Slashdot Mirror


User: niekze

niekze's activity in the archive.

Stories
0
Comments
274

Comments · 274

  1. Re:Legal Notice from their Download page on New Release Of NSA SELinux · · Score: 1

    I guess you never heard about an IT worker who was sending classified company documents to the outside world by encrypting the data inside images and sent to his hotmail.com account. The FBI helped catch him. Maybe they were pictures of Britney! Why target individuals, when you can target many more?

    What percentage of linux users do you actually think can come close to actually security auditing code? If Linus renamed linux.h to backdoor.h (and no actual changes in the code), how many people would actually find it on their own?

    But, the main point still goes over to motive. *WHY* would a government agency, whose primary concern is national security (supposedly only outside of American soil), mess with a 'grass roots' OS, modify its kernel, then *RELEASE* it to the public? Use a strlen incorrectly and it's a bug. The shit happens all the time. Suppose for an instant, that someone wanted to allow this bug, since it could be used to gain unauthorized access. OpenBSD patches shit things "that could *never* be exploited!!!", but somehow, in a few years, comes back and bites everyone *else* in the ass. And OpenBSD still gets bit in the ass, just not as often as everyone else. You wouldn't need to include 'backdoor.h' to do something like that. Just use a buffer of size n-1 where it actually needs one of size n. Make it reference through about 20 libraries and function calls (launder it) and make it only occur after certain other specific events. Nevertheless, if Mr. Nobody makes something like this and puts it on freshmeat, your risk of discovering the application, installing the application, and him finding you and exploiting said bug would be much smaller than a branch of the US government concerned with national security.

    I see no valid reason to trust the NSA, FBI, CIA, etc. without *extreme* caution and scrutiny. Besides, they have no valid reason to trust us, without *extreme* caution and scrutiny.

  2. Re:Legal Notice from their Download page on New Release Of NSA SELinux · · Score: 1

    Let's assume the worst:

    both want to spy on us.

    who has more resources?

    Yes, you might say that the NSA can't legally operate on American soil or on its citizens (on natural soil).

    Then I just mention a thing called the '60s - '70s and the CIA. Just ask JFK, MLK, and RFK. heh Of course you could say that many of these 'one person' applications are actually run by a cadre of devious hax0rs to infiltrate my box! But, still...I doubt they would still compare to the mass of the NSA

  3. Legal Notice from their Download page on New Release Of NSA SELinux · · Score: 1

    Before downloading this software, you must accept the warranty exclusion and limitation of liability which appears below.

    Warranty Exclusion

    I expressly understand and agree that this software is a non-commercially developed program that may contain "bugs" (as that term is used in the industry) and that it may not function as intended. The software is licensed "as is". NSA makes no, and hereby expressly disclaims all, warranties, express, implied, statutory, or otherwise with respect to the software, including noninfringement and the implied warranties of merchantability and fitness for a particular purpose.

    Limitation of Liability

    In no event will NSA be liable for any damages, including loss of data, lost profits, cost of cover, or other special, incidental, consequential, direct or indirect damages arising from the software or the use thereof, however caused and on any theory of liability. This limitation will apply even if NSA has been advised of the possibility of such damage. I acknowledge that this is a reasonable allocation of risk.

    hmmm. "bugs", clear this up will ya? Software glitches or electronic listening devices? Plus, they use "may contain"...Are they giving it permission? My software isn't allowed to have bugs. If it does, it is an error! "it may not function as intended" hmm you mean...like...the 'security' part? "In no event will NSA be liable for any damages, including...or other special, incidental, consequential...damages...arising from the software"

    special: backdoors we forgot about that we find later
    incidental: backdoors we internally documented
    direct: What we break/steal from you
    indirect: What l33t hax0rs break/steal from you after our direct methods post on Bugtraq.

    and finally...."This limitation will apply even if NSA has been advised of the possibility of such damage" if we 'accidentally' left our public ssh identity in /root/.ssh/authorized_keys and someone points this out...well, we don't need to explain it, you kids have played Counter-Strike enough to figure it out. 'Hostage Down' hahah

  4. Re:Grsecurity on New Release Of NSA SELinux · · Score: 1

    Hell yea. It kicks ass. The things I like the most are random Pids and client ports. I am a die-hard OpenBSD fanatic and I've actually been weighing the pros/cons of a switch. Roll out my own distro from scratch + grsecurity patch. Wonder why I haven't seen any /. press for grsecurity....If you haven't checked it out, DO IT.

    oh yea, one of the coolest features hides processes of other users from each other. e.g. top or ps will only show your processes. It doesn't *completely* hide other users that are online though. like I said, go try it out.

  5. What about debian? on New Release Of NSA SELinux · · Score: 4, Funny

    Can I apt-get install Carnivore?
    or do I have to use their rpm? :)

  6. hmmm on Hotmail Hacked · · Score: 0, Troll

    Isn't this *after* they started moving a lot of servers to windoze from FreeBSD

    Yes, probably flame bait...it's in the hotmail system...so no blame on the OS :)

  7. Why worry about importing IT workers, on Programming in the Ruby Language · · Score: 1, Insightful

    when you have to deal with another stupid language every 6 months. You should only need 3 languages:

    Pick one from each of the following:

    (C/C++)
    (Perl/Tcl)
    (sh,ksh)

    Now for the 'bonus' round. [pass go and collect $200 more a month]
    (php,python)
    and for the MS route, you only get 3:

    (C++/C#)
    (Visual Basic/there is no other option)
    (Java/no other language is as useless to compete with Java)

    Now...how far off am I?

  8. Re:This is why licensing should stop. on Dolby Tells NetBSD Project: Don't Decode AC3 · · Score: 1

    or rather, doesn't capture capitalism's ideal of everyone fighting fairly...

    Define 'fairly.' You don't want true laissez faire capitalism. The actual aspects here in America that help citizens (notice the trend: s/"citizens"/"consumers"/ ) are socialistic in nature. Do you have to pay a toll every time you drive on another street? no. When you buy meat at the supermarket, you know that it was federally inspected so you get fresh meat from healthy cows. The obvious other-side to this appears if you've ever seen a 'public' restroom. I'm not talking about those in the restaurants or stores. I'm talking about perhaps those in a park. Not the cleanest things you've ever seen.

    now to bring this into context over this netbsd situation, netbsd is linking to this 'threatening' project. I compare this type of linking to telling someone where to buy illegal drugs, or whatever. The latter may be illegal, but in no way does the former go against any legal boundaries. To say that hyperlinks are free speech is a bit of a stretch in my opinion. But I still think such things should be protected. But Dolby owns their shit and should be able to do anything they want to it. Same with the DVD controversy. If they don't want to make a linux player, that is their right. Is it fair? no.

    I hate capitalism, but I still want to own my own stuff!

    Then perhaps you should take a second look at socialism. Your free market capitalism thought allows one type of freedom, but tramples the other. Freedom comes in two forms: Freedom to and Freedom from. You should be smart enough to see which ones are which. Because freedom from takes the back seat in a purely capitalistic society. Imagine having to wonder if your doctor is actually medically trained. Since the government wouldn't interfere, anyone would be able to practice medicine. There goes your freedom from pertinent information about such situations. Public schools, public roads, federally inspected food and drugs, career licensing (doctors, lawyers, hairdressers, etc.) are all socialistic in nature.

  9. hmm on Do We Spend More On Linux Or Windows? · · Score: 1

    I buy OpenBSD twice a year. $30 + shipping every six months...

    Debian costs me 2 blank cds (sparc & x86)

    Windoze...I got the 3.11 version with my old computer...that's about it.

  10. HOLY SHIT! on Earth to Media: This kid is still in jail · · Score: 1

    You'd think his skin wasn't *white* !!!!

    You'd think his last name was Peltier!!!

    You'd think his last name was _____!!! (umm, that DJ in philly..oh i forgot..)

    Seriously...the American public doesn't give a shit

    Julia Roberts back with Lyle Lovett! now that is news the American public wants!!!

    Imagine the /. crowd as the american public and one of Katz's movie reviews as the story about this guy.

    see...


  11. Re:So small.... on More Fun With 1 Chip Systems · · Score: 1

    you know what they say about a man with small shoes?

    small computer

  12. What a crock on How To Make Money Online · · Score: 1

    I've made a bunch of skins for xmms. Haven't gotten a dime :(

  13. Re:Man... on Microsoft "Bans" Use Of GPL Code · · Score: 2

    Of course they can. That's the whole idea behind a EULA. Whether it would actually stand up in court is a different story. But, legally it would be a contract of sorts I would think. You can't use GPL code in proprietary software without making it GPL or something like that. Sounds pretty similar to me. Once again, I don't defend their actions, I'm just defending their right to make them :)

  14. Hmm... on Ricochet May Go Away; Metricom Files Chapter 11 · · Score: 1

    Uh Oh! Here comes the Dot-com Liquidator.

  15. Man... on Microsoft "Bans" Use Of GPL Code · · Score: 2

    that's almost as bad as BSD banning 'non-free' code from being in their systems. I don't think linux puts proprietary/closed-source code in their kernel either. Seriously, these posts about the MS/everyone else double standard really stand out now. So they ban Open Source code with their toolkit. What's the problem? As evil as they are, they still have the right to do whatever they want. I'm sure someone can find an alternative. If not, someone will create an alternative.

    And well, you have to ask yourself...what is more annoying? MS banning OpenSource with their little toolkit or Slashdot's inability to remember their old stories?

  16. Re:Don't upgrade. on TiVo Upgrade Isn't · · Score: 1

    Did you read from the link?

    Paying for the service isn't the issue.

    This guy bought the Tivo unit and it has functionality that works in both the subscription and non-subscription scenarios. So, this guy has function X without the subscription and now function X has been disabled.

    Look at it this way. Say you buy Microsoft Visual C++. But not the professional version. After a year of use, a new *upgrade* disables 'saving' and tells you that you need to upgrade to Professional or subscribe to TechNet. (or whatever the hell it's called) Clearly that is *unethical*.

    Now if you download shareware (you haven't paid them a dime) and they want to disable features after a certain amount of time, then no problem. But this guy BOUGHT the tivo and now it is less functional than when he bought it.

    It doesn't matter at all that they are a business with the interest of making money. The change is bogus. If i were him, I'd buy another Tivo unit and do the old swap/return deal, then figure out a way to mess with the unit so that shit doesn't upgrade. The swap/return idea isn't ethical either, but sometimes one must fight fire with fire :)

  17. Re:MythII on Civilization III from Sid Meier · · Score: 1

    no, I can't 'register' it. But wtf did I get offtopic for? hehe the Civ series has bounced through more hands than well, something that bounces through a lot of hands. fucking moderators are stupid.

  18. I just hope on Civilization III from Sid Meier · · Score: 1

    That they don't get bought by Microsoft like the Bungie network did. I bought Myth II for linux the other day and magically my serial number to play online (on Bungie.net) doesn't work.

  19. it's not you on What's the Deal With Writeable DVD? · · Score: 1

    It's the rest of us who don't want to buy or rent movies.

  20. Re:Good worm, Bad worm. on "Cheese Worm" Fixes Broken Linux Systems? · · Score: 1

    Of course, systems inside a suitable firewall are exempt from most of these requirements, which means that "suitable firewall" must be defined.

    Hmm. Think how hard it would be to make a trojan like program where it contacts a http server (which would most likely have no problems with a firewall) and then gets instructions from the attacker's site. Perhaps downloading tools to attack the firewall from the inside (not everyone secures the firewall from the inside) or perhaps sends the contents of a directory listing inside a form.

    Such is the problem with security. Kinda reminds me of Dubbyah's missile defense system. Build a rock-solid defense and not many will test it out. Instead, they'll try to get around it. Plus, if any ISP were to create 'mandatory security' policies, one of two things would happen: People would secure their boxes or AOL would gain quite a few more customers. :) Not even getting hacked will convince people to take security seriously.

  21. Re:Better Idea on "Cheese Worm" Fixes Broken Linux Systems? · · Score: 1

    Well, obviously it isn't that simple. But, what can you do? It really isn't easy to protect against exploits that aren't public. But keeping up-to-date with patches is a start. The goal is to make yourself a harder target. I did oversimplify it, but hell this is /.

    A good firewall, good admins who keep up with security, encrypted communication, Intrusion detection systems, physically secure machines, and proper management of services won't make you 'unhackable', but you quickly seed out most of the script kiddies like you mentioned. I could talk about security all night and I still would leave things out. Like minimizing effectiveness of a hack (chroot jails, physically read only binaries, etc) or even transparent bridging where the machine doesn't have an ip. We can both agree that 'security' is an unreachable goal, but every step away from 'insecurity' reaps positive results. Besides, you know how it works and my comment wasn't directed at you. It was directed at those who really have no idea about the importance of security. (which I fear is a *large* percentage of the /. crowd)

  22. Re:Good worm, Bad worm. on "Cheese Worm" Fixes Broken Linux Systems? · · Score: 1

    Well, I did kind of misread your post to be suggesting something of a 'autopatching' idea. But, you misread my response as a 'make it difficult' patching system. But, we can find problems with *any* level of patching system. What happens if someone sets off your car alarm every night, but doesn't break in the car? After a while, you start ignoring it. The real problem is the software itself. Many software products have this 'more more more' mantra and don't worry about things like bugs. I'd suggest a weekly 'patch check' for systems. Not often enough for someone to get annoyed by it (windoze critical update fails that one) and still often enough to stay current. (I'd suggest more often, but once again, people get numb.) I think this would be a good 'Ask Slashdot' question. What kind of patching system provides the best balance of security and effectiveness.

    And yes, I agree that hacking a patch server would be a considerable challenge, but the risk is too high. I think the best 'fix' is to stop shipping distros with services enabled. If you need it, you'll turn it on. If you don't, you won't. Not a great solution, but it would blanket quite a few of those 'lazy' users. Essentially, I don't think it should be 'difficult', but it shouldn't be 'trivial', since, given the word, would make it something that didn't matter.

    Look at RedHat's errata page (hmm. I haven't in years) and you'll find a bajillion patches. Who the fuck wants to download a bajillion patches? Personally, I *wouldn't* spend 2 hours downloading and applying patches, it just isn't worth it. I'd quickly find something better. I better stop now, since I am rambling...

  23. Re:You've got Root! on "Cheese Worm" Fixes Broken Linux Systems? · · Score: 1

    I know :)

  24. Re:Good worm, Bad worm. on "Cheese Worm" Fixes Broken Linux Systems? · · Score: 5

    I agree with most of your points except one, which I *really* disagree with.

    Automatic (or even semi-automatic) patching is the *dumbest* idea on Earth.

    Just look at primary network time servers. Imagine if *everyone* had ntp get the time from a pool of ntp servers. Now, imagine someone hacking these servers and changing their time. Boom, everyone's time is now incorrect. But that doesn't even come close to automatic 'fixes' for buggy code. Imagine someone hacking the Patch Server, then inserting a 'patch' that contains malicious code. *BOOM* Every motherfucking machine that uses that server is then 0wned. It sounds great on paper, but isn't a good idea. Plus, you shouldn't make security that brainless. I was baffled by OpenBSD only releasing source code patches. Then I realized that if you want to patch the binaries, you have to learn how to patch the source and then you've learned a bit more about how the system works. Plus, you don't have to worry about finding a binary patch when the distro supports a bajillion architectures. If I remember correctly, RedHat dropped Sparc support...do they release patches for Sparc anymore? If not. You'll need the source. Good thing you learned how to do it in OpenBSD. (sidenote: the patches usually have the instructions in them, so they are relatively easy to use) But I realize you probably aren't suggesting auto patching. But if you aren't, then your idea is lost. People will realize security is an important issue, either the hard way or the easy way.
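The compromised-patch-server scenario in the comment above is the case a practitioner guards against by checking each patch against a hash obtained out-of-band (a signed announcement, a second mirror) before it is applied, so a tampered server alone cannot push code onto the machine. The script below is an added example, not code from the original comment or from any distribution's patch tooling; the function names, file names and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original comment: refuse to apply a patch whose
# SHA-256 differs from a hash obtained out-of-band (signed announcement, second
# mirror), so a compromised patch server alone cannot push code onto the box.
# Function names, file names and contents are constructed for illustration.

# digest FILE -> hex SHA-256 (sha256sum on Linux, shasum on BSD/macOS)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_patch FILE EXPECTED_SHA256 -> 0 if FILE matches, 1 otherwise
verify_patch() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    actual=$(digest "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "hash mismatch for $1 (expected $2, got $actual)" >&2
    return 1
}

# apply_patch_if_trusted FILE EXPECTED_SHA256 -> hands FILE to patch(1) only
# after verify_patch succeeds; the patch command is only echoed here so the
# demo stays side-effect free.
apply_patch_if_trusted() {
    verify_patch "$1" "$2" || return 1
    echo "would run: patch -p0 < $1"
}

# Constructed demo: the genuine patch, and a tampered copy served in its place.
demo() {
    tmp=$(mktemp -d)
    printf 'fix buffer length check\n' > "$tmp/001.patch"
    good=$(digest "$tmp/001.patch")          # hash learned out-of-band
    printf 'fix buffer length check\nextra code\n' > "$tmp/001-served.patch"
    apply_patch_if_trusted "$tmp/001.patch" "$good" && echo "genuine patch accepted"
    apply_patch_if_trusted "$tmp/001-served.patch" "$good" || echo "tampered patch rejected"
    rm -rf "$tmp"
}
demo
```

The check only helps if the expected hash comes from somewhere the patch server cannot rewrite; a hash published next to the patch on the same server proves nothing. A weekly run of `apply_patch_if_trusted` over a hash list fetched from a separate channel keeps the "patch check" idea from the earlier comment without handing the server blind trust.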

  25. Re:You've got Root! on "Cheese Worm" Fixes Broken Linux Systems? · · Score: 2

    Sorry, I wouldn't say that Debian is more secure than Win2k. Find a Win2k admin that thinks security is an important issue and compare him with a debian admin who doesn't. The results will show up. It works both ways. Look at OpenBSD. 4 Years without a remote exploit in the default install. This comes from 2 things: a source audit for bugs (any bugs. since exploits can appear from places previously thought unexploitable.) and they don't have a base install that turns *everything* on by default. I seriously think linux security would jump a few notches if they just didn't turn all that crap on by default. I've seen people install RedHat and have DNS, Web, Mars, Samba, nntp, ntpd, nfsd, ftpd, telnetd, and countless other services and they couldn't even tell me what 4 of them did. "why not, I might need them later." is the usual response. what the fuck? Learn what it is, then learn how to turn it on. Maybe in that step, you'll realize that you don't need DNS running from every box on the network (especially that nasty, bug-filled bind 8.) I've said it many times: There is no absolute security. The only thing you can do is limit access, run only what is necessary, and keep up with patches and the like. I figure your comment was just for humor, but Debian ain't a uber-secure system either. Shit, it responds to pings sent to the broadcast addy by default. Just what we need.
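The "run only what is necessary" point above is easier to act on with a quick inventory: list what is bound to all interfaces, compare it against the services you deliberately turned on, and check the broadcast-ping setting the comment mentions. The script below is an added example, not from the original comment; the socket listing is a constructed sample in the format of `ss -ltunp` (so the script runs offline), the allowlist is hypothetical, and the sysctl path is the Linux one (/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts).

```shell
#!/bin/sh
# Added example, not from the original comment: inventory listening services,
# flag anything outside an explicit allowlist, and check whether the kernel
# ignores echo requests sent to the broadcast address.
# SAMPLE_SS is constructed text in `ss -ltunp` format; on a live host feed
# the real command output into the same functions instead.

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22            0.0.0.0:*    users:(("sshd",pid=611,fd=3))
tcp   LISTEN 0      128    0.0.0.0:53            0.0.0.0:*    users:(("named",pid=700,fd=5))
tcp   LISTEN 0      128    0.0.0.0:23            0.0.0.0:*    users:(("in.telnetd",pid=812,fd=4))
udp   UNCONN 0      0      0.0.0.0:123           0.0.0.0:*    users:(("ntpd",pid=455,fd=16))
tcp   LISTEN 0      128    127.0.0.1:631         0.0.0.0:*    users:(("cupsd",pid=500,fd=7))'

# listening_services: reads ss-format text on stdin and prints
# "proto port process" for every socket bound to a wildcard address.
# Loopback-only listeners (127.0.0.1) are not reachable from the network
# and are skipped.
listening_services() {
    awk 'NR > 1 && $5 ~ /^0\.0\.0\.0:|^\[::\]:|^\*:/ {
        n = split($5, a, ":"); port = a[n]
        proc = $7; sub(/.*\(\("/, "", proc); sub(/".*/, "", proc)
        print $1, port, proc
    }'
}

# unexpected_services "name name ...": prints wildcard listeners whose process
# is not on the space-separated allowlist; each one is a candidate to turn off.
unexpected_services() {
    allow=" $1 "
    listening_services | while read -r proto port proc; do
        case "$allow" in
            *" $proc "*) ;;
            *) echo "$proto/$port $proc" ;;
        esac
    done
}

# broadcast_ping_ignored SYSCTL_FILE -> 0 if the file reads "1"
# (Linux: /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts), 1 otherwise
broadcast_ping_ignored() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

demo() {
    echo "bound to all interfaces:"
    printf '%s\n' "$SAMPLE_SS" | listening_services
    echo "not on the allowlist (sshd ntpd):"
    printf '%s\n' "$SAMPLE_SS" | unexpected_services "sshd ntpd"
    f=/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    if broadcast_ping_ignored "$f"; then
        echo "broadcast pings ignored"
    else
        echo "broadcast pings answered or setting unavailable (set $f to 1)"
    fi
}
demo
```

On the constructed sample the allowlist check reports named and in.telnetd, which matches the comment's complaint: a resolver and a telnet daemon nobody asked for, reachable from the whole network. The allowlist is the "learn what it is, then learn how to turn it on" step written down, so the next install can be diffed against it.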