Re: M$ attack on Common Sense

From: Max Burke (mlvburke_at_%$%#@.nz)
Date: 09/14/03


Date: Sun, 14 Sep 2003 16:47:30 +1200


> Ed Murphy scribbled:

>> On Sun, 14 Sep 2003 10:21:15 +1200, Max Burke wrote:

>> I know. That doesn't however stop viruses being created for
>> Linux/OSS. Bottom line? Viruses can ONLY be created for computer
>> OS'es when there are flaws in the OS itself that enable the virus to
>> work. Linux/OSS is no more immune from that problem than Windows is,
>> as the websites I have listed (OFTEN) clearly show.

> Oh, for heaven's sake, the presence of a "delete file" command enables
> a virus to work! Look, here's a Linux virus:
> #!/bin/sh
> rm -rf ~/*

That would work in Linux without the user knowing it was working?

> There is a school of thought which holds that a virus doesn't mean a
> damn thing unless it has a reasonable chance of spreading.

>> But listen to many/most Linux/OSS users/advocates you'd think
>> Linux/OSS doesn't have flaws and vulnerabilities. It does, and
>> ANYONE who claims otherwise is spouting BS. It's certainly NOT
>> advocacy for Linux IMO.....

> If you *think* that, then either (a) you're not listening carefully
> enough, or (b) you're listening to people who aren't thinking
> carefully enough. Or both. Unfortunately, (b) does happen, yes.

Try reading COLA; Try talking to the likes of Alan, sinister midget,
etc, etc; Try reading the *numerous* websites that advocate Linux....
;-)

>>> 2) What's the delay time between introduction of a vulnerability
>>> and discovery/repair?

>> Irrelevant. See above as to why.

> Oh, it's quite relevant. Actually, there are four points in time
> that matter:
> a) Introduction
> b) Discovery by the black hats
> c) Discovery by the white hats
> d) Repair

>>> 3) They're *not* the same kind of vulnerabilities.

>> Yes they are: Buffer over runs/under runs. Flaws that can allow root
>> access. Badly written code in the OS and apps doing what it's NOT
>> supposed to do....

> Some of the causes (allowing root access) are the same; others
> (allowing viruses) aren't. The stuff that attacks these
> vulnerabilities (rootkits vs viruses) follow suit: rootkits affect
> Linux, viruses mostly don't.

They're all vulnerabilities and/or flaws in the OS due to bad
programming.....

>>> First,
>>> there are potentially more proofreaders.

>> Ahh the many 'eyeballs on the code' argument.
>> When is the last time YOU examined the code Ed? When is the last time
>> YOU found a vulnerability or flaw in the code? When is the last time
>> YOU fixed a flaw?

> In OSS? Couldn't tell you the last time. However:

In Linux itself then.....

> I make a living consulting for a business software package. (Yeah,
> it's proprietary. Unless you're offering me equal pay for OSS work,
> you can just shut up right now.) I have access to the source code;
> many other consultants for this package do not. Just being able to
> *see* the code gives me a *huge* advantage. Being able to *change*
> the code... that amplifies the effect, several times over.

> You're basically holding up a straw man. The 'many eyeballs' argument
> doesn't require that *every single user* of OSS must personally
> examine the code. It only requires that *sufficiently many* do. For
> the larger projects, that happens; for the smaller ones, perhaps it
> doesn't.

If it's a strawman it's not MY strawman argument. It's an 'argument' that
*every* Linux/OSS advocate uses. Strange how it becomes a strawman when
someone like me uses it huh......
I don't believe for one minute that every Linux/OSS user 'eyeballs' the
code to find, report, and/or fix the bugs. I do however believe that a
*LOT* of Linux/OSS users/advocates rely on others to do that for them,
and then claim they're safe because *SOMEONE ELSE* is eyeballing the
code....

> People who *understand* OSS, understand this. I'm sorry that you have
> been misled by those who wave around the phrase "many eyeballs"
> without sufficiently explaining it; perhaps without sufficiently
> understanding it themselves. It happens, I'm afraid.

I haven't been misled by this belief that so many Linux users hold; Just
reading numerous Linux/OSS websites stops any belief like that in
its tracks. It's a shame so many Linux/OSS users/advocates are blinded
by their beliefs isn't it......

>> Because they DO exist. In abundance. Just check out the websites I
>> have listed for evidence of the ones that have been found.....

> Sure they do. I maintain a subscription to the Red Hat Network, and
> install security updates weekly.

>> That's BS. I have been running MS Windows OS'es since 1991-92; I have
>> never had any virus, or worm on my various computers and OS'es.

> Count yourself lucky, then.

Luck has nothing to do with it.
I know how to maintain my computers and the OS'es I choose to run on
them. It's basic to using a computer.

>> There is a lot the ordinary user can do when running
>> Windows to make their computer and its OS as safe as possible without
>> needing to access/view the source code. In Windows it's as simple
>> and as basic as installing a firewall, and anti-virus program, and
>> keeping up to date with MS updates.
>> The 'ordinary' user in OSS/Linux has to do a damned sight more than
>> that to achieve the same result.....

> I installed a firewall, I don't need an anti-virus program (see
> previous discussion - not that you believe it), and I keep up to date
> with Red Hat updates. What's your point?

Well if you believe you don't need an anti-virus program then you will
need a considerable amount of luck.....

FYI
http://networking.earthweb.com/netos/article.php/625211
http://www.viruslist.com/eng/viruslistfind.asp?findWhere=011&findTxt=linux
http://www.claymania.com/unix-viruses.html
http://www.zdnet.com.au/itmanager/technology/story/0,2000029587,20275738,00.htm
http://www.virusbtn.com/magazine/archives/200304/linux.xml

> Okay, I had to hand-tweak the firewall, but only because my needs are
> considerably more exotic than Joe User. (I've got a small home
> network, plus I want to remote-control the box from work.) Joe
> User's needs are 100% met by a "Security Level" program: GUI, with
> one drop-down list and half a dozen check boxes.

>> Nothing like COLA. There are some real 'nutcases' in that forum
>> who 'advocate' for OSS/Linux.....
>> Saying things like OSS/Linux is going to save the whole world from
>> a new dark age, that using Linux sets you 'free,' that it's such a
>> liberating 'experience' to become a Linux user, etc, etc.....

> These are also oversimplifications.

>> They're the *EXACT* words of Linux 'advocates' in that forum. Perhaps
>> you should take their 'over simplifications' up with them huh.... ;-)

> As a matter of fact, that's exactly what we do. The last thing we
> want is for them to ruin the message by presenting a screwed-up
> version of it.

> Using Linux sets you free *if*
> you approach it in the right way. It doesn't magically implement
> the "Do What I Mean" chip instruction...

>> Set me free from *what exactly?* They're JUST computer operating
>> systems Ed......

> And you pay how much for 'em? Every how many months?

I'm quite willing to pay for products and services that I want/need Ed.....
For the MS OS'es I have had installed on my computers the *one off*
purchase price has been very reasonable, especially as I have been using
some of them for 12+ years....
BTW you are aware that there is NO monthly payment for using MS OS'es
and applications.....

>> Or run their computer securely so they don't need to switch accounts
>> to maintain the computer.

> Please define what you mean by "run their computer securely".

>> Like I do.....
>> The basics; Firewall, up to date anti-virus protection, up to date
>> with updates and patches. That will take care of 99% of the risks.

> That's certainly a lot better. Running as non-administrator takes
> care of a decent chunk (viruses) of that last 1%.
> To be fair, while Outlook Express gets lots of flak for its history
> of laxity against viruses, a lot of viruses aren't OE's fault--
> they're the fault of users who just click on any damn thing that
> shows up in their e-mail. Let's fix *that* problem first.

Clueless users again. Can't blame the OS or app for that, especially as
OE6 automatically runs in the restricted zone, and blocks ALL
attachments to emails by default.
It also just takes one tick in a user selectable option to make all
emails and newsgroup messages display as plain (ASCII) text.
A little bit more work on the part of the user also makes all sent
emails and newsgroup messages plain (ASCII) text as well.....

> Security by obscurity. Bad approach. (Trapdoor ciphers are a good
> counterexample: even with complete source code for the encryption
> and decryption algorithms, and an encoding key, it takes huge
> amounts of computation to find the corresponding decoding key.)

>> That 'security by obscurity' must apply to Linux/OSS then, given all
>> the fixes that are listed on the Linux websites.... They're flaws
>> in the OS and apps that get discovered and fixed. No one knows about
>> them (not even the programmer apparently) until they are discovered
>> and fixed. Security by obscurity......

> Okay, a bit more explanation:

> 1) OSS authors can and do create bugs sometimes.

Sometimes?
The websites I list for Linux have WEEKLY updates. Often they're new
bugs, otherwise they're variations or repeats of old bugs....

> Nobody's perfect.

Then OSS/Linux advocates need to stop demanding that MS has to be
perfect, while they, Linux/OSS bugs are just because Linux/OSS
programmers are *only human.*

> But that's not "security", that's just bugs.

Which open vulnerabilities and security holes in the OS and apps......

> 2) Non-OSS authors have the temptation to *deliberately* invoke
> security through obscurity. "Eh, this code is messy / might
> contain a security hole somewhere, but how likely is it that
> anyone would actually find it?"

That's BS and simply bad OSS/Linux advocacy. What with the attention
paid to bugs, vulnerabilities, and security flaws in the Windows OS and
applications (even third party ones) there is a very strong disincentive
for that to happen. That's not saying it doesn't happen, just that it's
not a temptation....

> OSS authors don't really have
> this option; on the contrary, it feeds their ego to write good
> solid code, because some other people will end up reading it.

I could suggest that because of the belief that others can read the code
allows for that to happen; Write the code, let others who read the code
find the bugs to fix....
In fact going by the Linux websites that list all the bugs that would
seem to be the reality.......

http://www.securityfocus.com/news/19
http://news.com.com/2100-1001-830130.html
http://www.developer.com/open/article.php/983621

-- 
mlvburke@#%&*.net.nz
Replace the obvious with paradise to email me.
See Found Images at:
http://homepages.paradise.net.nz/~mlvburke

