<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: How Many Holes are There in That Other OS, Its Office Suite and InternetExploder?</title>
	<atom:link href="http://mrpogson.com/2012/08/14/how-many-holes-are-there-in-that-other-os-its-office-suite-and-internetexploder/feed/" rel="self" type="application/rss+xml" />
	<link>http://mrpogson.com/2012/08/14/how-many-holes-are-there-in-that-other-os-its-office-suite-and-internetexploder/</link>
	<description>One man, closing all the windows.</description>
	<lastBuildDate>Wed, 19 Jun 2013 21:20:29 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
	<item>
		<title>By: Brillo</title>
		<link>http://mrpogson.com/2012/08/14/how-many-holes-are-there-in-that-other-os-its-office-suite-and-internetexploder/#comment-94051</link>
		<dc:creator>Brillo</dc:creator>
		<pubDate>Sat, 18 Aug 2012 17:33:06 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13739#comment-94051</guid>
		<description><![CDATA[&lt;b&gt;This guy is a hardware engineer who needs to have his main circuit board run through the solder bath again&lt;/b&gt;

Hardware engineer? Are you even sure about that?

Oiaohm certainly does &lt;i&gt;not&lt;/i&gt; seem like one to me.

&lt;b&gt;The best way to counter this type of Linux cracked pot is to ignore him because he thrives on attention.&lt;/b&gt;

In the old days when neither the Internet nor the slang term &quot;trolls&quot; existed, we had plenty of intelligent and effective ways to deal with similar situations. Now when people deal with the Internet equivalent of prank callers and other social annoyances, they use idiotic strategies invented by those who have little social experience outside of working with others on their D&amp;D dice-rolling stuff. We sure have put the world in reverse gear and floor it good, haven&#039;t we?]]></description>
		<content:encoded><![CDATA[<p><b>This guy is a hardware engineer who needs to have his main circuit board run through the solder bath again</b></p>
<p>Hardware engineer? Are you even sure about that?</p>
<p>Oiaohm certainly does <i>not</i> seem like one to me.</p>
<p><b>The best way to counter this type of Linux cracked pot is to ignore him because he thrives on attention.</b></p>
<p>In the old days when neither the Internet nor the slang term &#8220;trolls&#8221; existed, we had plenty of intelligent and effective ways to deal with similar situations. Now when people deal with the Internet equivalent of prank callers and other social annoyances, they use idiotic strategies invented by those who have little social experience outside of working with others on their D&amp;D dice-rolling stuff. We sure have put the world in reverse gear and floor it good, haven&#8217;t we?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris Weig</title>
		<link>http://mrpogson.com/2012/08/14/how-many-holes-are-there-in-that-other-os-its-office-suite-and-internetexploder/#comment-94004</link>
		<dc:creator>Chris Weig</dc:creator>
		<pubDate>Sat, 18 Aug 2012 11:26:57 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13739#comment-94004</guid>
		<description><![CDATA[&lt;a href=&quot;http://us.generation-nt.com/answer/meet-jeffm-telic-oiaohm-peter-dolding-help-204554431.html&quot; rel=&quot;nofollow&quot;&gt;Just as a reminder&lt;/a&gt;:

Meet JeffM = Telic = Oiaohm = Peter Dolding.

This guy is a hardware engineer who needs to have his main circuit board run through the solder bath again. He is a nut&#039;s nut and a complete OSS fanatic. He used to post as telic on various boards and blogs but got a reputation for being insane so he changed his nym to oiaohm. He posts in COLA as JeffM but hangs out on Roy&#039;s irc literally 24x7 and is known there as oiaohm. The best way to counter this type of Linux cracked pot is to ignore him because he thrives on attention.]]></description>
		<content:encoded><![CDATA[<p><a href="http://us.generation-nt.com/answer/meet-jeffm-telic-oiaohm-peter-dolding-help-204554431.html" rel="nofollow">Just as a reminder</a>:</p>
<p>Meet JeffM = Telic = Oiaohm = Peter Dolding.</p>
<p>This guy is a hardware engineer who needs to have his main circuit board run through the solder bath again. He is a nut&#8217;s nut and a complete OSS fanatic. He used to post as telic on various boards and blogs but got a reputation for being insane so he changed his nym to oiaohm. He posts in COLA as JeffM but hangs out on Roy&#8217;s irc literally 24&#215;7 and is known there as oiaohm. The best way to counter this type of Linux cracked pot is to ignore him because he thrives on attention.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brillo</title>
		<link>http://mrpogson.com/2012/08/14/how-many-holes-are-there-in-that-other-os-its-office-suite-and-internetexploder/#comment-93964</link>
		<dc:creator>Brillo</dc:creator>
		<pubDate>Fri, 17 Aug 2012 16:21:50 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13739#comment-93964</guid>
		<description><![CDATA[--BEGIN OIAOHM-SPEAK--
&lt;b&gt;Really you need to learn to read what you link to properly Brillo. Quoting a bug that was down graded proves nothing. &lt;/b&gt;

Oiaohm you clear dumb a bug that was down graded proves everything even higgs boson and intelligent design yes I am in fact proving those.

&lt;b&gt;Yes Privilege Exploit Later on it was down graded as the Privilege Exploit was found impossible todo.&lt;/b&gt;

Yes Privilege Exploit and DOS are same so that bug is invalid though still in CVE. In fact all DOS bugs for Windows in CVE are bogus in same way:

http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-17153/version_id-74208/opdos-1/Microsoft-Windows-7.html

&lt;b&gt;What is a Local DOS. Yes its the system locked up dead. Brillo. Linux when a Local DOS happens due to X11 defect the kernel panic will not always display.&lt;/b&gt;

Again yes and no, the bug locks system only when package manager is running and when the manager stop kernel ceases panic and goes clam again.

&lt;b&gt;Do you know what that oval tells you. USA Nist detected MS10-048. They made patch USGCB.patch to fix then had to wait for MS to apply it upstream.&lt;/b&gt;

Yes and no Nist has access to source but they use cross platform language to produce patch:

http://oval.mitre.org/

So basically anyone can submit patches as long as they write in open vulnerability and assessment language not C.

&lt;b&gt;Linux kernel releases have been stopped by the security team at times.&lt;/b&gt;

I know security team for Linux and one member lives in tin shed in rural australia. Yes the same antenna array operator and Russian cosmonaut curious but true.

&lt;b&gt;Yes Coverity and other projects.&lt;/b&gt;

Covertiy is almost size of a small island. Large I know but not as large a project as others:

http://www.coverity.com/

&lt;b&gt;Linux can correct for memory errors because its a expected event. &lt;/b&gt;

You idiot memory errors are as expected as software bugs. If memory error chooses to be in a it wont be in b so the kernel knows where to look for it. In the same way kernel expect bugs to occur in some places so crash is stopped before it happens.
--END OIAOHM-SPEAK--]]></description>
		<content:encoded><![CDATA[<p>&#8211;BEGIN OIAOHM-SPEAK&#8211;<br />
<b>Really you need to learn to read what you link to properly Brillo. Quoting a bug that was down graded proves nothing. </b></p>
<p>Oiaohm you clear dumb a bug that was down graded proves everything even higgs boson and intelligent design yes I am in fact proving those.</p>
<p><b>Yes Privilege Exploit Later on it was down graded as the Privilege Exploit was found impossible todo.</b></p>
<p>Yes Privilege Exploit and DOS are same so that bug is invalid though still in CVE. In fact all DOS bugs for Windows in CVE are bogus in same way:</p>
<p><a href="http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-17153/version_id-74208/opdos-1/Microsoft-Windows-7.html" rel="nofollow">http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-17153/version_id-74208/opdos-1/Microsoft-Windows-7.html</a></p>
<p><b>What is a Local DOS. Yes its the system locked up dead. Brillo. Linux when a Local DOS happens due to X11 defect the kernel panic will not always display.</b></p>
<p>Again yes and no, the bug locks system only when package manager is running and when the manager stop kernel ceases panic and goes clam again.</p>
<p><b>Do you know what that oval tells you. USA Nist detected MS10-048. They made patch USGCB.patch to fix then had to wait for MS to apply it upstream.</b></p>
<p>Yes and no Nist has access to source but they use cross platform language to produce patch:</p>
<p><a href="http://oval.mitre.org/" rel="nofollow">http://oval.mitre.org/</a></p>
<p>So basically anyone can submit patches as long as they write in open vulnerability and assessment language not C.</p>
<p><b>Linux kernel releases have been stopped by the security team at times.</b></p>
<p>I know security team for Linux and one member lives in tin shed in rural australia. Yes the same antenna array operator and Russian cosmonaut curious but true.</p>
<p><b>Yes Coverity and other projects.</b></p>
<p>Covertiy is almost size of a small island. Large I know but not as large a project as others:</p>
<p><a href="http://www.coverity.com/" rel="nofollow">http://www.coverity.com/</a></p>
<p><b>Linux can correct for memory errors because its a expected event. </b></p>
<p>You idiot memory errors are as expected as software bugs. If memory error chooses to be in a it wont be in b so the kernel knows where to look for it. In the same way kernel expect bugs to occur in some places so crash is stopped before it happens.<br />
&#8211;END OIAOHM-SPEAK&#8211;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: oiaohm</title>
		<link>http://mrpogson.com/2012/08/14/how-many-holes-are-there-in-that-other-os-its-office-suite-and-internetexploder/#comment-93956</link>
		<dc:creator>oiaohm</dc:creator>
		<pubDate>Fri, 17 Aug 2012 15:10:34 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13739#comment-93956</guid>
		<description><![CDATA[Brillo read the reference on CVE-2010-1887
It was release because it was first believed to be a possible &quot;Microsoft Security Bulletin MS10-048 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege&quot;

Really you need to learn to read what you link to properly Brillo.  Quoting a bug that was down graded proves nothing.  MS simply does not release bugs that just cause crashes onto CVE unless its by mistake.

Yes Privilege Exploit Later on it was down graded as the Privilege Exploit was found impossible todo.

Brillo
&quot;The Linux kernel overall does not have a unified or formalized life cycle model of any kind. A bug in the code may persist over multiple versions before it is discovered by someone who may or may not be the originator of the code. Also, of course, attackers do use the CVE database as their “shopping list” regardless of OS types or versions.&quot;

Completely bogus in fact.  A bug in windows also persists  over multiple versions before its discovered.  Also windows has reported security bugs persist in its releases for over 10 years.

Microsoft Security Development Lifecycle is mostly bogus to what really happens.  Yes mostly a work of wishful thinking on Microsoft part.  You see release after release of microsoft programs that you apply metasploit and you see hey this fault as existed for years.  Reported for years yet its still there even that the Microsoft Security Development Life-cycle says it should not be.  Please don&#039;t quote works of security fiction like the Microsoft Security Development Life-cycle.  A person can write a huge stack of process documents and change nothing if it not obeyed and its quite simple to skilled people do demo the fact.

In security a document is worthless.  Results is what you work by.  How long from reported to fixed.  The better you security management cycle is working the shorter that will be.  Next is the fact that none come back from the dead.  Also happens in windows that a security flaw comes back from the dead.  Only thing I can think they don&#039;t follow the prac of creating a testcase to detect the security flaw.  Wait the Microsoft Security Development Life-cycle does not list doing that critical step.

Brillo Linux reports more 100 percent worthless to the CVE for a remote access to data.  This makes using the CVE more time consuming.

Brillo
&quot;The answer to linux lock up is yes and no. Linux lock up can be resumed with some pressing of buttons so it appears to lock up but not really. Windows lock up cannot be resumed without reset so it in fact locks up where linux does not.&quot;

Really you provided the link that proves you don&#039;t know what you are talking about. http://www.cvedetails.com/cve/CVE-2012-2373/

What is a Local DOS.  Yes its the system locked up dead.  Brillo.  Linux when a Local DOS happens due to X11 defect the kernel panic will not always display.  To get out of a Linux local DOS bug most times it is reset.

Both windows and linux suffer from Local DOS issues.  Microsoft Security Bulletin does not report Local DOS unless there is a possible Privilege exploit as well.

That Linux treats Local DOS as a security issue is why it locks up less.

You really don&#039;t know how to read CVE.  Brillo.

&quot;oval:gov.nist.USGCB.patch:def:11681&quot;  Interesting right.  &quot;MS10-048: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)&quot;

Do you know what that oval tells you.  USA Nist detected MS10-048.  They made patch USGCB.patch to fix then had to wait for MS to apply it upstream.   That right MS10-048 was not detected by Microsoft it was detected by a third party that was given access to the Microsoft Source code.  The patch to fix it was also not made by Microsoft.

So you have not quoted a Microsoft fixed bug at all for your windows example.

Most people don&#039;t know how to read oval url format.

Brillo
&quot;Each product from MS is required internally to undergo team-wide code review during implementation and a final security review right before RTM.&quot;

There is a process even with the Linux kernel.  There is a security team.  They have veto releases in the past.

Really team-wide code review sorry that is not how it works at all.  The source code at Microsoft is sent to third parties for review like Nist.  It does not remain internal at all Brillo before the RTM.

Linux and Microsoft are both using a very related model.  Linux kernel releases have been stopped by the security team at times.

Same thing of going external before release happens with Linux http://news.cnet.com/Homeland-Security-helps-secure-open-source-code/2100-1002_3-6025579.html
Yes Coverity and other projects.

Linus does not make is selection to release solo.  Neither does any of the major project leads.

Brillo
&quot;MS requires NDA so reporters get no bounties even they say they do. I know scary but true there no real bounties for bug reports and no further bug reports are allowed.&quot;

You get paid if you include the clause for payment.   For true security flaws MS does pay researchers of course reporter has to sign the right NDA that says unless paid has the right to release.  Researcher working in Russia particularly are paid since there is no offence to breaking a NDA if you have not be paid for services.  The transaction of money is required to buy your silence in Russian law.

If you get paid does partly depend on the country you are in.

PS
&quot;idiot oiaohm Linux even corrects memory errors in cheap embedded systems. No Linux not perfect but close enough.&quot;
Linux can correct for memory errors because its a expected event.  I said unexpected event.  This is something you did not plan on happening so the code to handle it does not exist.

So Brillo does not know the difference between expected event and unexpected event.]]></description>
		<content:encoded><![CDATA[<p>Brillo read the reference on CVE-2010-1887<br />
It was release because it was first believed to be a possible &#8220;Microsoft Security Bulletin MS10-048 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege&#8221;</p>
<p>Really you need to learn to read what you link to properly Brillo.  Quoting a bug that was down graded proves nothing.  MS simply does not release bugs that just cause crashes onto CVE unless its by mistake.</p>
<p>Yes Privilege Exploit Later on it was down graded as the Privilege Exploit was found impossible todo.</p>
<p>Brillo<br />
&#8220;The Linux kernel overall does not have a unified or formalized life cycle model of any kind. A bug in the code may persist over multiple versions before it is discovered by someone who may or may not be the originator of the code. Also, of course, attackers do use the CVE database as their “shopping list” regardless of OS types or versions.&#8221;</p>
<p>Completely bogus in fact.  A bug in windows also persists  over multiple versions before its discovered.  Also windows has reported security bugs persist in its releases for over 10 years.</p>
<p>Microsoft Security Development Lifecycle is mostly bogus to what really happens.  Yes mostly a work of wishful thinking on Microsoft part.  You see release after release of microsoft programs that you apply metasploit and you see hey this fault as existed for years.  Reported for years yet its still there even that the Microsoft Security Development Life-cycle says it should not be.  Please don&#8217;t quote works of security fiction like the Microsoft Security Development Life-cycle.  A person can write a huge stack of process documents and change nothing if it not obeyed and its quite simple to skilled people do demo the fact.</p>
<p>In security a document is worthless.  Results is what you work by.  How long from reported to fixed.  The better you security management cycle is working the shorter that will be.  Next is the fact that none come back from the dead.  Also happens in windows that a security flaw comes back from the dead.  Only thing I can think they don&#8217;t follow the prac of creating a testcase to detect the security flaw.  Wait the Microsoft Security Development Life-cycle does not list doing that critical step.</p>
<p>Brillo Linux reports more 100 percent worthless to the CVE for a remote access to data.  This makes using the CVE more time consuming.</p>
<p>Brillo<br />
&#8220;The answer to linux lock up is yes and no. Linux lock up can be resumed with some pressing of buttons so it appears to lock up but not really. Windows lock up cannot be resumed without reset so it in fact locks up where linux does not.&#8221;</p>
<p>Really you provided the link that proves you don&#8217;t know what you are talking about. <a href="http://www.cvedetails.com/cve/CVE-2012-2373/" rel="nofollow">http://www.cvedetails.com/cve/CVE-2012-2373/</a></p>
<p>What is a Local DOS.  Yes its the system locked up dead.  Brillo.  Linux when a Local DOS happens due to X11 defect the kernel panic will not always display.  To get out of a Linux local DOS bug most times it is reset.</p>
<p>Both windows and linux suffer from Local DOS issues.  Microsoft Security Bulletin does not report Local DOS unless there is a possible Privilege exploit as well.</p>
<p>That Linux treats Local DOS as a security issue is why it locks up less.</p>
<p>You really don&#8217;t know how to read CVE.  Brillo.</p>
<p>&#8220;oval:gov.nist.USGCB.patch:def:11681&#8243;  Interesting right.  &#8220;MS10-048: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)&#8221;</p>
<p>Do you know what that oval tells you.  USA Nist detected MS10-048.  They made patch USGCB.patch to fix then had to wait for MS to apply it upstream.   That right MS10-048 was not detected by Microsoft it was detected by a third party that was given access to the Microsoft Source code.  The patch to fix it was also not made by Microsoft.</p>
<p>So you have not quoted a Microsoft fixed bug at all for your windows example.</p>
<p>Most people don&#8217;t know how to read oval url format.</p>
<p>Brillo<br />
&#8220;Each product from MS is required internally to undergo team-wide code review during implementation and a final security review right before RTM.&#8221;</p>
<p>There is a process even with the Linux kernel.  There is a security team.  They have veto releases in the past.</p>
<p>Really team-wide code review sorry that is not how it works at all.  The source code at Microsoft is sent to third parties for review like Nist.  It does not remain internal at all Brillo before the RTM.</p>
<p>Linux and Microsoft are both using a very related model.  Linux kernel releases have been stopped by the security team at times.</p>
<p>Same thing of going external before release happens with Linux <a href="http://news.cnet.com/Homeland-Security-helps-secure-open-source-code/2100-1002_3-6025579.html" rel="nofollow">http://news.cnet.com/Homeland-Security-helps-secure-open-source-code/2100-1002_3-6025579.html</a><br />
Yes Coverity and other projects.</p>
<p>Linus does not make is selection to release solo.  Neither does any of the major project leads.</p>
<p>Brillo<br />
&#8220;MS requires NDA so reporters get no bounties even they say they do. I know scary but true there no real bounties for bug reports and no further bug reports are allowed.&#8221;</p>
<p>You get paid if you include the clause for payment.   For true security flaws MS does pay researchers of course reporter has to sign the right NDA that says unless paid has the right to release.  Researcher working in Russia particularly are paid since there is no offence to breaking a NDA if you have not be paid for services.  The transaction of money is required to buy your silence in Russian law.</p>
<p>If you get paid does partly depend on the country you are in.</p>
<p>PS<br />
&#8220;idiot oiaohm Linux even corrects memory errors in cheap embedded systems. No Linux not perfect but close enough.&#8221;<br />
Linux can correct for memory errors because its a expected event.  I said unexpected event.  This is something you did not plan on happening so the code to handle it does not exist.</p>
<p>So Brillo does not know the difference between expected event and unexpected event.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brillo</title>
		<link>http://mrpogson.com/2012/08/14/how-many-holes-are-there-in-that-other-os-its-office-suite-and-internetexploder/#comment-93949</link>
		<dc:creator>Brillo</dc:creator>
		<pubDate>Fri, 17 Aug 2012 13:49:47 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13739#comment-93949</guid>
		<description><![CDATA[RP&#039;s blog ate my links.

Here are the non-working ones in their order of appearance:

1) http://www.cvedetails.com/cve/CVE-2010-1887/

2) http://www.cvedetails.com/cve/CVE-2012-2373/]]></description>
		<content:encoded><![CDATA[<p>RP&#8217;s blog ate my links.</p>
<p>Here are the non-working ones in their order of appearance:</p>
<p>1) <a href="http://www.cvedetails.com/cve/CVE-2010-1887/" rel="nofollow">http://www.cvedetails.com/cve/CVE-2010-1887/</a></p>
<p>2) <a href="http://www.cvedetails.com/cve/CVE-2012-2373/" rel="nofollow">http://www.cvedetails.com/cve/CVE-2012-2373/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brillo</title>
		<link>http://mrpogson.com/2012/08/14/how-many-holes-are-there-in-that-other-os-its-office-suite-and-internetexploder/#comment-93948</link>
		<dc:creator>Brillo</dc:creator>
		<pubDate>Fri, 17 Aug 2012 13:43:35 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13739#comment-93948</guid>
		<description><![CDATA[First off, to clarify a few things:

1) Denial-of-Service type vulnerabilities &lt;a&gt;in Windows&lt;/a&gt;, local or remote, are listed in the CVE database just the same way those in Linux are listed there. There is simply no merit whatsoever in oiaohm&#039;s statement that &quot;you see no Windows Local DOS&quot;.

2) Usually the cited Security Bulletin provides the source of the information if such source exists. Each product from MS is required &lt;a href=&quot;http://www.microsoft.com/en-us/download/details.aspx?id=9295&quot; rel=&quot;nofollow&quot;&gt;internally&lt;/a&gt; to undergo team-wide code review during implementation and a final security review right before RTM. Any other remaining problem in the product is gathered via a &lt;a href=&quot;http://www.microsoft.com/security/msrc/collaboration/research.aspx&quot; rel=&quot;nofollow&quot;&gt;collaborative effort&lt;/a&gt; with external parties.

3) The Linux kernel overall does not have a unified or formalized life cycle model of any kind. A bug in the code may persist over &lt;a&gt;multiple versions&lt;/a&gt; before it is discovered by someone who may or may not be the originator of the code. Also, of course, attackers do use the CVE database as their &quot;shopping list&quot; &lt;a href=&quot;http://blog.iweb.com/en/2010/09/64bits-linux-important-security-vulnerability-identified/5437.html&quot; rel=&quot;nofollow&quot;&gt;regardless&lt;/a&gt; of OS types or versions.

Now...

-- BEGIN OIAOHM-SPEAK --

&lt;b&gt;So idiot Brillo you can chart up the sources of every CVE report. Microsoft are most third party almost none direct from Microsoft. Linux on the other hand Most are direct from Linux developers to CVE with a small few from third parties.&lt;/b&gt;

Clearly incompetent idiot oiaohm if you chart up the sources in CVE you can see most Linux CVE are direct from a tin shed. Yes a tin shed in outback Australia in case you are not aware. Its owner is software engineer. Curiously he also a hardware engineer, a system administrator and surprise an antenna array operator and Russian cosmonaut.

&lt;b&gt;Anyone who attempt to claim that any OS never locks up due to some unexpected event is a idiot. Human can make nothing that is perfect.&lt;/b&gt;

Idiot oiaohm Linux even corrects memory errors in cheap embedded systems. No Linux not perfect but close enough.

&lt;b&gt;You will find that I have never ever said that Linux does ever not lock up. The closest you will find is that it locks up less.&lt;/b&gt;

The answer to linux lock up is yes and no. Linux lock up can be resumed with some pressing of buttons so it appears to lock up but not really. Windows lock up cannot be resumed without reset so it in fact locks up where linux does not.

&lt;b&gt;Really you are dumb enough to claim Microsoft does not pay bug bounties. They do. Normally with a requirement to sign a NDA. Yes Microsoft does pay for bugs.&lt;/b&gt;

MS requires NDA so reporters get no bounties even they say they do. I know scary but true there no real bounties for bug reports and no further bug reports are allowed.

-- END OIAOHM-SPEAK --]]></description>
		<content:encoded><![CDATA[<p>First off, to clarify a few things:</p>
<p>1) Denial-of-Service type vulnerabilities <a>in Windows</a>, local or remote, are listed in the CVE database just the same way those in Linux are listed there. There is simply no merit whatsoever in oiaohm&#8217;s statement that &#8220;you see no Windows Local DOS&#8221;.</p>
<p>2) Usually the cited Security Bulletin provides the source of the information if such source exists. Each product from MS is required <a href="http://www.microsoft.com/en-us/download/details.aspx?id=9295" rel="nofollow">internally</a> to undergo team-wide code review during implementation and a final security review right before RTM. Any other remaining problem in the product is gathered via a <a href="http://www.microsoft.com/security/msrc/collaboration/research.aspx" rel="nofollow">collaborative effort</a> with external parties.</p>
<p>3) The Linux kernel overall does not have a unified or formalized life cycle model of any kind. A bug in the code may persist over <a>multiple versions</a> before it is discovered by someone who may or may not be the originator of the code. Also, of course, attackers do use the CVE database as their &#8220;shopping list&#8221; <a href="http://blog.iweb.com/en/2010/09/64bits-linux-important-security-vulnerability-identified/5437.html" rel="nofollow">regardless</a> of OS types or versions.</p>
<p>Now&#8230;</p>
<p>&#8211; BEGIN OIAOHM-SPEAK &#8211;</p>
<p><b>So idiot Brillo you can chart up the sources of every CVE report. Microsoft are most third party almost none direct from Microsoft. Linux on the other hand Most are direct from Linux developers to CVE with a small few from third parties.</b></p>
<p>Clearly incompetent idiot oiaohm if you chart up the sources in CVE you can see most Linux CVE are direct from a tin shed. Yes a tin shed in outback Australia in case you are not aware. Its owner is software engineer. Curiously he also a hardware engineer, a system administrator and surprise an antenna array operator and Russian cosmonaut.</p>
<p><b>Anyone who attempt to claim that any OS never locks up due to some unexpected event is a idiot. Human can make nothing that is perfect.</b></p>
<p>Idiot oiaohm Linux even corrects memory errors in cheap embedded systems. No Linux not perfect but close enough.</p>
<p><b>You will find that I have never ever said that Linux does ever not lock up. The closest you will find is that it locks up less.</b></p>
<p>The answer to linux lock up is yes and no. Linux lock up can be resumed with some pressing of buttons so it appears to lock up but not really. Windows lock up cannot be resumed without reset so it in fact locks up where linux does not.</p>
<p><b>Really you are dumb enough to claim Microsoft does not pay bug bounties. They do. Normally with a requirement to sign a NDA. Yes Microsoft does pay for bugs.</b></p>
<p>MS requires NDA so reporters get no bounties even they say they do. I know scary but true there no real bounties for bug reports and no further bug reports are allowed.</p>
<p>&#8211; END OIAOHM-SPEAK &#8211;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: oiaohm</title>
		<link>http://mrpogson.com/2012/08/14/how-many-holes-are-there-in-that-other-os-its-office-suite-and-internetexploder/#comment-93933</link>
		<dc:creator>oiaohm</dc:creator>
		<pubDate>Fri, 17 Aug 2012 07:48:14 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13739#comment-93933</guid>
		<description><![CDATA[Brillo
&quot;Oiaohm you idiot Linux bugs reported by hobbyists. Yes hobbyists play large part in bug reporting more than professionals. Look no further to firefox reward from report bugs for Linux.&quot;

To be correct when you look at cve numbers and where those have come from.  A large percentage don&#039;t come from hobbyist or bug bounties.  Most come from the general development process.

Every CVE has who it comes from.  http://www.cvedetails.com/cve/CVE-2012-2373/

So idiot Brillo you can chart up the sources of every CVE report.  Microsoft are most third party almost none direct from Microsoft.  Linux on the other hand Most are direct from Linux developers to CVE with a small few from third parties.

Brillo
&quot;You clearly imcompetent oiaohm linux never locks up. In fact linux kernel with debugging built in yes linux fixes itself thus never locks up in kernel mode. kernel also attempts debug apps but will shut them down if found not fixable.&quot;

Anyone who attempt to claim that any OS never locks up due to some unexpected event is a idiot.  Human can make nothing that is perfect.

A sign that a number is bogus is when something that should be there is not there.  You will find that I have never ever said that Linux does ever not lock up.  The closest you will find is that it locks up less.

Brillo
&quot;Linux bug reports go direct thru Linus Torvalds home plumbing thus dirty and fast.&quot;
Go back, read the CVE report and notice who submitted them. Linus Torvalds of the current crop submitted none. 2 years ago there was one submitted by Linus.

Brillo
&quot;Ms does not open source to windows and reward programs are thus impossible.&quot;
http://www.csoonline.com/article/687494/microsoft-s-bluehat-goal-kill-bugs-dead

Really you are dumb enough to claim Microsoft does not pay bug bounties.  They do.  Normally with a requirement to sign an NDA.  Yes Microsoft does pay for bugs.

Do you want to keep on proving you know nothing Brillo or will you learn to do some homework first.

Brillo by the way if I want to read the source of windows I can.  All I have to do is sign an NDA.  Windows is not closed source to attackers.  The reality is lots and lots of people have access to the windows source code.

Basically this is Microsoft lets pretend to be closed source and give it to every government who wants to see it and their sub contractors.]]></description>
		<content:encoded><![CDATA[<p>Brillo<br />
&#8220;Oiaohm you idiot Linux bugs reported by hobbyists. Yes hobbyists play large part in bug reporting more than professionals. Look no further to firefox reward from report bugs for Linux.&#8221;</p>
<p>To be correct when you look at cve numbers and where those have come from.  A large percentage don&#8217;t come from hobbyist or bug bounties.  Most come from the general development process.</p>
<p>Every CVE has who it comes from.  <a href="http://www.cvedetails.com/cve/CVE-2012-2373/" rel="nofollow">http://www.cvedetails.com/cve/CVE-2012-2373/</a></p>
<p>So idiot Brillo you can chart up the sources of every CVE report.  Microsoft are most third party almost none direct from Microsoft.  Linux on the other hand Most are direct from Linux developers to CVE with a small few from third parties.</p>
<p>Brillo<br />
&#8220;You clearly imcompetent oiaohm linux never locks up. In fact linux kernel with debugging built in yes linux fixes itself thus never locks up in kernel mode. kernel also attempts debug apps but will shut them down if found not fixable.&#8221;</p>
<p>Anyone who attempts to claim that any OS never locks up due to some unexpected event is an idiot.  Humans can make nothing that is perfect.</p>
<p>A sign that a number is bogus is when something that should be there is not there.  You will find that I have never ever said that Linux does ever not lock up.  The closest you will find is that it locks up less.</p>
<p>Brillo<br />
&#8220;Linux bug reports go direct thru Linus Torvalds home plumbing thus dirty and fast.&#8221;<br />
Go back, read the CVE report and notice who submitted them. Linus Torvalds of the current crop submitted none. 2 years ago there was one submitted by Linus.</p>
<p>Brillo<br />
&#8220;Ms does not open source to windows and reward programs are thus impossible.&#8221;<br />
<a href="http://www.csoonline.com/article/687494/microsoft-s-bluehat-goal-kill-bugs-dead" rel="nofollow">http://www.csoonline.com/article/687494/microsoft-s-bluehat-goal-kill-bugs-dead</a></p>
<p>Really you are dumb enough to claim Microsoft does not pay bug bounties.  They do.  Normally with a requirement to sign an NDA.  Yes Microsoft does pay for bugs.</p>
<p>Do you want to keep on proving you know nothing Brillo or will you learn to do some homework first.</p>
<p>Brillo by the way if I want to read the source of windows I can.  All I have to do is sign an NDA.  Windows is not closed source to attackers.  The reality is lots and lots of people have access to the windows source code.</p>
<p>Basically this is Microsoft lets pretend to be closed source and give it to every government who wants to see it and their sub contractors.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Phenom</title>
		<link>http://mrpogson.com/2012/08/14/how-many-holes-are-there-in-that-other-os-its-office-suite-and-internetexploder/#comment-93932</link>
		<dc:creator>Phenom</dc:creator>
		<pubDate>Fri, 17 Aug 2012 07:36:27 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13739#comment-93932</guid>
		<description><![CDATA[Brillo, I only hope that someday I can buy you a couple of your favourite drink!]]></description>
		<content:encoded><![CDATA[<p>Brillo, I only hope that someday I can buy you a couple of your favourite drink!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brillo</title>
		<link>http://mrpogson.com/2012/08/14/how-many-holes-are-there-in-that-other-os-its-office-suite-and-internetexploder/#comment-93924</link>
		<dc:creator>Brillo</dc:creator>
		<pubDate>Fri, 17 Aug 2012 01:29:04 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13739#comment-93924</guid>
		<description><![CDATA[@Oiaohm

Oh, Oiaohm, Oiaohm... You just never give up trying, do ya? You have been proven &lt;i&gt;irrefutably&lt;/i&gt; again and again that you are both a &lt;i&gt;liar&lt;/i&gt; who makes up technical-sounding nonsense as he goes along and has &lt;i&gt;no&lt;/i&gt; understanding of your own source material. Although it&#039;s quite ironic to see that RP still clings onto you in his last-ditch effort to seek allies in his fool&#039;s errand... I mean, cause, taking you seriously is just a waste of time.

So, how about I try something new here: from now on I&#039;ll reply to you in the same way you reply to other comments, with the same made-up crap and the same lack of knowledge in everything and the same broken English. How&#039;s that?

Actually, you don&#039;t need to answer that question. You are going to get what&#039;s coming for you whether you like it or not. Let&#039;s begin...

-- BEGIN OIAOHM-SPEAK --

&lt;b&gt;Linux most are in fact reported by the Linux Kernel Developers themselves.&lt;/b&gt;

Oiaohm you idiot Linux bugs reported by hobbyists. Yes hobbyists play large part in bug reporting more than professionals. Look no further to firefox reward from report bugs for Linux.

http://www.mozilla.org/security/bug-bounty.html

As foss continues grow more reward programs will be offered to hobbyists to find bugs. Ms does not open source to windows and reward programs are thus impossible.

&lt;b&gt;In fact no. Since both are using different defines of security reporting this is why particular faults on Linux like Local DOS reported and you see no Windows Local DOS.&lt;/b&gt;

Security reporting for wide scale DDOS only. Local DOS thru intranet not possible since bug reporting repeats too many times and DOS bug report system. Sysadmin could LOIC Linux install first and report thus reduce reports sent to maintainers.

&lt;b&gt;Chris Weig you would have seen a windows machine lock-up at some point. Yet by the the number you are quoting that never happens. See the problem yet. Every lock-up under Linux is a security fault.&lt;/b&gt;

You clearly imcompetent oiaohm linux never locks up. In fact linux kernel with debugging built in yes linux fixes itself thus never locks up in kernel mode. kernel also attempts debug apps but will shut them down if found not fixable.

&lt;b&gt;Windows is some of the most exploited because the CVE report of Windows is clean. You want it dirty as possible.&lt;/b&gt;

Windows CVE report clean only because bugs are reported to local laundromats. Linux bug reports go direct thru Linus Torvalds home plumbing thus dirty and fast.

&lt;b&gt;When you limit down to take control of system. This is priv, overflow and bipass. &lt;/b&gt;

Again show you incompetent oiaohmn. Linux over report bipass also. Fact is linux also report tripass and quadpass. Windows does not report tripass and quadpass and this make CVE a shopping list for attackers.

-- END OIAOHM-SPEAK --]]></description>
		<content:encoded><![CDATA[<p>@Oiaohm</p>
<p>Oh, Oiaohm, Oiaohm&#8230; You just never give up trying, do ya? You have been proven <i>irrefutably</i> again and again that you are both a <i>liar</i> who makes up technical-sounding nonsense as he goes along and has <i>no</i> understanding of your own source material. Although it&#8217;s quite ironic to see that RP still clings onto you in his last-ditch effort to seek allies in his fool&#8217;s errand&#8230; I mean, cause, taking you seriously is just a waste of time.</p>
<p>So, how about I try something new here: from now on I&#8217;ll reply to you in the same way you reply to other comments, with the same made-up crap and the same lack of knowledge in everything and the same broken English. How&#8217;s that?</p>
<p>Actually, you don&#8217;t need to answer that question. You are going to get what&#8217;s coming for you whether you like it or not. Let&#8217;s begin&#8230;</p>
<p>&#8211; BEGIN OIAOHM-SPEAK &#8211;</p>
<p><b>Linux most are in fact reported by the Linux Kernel Developers themselves.</b></p>
<p>Oiaohm you idiot Linux bugs reported by hobbyists. Yes hobbyists play large part in bug reporting more than professionals. Look no further to firefox reward from report bugs for Linux.</p>
<p><a href="http://www.mozilla.org/security/bug-bounty.html" rel="nofollow">http://www.mozilla.org/security/bug-bounty.html</a></p>
<p>As foss continues grow more reward programs will be offered to hobbyists to find bugs. Ms does not open source to windows and reward programs are thus impossible.</p>
<p><b>In fact no. Since both are using different defines of security reporting this is why particular faults on Linux like Local DOS reported and you see no Windows Local DOS.</b></p>
<p>Security reporting for wide scale DDOS only. Local DOS thru intranet not possible since bug reporting repeats too many times and DOS bug report system. Sysadmin could LOIC Linux install first and report thus reduce reports sent to maintainers.</p>
<p><b>Chris Weig you would have seen a windows machine lock-up at some point. Yet by the the number you are quoting that never happens. See the problem yet. Every lock-up under Linux is a security fault.</b></p>
<p>You clearly imcompetent oiaohm linux never locks up. In fact linux kernel with debugging built in yes linux fixes itself thus never locks up in kernel mode. kernel also attempts debug apps but will shut them down if found not fixable.</p>
<p><b>Windows is some of the most exploited because the CVE report of Windows is clean. You want it dirty as possible.</b></p>
<p>Windows CVE report clean only because bugs are reported to local laundromats. Linux bug reports go direct thru Linus Torvalds home plumbing thus dirty and fast.</p>
<p><b>When you limit down to take control of system. This is priv, overflow and bipass. </b></p>
<p>Again show you incompetent oiaohmn. Linux over report bipass also. Fact is linux also report tripass and quadpass. Windows does not report tripass and quadpass and this make CVE a shopping list for attackers.</p>
<p>&#8211; END OIAOHM-SPEAK &#8211;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brillo</title>
		<link>http://mrpogson.com/2012/08/14/how-many-holes-are-there-in-that-other-os-its-office-suite-and-internetexploder/#comment-93919</link>
		<dc:creator>Brillo</dc:creator>
		<pubDate>Fri, 17 Aug 2012 00:35:19 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13739#comment-93919</guid>
		<description><![CDATA[&lt;b&gt;I should have written, “the last year” instead of the last “six months”.&lt;/b&gt;

And that only accounts for bugs that have been &lt;i&gt;discovered&lt;/i&gt; in the last six months. Most of these bugs have already been around for much longer than that length of time.

The way you slice the figures simply makes no sense.

This is, of course, not to mention that the value of &quot;&lt;a href=&quot;http://www.techrepublic.com/blog/security/theres-more-to-security-than-counting-vulnerabilities/268&quot; rel=&quot;nofollow&quot;&gt;evaluations&lt;/a&gt;&quot; based on vulnerabilities discovered is always at best &lt;i&gt;questionable&lt;/i&gt;.

&lt;b&gt;because they are on more PCs it does way more damage&lt;/b&gt;

So how would the picture become different if all these PCs were given a Debian install instead? At the end of the day, you still have all the holes in the kernel and the same amount of users. I am sorry but unless you can convince me that Linux has in fact some sort of magical power that stops exploits &lt;i&gt;dead&lt;/i&gt; from their tracks, you are still not making any sense.

Of course, by &quot;magic power&quot; I don&#039;t mean:


The number of &quot;developers&quot; working on the source code - in part or in whole. Unless you can convince me that &lt;i&gt;every&lt;/i&gt; segment - right down to every character - of the code in question is examined by this same number of &quot;developers&quot;, who are professionals with strong backgrounds in evaluating vulnerabilities and not students, hobbyists or even professionals with little of such knowledge, the number itself is simply &lt;i&gt;worthless&lt;/i&gt;.
Mitigatory measures against exploits. These include ASLR, NX bit, StackGuard, PaX, and other &lt;i&gt;stalling&lt;/i&gt; tactics that slow down but do not prevent the development of exploits. Any financial or political incentive large enough will simply override the apparent difficulty to develop an exploit that can be launched against a target, and I don&#039;t see you promoting anything other than &quot;Debian GNU/Linux&quot; (because, in your opinion, &quot;it just works&quot;).
Worms, trojans and other malware. Let&#039;s face it - they are just exploits wrapped in packages aimed at users running the same operating system. The lack of financial incentives (such as the only existing target being a home-grown vegetable farmer in Manitoba) might prevent such packages from being created, but as the number of users grows, so will the financial incentives. Again, the problem here is that I don&#039;t see you promoting anything other than &quot;Debian GNU/Linux&quot;.


Alas, maybe I have over-killed here since thus far I have not yet seen an argument that is not along the lines of:


Linux is more secure because it has less pieces of malware than Windows.
Linux has less pieces of malware than Windows because it is more secure.


See the problem there? That&#039;s &lt;i&gt;circular reasoning&lt;/i&gt;. Am I supposed to not laugh at this, RP?]]></description>
		<content:encoded><![CDATA[<p><b>I should have written, “the last year” instead of the last “six months”.</b></p>
<p>And that only accounts for bugs that have been <i>discovered</i> in the last six months. Most of these bugs have already been around for much longer than that length of time.</p>
<p>The way you slice the figures simply makes no sense.</p>
<p>This is, of course, not to mention that the value of &#8220;<a href="http://www.techrepublic.com/blog/security/theres-more-to-security-than-counting-vulnerabilities/268" rel="nofollow">evaluations</a>&#8221; based on vulnerabilities discovered is always at best <i>questionable</i>.</p>
<p><b>because they are on more PCs it does way more damage</b></p>
<p>So how would the picture become different if all these PCs were given a Debian install instead? At the end of the day, you still have all the holes in the kernel and the same amount of users. I am sorry but unless you can convince me that Linux has in fact some sort of magical power that stops exploits <i>dead</i> from their tracks, you are still not making any sense.</p>
<p>Of course, by &#8220;magic power&#8221; I don&#8217;t mean:</p>
<p>The number of &#8220;developers&#8221; working on the source code &#8211; in part or in whole. Unless you can convince me that <i>every</i> segment &#8211; right down to every character &#8211; of the code in question is examined by this same number of &#8220;developers&#8221;, who are professionals with strong backgrounds in evaluating vulnerabilities and not students, hobbyists or even professionals with little of such knowledge, the number itself is simply <i>worthless</i>.<br />
Mitigatory measures against exploits. These include ASLR, NX bit, StackGuard, PaX, and other <i>stalling</i> tactics that slow down but do not prevent the development of exploits. Any financial or political incentive large enough will simply override the apparent difficulty to develop an exploit that can be launched against a target, and I don&#8217;t see you promoting anything other than &#8220;Debian GNU/Linux&#8221; (because, in your opinion, &#8220;it just works&#8221;).<br />
Worms, trojans and other malware. Let&#8217;s face it &#8211; they are just exploits wrapped in packages aimed at users running the same operating system. The lack of financial incentives (such as the only existing target being a home-grown vegetable farmer in Manitoba) might prevent such packages from being created, but as the number of users grows, so will the financial incentives. Again, the problem here is that I don&#8217;t see you promoting anything other than &#8220;Debian GNU/Linux&#8221;.</p>
<p>Alas, maybe I have over-killed here since thus far I have not yet seen an argument that is not along the lines of:</p>
<p>Linux is more secure because it has less pieces of malware than Windows.<br />
Linux has less pieces of malware than Windows because it is more secure.</p>
<p>See the problem there? That&#8217;s <i>circular reasoning</i>. Am I supposed to not laugh at this, RP?</p>
]]></content:encoded>
	</item>
</channel>
</rss>
