On Wed, Aug 08, 2001 at 10:34:33PM -0400, David Kramer wrote:
> On Wed, 8 Aug 2001, Derek Martin wrote:
>
>> AT&T now filters all requests to port 80 across their entire
>> network.
>
> Funny, mine was not changed. Maybe they're doing it area by area. Too
> bad DSL sucks. Not many options.

Interesting... I think you may be right. Several sites of friends in my
area are down, but at least one that I know of in the Boston area is up.

> > Now I know that some people will be quick to respond to my little rant
> > above by pointing out that MediaOne, and subsequently AT&T, have
> > always had a no server clause in their ToS.
>
> This is not the case. MediaOne's policy for the past few years has
> been that it is OK to run servers as long as you don't ask for support

This is also interesting, and (obviously) news to me. We had a
discussion about this on GNHLUG not long ago, and I thought it was
determined that the restrictions were still in place. Doesn't help me
much anyway, since my website's down.

> > I shouldn't end this without thanking Microsoft. If it were not for
> > their shoddy software, none of this would be possible. They have
> > repeatedly ignored security issues in order to satisfy requests for
> > features from their "customers" (which I'm now convinced really means
> > their business partners that want to sell you stuff, and pay MS for
> > the privilege to get in your face). And, for a company that touts
> > themselves as hiring only the best and the brightest, they seem to be
> > remarkably unable to hire programmers that understand the concept of
> > bounds checking.
>
> OK, let's have a fair, factual debate. Two things here:
> The lack of security MODEL in most versions of Windows was a
> well-thought-out design decision, not shoddy programming.

I would disagree that it was well thought out... I think that point's
been fairly well proven.

> That is what the majority of IIS/IE exploits have relied upon. Not
> buffer overflow. The software bends over backwards and begs to run
> downloaded executables in the name of doing what [the software
> thinks] the user wants without having to know how to do it.

I agree with that, but there have been plenty of buffer overflows as
well. Also, to be fair (to Microsoft's programmers), I (incorrectly)
used bounds checking loosely to refer generically to a class of errors
which includes buffer overruns, input validation, failure to check
return status, and similar kinds of errors. IOW, programmatic errors,
rather than design flaws.

Some examples:

Media Player:
http://www.securityfocus.com/frames/?content=/vdb/%3Fid%3D3105

Front Page server extensions:
http://www.securityfocus.com/frames/?content=/vdb/%3Fid%3D2906

The Code Red bug:
http://www.securityfocus.com/frames/?content=/vdb/%3Fid%3D2880

Word RTF Macro validation error:
http://www.securityfocus.com/frames/?content=/vdb/%3Fid%3D2753

SecureIIS input validation:
http://www.securityfocus.com/frames/?content=/vdb/%3Fid%3D2742

IIS/PWS input validation:
http://www.securityfocus.com/frames/?content=/vdb/%3Fid%3D2708

My favorite is the date string buffer overflow in Outlook, which I'm
too impatient to find. But you get the idea.

> Now, if you track the CERT UNIX security advisories and Red Hat's security
> list, you will see a few buffer overflow exploits A MONTH listed for
> various Linux distributions. Who's got shoddy software?

You may be right here, I don't have the patience to do the research (I
think it would take days). However even if you are right, I would point
out that there is a major difference between any release of Windows and
any release of Linux: Virtually all of the software sold with a
distribution of Linux (red hat or otherwise) is written by amateur
hobbyists; Windows is written entirely by paid professionals. To be
honest, I'm not a big fan of the code that Red Hat releases, but at
least they usually have a patch out for discovered problems within a
day or three. Microsoft often takes a month or longer, despite being
the wealthiest, most successful software company in the history of the
planet. Red Hat is basically selling easy-to-use packaging, and
support, not software. The software is free, and for the most part
they didn't write it. Hard to blame them for that. Microsoft
expensively sells licenses to use their crappy software, and you'll
pay dearly if you need them to help you make it work.

> > And no, I have not forgotten that Linux software (and Unix for that
> > matter) can be vulnerable too. But I also know that the Linux
> > community is generally MUCH, MUCH better about responding quickly and
> > responsibly to security issues than are MS and their users, and much
> > more likely to design security into their programs than MS.
>
> Holes are patched much faster, but is the average Linux home user with a
> cablemodem or DSL really more diligent about applying them? I think not.

Perhaps not... the Linux users I know mostly do; however I may not be
in the company of "the average Linux home user" having mostly contact
with people who work with computers for a living. I'm just not sure
whether or not they represent the average home Linux user...

--
---------------------------------------------------
Derek Martin | Unix/Linux geek
ddm at pizzashack.org | GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu