[BLU] Re: [BLU] RE: [REDHAT] Dell knocks Linux off the desktop (fwd)
Derek Martin
ddm at pizzashack.org
Wed Aug 8 23:24:44 EDT 2001
On Wed, Aug 08, 2001 at 10:34:33PM -0400, David Kramer wrote:
> On Wed, 8 Aug 2001, Derek Martin wrote:
>
>> AT&T now filters all requests to port 80 across their entire
>> network.
>
> Funny, mine was not changed. Maybe they're doing it area by area. Too
> bad DSL sucks. Not many options.
Interesting... I think you may be right. Several sites of friends in
my area are down, but at least one that I know of in the Boston area
is up.
> > Now I know that some people will be quick to respond to my little rant
> > above by pointing out that MediaOne, and subsequently AT&T, have
> > always had a no server clause in their ToS.
>
> This is not the case. Their MediaOne's policy for the past few years has
> been that it is OK to run servers as long as you don't ask for support
This is also interesting, and (obviously) news to me. We had a
discussion about this on GNHLUG not long ago, and I thought it was
determined that the restrictions were still in place. Doesn't help me
much anyway, since my website's down.
> > I shouldn't end this without thanking Microsoft. If it were not for
> > their shoddy software, none of this would be possible. They have
> > repetedly ignored security issues in order to satisfy requests for
> > features from their "customers" (which I'm now convinced really means
> > their business partners that want to sell you stuff, and pay MS for
> > the privilege to get in your face). And, for a company that touts
> > themselves as hiring only the best and the brightest, they seem to be
> > remarkably unable to hire programmers that understand the concept of
> > bounds checking.
>
> OK, let's have a fair, factual debate. Two things here:
> The lack of security MODEL in most versions of Windows was a
> well-thought-out design decision, not shoddy programming.
I would disagree that it was well thought out... I think that point's
been fairly well proven.
> That is what the majority of IIS/IE exploits have relied upon. Not
> buffer overflow. The software bends over backwards and begs to run
> downloaded executables in the name of doing what [teh software
> thinks] the user wants without having to know how to do it.
I agree with that, but there have been plenty of buffer overflows as
well. Also, to be fair (to Microsoft's programmers), I (incorrectly)
used bounds checking losely to refer generically to a class of errors
which includes buffer overruns, input validation, failure to check
return status, and similar kinds of errors. IOW, programatical
errors, rather than design flaws. Some examples:
Media Player:
http://www.securityfocus.com/frames/?content=/vdb/%3Fid%3D3105
Front Page server extensions:
http://www.securityfocus.com/frames/?content=/vdb/%3Fid%3D2906
The Code Red bug:
http://www.securityfocus.com/frames/?content=/vdb/%3Fid%3D2880
Word RTF Macro validation error:
http://www.securityfocus.com/frames/?content=/vdb/%3Fid%3D2753
SecureIIS input validation:
http://www.securityfocus.com/frames/?content=/vdb/%3Fid%3D2742
IIS/PWS input validation:
http://www.securityfocus.com/frames/?content=/vdb/%3Fid%3D2708
My favorite is the date string buffer overflow in Outlook, which I'm
too impatient to find. But you get the idea.
> Now, if you track the CERT UNIX security advisories and Red Hat's security
> list, you will see a few buffer overflow exploits A MONTH listed for
> various Linux distributions. Who'se got shoddy software?
You may be right here, I don't have the patience to do the research (I
think it would take days). However even if you are right, I would
point out that there is a major difference between any release of
Windows and any release of Linux: Virtually all of the software sold
with a distribution of Linux (red hat or otherwise) is written by
ameteur hobbyists; Windows is written entirely by paid professionals.
To be honest, I'm not a big fan of the code that Red Hat releases, but
at least they usually have a patch out for discovered problems within
a day or three. Microsoft often takes a month or longer, despite being
the wealthiest, most successful software company in the history of the
planet.
Red Hat is basically selling easy-to-use packaging, and support, not
software. The software is free, and for the most part they didn't
write it. Hard to blame them for that. Microsoft expensively sells
licenses to use their crappy software, and you'll pay dearly if you
need them to help you make it work.
> > And no, I have not forgotten that Linux software (and Unix for that
> > matter) can be vulnerable too. But I also know that the Linux
> > community is generally MUCH, MUCH better about responding quickly and
> > responsibly to security issues than are MS and their users, and much
> > more likely to design security into their programs than MS.
>
> Holes are patched much faster, but is the average Linux home user with a
> cablemodem or DSL really more diligent about applying them? I think not.
Perhaps not... the Linux users I know mostly do; however I may not be
in the company of "the average Linux home user" having mostly contact
with people who work with computers for a living. I'm just not sure
whether or not they represent the average home Linux user...
--
---------------------------------------------------
Derek Martin | Unix/Linux geek
ddm at pizzashack.org | GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).
More information about the Discuss
mailing list