case filed and prosecuted by the US DoJ, or its Nipponese equivalent. But I don't think that's likely. The only criminal case I'm aware of is ALCEI-EFI (Association for Freedom in Electronic Interactive Communications - Electronic Frontiers Italy) filing a complaint with Guardia di Finanza.

    I'm hoping that Italians, or at least someone who speaks Italian, is planning to track this and file articles to our lame editors.

  23. Re:Here's a thought on Developing Securely In Windows · · Score: 1

    You may be right about Win 2003 Server. I'm not qualified to make a call. But that's a small percentage of Win machines. And it will happen with great regularity for most, who are running older versions, or client versions. Those are the people gaming, etc., as Admin, because the software requires it, or because they're simply consumers. No knowledge of security whatsoever, in many cases. They tend to just do whatever works at the moment, whether that's running as Admin, clicking mail attachments, or whatever.

    We (security folk) have a perfect record of failure in solving that problem.

  24. Re:Here's a thought on Developing Securely In Windows · · Score: 1

    Microsoft has too poor a record, after the 'Get the Facts' campaign. There are simply too many cases where 'studies' have been found out to have been funded by MS. They don't have anything like enough credibility left that security guys will grab and believe a download from microsoft.com. Security is tough. There's a lot of demands on our time. Unless we already have an idea that it's not just another pack of lies, it's not going to be widely read.

    A title like Reliability_Analysis_Security_Innovation.pdf, from MS, makes it doubly suspect. In the real world, MS is known far better for security FUD than for innovation.

  25. Re:Attack trees on Developing Securely In Windows · · Score: 1

    Part of me wants to say the whole Win security thing is no laughing matter, but *damn* that was funny.