Linked by Eugenia Loli on Wed 8th Dec 2004 20:48 UTC, submitted by Nicholas
Editorial I just spent the last several days reading the lengthy essay "Ying and Yang of Security" which explores the origins of security on the personal computer and explains why the current models are outdated. It seems to argue that security systems designed to keep the system safe are relics of the days of mainframes when the system was more important than the user, but for a personal computer the user is more important than the system.
Order by: Score:
lol
by Duffman on Wed 8th Dec 2004 20:56 UTC

"you could make a damn good argument that Windows could be called a *nix"

I think that this news is some feed for trolls ...

Rubbish Pretty Much
by David on Wed 8th Dec 2004 21:10 UTC

The problem for Microsoft is that they could make their systems a heck of a lot more secure and still not inconvenience the user. How does not having ActiveX designed in the way it is inconvenience a user? Java applets have never functioned the same way in a browser that ActiveX components have, and they are every bit as functional. People can use Thunderbird, Kontact/Kmail and Evolution and read mail in exctly the same way as those using Outlook, and yet the people who develop these non-Outlook e-mail clients think about security in a way that in no way inconveniences the user. These concepts are the results of some hard thinking done on the implications of programming and system design on security.

He then proceeds to make excuses for Microsoft in how they stupidly never thought ahead with what Windows was actually going to be used for and designed, and never comprehended how Windows would have to be built in a networked environment. Microsoft has never understood networks, and in the way they talk about security, sometimes purely, in terms of firewalling and patching they still don't get what is required. Unix and Linux based systems understand today's networked environment that they are in, and have been designed that way for years - period. This idiot also still doesn't seem to get that security doesn't necessarily mean inconveniencing users - you just don't make stupid bone-headed decisions when developing, and you think and plan ahead. He seems to think we should be impressed that Microsoft knocked something up on a whiteboard in five minutes and then spent billions hitting it with a hammer when they realised they had to fix large parts of it.

If this article was written on paper I wouldn't use it for bog roll, and this twit should think twice before producing so much of it.

False Pretense
by Bryan S on Wed 8th Dec 2004 21:19 UTC

*Sigh* Every 6 months or so comes a post that says, "We need to start from the ground up on technology issue X"

Yes, yes, re-inventing the wheel is always fun. But how practical is it? If the computer industry ever wants to become as reliable as say mechanical engineering, we need to focus on improving what has come before, instead of reflexively thinking that we can code up a 'radical new approach' everytime we face hardship.

Fact is, security is hard. No different than the real world. No matter what fancy security system you have for your house, you still need things like doors, walls, locks, and security lights.

Same with computers - any new system you seek to design needs to deal with user & group permissions, user roles, and capabilities.

OS's (see VMS) have had this for a long time. New ideas arent needed. What we do need, however, is better tools to manage what we already have.



v Learn from windows ????????????????????
by SÚrgio Machado on Wed 8th Dec 2004 21:57 UTC
Perspective..
by kme on Wed 8th Dec 2004 22:12 UTC

"...the system was more important than the user, but for a personal computer the user is more important than the system."

For point and click folks, checking for recipes at foodnetwork.com, or ripping off the latest songs from Kazaa, this is true. But from *nix perspective, this is completely untrue. Not only that, but I don't believe that I am being "inconvenienced" from the operating system I choose to run, that puts its system security first.

Mmm, I'm tempted to go on.. but you get the point.

Where he lost me
by I'm not telling on Wed 8th Dec 2004 22:37 UTC

I tried to be objective, but then I got to:
Let's say you have something like Apache running as a web server, serving out lots of virtual websites. 'Virtual Hosts' are what allow you to have ungodly amounts of sites on one server, and as far as the system is concerned are the equivalent of users. This is so that, ideally, person x can't FTP into their site and then have access to person y's files... that sort of thing.

But Apache needs to have access to them all, as well as higher-level files that no other users can get to to do things like write to its log files. In order to be able to do this, Apache has to have escalated privledges, which is about the same as saying Apache is running as the equivalent of 'root'. Apache is just one of many examples you could give, but it poses some real problems. Namely, if you are able to exploit Apache, the system is your playground, because of what Apache is able to access.


I'm runnng Apache as 'www' in a chroot jail, and that it without any effort on my part, OpenBSD ships that way. Furthermore, 'www' has a lot fewer privilidges that 'root', so the premise that owning Apache will comprimise the 'system' is hardly true; you are going to have to find a way to escalate your prividges, and /bin/noshell isn't going to help you much. If you want to make sure users of different sites don't endanger other users, I suppose you can run multiple instances of Apache under users 'www01', 'www02', etc. Next, put Squid, running as '_squid', on port 80 and redirect all requests to the correct instance of Apache. So, I agree that 'virtual sites' can be the equivalent as 'users', but that is the key to locking down each site, not an barrier to security. You will have to exploit squid just to get to Apache, and then you will find that owning site 1 doesn't help you get to site 2. The key to all of this was the *nix model of priviledge.

PS. If I was really worried about security, I would try Pound instead of Squid. Pound is found at
http://www.apsis.ch/pound/

First question
by Smartpatrol on Wed 8th Dec 2004 22:50 UTC

For all those that are critical of Windows security you need to answer this question. If Windows was as secure or more secure than say Unix. would you pay $299 to run it? If your answer is no why bother posting?

Impressed!
by Thom Holwerda on Wed 8th Dec 2004 22:57 UTC

Read the whole thing without stopping, and I must say that I'm very much impressed. This massive article didn't really teach me new facts, but it did bring all those facts I knew together, with security at its center.

Great job, and a must read for everyone. Chop it into pieces for later, print it out as reading material in the bathroom, whatever.

Now, for now I think I have to agree with the general points the author brought up. It's difficult to take out individual parts and lines, since you then completely destroy the context in which they were said (destoyong the overall purpose of this article).

mac ad
by sociopatanonymous on Wed 8th Dec 2004 23:23 UTC

All of the various chat clients uses their own standard set of ports to communicate to their various servers, and if they find them to blocked both inbound and outbound will usually try to drop back to port 80 and go out over http. This isn't ideal, but it often isn't blocked.

How can something reach the im server via port tcp 80 when both inbound and outbound is blocked.I supose you forgot to mention that there are default blocking policies and additional rules that open only the ports one needs,being port 80 in this case.

Good that you mentioned listening services,if you would use nmap for nt and would scan your network address or your local loopback you will discover there is quite a lot listening of which services some can't being stopped to listen even if you wanted it on a default install.On lets say Linux,xBSD,Solaris to name a few (and all i forgot to mention) it's pretty simple to get a all closed or even all ports closed + try nmap -P0 <host> cause the host doesn't listen to icmp message.One could assume that if one would like to setup a webserver he/she knows something has to be done in order the server can be reached.As we like you said are talking about end-user systems it's not good for business to be disproportional.It's however in my opinion not only a paradigm but a myth that user-convenience is disproportional to the learning curve of a particular OS.

but find they can't do so because incoming connections over that port are blocked by the firewall.

Simple task for the developer to provide the user both a wizzard or manual configuration option.There is a line you could draw when considering how user convenient an desktop OS has to be.The society as a whole is becoming complexer so are the machines options and equipment we work with.At shool most childeren get in touch with computers at a young age.It
doesn't take very long till you are just as illiterate when you know absolutely nothing about PC's as when you can't read and write.If you can chat with some im client and add contacts to your list you could configure with an good implemented firewall.

To give an example, an eight-character password is much more secure than a four-character password, yet much harder to remember. If your computer required you to enter two separate passwords before you did anything, it would again be much more secure, but again more of a hassle.

Why not a USB stick as some sort of encrypted key?Nobody complains that it's a burden to wear the key of your house,or car in order to enter or start the engine.If you loose your password you can't get in, if you loose your car keys and don't have the spare one at hand you can't drive.


If your computer required you to enter two passwords, plugin a dongle, then required your thumbprint, then a retina scan while a second person turned a key in exact time with your own from ten feet away,

You can make a joke of it all in any way you like.But what about the buffer overflows with which you don't have to have a password at all because it takes advantage of an opportunity to feed instructions when there should be read data.You stated listening services but didn't mention with what credentials they are running,as setuid root,user etc.

This is somewhat at odds with the idea of 'sane defaults', because unfortunately, just like in real life, sanity has a habit of being relative.[i]

It's pretty sane default to not go on the internet logged in as admin.

[i]In a system like Mac OS X, and some of the newer Linux distros, the default user is called an 'administrator'. Some of the capabilities get blurred between what a 'historical' administrator might be able to do, but suffice to say they're able to act globally through the command line interface via the use of a sudo command after they've given their password.[i]


I don't know the mac unfortunately but on Linux you don't use sudo in order to get root.That's only an option ( nessecity) for the users in the wheel group.

[i]However, there isn't really a 'sudo' functionality built in via the GUI, where if the user does want to mess with things globally they can by entering their password.


Wrong,press the windows key + F2 and type in: runas /user:admin "cmd /k "C:Documents and SettingsUserDesktopBatch.bat,it will start a batch file that's on the users desktop with admin right in fact quite similar to sudo or dosu.

False Pretense
by japp on Wed 8th Dec 2004 23:23 UTC

>>*Sigh* Every 6 months or so comes a post that says, "We need >>to start from the ground up on technology issue X"

>>we need to focus on improving what has come before, instead >>of reflexively thinking that we can code up a 'radical new >>approach' everytime we face hardship.

You are right. That is a good approach. But what happens when the base is flawed. Do you keep going? or you restructure from the ground base?

RE: sociopatanonymous
by Thom Holwerda on Wed 8th Dec 2004 23:32 UTC

I don't know the mac unfortunately but on Linux you don't use sudo in order to get root.That's only an option ( nessecity) for the users in the wheel group.

Ubuntu uses Sudo system-wide, just like OSX does.

RE: Rubbish Pretty Much
by Morin on Wed 8th Dec 2004 23:36 UTC

> The problem for Microsoft is that they could make their
> systems a heck of a lot more secure and still not
> inconvenience the user.

VERY true. But I'd counter that everyone's allstar Linux could be much more convenient without compromising security.

I guess what users *really* need is a crippled system, that is, above all, NOT EXTENDABLE. Extendability is the root of all security problems, and normal users don't need it. Advanced users could then have extendability in exchange for some vulnerabilities.

RE: sociopatanonymous
by Morin on Wed 8th Dec 2004 23:39 UTC

> Ubuntu uses Sudo system-wide, just like OSX does.

IMO ubuntu goes a step in the right direction, but only one step. Whenever I wanted to deal with the system (installing things with APT for example) I ended up with "sudo bash".

And again with the "Explorer was better than Netscape thing"
by Groshong on Wed 8th Dec 2004 23:45 UTC

It's a matter of opinion, but like some of our regulars here, he states it as fact. Another reminder that though it's a good piece, it's just one man's opinion. After jumping ship from Explorer 2.0, I'd have never used it again if hadn't come bundled with Windows. Let's face it, MS never needed to get into the browser market, they just have this incessant need to try and dominate all aspects of the IT industry.

Features
by Groshong on Wed 8th Dec 2004 23:47 UTC

I really don't understand how some geeks translate "feature" into "bloat". When did features become a bad thing?

re:perspective
by andrew on Thu 9th Dec 2004 00:04 UTC

"...the system was more important than the user, but for a personal computer the user is more important than the system."

For point and click folks, checking for recipes at foodnetwork.com, or ripping off the latest songs from Kazaa, this is true. But from *nix perspective, this is completely untrue.


No - that is BOFH's perspective. Professional sys admin who gets paid to tend to the machine, and views users as pests that have to be tolerated because without them, there would be no paycheck... But nowadays many desktop and small office users like myself are also their own sys admins. We need to tend to our systems to keep them running, but DATA is what truly matters. System, be it Windows or Unix, is completely expandable. I would much prefer to reinstall my system than to have my credit card details stolen... Writer of this article is right on the money there.

System vs. User
by Mike on Thu 9th Dec 2004 00:11 UTC

I'm thinking that aproaching the issue of security from such an abstract pov does not much good. Alway explaining the extremely concrete and rational computer by using metaphores withtheit own real-world weaknesses and ambiguities is misleading. How about saying: "what's up with this or that Active X control? Remove that service. Don't auto-open these files, etc. etc." That should give results now, while this whole abstraction leads to very long discussions and 'starting over' that doesn't really get us anywhere. Therefore I think SP2 is a good thing, although not enough.

Soooo, I think less talk, and more concrete solutions to todays security issues.

Re: Features
by Chris on Thu 9th Dec 2004 00:40 UTC

I really don't understand how some geeks translate "feature" into "bloat". When did features become a bad thing?

Features aren't always synonomous with bloat, but often the way they're implemented means they are.

v wow
by Anonymous on Thu 9th Dec 2004 01:17 UTC
Not bad
by Archangel on Thu 9th Dec 2004 01:23 UTC

Quite a read, but not a bad article. He did miss a few bits like RPC, which has turned out to be crucial to Windows (in)security.

Mike: That's all very well, but that method of addressing security doesn't actually fix problems. XP SP2 does a good job of masking a lot of issues by turning the firewall on, but doesn't explain why those ports were listening in the first place. Seriously, a port listening for remote users to execute code on that machine, or one for them to alter the registry? Gonna cause trouble...

Groshong: They're referred to as features when they're something users want. Bloat is a feature users don't want.
Tabbed browsing and IE's Media sidebar would be a good example of each.
If anyone wants to argue, remember that the definition of bloat is 99% of the time personal; obviously not everyone considers it unnecessary or the developers wouldn't have put it in in the first place.

sociopatanonymous: Win+F2 has no effect on here, beyond generating a normal F2 event. Even if it did, it's almost completely useless because it's 60 characters long; nobody's going to seriously type that or anything similar when they want to su.
Windows would benefit hugely from prompting users to su in the GUI, ala KDE or just about anything else.

Re: Archangel (IP: ---.adsl.ihug.co.nz)
by drsmithy on Thu 9th Dec 2004 03:01 UTC

Quite a read, but not a bad article. He did miss a few bits like RPC, which has turned out to be crucial to Windows (in)security.

The big problem wasn't RPC in and of itself, it was (mostly) that RPC ran with unnecsarily high privileges and that it had buffer overflows in the code.

Seriously, a port listening for remote users to execute code on that machine, or one for them to alter the registry? Gonna cause trouble...

These things are enabled in XP Pro because it's meant to be used in corporate environments - they're used for some remote administration tasks.

Certainly, this doesn't justify them being bound to external network adapters in XP home, but IMHO they're justified in having them on by default in XP Pro.

Win+F2 has no effect on here, beyond generating a normal F2 event. Even if it did, it's almost completely useless because it's 60 characters long; nobody's going to seriously type that or anything similar when they want to su.

I suspect he meant Win+R (which is equivalent to Start -> Run), but the command is needlessly long. The equivalent of 'sudo' is 'runas'.

Eg: 'runas /user:Administrator cmd' will open a command prompt as Administrator.

Or just right click an executable or shortcut (or shift-right-click control panel applets) and select "Run As".

Windows would benefit hugely from prompting users to su in the GUI, ala KDE or just about anything else.

As usual, this is a developer issue. The facility exists (and has done for years) for application developers to prompt the user for a password when higher privileges are temporarily required (eg: installation), but few of them use it.

Features, automation, and choice lead to security issues...
by Anonymous on Thu 9th Dec 2004 03:55 UTC

Add complexity to any system and it will be more likely to fail.

That one rule is the main reason the computers on NASA's space shuttle are largely unchanged -- and are dwarfed by the laptops the crew uses -- while the software running on those comparitively simple computers is as perfect for the task of running the shuttle as humanly possible.

Features added to an operating system are added complxity. Having the software guess your intent also adds complexity. Having to make a decision also adds complexity.

Security holes are only one form of defect caused by complexity.

Yet, we want these complex systems. To handle the negitive impact of complity, make the system less integrated, more modular, and isolate the modules from each other.

Without these steps, you get hijacked systems spewing out spam, malware infestations, identity theft, cats living with dogs (er...maybe not the last one).

Security is difficult on any system. It takes hours not minutes unless you're well prepaired. Security is not a magic pill found in a boxed tool or a fix pack. Microsoft doesn't help with the way they have Windows configured by default. There is no balence between security and features.

The attitude some have here is that the admins are overreacting. Unfortunately, it's really bad out there...if not, why use anti-virus, anti-spyware, 3rd party firewalls and other tools? These tools *AREN'T SECURITY*. They are extra complexity -- needlessly bothering the user, zapping processing power, and occasionally causing problems of thier own.

Here's something simple to consider;

http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm

It's not perfect and is not magic. It's just a tool to use if you can't be bothered with all this scarry or senseless security talk.

Re: Groshong (IP: ---.dialup.mindspring.com)
by drsmithy on Thu 9th Dec 2004 04:09 UTC

It's a matter of opinion, but like some of our regulars here, he states it as fact. Another reminder that though it's a good piece, it's just one man's opinion. After jumping ship from Explorer 2.0, I'd have never used it again if hadn't come bundled with Windows.

That's pretty impressive - very few people were ever on the Explorer 2.0 ship to jump off ;) .

IE 1.x and 2.x sucked, I don't think anyone has ever tried to argue otherwise.
IE 3.x was generally considered on par with Navigator 3.x
IE 4.x was generally considered *far* better than Nav 4.x

Most people jumped from Navigator to IE during 1997, just after IE4 was released. Coincidentally, this was about the time Navigator started sucking a great deal and Netscape went off on their doomed attempt to rewrite Navigator from scratch (which begot Mozilla, which begot Firefox).

Let's face it, MS never needed to get into the browser market, they just have this incessant need to try and dominate all aspects of the IT industry

There's a fairly high probability that if Microsoft hadn't gotten into the browser market, Netscape would be in the same position Microsoft is today with a 90%+ market share and significant use of non-standard HTML. That was, after all, their business plan.

Comments
by drsmithy on Thu 9th Dec 2004 04:55 UTC

It all comes back to the multi-user permissions system that is locked in, and just plain expected. That permissions system, in terms of security, sets something a *nix apart from Windows in terms of inherent technology. This is a fairly basic concept, and just means not everything runs with the same privledges.

The multiuser aspect of NT is just as inherent and just as expected. It was designed from the beginning and from the ground up as a multiuser OS.

In fact to a degree, you could make a damn good argument that Windows could be called a *nix, even if it's not actually on the family tree. It all depends on how you are going to choose to define a *nix.

[...]

At the kernel level, the differences aren't vast and certainly aren't show-stoppers.


By my understanding at the kernel level the differences _are_ pretty vast.

Microsoft was designing winNT back in the very early 90's, I believe it was announced in 1991, & WindowsNT (NT=new technology) was released in beta in 1992 with a full release in 1993.

The NT project began in 1988.

WindowsNT was Microsoft's first full 32bit OS, and was originally supposed to be based on IBM's OS2/Warp technology.

This is wrong, NT and OS/2 Warp have nothing in common (apart from NT's OS/2 API personality).

Personally I'd say 10.3 is where I'd make this cutoff, but many would say 10.2... and some would say 10.4 and I wouldn't really disagree strongly with them for it. Which means depending on how you look at it, it was either 6 to 7 years to almost a decade or more from the time Apple bought their OS from NeXT until they had something solid that the majority of their users could were good to go on.

In contrast, many would say WindowsNT 4.0 was when Microsoft hit that point technologically, with many saying Windows 2000 was where they hit that point in terms of compatibility, with WindowsXP being the endgame. WindowsNT 4.0 shipped in 1996, with 2000 shipping in, well, 2000, and WindowsXP shipping in 2001. Depending on how you look at it, Microsoft either took 8, 3, or 9 years to get to around the same relativistic place.


The primary differences in this comparison being Microsoft started from scratch while Apple bought a fully-functional OS and did little more than slap a new display system and GUI on top of it.

Mac users used to joke about Windows needing an 'uninstaller', while they could just drag something to the trash, but this is quickly becoming an untrue concept for a lot of software. Pick any particular program on the Mac, and your average can only make a best guess as to where the hell it's writing out it's data and preferences files.

This isn't really true either. IME OS X apps are excellent at restricting themselves to the appropriate parts of the system (/Applications and ~/Preferences mainly).

As mentioned, MU paradigms are designed to the keep the system safe, and to minimze the damage one user can do. The 'system' is of very, very little value to most users. All of their value is locked up in their 'user' files: their music, their term papers, their emails, their IM histories, their images and their movies.

This really is bang on the money. So few "geeks" seem to grasp this concept - one need look no further than Slashdot and the multitude of "but under Linux the user can only delete their own files" comments.

A word on disproportionally [...]

This is good. He "gets it".

I mentioned several times that NT+ has the same sort of permissions style systems that the various *nixes have, but that they aren't really imposed.

This is not true at all. The permissions *are* imposed, it's just the default configuration leaves the typical user as an Administrator (roughly analagous to 'root').

However, there isn't really a 'sudo' functionality built in via the GUI, where if the user does want to mess with things globally they can by entering their password. They have to log in as an admin user to do what they want, then go back to the other user.

This is incorrect. The GUI has "Run As" (right click an executable or shortcut, or shift-right-click a Control Panel applet). The GUI aspect has been builtin since Windows 2000 and available for free download from Microsoft for earlier versions.

well...
by Anonymous on Thu 9th Dec 2004 05:06 UTC

The author could stop smoking all that Opium and do real analytical research on his topics of writting.

v Just the facts
by Anonymous on Thu 9th Dec 2004 05:47 UTC
win-win situation
by raptor on Thu 9th Dec 2004 09:41 UTC

> For all those that are critical of Windows security you need to answer this question. If Windows was as secure or more secure than say Unix. would you pay $299 to run it? If your answer is no why bother posting? <

]- they just dont buy it.. 99.99% of ppl I know didn't brought windows. If MS find a way to "make" all these ppl pay, linux adoption rate will skyrocket...
So in the both cases linux is in a WIN-WIN situation :")) at all cases..

Correction....
by JSplice on Thu 9th Dec 2004 15:02 UTC

It's "Yin Yang" not "Ying Yang."

absurd
by Joshua Brindle on Thu 9th Dec 2004 15:11 UTC

The underlying premise of this article is that filesystem permissions (and other security mechanisms that are inconvenient to the user) are outdated and not worthwhile in modern computing. This is dead wrong, not only are permissions entirely desirable (how many people share computers with others) but more access control (eg., Mandatory access) is necessary.

In a current Linux system (or just about any other OS you are running on a personal computer) the applications you run (for the most part) assume the same rights as you, and therefore can do anything you'd do (with any of your data).

A good essay rebuting this idea is The Inevitability of Failure available at http://www.jya.com/paperF1.htm

Just the real facts
by raptor on Thu 9th Dec 2004 15:21 UTC

Multi-media (codecs, players) without having to search
download and pray that it works
- mplayer plays whatever u feed him.. no such case about Media Player

Applications that work without SEGV errors
- on the contrary application that does not cause BSOD

The biggest headache of all:
Distro's that disappear after they have a following,
segmenting the Linux cause even more.
- go with the big boys then, they doesnt disappear

Standards - Dependencies ARGG
- oopsi... if u think MSWord is standard. Standards are
inteoperable i.e. available to anyone to "fiddle" with them.
Not closed. HTTP is standard, SMTP is standard, TCP/IP is standard...

Only thing linux lack at the moment are the games

my 5c

@ drsmithy
by dpi on Thu 9th Dec 2004 19:59 UTC

IE 1.x and 2.x sucked, I don't think anyone has ever tried to argue otherwise.
IE 3.x was generally considered on par with Navigator 3.x
IE 4.x was generally considered *far* better than Nav 4.x


Considered by who? Whats your source got that 'generally'.

There's a fairly high probability that if Microsoft hadn't gotten into the browser market, Netscape would be in the same position Microsoft is today with a 90%+ market share and significant use of non-standard HTML. That was, after all, their business plan.

Why is that probable and why was that their business plan. Your source?

How the *nixes will be the next target.
by The MESMERIC on Thu 9th Dec 2004 20:17 UTC

For a while I was thinking.
It is so damn difficult to write a virus for say Linux.
So how will they get round it.

Easy.

It's true to say that in Linux (I will keep to this OS) there is no common address book, window manager, activex / vbscripting etc.

But everyone uses a browser.
Everyone.

And what do browser have?
A Plugin.

The vulnerabilities affecting the family of browsers and plugin is scalating.

We are got a recent java vulnerability prety much OS-independant.
Image vulnerabilities still plague Linux - even though they are patched.
Unaware to some RealPlayer - that clumsy video that now come preinstalled with many Linux packages - have a recent bad vulnerability.

Join all that with various cross-browser spoof vulnerabilities.
We will see the birth of the first cross-platform online virus.

Still things are hazy.
And I have no experience (nor want to have) in writing viruses.
But am just wondering even Flash could be used maliciously - another popular requested cross-browser/cross-platform plugin.

It will happen one day.
Window users will laugh at us -
"Where is your God now?"
(the point they will be affected too wont bother them).

The damage will be mitigated because Linux users run in user mode - but still ... security was the foremost reason I jumped OSes.

Before it was pure paranoia surfing the web - how sad if we have to experience all that again.

Re: How the *nixes will be the next target.
by dpi on Thu 9th Dec 2004 21:03 UTC

Good point although i've never seen a virus for *NIX. I've seen worms and trojans though. Actually, the first worm on the Internet was a Sendmail worm in 1989.

I call 'Emacs versus VI' here. The problem is that Realplayer should not be allowed to execute say /bin/ls because its normally of no use unless the user says so. It shouldn't have that capability. Another example is, the browser should not be able listen to a port and spawn a shell to someone who connects to and types in a password unless the user says so precisely because its normally of no use. Users don't use Gopher anymore, so why enable support for this protocol by default? Even proclaimed secure OSes such as OpenBSD do not apply these basis security measures by default.

PS: 3rd party plugin for ActiveX support in Mozilla exists.

Re: dpi (IP: ---.ipv4.freeshell.bofx.net)
by drsmithy on Thu 9th Dec 2004 21:17 UTC

Considered by who?

Pretty much anyone who wasn't a Netscape fanboy or an anti-Microsoft zealot.

Whats your source got that 'generally'.

Pretty much anything that wasn't written by Netscape fanboys or anti-Microsoft zealots.

Why is that probable [...]

Because that was Netscape's objective.

[...] and why was that their business plan. Your source?

Numerous articles, interviews and quotes from the people who ran Netscape.

Anyone who was actually in the industry at the time would remember this. However, since I have no interest in digging out all my old boxes of magazines just to appease a troll on a web forum, you'll have to take my word for it if you really don't remember.

Re: The MESMERIC (IP: ---.as15444.net)
by drsmithy on Thu 9th Dec 2004 21:19 UTC

It is so damn difficult to write a virus for say Linux.

What makes it so hard ?

It's true to say that in Linux (I will keep to this OS) there is no common address book, window manager, activex / vbscripting etc.

This is where the unix communities' love affair with text files comes into play. Just grep / looking for text strings with '@' in them to get a list of email addresses.

you haven't read what I wrote
by The MESMERIC on Thu 9th Dec 2004 22:13 UTC

drsmithy

it is so damn difficult to write a virus for say linux
(and then I go on explaining that perhaps not anymore)

as to grep
sure also you can send quick emails via the console
or better still
pipe it into an external mail server
(funny thing is I know how to do that in DOS but not in Linux :/ )

messaging programs could be used as a carrier.
most Linux user have Gaim installed.
wether they use that stuff - is another thing.

@ drsmithy
by dpi on Thu 9th Dec 2004 22:26 UTC

Pretty much anyone who wasn't a Netscape fanboy or an anti-Microsoft zealot.

Thats an authentic statistic which you got from... *rolleyes*.

Because that was Netscape's objective.

Says who? So far, thats you. I read different views from people who were high at Netscape though.

Numerous articles, interviews and quotes from the people who ran Netscape.

Please refer to them.

If you have nothing to back up your statements or are not interested to make back them up, then don't make such statements however instead of backing up your statements, you abuse various fallacies (argument of authority, argumentum ad hominem). In contrast, in this thread, i never went as low as calling names or refusing to back up statement with sources when requested.

Re: dpi (IP: ---.ipv4.freeshell.bofx.net)
by drsmithy on Thu 9th Dec 2004 22:59 UTC

Thats an authentic statistic which you got from...

Experience.

Says who? So far, thats you. I read different views from people who were high at Netscape though.

Dating from when ? Netscape tried to reinvent itself several times after foolishly bringing the wrath of Microsoft down on themselves.

Please refer to them.

I would, but most of them are in dead-tree format a thousand kilometres away.

If you have nothing to back up your statements or are not interested to make back them up, then don't make such statements [...]

To the best of my knowledge this is a forum wherein I'm allowed to relate my opinions, beliefs, understanding, experience and knowledge.

[...] however instead of backing up your statements, you abuse various fallacies (argument of authority, argumentum ad hominem). In contrast, in this thread, i never went as low as calling names or refusing to back up statement with sources when requested.

Given your low level of participation in "this thread", that's probably an easy statement to make.

I don't believe I directed any spurious name calling straight at you. However, quite frankly I'm not going to feel any guilt over writing what I think - if I think someone's acting foolishly I'm going to say so.

My memory of the period 1997 - 1999 is of just about every industry pundit, journalist and analyst criticising Netscape's products and praising Microsoft's, accompanied by a large migration away from Navigator to IE (this was, I might add, a massive reversal of the period 1994 - 1996 when Netscape was the industry darling and Microsoft were "too far behind the curve to ever recover"). Yours might be different, so be it. Anyone else who was around at the time is either going to agree with you or agree with me and nothing either of us is going to say will change their minds. People who weren't actually there will get most of their knowledge from people who were and will probably never see any primary sources.

Most of my memory comes from a wide variety of *printed* material and from on-line sources that have almost certainly since either been shut down or moved around too much to be findable in any reasonable timeframe. As previously mentioned, I'm not going to spend hours, if not days, digging them up to appease someone on a web forum whose mind is already made up.

@ drsmithy
by dpi on Fri 10th Dec 2004 18:58 UTC

IOW, beyond a lot of blabla and assumptions, you're not able to provide your sources. Why not post that instead of a long defense?

(And, my source is Frank Hecker, said in 2001, in the movie 'Revolution OS'.)