Extremadura Goes All the Way

Extremadura was in the news years ago for rolling out a lot of GNU/Linux desktops overnight. Now that they have more experience and presumably a more complex system, they are going to a complete Debian GNU/Linux solution on all desktops over the next few months.

“The CIO says the most important reason for the migration to open source is the need to unify all the desktops of the civil servants. The desktop needs to be strong, easy to use and easy to manage and support remotely, without viruses and free from security problems which are common to proprietary solutions. “And of course, it needs to be free. Because our budget for this plan is of zero euros.””

So, what some supporters of that other OS claim, that applications require people to run that other OS is just untrue. The last few thousand desktops in Extremadura’s government say so.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology. Bookmark the permalink.

113 Responses to Extremadura Goes All the Way

  1. oiaohm says:

    tmrepository Flying Toaster.
    “there is no logical reason whatsoever testing if a pointer is NULL somewhere after you have dereferenced it.”
    Exactly that is the point. Complier should reject code with defects like that. Not attempt to correct it. Because the complier built what is invalid code. Then optimised invalid code out of existence so creating secuirty flaw. Compiler screwed up.

    What you are not getting the superblock in ext2 ext3 and ext4 reference the inode tables. If you have lost the superblocks and the inodes tables then you are in big trouble.

    Lose of superblocks is a pain because you have to know the format flags used to make the filesystem to put the superblock back right. Lose of the superblocks is not fatal to data. Recovery from lost superblock is risky to a point. You must image before attempting. You get one flag wrong you will not recover data but damage data. So if you just applied mke2fs -S to a drive expecting data back you most likely will get nothing most likely will get 1 flag wrong that is all it takes. And there are multi backups of the super-block.

    If you cannot reconstruct the superblock. You can locate the inode tables. That contains enough information to recover file data and file names. Maybe with directory structure a bit screwed up.

    The man requires a big scary warning so idiots don’t just attempt using that feature so destroying data. Man pages sometimes have to lie a little for people general safety.

    Yes there is a formal method to detecting old copies of libraries in memory. As well. The method shown on tmrepoistory can be extended to a puppet or cfgengine script that will detect any old libraries in use and terminate and restart effected services and applications. Not just selected out of date library.

    So making the tmrepoistory example crap. Could say that the Linux users should be using the following script that will detect and clean up all old parts left on the system so making the system secure. So Linux does not require reboots when in hands of skilled people. When in hands of unskilled completely different matter.

    So as normally tmrepoistory is bogus.

    Linxusoid Microsoft still holds the record for the longest time to fix a secuirty bug. 12 years + and still counting. Really your 3 days MS close a bug you got be kidding me.

    That Linux flaw mostly was not accessible because on line servers don’t run X11. So was a LAN area attack only.

  2. Linxusoid says:

    Linxusoid continues to move the goal posts in hopes of a win
    Moving the goalposts? OK, let’s get it straight. Stand straight and tell us you think that either
    1. Running random crap from the internet on your machine is not stupid?
    or
    2. Not applying security updates (as Linux does) is not stupid?

    Or maybe both? Where exactly did I move the goal posts?

    You should know that in many situations, the user has not administrator privileges and cannot install updates.
    And it’s me who is moving goalposts, right? We can go into discussion about stupidity of admins, who disable both automatic updates and Users’ ability to apply them manually (both enabled by default). We can discuss reasons why malware would need administrative privileges to run botnet client, send spam or steal user’s passwords at all. We can discuss a lot of things, but how is this related to the FACT that there was no malware outbreaks in the last 10 years, that didn’t depend on user’s stupidity?

    Well, I am three time zones east of Redmond WA. They release early in the morning, right in the middle of my day. TL;DR
    OK, you’ve provided 3 days window of opportunity to the malware writers. It should be obvious that unlike Linux where some publicly known critical vulnerabilities remain unpatched for 6 (SIX) years and even when they provide timely patch, Linux conveniently doesn’t really apply them, 3 days window is a major disaster when we are talking about Windows. I would like to see any evidence from you, that attacker could reverse engineer Microsoft’s patches, write reliable exploits and start broad “attack” in a 3 days period.

  3. Flying Toaster says:

    The system was set up by an MSCE. I had nothing to do with configuring it but just to keep it going.

    Or not, since it was not working and you obviously did not even try and get it work again.

    for f in list_of_ips;do ssh $f “apt-get update;apt-get upgrade&exit;”&end and I get on with my day.

    True that… Or really?

  4. With GNU/Linux, I have no problem implementing updates in real time while systems are in use. In particular, the terminal servers are always up.

    for f in list_of_ips;do ssh $f "apt-get update;apt-get upgrade&exit;"&end and I get on with my day.

  5. FT, my boss was of the opinion that the system worked perfectly and he forbade me to change anything. I could have been fired for enabling automatic updates. He eventually asked me (under pressure by teachers) to install GNU/Linux in the old lab because it just was not functional with XP.

    The system was set up by an MSCE. I had nothing to do with configuring it but just to keep it going.

  6. Flying Toaster says:

    Well, I am three time zones east of Redmond WA. They release early in the morning, right in the middle of my day.

    Again, that’s strictly a problem between you and your company’s policy. Switching from Windows to Linux or Solaris or anything simply won’t change any part of that equation by even the slightest. When a patch gets released, it gets released worldwide at the same time, and people live with that fact whether they are in Europe or the Pacific Rim – and we are talking about time differences of far more than just an hour or so.

    The next day, inevitably, there would be a bunch of PCs that had not communicated with WSUS, so it would take another day of vulnerability on some of the PCs.

    And you never looked into the issue? Never rang up MS and asked a single question? Never even tried and looked for a solution on Google?

  7. Flying Toaster says:

    That is the point. The compiler cannot get every case right on it own. Once a compiler is thinking for the coder the ***compilers creates secuirty flaws***.

    Let’s face it – there is no logical reason whatsoever testing if a pointer is NULL somewhere after you have dereferenced it. If the compiler tells you about every line of code it has optimized, your screen will be deluged with warning messages.

    In a nutshell: stuff like this needs not be warned, as stuff like this is never supposed to be in your code anywhere.

    And, as I said, you can’t expect the compiler to warn you about NULL pointers, and you can’t expect the compiler to do anything at all if the pointer itself is a parameter of a function. Even managed code such at that in Java or C# can only tell you about NULL pointer exceptions during run-time. In C, you can only hope that the resultant mess somehow triggers a segfault or else you pretty much have to expect everything to happen.

    This is not even to mention that following your line of argument, there is still no point in having the code as, unless you know where to look, there is simply little chance for you to catch the bug (as the compiler – the one tool that you rely on – simply won’t tell you a thing about what has gone wrong in the code, and sloppy crap like this is virtually littered everywhere in the kernel source).

    You can rebuild a ext2/3/4 filesystems without superblocks. To be correct you can recover full files from worse.

    To set the matter straight, here’s an explanation on file-system superblocks. If you think having lost a superblock completely is a trivial matter, then think again (particularly given what Ts’o himself has said in that email). Sure, there is a chance you can salvage something with recovery programs, but there is no guarantee what that something is going to be, and your claim about “100 percent” is at best dubious if not downright false.

    Yes mke2fs -S is basically a search of disk for ext2/3/4 structures and attempt to jigsaw what you find back into one piece does need the format command used to make the disk so it can jigsaw.

    I am getting really sick of your bogus nonsense, so all I can say here is, “Read the fscking manual.

    The issue with NTFS is the issue of it still mounting after the file-system is screwed and it don’t know better.

    *yawn*

    http://www.linuxquestions.org/questions/linux-general-1/file-directory-corrupted-on-external-ext3-usb-drive-733733/

  8. Flying Toaster wrote, “For example, M$ releases the patches at a convenient time in M$’s timezone so they may be installed a day late in other timezones

    Never heard of such a thing. And I live in a decidedly different time zone from yours.”

    Well, I am three time zones east of Redmond WA. They release early in the morning, right in the middle of my day. I could not tell everyone in the building to reboot their PCs, so I put on automatic updates to do the thing late at night. That leaves us vulnerable to zero-day attacks for one working day. The next day, inevitably, there would be a bunch of PCs that had not communicated with WSUS, so it would take another day of vulnerability on some of the PCs. I had two days of worry just because we were using M$’s stuff. I grew tired of that. Some of the malware coming down the pipe was quite scary, sabotaging infrastructure in horrible ways or invading privacy or leaving doors open for other stuff… There was no end to it. I was glad to leave that place.

  9. Flying Toaster says:

    Correction:

    toasts

  10. Flying Toaster says:

    @Rob

    You should know that in many situations, the user has not administrator privileges and cannot install updates. I worked at a place like that. It was so tedious that I, without permission of bosses, enabled automatic updates which could have been disastrous…

    So, you are citing a scenario entirely based on human stupidity in order to proof what? That it is somehow not human stupidity? In fact, tell me – how hard is it supposed to be to test the latest updates on a machine or two before integrating them into the production environment? Microsoft had nothing to do with your company’s bureaucracy. And don’t forget as well that you need superuser’s privilege in order to update your Linux system.

    This is unless, of course, you somehow believe that not updating your Linux system is a good idea (and it’s not). Otherwise, I don’t honestly see you have any valid point there.

    For example, M$ releases the patches at a convenient time in M$’s timezone so they may be installed a day late in other timezones

    Never heard of such a thing. And I live in a decidedly different time zone from yours.

    @oiaohm

    Flying Toaster In fact I have already given a part example with the UAC elevation without user being informed.

    Again, read your own link before posting it. You can’t keep counting on other people to do your homework for you, can ya?

    “However, in conjunction with the default Windows 7 UAC policy and this vulnerability, the potential impact of RCE vulnerabilities is raised, as the malicious code executed could silently elevate itself to have much more free reign over the system than before.”

    This exploit is purely because injection powers are two high.

    It’s getting tiresome watching you making things up on the spot. I understand you may have trouble comprehending the English language (or any written language for that matter), but offering made-up nonsense where facts are due is just plain pathetic. “Injection powers”? I am sorry, but I never noticed we were in any way discussing the intricacies of internal combustion engines.

    Linux traditionally works by a tighter rule than session.

    Utter nonsense. Putting aside all that “debugging” program fairy-tale bullcrap, all you need in a *nix system is a sudoer account and you are toasts.

    Yes once you have got to admin level as the user by any means the session split under windows no Longer exists at all.

    And the reason you want to do everything as a member of the Administrators group (instead of, say, the Power Users group) is completely beyond me. Why not try and run everything as SYSTEM when you are at it?

    And, as Linsuxoid points out, all that stuff you say about SeDebugPrivilege is simply bogus.

    Look at the MS debug crash window path you will find something nicely not secured.

    Really? Have you even tried and understood why or when those “debug crash windows” pop up and from where/to whom? Seriously, could you please stop making up bogus nonsense just for once?

    If you did deeper you will find that the protected services are not that protected either. Because you have missed once you get to admin level anywhere you can insert a root kit disabling the protected services protections.

    Italics mine. Seriously, oiaohm. Seriously.

  11. Linxusoid continues to move the goal posts in hopes of a win, “Go ahead and find a single widespread worm that:
    1. Didn’t rely on user to deliberately run it
    2. Didn’t rely on user to not install updates for weeks/months”

    You should know that in many situations, the user has not administrator privileges and cannot install updates. I worked at a place like that. It was so tedious that I, without permission of bosses, enabled automatic updates which could have been disastrous… Now he will have to add a third line to move the goal posts a bit further. Then I will mention zero-day attacks, where the bad guys (not M$, who are also bad) get a clue a few days before the updates are available/installed on all machines even if the administrator is willing/doing his job. For example, M$ releases the patches at a convenient time in M$’s timezone so they may be installed a day late in other timezones and some machines don’t take updates properly on the first try of automatic updates, and…

  12. Linxusoid says:

    You know what, I’m generous today, here is some help. Go ahead and find a single widespread worm that:
    1. Didn’t rely on user to deliberately run it
    2. Didn’t rely on user to not install updates for weeks/months

    Report back here – I’ll be waiting

  13. Linxusoid says:

    Glad you’ve mentioned Blaster, since it’s one of few worms, where original author has been caught and has admitted that he have found vulnerability by reverse engineering Microsoft’s patch, released a month before first discovery of the Blaster.

    Same with Sasser. Patch was issued almost 3 weeks before first discovery of the worm.

    I call not applying security patches for weeks (and months, because it actually become pandemics several months later) – yes, you’ve got it – a stupidity. Stupidity that Linux package managers have by design (they are known to not update software even when they report that everything is updated), so you don’t have to rely on stupid user (well, let’s ignore pretty telling fact that the user is using Linux in first place) to not update his system.

  14. Linxusoid wrote, “Please, give me a single example of major Windows pandemics in the last 10 years, that didn’t rely on user’s stupidity.”

    See Blaster:
    The worm spread by exploiting a buffer overflow discovered by the Polish cracking group Last Stage of Delirium in the DCOM RPC service on the affected operating systems, for which a patch had been released one month earlier in MS03-026 and later in MS03-039. This allowed the worm to spread without users opening attachments simply by spamming itself to large numbers of random IP addresses. Four versions have been detected in the wild.”

    This spread without user intervention so the intelligence of the user was not in question unless it was to use a PC running that other OS. A place where I worked had actually pulled the plug to avoid that one.

    Then there was Sasser

    So, two for the price of one. I am generous.

  15. Linxusoid says:

    That’s why I use GNU/Linux. I don’t have to be a security expert to keep from getting owned by the bad guys.
    Because, you know, just not being stupid is not enough, right? You insist on your right to be stupid or what?
    Please, give me a single example of major Windows pandemics in the last 10 years, that didn’t rely on user’s stupidity.

    You can’t fix stupid (even though Microsoft makes a major progress even here). If stupid user installs Linux he makes things WORSE – not better.

    When I was using Microsoft’s Windows, I had to stay abreast of all the latest virus detection software, firewalls, adware and registry cleaners
    Cool story, bro. My 7 y.o. kid does better job than you (and did better 1 year ago). Yes he does have his own computer.

    Do you really think Windows is equal to Linux in security?
    OF COURSE I DON’T. Linux’s “security” is a joke compared to one of Windows. In fact there is no such thing as “Linux security” – there are dozens of incompatible and ugly patches to workaround stupidity of some earlier ugly patches, while in Windows we have a consistent, flexible and powerful DESIGN from day 1.

  16. Kozmcrae says:

    “I’m telling that none of the Linux white knights here have a tiniest clue about security, filesystems or software design in general.”

    You pegged me pretty good Linxusoid. That’s why I use GNU/Linux. I don’t have to be a security expert to keep from getting owned by the bad guys. When I was using Microsoft’s Windows, I had to stay abreast of all the latest virus detection software, firewalls, adware and registry cleaners (I know some people said never use them because they could scramble your registry, but I found it could do that by itself anyway.). It was a Royal PITA. Wait, you know all this, so why am I telling you? Do you really think Windows is equal to Linux in security? No one in their right mind would believe that.

  17. Linxusoid says:

    Apple doesn’t count of course.
    Since when OSX is a “BSD installation”?

  18. Linxusoid says:

    Reading comprehension problems? Not surprised.

    I’m telling that none of the Linux white knights here have a tiniest clue about security, filesystems or software design in general.

    That doesn’t prevent them from being loud and aggressive. That’s pretty much how most other ultra-religious folks behave.

    Seriously guys, educate yourselves. If nothing else, it will give your pro-Linux rants at least some credibility.

  19. Kozmcrae says:

    So Linxusoid, what are you trying to say?

  20. Kozmcrae says:

    “How many installations of BSD (any flavor) are there?”

    Apple doesn’t count of course.

  21. Linxusoid says:

    Linux advocate modus operandi: make a lot of stupid claims in hope that your opponent will get bored and something will “stick”.

    Linxusoid read the Linux implementations of selinux and smack. MAC systems. Both include terminate on offense.
    Still don’t get what MAC is, do you? Again, termination doesn’t have anything to do with MAC. Period.

    For all attacks it basically equal to suid. With CAP_SYS_PTRACE or SE_PRIVILEGE_ENABLED.
    Oh, really? Let’s assume that Administrators is roughly equivalent to root. So, I’ve just made “copy cmd.exe su.exe”, where exactly should put that “SE_PRIVILEGE_ENABLED” to make this su.exe to always execute elevated without explicit user consent?
    Or maybe you just belive those who are smarter than you, that privileges belong to user tokens and not to executables?

    There are many bits that basically equal sudo rights when you have them.
    See that “when you have them”? That’s quite important. Administrators could live a perfect life without SeDebugPrivilege. Classic UNIX security CANNOT do anything administrative without total and unrestricted access to the system (which is superuser) – it’s all-or-nothing security (superuser is a special hack around stupid triplet based security and suid/sgid are special hacks around superuser and sudo is a special hack around suid/sgid)

    Linxusoid that inject demo of yours on Linux does not work on hardened Linux systems while running in secure mode.
    And that inject demo of YOURS has following:

    if (!Elevated)
    {
    // Elevate the process.
    if (GetModuleFileName(NULL, szPath, ARRAYSIZE(szPath)))
    {
    // Launch itself as administrator.
    sei.lpVerb = TEXT(“runas”);
    sei.lpFile = szPath;
    sei.hwnd = NULL;
    sei.nShow = SW_NORMAL;

    if (!ShellExecuteEx(&sei))
    {
    MessageBox(NULL, TEXT(“ShellExecute() failed!”), APP_TITLE, MB_OK);
    return -1;
    }
    }
    return 0;
    }

    It elevates itself by asking user to elevate. Oh, very smart attack, don’t you think so?

    Yet the LSM MAC systems using in hardened Linux systems will not allow it to operate.
    Oh really? And SRM DAC systems used in normal Windows for 20 years do “not allow it to operate”. Now, tell me, how exactly MAC helps here.

    Linux is nice this way just because you can code something does not mean it will run on all Linux systems. Injection is only for when system is allowed to be.
    Seriously? How about those gaping DESIGN holes (at least two of them) in X that will expose your root password to anyone once you enter it into either terminal or sudo? Open and publicly known for 20 years already. Nobody cares.

  22. oiaohm says:

    Linxusoid read the Linux implementations of selinux and smack. MAC systems. Both include terminate on offense. This is secuirty. Something does something it should not die. If you read making a MAC to old US Mil standard MAC must include this feature.

    “SE_PRIVILEGE_ENABLED doesn’t align to “sudo bit”. It’s just a flag that all privileges could have. SeDebugPrivilege aligns to CAP_SYS_PTRACE in Linux (and in general Linux’s caps are analogues of Windows’s privileges – only 10+ years later)”

    For all attacks it basically equal to suid. With CAP_SYS_PTRACE or SE_PRIVILEGE_ENABLED. It fairly simple then to work out how to get into something with higher privileges than you and steal those privileges. Unless you run into something like selinux roles or cgroup pid that stops you from interfacing with the other processes.

    There are many bits that basically equal sudo rights when you have them. This is why privilege rights should only be given to programs that cannot be injected ever while in secure running.

    Linxusoid that inject demo of yours on Linux does not work on hardened Linux systems while running in secure mode. Yes demo code how to inject. Yet the LSM MAC systems using in hardened Linux systems will not allow it to operate.

    Linux is nice this way just because you can code something does not mean it will run on all Linux systems. Injection is only for when system is allowed to be.

    Notice something here you have nothing to win with. All linxusoid and Flying Toaster is trying is smoke and mirrors without enough information on what works and what does not.

  23. oiaohm says:

    Flying Toaster In fact I have already given a part example with the UAC elevation without user being informed.

    http://www.istartedsomething.com/20090613/windows-7-uac-code-injection-vulnerability-video-demonstration-source-code-released/

    Really the UAC breach is not wild imagination.

    The control interface is user session code of UAC that can be controlled by injection code to get the UAC set what ever the injector wants.

    Because to inform user of error it has to enter the users session. So once in the users session the user can inject into it and alter what the end users sees and even approve for the end user. Its now on the same level.

    This exploit is purely because injection powers are two high.

    There are many badly written programs out there that enable SE_PRIVILEGE_ENABLED and open up a interface to the users desktop in a way that is inject-able.

    Linux traditionally works by a tighter rule than session. Application can only debug what it starts. This stops the side ways path in the session. Also suid bit binaries are normally off limits to debuging. 2005 there was a glitch that now makes it as bad as windows. Where you can now exploit a privileged application the user run. This is how you get out of windows secuirty. Wait around for a user to run an application with the wrong privileges or run it yourself.

    Session is not as split as what you think.

    http://blogs.technet.com/b/chad/archive/2011/06/20/tip-41-the-phantom-of-the-session-0.aspx
    Yes once you have got to admin level as the user by any means the session split under windows no Longer exists at all. Yes Wild right that as administrator you can start an application on anyone desktop in the system. Kinda say by by to role based secuirty at this point and any session protection you thought the system had. Remember anything you start in another session from a application with SE_PRIVILEGE_ENABLED that application starting in the other session has this privilege if you do it right.

    Next question why in heck and the administrator start application in anyone session. I can understand administrator being able to kill a session or kill applications in a session. But start what ever into a running session without the user knowing what happened this is not exactly good.

    “you can’t even obtain PIDs that are not associated to you.” That is not correct you cannot associated with PID’s that are not in linked to the session. But that really does not matter once you get high enough and you can start a process in any session and attack what ever is in there from the correct session.

    Session isolation is basically a figment of MS mind basically. As soon as you start testing you start finding its really simple to get between sessions. Too easy in fact.

    MS session isolation is not like Linux cgroup PID or selinux roles that work.

    “You are allowed to fiddle with the “debugging” process.” Look at the MS debug crash window path you will find something nicely not secured.

    If you did deeper you will find that the protected services are not that protected either. Because you have missed once you get to admin level anywhere you can insert a root kit disabling the protected services protections. This is why MS is now needing to secure boot form boot loader windows 8.

    Injecting basically with careful planing can get you to administrator or higher. From administrator nothing is off limits.

    Injection allows all kinds of horrid ways of getting up to administrator and higher and take out the complete system. Injection is one of those operations that should be highly controlled.

    Very much like Linux running proper selinux step. Unless the application is particularly enabled for debugging or equal injection should be rejected.

    Yes Windows has session injection just as much a application injection both not properly secured.

    This is the problem you find door hole after door hole. Key design parts have not been done.

  24. Flying Toaster says:

    @oiaohm

    I misread. Your nutty sermons are apparently directed at me, so here goes:

    I am the user of the application so I can inject code into it. The application I am inject code into does not have to be my child. Basically its the /proc/pid/men bug but its default windows.

    Windows doesn’t have “/proc/pid/mem”, by default or otherwise. What it does have is a set of functions, namely, ReadProcessMemory() and WriteProcessMemory(). See below.

    Example of the flaw. Run it and play a little how many of your desktop processes you can just inject sideways into.

    And not from above or below? My-oh-my, I am shocked!

    Read source #2. Read it carefully. See what it is there for? It’s a library for providing the likes of WriteProcessMemory() in Windows 9x for remote code injection. The stuff demonstrated in your link simply wouldn’t work without functions like that. And guess what? WriteProcessMemory() is subject to the access restrictions imposed upon by the kernel itself, and that means without sufficient privilege, you can’t just go around and fiddle with every process you come across. And, no, UAC is enforced by the kernel itself, not just some random process like you think it is.

    Here is the next bug to complete the evil pair. Running as administrator you get this. Next but worse is a debugging process that has been triggered because a application has crashed by your user can be running at a lower privileged process than your processed but have SE_PRIVILEGE_ENABLED attached so you can inject into the process without question.

    Theoretically, there is no doubt about that, but in order to realize such an attack, you’ll need:

    1) A process with sufficient rights opening up a “debugging” process with SeDebugPrivilege enabled, and
    2) You are allowed to fiddle with the “debugging” process.

    Don’t forget, too, that the kernel enforces session isolation, and that means, without sufficient privilege, you can’t even obtain PIDs that are not associated to you. Show me a real-life example in which your proposed scenario applies, or else I’ll just have to write it off as another piece of nonsense you have made up on the spot.

    Guess what this keeps on happening bug after bug after bug that create a privilege exploit on windows.

    No, privilege escalation doesn’t work that way. Even your link tells you that the demo doesn’t work on “idle process (PID = 0), system process (PID = 4) and protected processes”, and your wild imagination about UAC simply won’t change that.

  25. oiaohm says:

    Flying Toaster
    “All the compiler did was taking away a NULL pointer check that should have been done before “tun->sk”. You can’t expect the compiler to know if tun is NULL in every case.”
    That is the point. The compiler cannot get every case right on it own. Once a compiler is thinking for the coder the ***compilers creates secuirty flaws***.

    Since the compiler does not know exactly should inform coder of its actions that might or might not be safe.

    The compiler took what should have been either a error or a complete failure and turned it into a secuirty flaw. Compiler used is a important factor on how good the binaries you are using are. This is something people like to forget.

    Error path saw tun->sk not returned to user-space and it was not used in the middle between the check for null. It was set then checked. Ie backwards. Backwards should really bring up a compiler error ok why in hell are you checking this basically.

    If compiler had raised a warning the build process of kernel would have stopped at that point. Because warnings under gcc with Linux kernel becomes fatal errors to the build process. So secuirty exploitable binary would have never existed.

    Yes the compiler had a defect. Dead code is also a waste of space in the code base. So compilers telling developers what code they call code path dead is a good thing.

    Flying Toaster
    “And without a backup (for the superblock, no less), the chance you can salvage anything is pretty slim.”

    You can rebuild a ext2/3/4 filesystems without superblocks. To be correct you can recover full files from worse. http://www.sleuthkit.org/autopsy/ Autopsy knows ext2 and ext3 and ext4 structures and will locate directories that information is still intact. As long as they have not been over written. Its basically 100 percent that you will recover something as long as the drive spins and has not been overwritten. autopsy can take a pretty good guess at what the ext superblocks should be.

    Recovery the file system 100 percent finding a super-block is kinda helpful.

    mke2fs -n /dev/hda1 lists all backup superblocks. Notice the person does not send another email. Most likely the prior pair were not damaged. But due to the fact that might be missing a bit of time ext file systems don’t mount. So you can image the harddrive before doing that. To prevent data loss.

    mke2fs -S will attempt to rebuild the ext filesystems without super-blocks. Of course its recommended to duplicate the hard-drive first and and duplicate of the duplicate before attempting it.

    Yes mke2fs -S is basically a search of disk for ext2/3/4 structures and attempt to jigsaw what you find back into one piece does need the format command used to make the disk so it can jigsaw. So yes a ext file system can be very major-ally damaged and you will get data recovery. Its mentioned in the email by the way Flying Toaster. Yes if you have balls you can delete the superblocks on ext2/3/4 run mke2fs and most likely you will get everything back as if nothing was damaged. If mke2fs goes wrong or will not do it you will want to perform Autopsy from sleuthkit. Lot of other meta structs can be deleted as well without effecting recovery of the data. Ext is quite a strong file system.

    So were is the zero data recovery point. It does not exist here. Also notice the person did not come back saying they failed to recover asking for more assistance.

    Final level of recovery is break out something like photorec or Foremost to hunt the files down on the disk. Of course this is only possible if the disk has not been overwritten.

    Failure is sometimes exactly what should happen. Disk damaged fail give a person a chance to image it.

    The issue with NTFS is the issue of it still mounting after the file-system is screwed and it don’t know better. Result is the file-system could have a overwrite event of someone placing a few files on that disk so making recovery impossible.

    MFT handling failure is one of NTFS biggest issues.

    I can tell that Flying Toaster is a Windows user is use to the fact that a failed file system equals lost data. This is not the case. Failed file-system and data are two separate things.

    Also that ext3 example was from 2003. Ext3 did not get declared production until 2004. Mind find an example from when it was production rated.

    Yes ext3 is quite young. Invented nov 2001 2002 it was still development end of 2003 it was declared production.

    As normal Linux hates cannot use anywhere near current bugs. Yes section of super-block handling was corrected in ext3 in 2003.

  26. Kozmcrae says:

    “Your discussion, therefore, should concentrate on how Linux is more secure than FreeBSD or OpenBSD. (Here’s a hint: it isn’t.)”

    You are right, BSD is more secure than Linux. I was referring to Linux vs Windows since that is what we are usually talking about here. It completely slipped my mind about BSD. How many installations of BSD (any flavor) are there?

  27. Flying Toaster says:

    “You don’t know C or kernel mode. Dereferencing a nul at runtime is valid. Nothing illegal about performing a referencing on a Null. If you have access to that address at runtime is another thing. Crash is memory error that may or may not happen.”

    Amazing, oiaohm! Of course there is nothing wrong about dereferencing a NULL so as long as you treat C as much a free-for-all as you do with the English language. Hell, why not dereference an undefined pointer when you are at it?

    And all this occurs in the kernel mode, no less.

    In fact its both. Compiler and sloppy code. Gcc was revised. If it was removing checks if a pointer was null for any reason send up a message since there should be no null checks on dead code paths.

    I cannot vouch for this, and since almost everything you have said (saving the MFT part) has no cited source, I have all the reasons to doubt any changes in GCC will amount to anything in this regard, especially if “tun” is a parameter passed to a function.

    I am nevertheless glad that you at least admit the code was indeed sloppy.

    Lets think this through. If the thing triggered a memory fault the system would crash so no secuirty flaw. If the check run it would error out again no secuirty flaw. Bad code yes. Secuirty flaw no.

    I don’t think you are thinking this through. The bottom-line here is that you should never, ever have a piece of code attempting to dereferencing a NULL anywhere in your software. According to your logic, there is nothing wrong with dereferencing an undefined pointer either as long as it is pointing (randomly) at something and not giving you a segfault, and that’s insane.

    Yes compiler turns a computer crash fault into a secuirty flaw. Yes the one you pulled is a complier fault and sloppy code. Really hazard conditions this is.

    All the compiler did was taking away a NULL pointer check that should have been done before “tun->sk”. You can’t expect the compiler to know if tun is NULL in every case.

    That ext3 example you gave Flying Toaster. Is not what NTFS is doing. Read what you posted. Ext3 not coming up clean. You run the checks on the file-system and its yelling and screaming something is wrong.

    Yeah, it’s called “a damaged superblock”, in case you are wondering.

    And without a backup (for the superblock, no less), the chance you can salvage anything is pretty slim.

    Read the email.

    NTFS with MFT damage. Basically pretends everything is good.

    Why, you have a problem with that? The MFT is pointing at something, no? So, what’s your complaint?

    Of course I am kidding, but somehow I just don’t know how to find a part of me that can take you seriously.

    That ext3 has done what it proper should have.

    Yeah, it’s called “going belly-side up”. Not so proper if what you care about is your data, though.

    I shall leave the rest to Dr. Loser.

  28. Linxusoid says:

    Oh and to no surprise you’ve got MAC vs DAC thing wrong. MAC doesn’t have anything to do with killing process on failure.

  29. Linxusoid says:

    From here magic mix to make a Windows privilege exploit. Yes you could say SE_PRIVILEGE_ENABLED aligns to sudo bit in Linux in Dr Loser example. You just need to find a suitably SE_PRIVILEGE_ENABLED application and run it then inject into it. After that system is yours.

    So, you are basically admitting that you HAVE NO CLUE about either Windows or Linux. You can’t even get terminology right – let alone actual understanding of how things work.

    1. SE_PRIVILEGE_ENABLED doesn’t align to “sudo bit”. It’s just a flag that all privileges could have. SeDebugPrivilege aligns to CAP_SYS_PTRACE in Linux (and in general Linux’s caps are analogues of Windows’s privileges – only 10+ years later)
    2. There is no such thing as “sudo bit”. There are suid/guid bits and that abomination named superuser. Neither of those Windows EVER had.
    3. To inject code into privileged process you should ALREADY have privilege (SeDebugPrivilege is only granted to Administrators) or someone privileged should grant you that right EXPLICITLY through ACE.

    I have named the fault Flying Toaster. With example code and all.
    No, you haven’t. Your “example code” is somewhat similar to this http://www.linuxjournal.com/article/6210 (read from “To inject code”) – you can do this only if you already have privileges (well in case of Windows they are flexible and controllable in runtime, in case of Linux they are mostly hardcoded right into kernel – do you understand difference between code and configuration?).

    God, will I ever see a single Linux advocate that is not so glaringly technically illiterate?

  30. oiaohm says:

    Dr Loser the attack was pure dependant on the /proc directory interface being read/write. This is not true under a Selinux strict. Snooping into /proc is not tolerated basically. So yes trusted system was unable to be attacked as demoed against the /proc/pid/mem. Yes a full blown selinux equals attempting to go there if you are not a debugger application terminated. No opps I should be let go like DAC does.

    Strict Mac systems don’t allow lots of things.

    So yes the /proc/pid/mem attack completely fails against a trusted Linux worse logged. Only general entry level systems not setup for secure work can be attacked by it. Simply applying a rule into the Mac cures it on people not running at full trusted level.

    Selinux is loved and hated for the same reasons. Sad part is that solarias and Linux Mac is basically done the same way.

    Lot of the Linux MAC issues are not as bad as people try to make out. Most people who do never have run trusted aix.

    Also I would bet one of your first attacks would be the idea the file system can be altered off line. Bad news selinux can audit settings after start up from TPM checked files. So the idea of off line attack does not work on trusted systems. Has been fully blocked in fully trusted linux systems for years.

    Lot of the classic Linux MAC weaknesses don’t exist any more DR Loser. Most likely you have lots of out of date information about what was weaknesses.

    Yes selinux can apply secuirty limits to file-systems without meta data these days as well. There is no soft point.

    Dr Loser of course there is a problem. Android linux kernel contains functionality mainline Linux kernel does not contain.

    The functionality does not exist in
    FreeBSD, OpenBSD, QNX, Web OS(standard Linux kernel) and Windows Phone.

    RIM is having to extend QNX to support Android. Android driver stack does not exactly match Linux mainline driver stack either.

    There is also special “memory management”. Android has a different low memory killer solution.

    You could call Andriod kernel 95 percent standard Linux. 5 percent special stuff that is required to make a power effective android device. Including special memory management for Dalvik VM. Yes there are many reasons why porting Dalvik to general Linux kernel is taking ages. Mostly that the general kernel has to add lot of the 5 percent first.

    Yes you might be able to get it to run on those other OS’s but you are going to pay a high price in battery usage with the 5 percent. Mobile device flat battery is worthless. Kernel is a deadly critical part to a mobile device it wrong you interface above it will not remain running to be seen. So yes all the android work is worthless if its not on a kernel that works.

  31. Dr Loser says:

    @Robert:

    “Of course, the kernel is a huge part of Android/Linux.”

    Not that I care, but no, it isn’t. I can easily imagine it being swapped out and replaced by any one of:

    (1) FreeBSD
    (2) OpenBSD
    (3) QNX
    (4) Web OS
    (5) Yes, you guessed it … the kernel bit of Windows Phone.

    Look, if it runs a Dalvik Virtual Machine, and it has the relevant drivers, pretty much any OS would do. There’s nothing special about Linux here (which, as you reminded me earlier, isn’t an OS at all — it’s a kernel).

    Your link, btw, mentioned Linux three times. Want me to list these paeans of support for the “huge part” bit? OK:

    “The Dalvik VM relies on the Linux kernel for underlying functionality such as threading and low-level memory management.”

    and

    Linux Kernel

    “Android relies on Linux version 2.6 for core system services such as security, memory management, process management, network stack, and driver model. The kernel also acts as an abstraction layer between the hardware and the rest of the software stack.”

    Or, to put it another way, it’s a kernel.

    Gosh, wow.

  32. Dr Loser says:

    @oiaohm:

    “Ok please talk about the MAC in future the DAC is a joke on most OS’s Dr Loser. Reason DAC does allow owner of file to change permissions unless its blocked by the MAC.”

    Somewhat irrelevant to this particular vector of attack, I would have thought. Unless you can prove that a fully-blown MAC system would have prevented it?

    Because the fact is, you see, that almost no Linux installations use MAC. It’s an SELinux construct and is very rare in the field.

    So not only would it not have prevented this particular idiocy, but even if it had, it wouldn’t have been in a position to do it.

    The Linux implementation of MAC is horribly flawed, btw. I am happy to talk about this if you want.

  33. Dr Loser says:

    @Koz:

    “Extremadure’s CIO … He/she knows which OS is more secure and so do you.”

    I’ve been through this earlier in the thread, you fool. The base requirement was that the whole thing is zero cost. (It’s flawed in so many ways, but it’s what the CIO insisted upon.)

    Having filtered your choices down thus, you are left with:

    (1) Linux
    (2) FreeBSD
    (3) OpenBSD.

    Your discussion, therefore, should concentrate on how Linux is more secure than FreeBSD or OpenBSD. (Here’s a hint: it isn’t.)

    All his or her other points are mere flummery, since they obviously didn’t disqualify the use of Windows in any way.

  34. oiaohm says:

    oldman even so the / kernel is one of the general convention.

    Of course its a GNU convention that not everyone agrees with. Oldman.

  35. oldman says:

    “There are no “regular” GNU/Linux distros. There’s no rule to state how much GNU is in there, nor how much Linux.”

    Yet if you ask most people who care, except possibly those like yourself with an ax to grind,, they will tell you that linuxs = kernel + GNU tool chain + a certain set of “standard” packages. They will tell you, Red Hat, Ubuntu, Mint, Debian are Linux. They may tell you that the commercial OS named android is based on the linux kernel source, but most of them would NEVER use the name Android/Linux.

    That is your invention.

  36. Phenom wrote, “except for a part of the kernel, Android has nothing, absolutely nothing to do with a regular Linux distro.”

    Of course, the kernel is a huge part of Android/Linux.

    There are no “regular” GNU/Linux distros. There’s no rule to state how much GNU is in there, nor how much Linux. Debian GNU/Linux, for instance, is working on shipping a FreeBSD kernel. I guess it’s still Debian GNU/Linux if one multiboots… They have a new architecture, kfreebsd-i386, too, so I guess there is a Debian GNU/kFreeBSD.

  37. oiaohm says:

    Yes means to inject into any process was in windows NT the first version with the same bugs. Of course I will be nice and disregard the defective windows running on dos that also has the same fault.

  38. oiaohm says:

    Flying Toaster
    “He’s the thing, oiaohm – in C, you always check for a pointer’s existence before you proceed and deference it. As the cited source points out, “[b]ecause tun is dereferenced (to use tun->sk) the compiler assumes that tun is non-null, so it removes the check for tun against NULL.” And even if the compiler did not remove the “if” statement, the fact that “tun” is potentially NULL still stands, and dereferencing a NULL pointer (as in “struct sock *sk = tun->sk;”) during run-time would still give you at least a crash under normal circumstances (again, as pointed out in the cited source). Hence, the presence of the vulnerability is due to sloppy code – not the compiler.”

    You don’t know C or kernel mode. Dereferencing a nul at runtime is valid. Nothing illegal about performing a referencing on a Null. If you have access to that address at runtime is another thing. Crash is memory error that may or may not happen.

    –Hence, the presence of the vulnerability is due to sloppy code.–

    In fact its both. Compiler and sloppy code. Gcc was revised. If it was removing checks if a pointer was null for any reason send up a message since there should be no null checks on dead code paths.

    Lets think this through. If the thing triggered a memory fault the system would crash so no secuirty flaw. If the check run it would error out again no secuirty flaw. Bad code yes. Secuirty flaw no.

    Yes compiler turns a computer crash fault into a secuirty flaw. Yes the one you pulled is a complier fault and sloppy code. Really hazard conditions this is.

    That ext3 example you gave Flying Toaster. Is not what NTFS is doing. Read what you posted. Ext3 not coming up clean. You run the checks on the file-system and its yelling and screaming something is wrong.

    NTFS with MFT damage. Basically pretends everything is good. chkdsk returns perfectly nothing is wrong. Filesystem is valid. Just everything disappeared but the file-system. Everything is fine is what NTFS reports. Even allowing drive to be mounted read write and copy data onto the drive so possible allowing what ever data on the drive to be destroyed.

    That ext3 has done what it proper should have. I am not going to mount while I am damage. Ext3 even refusing to mount. This is all because Ext3 has checksums so Ext3 knows something is badly wrong.

    This is what should happen. When backups fail stop so people can take drive to someone to perform data recovery on and most likely recover there data or get advice how to recover it.

    Worst thing is that the data gets over written. This is exactly where you end with NTFS where the drive mounts as if nothing is wrong. Over written can equal the data gone for ever.

    The core design bug is simple for the 1 Dr Loser raised. Flying Toaster.
    I am the user of the application so I can inject code into it. The application I am inject code into does not have to be my child. Basically its the /proc/pid/men bug but its default windows.

    Effects of this. 1) I have malware but it does not have to appear in task list because its running as subthread in the user explorer program waiting for chance todo worse.
    2) Even the most minor user assignment error to a process like the UAC one. Allows malware to inject into that and exploit from there to gain privilege.

    http://www.codeproject.com/Articles/11777/InjLib-A-Library-that-implements-remote-code-injec Example of the flaw. Run it and play a little how many of your desktop processes you can just inject sideways into.

    Here is where it gets really evil.
    MNIN secuirty
    –First, it is necessary to adjust the token privileges of your program so that debugging (SE_PRIVILEGE_ENABLED) is allowed. If you are injecting code into a lower privileged process, then this will not be needed.–
    Here is the next bug to complete the evil pair. Running as administrator you get this. Next but worse is a debugging process that has been triggered because a application has crashed by your user can be running at a lower privileged process than your processed but have SE_PRIVILEGE_ENABLED attached so you can inject into the process without question.

    From here magic mix to make a Windows privilege exploit. Yes you could say SE_PRIVILEGE_ENABLED aligns to sudo bit in Linux in Dr Loser example. You just need to find a suitably SE_PRIVILEGE_ENABLED application and run it then inject into it. After that system is yours.

    Fix this privilege mess up and breaking a window system will become way harder. Note SE_PRIVILEGE_ENABLED is true inject into any process you wish under windows. So basically what ever user rights you wish.

    So basically the privilege control around injection is complete crap. You are always granted some and that some is too much and can be exactly what you need to be granted everything.

    Also you can request SE_PRIVILEGE_ENABLED from you application without raising any form of alarm.

    Guess what this keeps on happening bug after bug after bug that create a privilege exploit on windows.

    I have named the fault Flying Toaster. With example code and all. With bit of skill you will be able to make a fully functional exploit and just seek down the applications with privilege but running too low to take the complete system.

    I named it perfectly correctly Flying Toaster just you want to pretend it don’t exist.

  39. Phenom says:

    @Pogs, you are wrong.

    Anyway, let’s assume you were right, and kernel is not the OS. If that statement of yours were correct, then you would have no right to call Android “Linux”. Because, except for a part of the kernel, Android has nothing, absolutely nothing to do with a regular Linux distro.

  40. Flying Toaster says:

    Correction:

    has so reluctant to name? => are so reluctant to name?

  41. Flying Toaster says:

    That sans bug by Flying Toaster is a compiler introduced bug. In case of a compiler bug you need to be able to rebuild all code built by that compiler.

    oiaohm – a guy famous all over the Internet for his broken English and generally making stuff up on-the-fly is now chatting up with me. I honestly can’t tell you how privileged I feel right now!

    He’s the thing, oiaohm – in C, you always check for a pointer’s existence before you proceed and deference it. As the cited source points out, “[b]ecause tun is dereferenced (to use tun->sk) the compiler assumes that tun is non-null, so it removes the check for tun against NULL.” And even if the compiler did not remove the “if” statement, the fact that “tun” is potentially NULL still stands, and dereferencing a NULL pointer (as in “struct sock *sk = tun->sk;”) during run-time would still give you at least a crash under normal circumstances (again, as pointed out in the cited source). Hence, the presence of the vulnerability is due to sloppy code – not the compiler.

    Yes the MFT has screwed up and the complete file-system has disappeared into no mans land.

    Oh, the MFT! I am pretty sure you know for a fact that it’s short for “Master File Table” and serves as the index of all files and directories within the file system, don’t you? It’s not, you know, a boat, a car or a kitchen sink, for that matter. And speaking of indices, here’s a response to one hapless Eddy courtesy of Theodore Ts’o himself:

    https://www.redhat.com/archives/ext3-users/2003-July/msg00035.html

    Please read Microsoft Lifepolicy. It is true in case you ring up with a OS past the end of lifepolicy

    Windows Vista, as we speak, is still under mainstream support. On top of that, this mainstream support period has lasted longer than the support any version of Debian has received from its developers. If you happen to have trouble comprehending what is being discussed, then please consult a dictionary, a speech therapist or a translator before you start cluttering up the discussion with irrelevant tangents.

    Really want to correct that thousands of bugs sourcing form one core bug.

    Again, seek appropriate assistance if you happen to have trouble comprehending what is being discussed. Don’t try and throw catch-all nonsense such as “the defect in the design of application code injection lacking required security” and pretend you have addressed any particular point I have made.

    There are many particular core design bugs that have spawned thousands of secuirty flaws over the years MS has not address.

    So what is this “desgin bug” to be specific? And how has it, in fact, spawned thousands of these security flaws that both you and Pogson has so reluctant to name?

    The inquisitive minds demand answers to these questions.

  42. oiaohm says:

    Flying Toaster that bug you pulled out is a clear reason not to allow binaries from where where into kernel space.

    That sans bug by Flying Toaster is a compiler introduced bug. In case of a compiler bug you need to be able to rebuild all code built by that compiler.

    Yes sans story is exact reason why binary drivers in kernel space are not safe. How do you know the driver was build with a safe compiler and is safe to use. Linux kernel only takes modules built by the same compiler as it. Attempt to keep modules currently built and in cases like this to prevent the fixed kernel loading older drivers.

    Yes the reason Linux will not load binary drivers is intentional.

    Yes over the years there have been many defective code generation errors reported against the MS compiler used to build kernel drivers. Question is how many of the old drivers that could contain the create flaws by the compiler have been rebuilt that people are using. Not many have been rebuilt so the volume of possible hazard is huge.

    Yes particular exploits against Linux show issues for any one thinking binary drivers is a good idea.

    NTFS the worse case you here reported is this.
    http://www.techimo.com/forum/technical-support/8110-ntfs-volume-lost-root-directory-help.html
    Yes the MFT has screwed up and the complete file-system has disappeared into no mans land. And the windows repair tool tells you that everything is perfect even that you files are no where to be seen. NTFS errors are reported over and over again with different levels of pain. Sometimes people have lost critical documents. Sometimes it the complete drive. Same issue MFT section of NTFS is not designed properly.

    ReFS that is coming hopefully should address these problems.

    “the instances in which Microsoft forces its customers to upgrade their operating systems (or their Office software suites, for that matter) in order to address a security vulnerability during any support period, or in which representatives from Microsoft advise enquirers to upgrade their operating system in order to address a specific malfunction”
    Please read Microsoft Lifepolicy. It is true in case you ring up with a OS past the end of lifepolicy. Extended support unless you have paid they will tell you upgrade to deal with a malfunction if its not security. It clearly spelled out in black and white. Basically if you had done you homework you would not be asking such a stupid question Flying Toaster.

    Yes you are told are part of the lifepolicy that you do have to upgrade past a particular point to address secuirty flaws. Because no more patches will be coming.

    “the “thousands” of bugs, critical or otherwise, that have persisted from Windows 3.1 through to Windows 7.”

    Really want to correct that thousands of bugs sourcing form one core bug. The defect in the design of application code injection lacking required security. Has made many malware infections and secuirty exploits from Windows 3.1 to now possible.

    Address the one mother bug by introducing stricter controls on code injections and the number of exploits against windows will reduce massively. Because tones depend on this one flaw existing to operate.

    There are many particular core design bugs that have spawned thousands of secuirty flaws over the years MS has not address. What MS is doing is trying to put out a house fire by stopping the garden from burning. Instead of attempting to put out the fire in house.

    There is about 10 major core bugs in Windows. Most secuirty assaults against windows depend on them. Fix those 10 and 90 percent+ of all privilege attack methods end instantly. Yes 10 major core bugs are causing a bush fire effect around windows for infections and malware.

  43. oiaohm says:

    Dr Loser
    “I was actually defending Red Hat, by contrast.”
    No you were making things up “ASLR is basically not turned off on Linux by default.

    “downstream distros that intentionally turn off ASLR”

    If you were not making stuff up name the downstream distributions that do other than “Damn Vulnerable Linux” and equal.

  44. Flying Toaster says:

    Correction:

    Source

  45. Flying Toaster says:

    For every example of a vulnerability like that in Linux there are thousands in that other OS like the Lose 3.1 bugs that eventually found their way into “7″.

    Then care to show your readers an example or two, then. I have shown you evidence for every statement I make about Linux. Now it’s time for you to show yours about Windows, particularly:

    1) the existence of “the kitchen sink, the car, and the boat” in NTFS and the failure modes in which they cause malfunction in the file system,
    2) the instances in which Microsoft forces its customers to upgrade their operating systems (or their Office software suites, for that matter) in order to address a security vulnerability during any support period, or in which representatives from Microsoft advise enquirers to upgrade their operating system in order to address a specific malfunction, and
    3) the “thousands” of bugs, critical or otherwise, that have persisted from Windows 3.1 through to Windows 7.

    Remember – I am referring to the instances you have failed to provide any empirical evidence to support your claim about Windows. And since you are a man of science, I am certain that you know what exactly I am demanding here. Lose that metaphorical arm-waving, and show me the evidence.

    And, fear not – I am patient, and I’ll wait until you are ready to substantiate all of these claims, and I’ll keep reminding you to substantiate these claims until the day you produce the evidence. Hence, my advice here is that you get your evidence going and thus save me – and arguably you – the precious time.

    In the meantime, here’s a video clip for the rest of the readers to feast their eyes upon. (Source)

  46. oiaohm says:

    Really Flying Toaster with how simple it is in fact to find a current list of currently Debian effecting bugs its really a joke doing what you are doing.

    FOSS does not hide the fact. Bugs exists MS does. All major distrobutions have proper secuirty trackers.

    Particular ones can be mitigated.

    Also the oldest still open bug on Debian.
    CVE-2006-0197: XClientMessageEvent struct issue on 64 bit
    We are not even sure if the issue really does cause a problem. There is no test case or sample code to even prove a issue exists. Yes the report that placed the CVE never contained any tested samples it was just a person who was looking at the source code who called it sus.

    Basically just because a CVE exist does not mean its a exploit with open source. It can be that some audit program has detected a possible fault.

    Yes not using php smarty is most likely a very smart idea.

  47. oiaohm says:

    Flying Toaster
    http://security-tracker.debian.org/tracker/CVE-2009-3547
    –security-tracker.debian.org/tracker/–CVECODE–
    Mind point to a bug that is not just a warning notice these days to make sure you do install updates. Those are all fixed.

    I could point you to all the other secuirty trackers as well. Guess what the secuirty flaw is not closed yet because its not fully patched up stream. Downstream at the distributions they are already fixed. Patching a secuirty flaw upstream is a little trickier. Since you have to consider if that code section should be fully re-factored or not.

    Dr Loser
    “It’s jammed full of pointless ancient drivers that have to be compiled from scratch when it’s built, because there’s no sane way to provide them with a stable ABI into kernel space so that you can put the other bits into user space.”
    Your a moron. Reason why ancient drivers need to be rebuilt ever cycle is secuirty. You cannot allow anything into kernel space that is not audited.

    Problem with closed non rebuilt drivers in kernel space is they can have secuirty flaws themselves that are not detected that would have been detected by the building and auditing process with the new compilers and tools. MS is more than aware of this and this is why they tried to make a .net only OS to get rid of native code binaries from kernel space that are not repetitively rebuilt.

    Dr Loser your argument again is bogus.

    The fact Linux userspace can make driver is over looked.

    Secure OS only source code that can be auditted should be in kernel space.

    Windows is full of old not audited drivers so is a far bigger sitting duck to driver caused problems than Linux.

    “Once you accept that assumption, you now need to justify the separation between the open/close bit and the read/write bit. Oh, and after that, you need to justify a simplistic rwxrwxrwx”
    Ok please talk about the MAC in future the DAC is a joke on most OS’s Dr Loser. Reason DAC does allow owner of file to change permissions unless its blocked by the MAC.

    MAC=Mandatory Access Control this is what selinux is.
    DAC=old unix like permissions. Discretionary Access Control.

    What is the difference between the two. Break MAC selinux rules your application get terminated instantly. So attempting to access something /proc/pid/mem and not be a debugger or something else approve program is terminated.

    DAC like the old unix permissions get warned you been a naughty boy and let keep on running when it fails.

    Dr Loser particular bugs don’t work due to Selinux and other LSM modules. LSM is a second level of permissions to what you can access. It is between all file open close write events. So to open /proc/pid/mem you must have the LSM approval or application terminated. To write to /proc/pid/mem you must have LSM approval or terminated.

    Heck even reading a file from the /proc from an application that should not access proc at all will see selinux terminate application.

    So yes the base permissions were wrong but the LSM level permissions can be different so blocking the attack completely. Yes default selinux has /proc as read only unless application given special access. No matter what the kernel set proc to.

    Lot of attacks are documented against secure Linuxs distrobutions a very distance possibility if you happen to be running with the LSM turned off they might work in most cases.

    Yes the idea that Linux has two permissions systems is a little strange. One that is DAC and one that is MAC. The MAC is configurable on preference.

    Debuging is the one time the fault Dr Loser found works.

    That UAC override I pointed to is not patched yet.

  48. Flying Toaster wrote, “More insane stuff:”

    Good that it’s fixed then, eh?

    The long uptime of many GNU/Linux servers and the lack of crashes in PCs suggests the diversity of GNU/Linux saved the day. Unlike that other OS that has the exact same stuff on hundreds of millions of PCs bringing down all of IT every now and then, GNU/Linux thrives on diversity and is tough to bring down. For every example of a vulnerability like that in Linux there are thousands in that other OS like the Lose 3.1 bugs that eventually found their way into “7”.

  49. Dr Loser wrote, “The Linux kernel is the operating system.”

    No. It’s not. There’s no user-interface. No command interpreter. No accounts, users, file-systems, start-up scripts, services, etc. All/some of that needs to be added to make it useful. How do you as a user, or a pusher of buttons make the kernel do anything? Doing nothing is not operating. How do you get the kernel to boot now that it’s too big to fit in the boot record?

  50. Kozmcrae says:

    “In what way is, say, glibc.so inherently any more or less vulnerable than kernel32.dll?”

    It’s the eyeball thing your rebooted brain forgot about. And there you go again, taking GNU/Linux in detail. We don’t use it in detail. We use as a whole. You tell me which OS is way more secure than the other, since you know as well as I (rebooted brain or not).

    Extremadure’s CIO:

    “The desktop needs to be strong, easy to use and easy to manage and support remotely, without viruses and free from security problems which are common to proprietary solutions.”

    He/she knows which OS is more secure and so do you.

  51. Dr Loser says:

    @Robert:

    “No. It’s not. The Linux kernel is one component of the GNU/Linux operating system.”

    Yes, it is.

    The Linux kernel is the operating system. Heck, it’s even monolithic. It’s jammed full of pointless ancient drivers that have to be compiled from scratch when it’s built, because there’s no sane way to provide them with a stable ABI into kernel space so that you can put the other bits into user space.

    I’m sorry to have to correct you here, Robert, but that is what 100% of computer-literate people since the year dot have defined as an Operating System.

    Nevertheless I am always open to new ideas. Which other bits of the GNU stack (or otherwise) do you consider to be part of the Operating System?

  52. Dr Loser says:

    @NT_Jerkface:

    “I still don’t see why they think it is a good idea to stick everything in one giant text file.”

    It is the Linux way. Never forget that. Everything is a (flat) file.

    I’d actually have had some sympathy with the morons if they had at least adopted the Berkeley DB and made it part of a transactional, indexed, file system, but oh no.

    That would have been evil, wouldn’t it? Completely the wrong license!

  53. Dr Loser says:

    @oiaohm:

    Borrowing backwards (it’s a long thread) I’ll take this as a partial response.

    “Effects where not considered well enough.”

    D’Oh!

    There’s a more subtle point to be made here. It’s impossible to consider “effects” in the Linux kernel, because it’s impossible to reason about it at all. It’s one huge mass of spaghetti with no real design and one patch over another patch over another patch.

    I suppose I could enumerate the particular patch over a patch that caused this hole, but why bother?

    It’s endemic to the development process. And for Mr Hill, who probably doesn’t understand the phrase “endemic to,” please feel free to substitute “unavoidably part of.”

    “Reason for it being made write able was to enable more applications to be debug-able without requiring root or a debugging kernel.”

    Not a very good reason. I worked on VOS for ten or more years (another Multics derivative), and apart from not needing this spurious advantage, the debugger was far, far more capable than gdb is today.

    This is purely an excuse for ten or more years worth of incompetent development.

    “Also it was believed at the time selinux and other equal protection methods would be used to limit access.”

    My emphasis.

    Look,, oiaohm, you’re gonna have to give up on this “it was believed at the time … selinux” bollocks.

    On the weaker side of my argument, I would point out that you have no proof that it was so believed at the time.

    On the stronger side, IT DIDN’T HAPPEN.

    This is fantasy land.

    You cannot excuse a security breach by claiming that somebody else should have fixed it first.

    That is not how security works.

  54. Dr Loser says:

    @oiaohm:

    “There are times where not being able to set /proc/pid/mem read write is a bad thing.”

    When?

    Given the way that certain Linux functions, I don’t want to alert you to further walls’o’text, work, this is partially true. Once you accept that assumption, you now need to justify the separation between the open/close bit and the read/write bit. Oh, and after that, you need to justify a simplistic rwxrwxrwx plus various other SilliBits, plus a couple of inane kernel strategies for unique ids that turn out not to be unique, and …

    Actually, and this covers the use cases in Windows (far more secure, as detailed above under “Installer Privileges”), I believe this is simply an awful way to go. I wish Windows hadn’t done it. I have no clue about either Apple or *BSD. I’m fairly certain that Solaris did it.

    It’s just plain wrong. You don’t expose the squishy bits in your insides to the general public (via an exploit, obviously), unless you have a VERY GOOD REASON.

    In your court, oiaomn. You are the master of all you survey.

    Pick a single good reason, and I promise you that I will refute you.

    Even given the observable fact that, refutation or not, this is a particularly egregious example of kernel development failure.

    On Linux, would you believe?

  55. Dr Loser says:

    @Robert:

    With friends like oiaohm, do you actually need enemies like M$?

    “Dr Loser:

    ‘Further, the sole reason that Red Hat and Debian are not affected is because they are not one of the many downstream distros that intentionally turn off ASLR.’

    Boy you love making stuff up. Redhat was effected by this flaw there a detection program from redhat that detects if you have messed you selinux setting up then corrects the selinux settings so fixing problem for now with redhat. Debian and redhat users need to check for this error as much as anyone else.”

    This is truly bizarre. I could have gone into details about the various Red Hat releases and patches and (I personally think) sane attitude to this flaw, but I chose not to do so. Why?

    Well, it wasn’t actually part of my argument, which was that there are a whole bunch of uncontrolled distros out there run by people who (like me) are not security experts, and they tend to do things like fiddle with the code at rather deep levels.

    I was actually defending Red Hat, by contrast.

    And oiaohm thinks I’m “making stuff up?”

    You need to pony up some serious money in the Spring Season and get a better #5 pitcher for your team, Robert. This one’s ARM is worn out.

  56. Flying Toaster says:

    More insane stuff:

    http://www.securityfocus.com/bid/36901

    A privilege escalation bug again, but this time right in the kernel itself.

    Distributions affected?

    “Debian Linux 5.0
    […]
    Debian Linux 4.0”

    It’s rapidly developing indeed.

  57. Flying Toaster says:

    @oiaohm

    Then mind if I point out something insane for you?

    http://lists.debian.org/debian-security-announce/2011/msg00005.html

    A privilege escalation bug in glibc, meaning that anyone with the know-how can gain root access to the entire system.

    Robby Pogsons around the world – take notes.

  58. oiaohm says:

    Yes every windows user has the same kind of bug as the Linux kernel just did rolled out to them for the past 20 years. Yet I have not seen Dr Loser complaining about this.

  59. Dr Loser says:

    @Koz:

    “Dr. Loser’s brain, like the OS he advocates for, reboots every morning. He forgets everything you told him the day before.”

    It’s true that I tend to have a hazy recollection of the more inept and ignorant things I was told the day before, although I seem to recall this:

    “And by the way, if you knew about kernels, you know that Windows kernels are very vulnerable as it is a simple DLL file which is located within the OS, which makes it easy for simple attacks on a system.”

    Do you remember being told that this is total nonsense the day before, Koz? Or are you, like I, going senile?

    But enough banter. I’m up for the challenge. In what way is, say, glibc.so inherently any more or less vulnerable than kernel32.dll?

    (Ignoring, as one would, gdi32.dll and user32.dll. Neither of these have the magic “ooh, I can google it!” token “kernel” in the middle, which would leave Mr Hill with very few resources left. Oh, and also ignoring the fact that, as explained, the actual NT kernel is elsewhere … in stark contrast to the thing that sits behind /proc/id/mem.)

    Any clues you feel willing to impart?

    I’m willing to wait until tomorrow morning, so that I have a full working day before I forget the stuff.

  60. oiaohm says:

    Dr Loser I will point out something insane. How do you by pass the UAC on Windows 7. If you are a evil program inject into the UAC process its permitted from a normal user.
    http://www.istartedsomething.com/20090613/windows-7-uac-code-injection-vulnerability-video-demonstration-source-code-released/

    Same problem as what the Linux developers just made for themselves. Don’t throw stones when standing in a glass house. Lot of windows privilege escapes are the same thing. Inject into a process of higher privilege.

    Linux mistake is not unique but at-least the Linux one is being fixed properly.

    So I guess you don’t run Windows Dr Loser because it a insecure bit of crap. Interesting to here what OS you are running.

  61. Dr Loser wrote, “It IS the Operating System”.

    No. It’s not. The Linux kernel is one component of the GNU/Linux operating system.

    The particular bug was in a beta-testing version. It did make it through the Linux kernel’s group, just a few thousand users. Beta-tests are used by millions of users in Ubuntu, Debian GNU/Linux etc. The particular bug was not released in any mainstream distro as far as I know. Do you think the world should roll out Linus’ latest build on millions of PCs routinely? Twit.

  62. oiaohm says:

    oldman by the way there is a reason why big businesses like IBM have remained on Samba 3.x with openldap backing it.

    Samba 3.x with openldap combination supports read only slaves. Samba 4 ADS also implements read only slaves. Advantage this prevents the issue of remote location losing network link and the ADS server going on its merry little way when you fix the limit the complete network going nuts.

    Turns out most applications most of the time only read from the ADS. So a read only ADS in case of link failure mostly goes unnoticed.

    MS ADS and Samba ADS are not 1 to 1. Samba 4 has features MS ADS still lacks. So both have to be placed based on the merits of the problem at the moment.

    Oldman you are two small basically MS ADS does have issues once you get past a particular size so forcing the use of Samba to remain stable. This is why Samba is so well supported by large enterprises.

    Cost is not the factor here stability is.

  63. Dr Loser says:

    @Mr Hill & @Robert:

    Once again, after all that, I return to this very simple point.

    Robert defends this inexcusable idiocy as “it’s a rapidly developing package.”

    IT IS NOT. It IS the Operating System.

    Now, you can quote, or better still, demonstrate, a million security holes in the NT Operating System, and you are free and indeed encouraged to gloat over every single last one. (Thoroughly ignorant posturing does not count in this respect, Mr Hill.)

    It’s irrelevant. Find me a hole in the NT OS, and I will agree with you. I’m not about to cover it up with some stupid blathering about “it is a rapidly developing package.”

    Because, you know what? I expect certain standards from my Operating Systems.

    Evidently you do not.

  64. oiaohm says:

    oldman Really are dumb are you.

    Microsoft Active Diretory and Samba Active Directory are not independent development. This is part of the EU ruling. All new alterations MS wants todo before being released to you oldman have to be released to Samba. Yes even before beta release anything being altered in the protocols you will know about it at Samba first. MS cannot even make press releases about those features first.

    This is no longer reverse engineering. Samba Posix interfaces MS also cannot break as they have in the past as well. Both Samba and MS have extended the SMB protocols this. MS as the standard controller had the right to.

    “The fact is however, that I could care less. Samba 4 is not MSAD. It will never be MSAD, and no matter how closely the sambe developers attempt to track the changes to msad over time, it will always be a day late and a dollar short.”

    Samba don’t have to attempt. MS is legally required to track and report there changes. SMB and related network protocols own to Samba as the body that managed that standard for IBM not Microsoft. Any alteration MS must legally report or be facing muli-billions in fines.

    ADS should have never been a secret.

    “It will never be guaranteed to be compatible, and more importantly, it will never be supported by microsoft, nor will it be guaranteed to be compatable with all of the myriad tools that supplement and build on top of active directory.”

    In fact you are wrong. Microsoft Linux division runs samba 4 and rebuilds it and tests against any upcoming MS product. You can ring up MS technical support if you have and get configuration assistance for Samba 4. Each September for 1 week samba and Microsoft ADS and SMB and other linked protocols are in Microsoft main building doing one to one compatibility testing.

    Compatibility of samba is basically being constantly tested oldman by Microsoft no less.

    Oldman the MS does not make it defense does not hold water with Samba.

    Oldman time to pull head out sand. Samba 4 does operate as advertised.

  65. Flying Toaster says:

    You mean, they’re perfect?

    Did I? What’s more, are you trying to pass a performance problem as your evidence that AD “doesn’t work”?

    Don’t ever try and put words in my mouth, Robby.

    Ten years ago, Gates propagated a memo

    So what does that exactly prove? That Microsoft does not provide hotfixes and service packs for Office? I don’t think so.

  66. Flying Toaster wrote, “I am pretty confident to say that both of the above are simply false.”

    You mean, they’re perfect? No way! The last time I used AD I saw delays up to 30s from an idling server. Others have as well.

    XP/2003 is relevant.

    Flying Toaster wrote, “provide us poor readers the extraordinary proof that Microsoft did in fact announce that their product “was a piece of crap for malware and reliability””

    Ten years ago, Gates propagated a memo:“So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. A good example of this is the changes we made in Outlook to avoid e-mail-borne viruses. If we discover a risk that a feature could compromise someone’s privacy, that problem gets solved first.”

  67. Flying Toaster says:

    Correction:

    an insane model (linky)

  68. Flying Toaster says:

    ext4 has a journal checksum.

    And what Linus Torvalds calls an insane model. You see, Pogson, I do have the courtesy to not pick on an easy target when making a point.

    “kitchen sink, the car and the boat”

    Then care to point out what exactly these supposed “kitchen sink”, “car” and “boat” are in NTFS, and, more importantly, their failure modes? Because as far as I am aware, there aren’t really any kitchen sinks, cars or boats in that particular file system, and metaphorical arm-waving does not constitute a valid argument.

  69. Flying Toaster says:

    Correction:

    mainstream => mainstream support

  70. Flying Toaster says:

    “M$ doesn’t guarantee its stuff, nor does it support its stuff. “

    That’s quite an interesting statement in and of itself since what you are implying here is that:

    1) AD doesn’t work, and
    2) Microsoft doesn’t care if it works or not.

    Given the amount of organizations out there running AD, I am pretty confident to say that both of the above are simply false.

    And, Pogson, if you are trying to make an off-the-cuff remark about AD, at least try and not use XP and Vista as your talking points, as those are operating system versions for desktops and workstations. Server 2000, 2003 and 2008 are what you are suppose to use for AD domains. What’s more, as we speak, Vista w/ Service Pack 2 is still under mainstream, meaning that unless you can produce evidence showing that Microsoft is indeed in one way or another asking you “to buy the next licence to get a new version if the last was bug-ridden” (despite the obvious violation of consumer laws in at least several western countries), this applies.

    They gave the world XP. Announced it was a piece of crap for malware and reliability and then gave the world Vista. Even Vista-debugged has lots of vulnerabilities. It’s a treadmill for slaves.

    There are a few persistent issues I am aware of in both Windows Vista and 7. However, Pogson, when you are trying to make an extraordinary claim like this, at least have the courtesy to provide us poor readers the extraordinary proof that Microsoft did in fact announce that their product “was a piece of crap for malware and reliability” and then subsequently gave us so-and-so instead. In fact, care to cite an instance in which Debian, your favorite OS, is given a support period longer than Microsoft has provided for Vista? I know – it’s a trick question, but what the hey!

  71. ext4 has a journal checksum.

    It’s a principle of engineering: (some failure rate per system) X (more systems) = higher rate of failure. NTFS now contains the kitchen sink, the car and the boat. They all can fail.

  72. oldman wrote of Samba and AD, “It will never be guaranteed to be compatible, and more importantly, it will never be supported by microsoft, nor will it be guaranteed to be compatable with all of the myriad tools that supplement and build on top of active directory.”

    M$ doesn’t guarantee its stuff, nor does it support its stuff. In large part M$ asks people to buy the next licence to get a new version if the last was bug-ridden. XP–> Vista –> Vista_debugged.

    When I get my front porch repaired by a tradesman, I don’t expect to have to hire another to fix the repairs but M$ demands that all the time. They gave the world XP. Announced it was a piece of crap for malware and reliability and then gave the world Vista. Even Vista-debugged has lots of vulnerabilities. It’s a treadmill for slaves.

  73. oldman says:

    ““Maybe it has not crossed your mind that I have been running Samba4 the ADS part for over 2 years. Oldman so I know the bugger works.”

    It certainly did cross my mind that you have been playing with samba 4. The fact is however, that I could care less. Samba 4 is not MSAD. It will never be MSAD, and no matter how closely the sambe developers attempt to track the changes to msad over time, it will always be a day late and a dollar short. No business is going to build an active directory service on such a castle of sand.

  74. oldman says:

    “The reality is there is another active directory server in town.”

    Sorry, Sir, but there is no such thing as “another” active directory domain controller. The only real active directory domain controller is that produced by microsoft. samba 4 is at best is a reverse engineered kludge. It will never be guaranteed to be compatible, and more importantly, it will never be supported by microsoft, nor will it be guaranteed to be compatable with all of the myriad tools that supplement and build on top of active directory.

    As far as I am concerned, it is fundamentally dishonest to portray samba 4 as true substitute for a microsoft server, whatever its capabilities may be.

    “Problem is real businesses don’t have MS ADS servers in the first place Oldman. Lot have still been running on ldap with samba 3 on providing a NT 4.0 domain. There is a large area to upgrade before touching MS.”

    I think you have to be more specific on you definition of “real businesses” sir. My definition is someone who is using real microsoft service delivery platforms to provide real services, not some linux oriented shop that is using the current samba kludge to avoid having to implement real microsoft servers. I am also leaving out those who are using proprietary NAS solutions. Of course Samba 4 if/when it performs as advertized will become one more tool in the arsenal of those who need to offer microsoft services but wish to avoid actually implementing microsoft servers.

    As far as NT domain legacy users that you speak of, these may be big in the huckstings of austrailia, but they are few and far between here.

    “Maybe it has not crossed your mind that I have been running Samba4 the ADS part for over 2 years. Oldman so I know the bugger works.”

    Given the level of geekery you show, it certainly did. However I dont really

  75. Mr Hill says:

    Quote from Phenom – Ohio is undisputedly the top incompetent ignoramus of this little forum

    OMG you have to copy and paste the same line to insult people (Doing it without the BSOD, congrats). When you has to resort to personal insults its a sign you have lost the argument. Can’t wait for the tablet revolution to push MS to further irrelevance.

  76. Flying Toaster says:

    No I did not realize journalled file-systems should have this problem.

    The problem arises when power failure occurs during journal updates. This is regardless of whether you are aware of such a phenomenon or not.

    And since ext3 does not have journal checksum, there is simply no way for the file system to determine if the information provided by the journal is indeed reliable. This is not even to mention, as the lwn correspondence points out, that the ext3 journalling mechanism simply has no regard for such things as disk caches and out-of-order writes.

    Of course, NTFS is a much more complex file-system and has many more points of failure.

    Then care to point out some of the specificity, e.g. the names of these alleged “points of failure” and their failure modes? Having an unambiguous description is important for people to verify your claim, after all.

  77. oiaohm says:

    Phenom The market is quite huge. Lot of different things can be going on at the same time.

    Openldap solutions behind samba being replaced by samba 4 solutions in business would not have to register same with same. Maybe it has not crossed your mind that I have been running Samba4 the ADS part for over 2 years. Oldman so I know the bugger works.

    Phenom remember Linux servers sales also saw growth.

    Its nice for those small locations were you are that 1 server short. Its been delivered partly for many years Oldman. Completely delivered with integrated DNS support file server and printing. Will make life simpler. Compare to the current Samba 3. Samba 4 combination.

    “active directory domain controller” Think carefully do all active directory servers need graphical interfaces.

    Sorry oldman watch the video and wake up. The reality is there is another active directory server in town. There has been for quite a while. Proper integrated is why it has not gone full formal release before now.

    Phenom the might be the last year MS server department does any good. Because this is the last year MS server department has not had to face a integrated replacement to ADS with some having integrated replacements to Exchange and Sharepoint.

    Problem is real businesses don’t have MS ADS servers in the first place Oldman. Lot have still been running on ldap with samba 3 on providing a NT 4.0 domain. There is a large area to upgrade before touching MS.

    Basically oldman you screwed all you can do is throw insults and hope this other solution goes away. Sorry its not going away about time you get use to the facts.

  78. oldman wrote, “No business is going to build their directory service on this hack. Its simply not worth the price of a couple of windows licenses.”

    A lot of businesses use openLDAP quite reliably. They certainly use Samba for storage.

    Of course, folks migrating to GNU/Linux don’t need AD at all:
    Munich:“The Microsoft solution would have made it necessary to introduce an Active Directory system, which would have meant a strong lock-in and would have caused significant follow-up costs.”

    It’s not just about cost but avoiding lock-in. Making a whole system dependent on M$ is foolish.

  79. oldman says:

    “oldman I love it. Just cannot be reality that its already in usage.”

    Oh yes, Linux and NFS is all over business, but as a substitute active directory domain controller, that is another thing entirely sir. I am fully aware that you will not accept delivery on this because of your linux bigotry, but your average business not going to replace a real active directory domain controller with an ersatz clone.

  80. Phenom says:

    Ohio, my dear, what are you smoking today? Just a few days ago MS published data about the outstanding performance of its server division, and now you say “Windows has already lost in a lot of businesses in the server room”. Please quit this stuff, probably there is still hope for you.

  81. Phenom says:

    Pogs, NTFS is a journalled file system.

    Ohio is undisputedly the top incompetent ignoramus of this little forum, and I don’t think we need another one. I know you are a teacher, but please read before you write.

  82. Flying Toaster wrote, “You do realize you can corrupt an ext3 file system in the exact same way”.

    No I did not realize journalled file-systems should have this problem. That’s one of the main reasons they have journals. Of course, NTFS is a much more complex file-system and has many more points of failure.

  83. oiaohm says:

    Really I told you about the lca2012 video it now up on the samba site go watch it and take careful note that Samba 4 ADS is currently actively deployed.

  84. oiaohm says:

    oldman I love it. Just cannot be reality that its already in usage.

    couple of windows. Its worth it when you are talking a few 100 servers due to your business being big.

    Of course oldman is tool small to understand this.

    Windows has already lost in a lot of businesses in the server room. They are larger than you oldman.

  85. oldman says:

    This is of course all academic. Samba will never be anything more than a reverse engineered clone of a commercial product. No business is going to build their directory service on this hack. Its simply not worth the price of a couple of windows licenses.

    IMHO this is nothing more than a tool that refuseniks and cheapskates will use.

  86. oiaohm says:

    nt_jerkface thanks for that bug.
    http://lists.samba.org/archive/samba/2011-July/163278.html

    Note I said next when you have to upgrade from Windows server 2008. Support only lasts so long. Sooner or latter you have to pave over with something.

    Please take a close look at the version 2009 samba. Being installed in the year 2011 by that point the 2.4.x line 2.4.14. 2.4.0 is for the insane. Sad part is that issue was fixed in 2.4.3 the issue is in fact that the user created the unix user first then tried to create a samba user the same name. Its not a configuration file issue at all. Normal admin error.

    Basically nt_jerkface the user was using a out of date version of Linux with a out of date version of Samba worse the version version of a series. So hurt was to be expected.

    Really nt_jerkface you don’t know the topic. As a ADS server Samba 4 is already being used in production without issues.

    The problems have been ironed out of Samba 4 for the ADS role. You forget Samba has a direct line to MS for information on a ADS server. For a NT 4.x domain they don’t.

    Samba 4 will not be the samba you have known. Me running the alphas its not like the samba I have known it strong. Its configuration is very much reduced. Independent ldap server support gone. Sambas own internal ADS ldap only. Server to Server replication ADS style by default. Sub-domain support currently in final testing. Support for read only instances of a ADS.

    Just to be nasty they have tested this ADS on arm embedded project boards that just get there power pulled when cleaning house and other evil thing attempting to break samba 4 or the Linux under it. Samba 3 has never had this level of testing abuse. In the process they have found many bugs that have had to be fixing in Windows 2008 server as well.

    nt_jerkface cannot read bugs and does not know current industry recommendations.

    Yes nt_jerkface you need to thank the samba guys for the quality of the windows 2008 server.

  87. Flying Toaster says:

    FT, you’ve lead a sheltered life. Google finds 469000 “ways to leave your lover”. M$ has one.

    A quick search with Google reveals 179,000 results for “Robert Pogson Loves M$”. I am by no means an expert in this search engine business, though. 😉

    Jokes aside, let’s have a look at the Microsoft Answers link you have cited, shall we?

    “My C: was dirty and I ran a chkdsk /f /r and it was working okay after the clean.”

    So the guy in fact didn’t shut down his system properly. You do realize you can corrupt an ext3 file system in the exact same way with Linux, right?

    So much for those 469,000 ways to leave a lover.

  88. nt_jerkface says:

    Yes Linux servers will be able to pave over existing Windows servers without having to change any client settings. Linux server will just take over the ADS role. Issue with be server side applications.

    Why the hell would anyone pave over an existing AD setup? You might of had a case back when Windows wasn’t reliable but SV2008 is rock solid.

    As someone who has worked with both SV2008 and Samba I think you guys might be forgetting a little tidbit which is that Samba sucks and is annoying as hell to deal with. I still don’t see why they think it is a good idea to stick everything in one giant text file. Then you have the same old problem with dependency breaks from upgrades.
    http://lists.samba.org/archive/samba/2011-July/163278.html

    God knows how many problems they will have to iron out with their AD clone, whenever the hell it comes out.

    Forget even comparing it to anything from Microsoft, compared to other open source server software it is messy and built like a house of cards. I don’t mind working with MySQL or Apache but Samba…..ugh.

  89. Flying Toaster wrote, “despite my 20 odd years of experience with the OS I have never seen kernel32.dll getting “damaged” all by itself.”

    FT, you’ve lead a sheltered life. Google finds 469000 “ways to leave your lover”. M$ has one

    “c0000221 (Bad Image Checksum) kernel32.dll corrupted”

    OMG! It does happen that that other OS which is in charge of things like the file-system keeps messing it up.

  90. oe wrote, “down-time when Winblows reboots in the middle of the workday for security patches”.

    In 2010, I had that happen in the middle of a presentation. A pop-up warned I had 15 minutes. I didn’t make it… That same day I paved the machine with GNU/Linux. I was using the machine as a thin client using RDP to the server and rather than figure out how to respond to the pop-up without interrupting my presentation, I estimated I could finish in time. M$ has a lot of nerve to interrupt my class deliberately.

  91. Kozmcrae says:

    “And by the way, if you knew about kernels, you know that Windows kernels are very vulnerable as it is a simple DLL file which is located within the OS, which makes it easy for simple attacks on a system.”

    Dr. Loser’s brain, like the OS he advocates for, reboots every morning. He forgets everything you told him the day before.

    He will conveniently lose knowledge if it conflicts with promoting uncertainty in FLOSS. That seems to be the major objective here, keeping people from adopting FLOSS by promoting uncertainty. It’s easier than winning arguments or presenting “facts” and it keeps the people behind FLOSS on the defensive.

  92. oiaohm says:

    Mr Hill and oe the game changes this year. Since the advantage of the ADS disappears.

    This now means server side Windows will have to fight on its merits. This will see items like Sharepoint have vs Alfresco.

    Btrfs supports everything MS new filesystem does and more. ReFS from MS is kinda out gunned. Yes the means to add and remove disks on the fly is a Btrfs feature. Yes equal to volume shadow copy is supported by Btrfs naively.

    Yes this is the year Linux will be able to-do almost everything in the server room. No windows machine required for user management any more.

    Yes Linux servers will be able to pave over existing Windows servers without having to change any client settings. Linux server will just take over the ADS role. Issue with be server side applications.

    Next upgrade in the server room will be a choice between the two paths. Last time we saw this was 1999 when MS was losing NT market.

    ADS servers in business is the one area Linux does not major-ally dominate yet.

  93. Mr Hill says:

    Oe, great points you have added. Couldn’t agree with you more. The amount of business I know that have gone out of existence because their dependency of MS. Downtime is unacceptable, as time is money and delay in deadlines. Networking is an absolute nightmare with Windows, but the experience with *nix systems (whether Linux, FreeBSD, and all the other BSD derivatives) have been more straightforward to deal with.

    The thing is guys that have had day-to-day experiences with MS tools and have had bad experiences share the same angst; we can talk about it with an objective eye and say it as we see it; tell these Microsoft Boosters and sponsored trolls what the problems you have and they either belittle you,FOSS or go by personally insulting you.

  94. oe says:

    Mr. Hill a good analysis to start but you forgot to include the equally important (if not more) of employee down-time when Winblows reboots in the middle of the workday for security patches, slows to a crawl for the obligatory malware scans, is bloated pig in dealing with network shares (afs/nfs is a dream I enjoyed about a year ago…), and generally sucks at any transaction work (e.g. Web, Office, document generation, etc., much less high end engineering computing/analysis/design); this time adds up in a lot of coffee breaks we take…except for those of us fed up and using the PREVIOUS generations hardware, intercepted from excessing and paved over with mostly Linux, some OpenBSD or NetBSD, and use these on the “research LAN”. A couple of IT staff in the know will do sys admin support for you (as opposed to your-on-your-own) over the wire, if you ask nicely for it, as it’s not in their job description. Quite frankly given the mess the upgrade to 7 has left us in, its generous of them to give a little time.

  95. oiaohm says:

    Dr Loser
    “A very, very bad idea. Show me another OS that does this, or alternatively one where you have difficulty debugging an application. And even if it were a good idea, it would still be a massive security risk, which means that it is a very, very bad idea.”

    MS Windows Injection system works exactly the same. Same basic design as what Linux just implemented with /proc/pid/mem. Any process your user owns you can inject into on Windows.

    Before this change under Linux you could only inject into a application your application started. This can be a major pain in a but application locks up you had failed to place a debugger before it.

    Dr Loser sorry what the Linux guys did here was basically copy section of Windows Internal design. Thank for stating so forcefully that Windows is bad internally because you have to be stating that since its the same design in both OS’s and Windows one has been there for over 10 years. Because under windows you can still inject like this.

    How do I know the block to injection is why most no-cd cracks a lot of people complain about not working under wine are not working yet they work perfectly under Windows even in Limited Accounts.

    There are times where not being able to set /proc/pid/mem read write is a bad thing.

    Should it been made default always on under Linux most likely no. Does windows need to fix this issue as well hell yes Dr Loser. Don’t throw stones while standing in a glass house. This is why privilege exploits from 2000 and before still work under windows 7.

    So 5 years nothing really and at least when it been detected it being fixed properly.

    AD=Active Directory. ADS=Active Directory Server. There is a difference Dr Loser. Big one. AD can exist on many Active Directory Servers at the same time. ADS is what hosts the AD. Dr Loser MS developer terms are AD and ADS that mean two slightly different things. You don’t make implementation that is a AD. Implementations are always ADS. Since they must be a server. AD is something that might be on one server or replicated between many. When replicated between many any ADS might answer the AD request. It is important to think of AD and ADS as two different things. AD could be clustered. ADS is one physical item.

    Of course I should expect Dr Loser to be IT illiterate for Microsoft Windows Server Administration terms. Dr Loser keeps on proven over and over again about knowing nothing.

    Dr Loser
    “Further, the sole reason that Red Hat and Debian are not affected is because they are not one of the many downstream distros that intentionally turn off ASLR.”

    Boy you love making stuff up. Redhat was effected by this flaw there a detection program from redhat that detects if you have messed you selinux setting up then corrects the selinux settings so fixing problem for now with redhat. Debian and redhat users need to check for this error as much as anyone else.

    Its also rare for ASLR to be off. Really what down stream distrobutions. The top 20 on distrowatch have it on to ASLR=2 level this covers 90 percent of all Linux desktops. So what ones are you talking about. Again Dr Loser stating items that are not fact. Default kernel builds build with it on. Linux applications don’t notice it mostly because if they did they would be screwed.

    Why because when a Linux application gets forced out of memory and into swap. It may not be restored back to the same address space(required for systems without MMU). This is a historic fact of Linux prior to ASLR invention. If you application is broken by ASLR it can also be broken by swap management. So is a unstable application and it should not be running on Linux. Yes compatibility with what ASLR might do to you is the same you need to be Linux compatible in the first place.

    Ever wondered what the -fPIC flag in gcc was DR Loser. “position independent code”. Most Linux applications are build with this.

    oldman I see you did not catch the lca2012 samba video what is basically samba yearly update of where they are and what they are working on. Good video its on youtube. This is samba the lead developers Australia. So the do nice person to person talks at Australian Linux conferences.

    The hold the big announcements until they are at the LCA. About in 2 to 3 weeks it should appear on the website if you are lucky.

    Also lca2012 was the announcement that the btrfs will go into active deployment before the end of this year as well in the btrfs demo video.

    Really it would be nice someone would write down what was said in those video each year or put link on samba.org each year to the video for the samba one. So people like you oldman remain in the loop.

    Lca is where a lot of core project to the Linux world to a lot of work. I go them when I have the time. Of course there is another conf that the X11 developers mostly attend coming up so there are going to be some big announcements about it as well soon.

  96. Flying Toaster says:

    Correction:

    this is not to say that you can’t pull off something similar in Windows, but since messing with the \Windows\System32 directory generally requires you to at least be “TrustedInstaller” or have the ability to transfer ownership from one entity to another[…]

  97. Flying Toaster says:

    “And by the way, if you knew about kernels, you know that Windows kernels are very vulnerable as it is a simple DLL file which is located within the OS, which makes it easy for simple attacks on a system”

    The NT kernel image is stored as an executable (ntoskrnl.exe) under \Windows\System32. It is simply not a DLL or shared library of any fashion.

    If someone hacks into the Windows folder, you are buggered as you do not need permissions.

    The same can be said about vmlinux, which is ironic considering the fact that there is usually nothing beyond the basic POSIX permissions to protect anything within /boot, and once you have exploited one of many, many well-documented privilege escalation bugs in Linux there is simply no stopping of you from doing whatever you want to do with it.

    Of course, this is not to say that you can’t pull of something similar to Windows, but since messing with the \Windows\System32 directory generally requires you to at least be “TrustedInstaller” or have the ability to transfer ownership from one entities (depending on your definitions in “Local Security Policies”), the possibility of such an attack is simply no more likely than that on an Linux System.

    unless you had the superuser’s credentials you cannot compromise anything

    Again, you need no more than a privilege escalation vulnerability to gain superuser credentials. After all, that’s the basis of your argument, isn’t it?

    and even if you did with your own hands there are other kernel versions you can fallback with a previous version

    And what makes you thinks that an attacker will only mess with one kernel image within your system and not any other?

    if you have your kernel.dll damaged (which does happen often);

    That’s kind of odd given that despite my 20 odd years of experience with the OS I have never seen kernel32.dll getting “damaged” all by itself.

    Besides, kernel32.dll (if that’s what you mean by “kernel.dll”) is a library for the Windows API. It’s not the kernel itself by any stretch of the definition.

  98. Mr Hill says:

    Quote from Dr Loser – No, but if it helps I did live in San Bruno during the dot-com boom. I even worked at a start-up in Concord (a bit of a long drive, unfortunately).

    It is not 1999 now, it is 2012. Goodness sake. You must be play GTA3.

    And by the way, if you knew about kernels, you know that Windows kernels are very vulnerable as it is a simple DLL file which is located within the OS, which makes it easy for simple attacks on a system. If someone hacks into the Windows folder, you are buggered as you do not need permissions. With a *nix kernel, you would know it is underlying software, which the OS works on top of, it is not a library; unless you had the superuser’s credentials you cannot compromise anything, and even if you did with your own hands there are other kernel versions you can fallback with a previous version; or compile a newer version from source. You cannot hack like you can with a Windows OS, if you have your kernel.dll damaged (which does happen often); then you are finished. Thats why people are opting more towards *nix and MAC OS, especially with the new phone and tablet market.

  99. Dr Loser says:

    @oiaohm:

    “Dr Loser funny /proc/pid/mem alteration is not a completely stupid idea.”

    As they say in the literary business: Show, do not tell.

    I maintain that it is. You have nothing.

    “Effects where not considered well enough.”

    Meaningless.

    “Reason for it being made write able was to enable more applications to be debug-able without requiring root or a debugging kernel.”

    A very, very bad idea. Show me another OS that does this, or alternatively one where you have difficulty debugging an application. And even if it were a good idea, it would still be a massive security risk, which means that it is a very, very bad idea.

    “Also it was believed at the time selinux and other equal protection methods would be used to limit access.”

    OK, I’ll buy that.

    Under such a scenario there would doubtless be no problem whatsoever.

    Now then. What do you do when that scenario fails to come to pass?

    A very, very, bad idea.

    But fairly par for the course in Linux terms, even when it comes to the kernel.

  100. Dr Loser says:

    @Oldman:

    I would hope that it has AD rather than ADS (or ADHD, as I believe it is now labelled).

    But it’s more a hope than an expectation. We can but pray, eh?

  101. Dr Loser says:

    And I would be remiss if I did not point out that, driving as I did between San Bruno and my girlfriend’s pad in Sunnyvale via Menlo Park, I somehow entirely missed out the bit of I285 that passes through Alto Palo.

    Are you sure you’re not related to oiaohm?

  102. Dr Loser says:

    @Mr Hill:

    “BTW I guess you are not exactly from Cupertino, Alto Palo, or any part of Silicon Valley. I bet your address isn’t even 1 Microsoft Way in lovely Richmond. Keep on trying, you might replace Mr Ballmer one day.”

    No, but if it helps I did live in San Bruno during the dot-com boom. I even worked at a start-up in Concord (a bit of a long drive, unfortunately).

    I’m not sure whether this supports your argument or otherwise, because you are at your most ravingly incoherent here.

    But feel free to use that fact, either way.

  103. Dr Loser says:

    @Robert:

    “Dr Loser wrote, ‘this is the kernel’.

    Yes, it is a package under rapid development.”

    No, Robert, it is not. It is not a package. It is the kernel. It is the underlying OS.

    I don’t care how frigging rapid your kernel development is (although I’d love to hear an argument for that): it is the kernel. The kernel. The kernel.

    I’m not sure how to make this more plain. You do not dick around with security in the kernel. Specifically, you do not expose something that should be strictly in kernel space under something daft like /proc/id/mem. Further, should you do so, you do not remove an #ifdef that controls open/close/read/write to /proc/id/mem, just because you can.

    Further, this problem has apparently been around since 2005. Occasionally it gets patched and occasionally, one would presume from the evidence, it gets unpatched.

    Further, the sole reason that Red Hat and Debian are not affected is because they are not one of the many downstream distros that intentionally turn off ASLR.

    Further, according to the comments on that link, even this doesn’t necessarily help.

    Look, fess up. It’s a mistake. You claimed that FOSS learns from its mistakes. I claimed that it does not, and that every “mistake” is twisted into a non-mistake (in your case, the totally unsubstantiated claim that Windows is far more insecure).

    It’s a mistake. Live by your own credo, man, and learn from it.

  104. oldman says:

    “Don’t worry the samba developers are in the last stages of prep to release Samba 4. This has ADS and SMB2.”

    Last stage. The samba site says nothing beyond that fact that its not ready for production. a Google suggest The earliest this is showing up is the end of this year…Maybe.

    Last stages seems a bit optimistic , dont you think?

  105. Mr Hill says:

    Oh my goodness first Phenom uses a poor comparision with politics; sometimes people use tired Fox news rhetoric that they don’t understand. Being practical means you are a leftist. I was wrong, you are not stuck in the 1990’s like the rest of the MS boosters, you are stuck in the 1950’s. Hahaha! Red Army on the march, dive in your nuclear bunker. Absolute rubbish, I will call you Mr McCarthy now. I use what I feel is best and there are times when FOSS is good enough for the task.

    For councils, all they need is to process letters, handle emails, and the general office tasks. Why pay over 1200 pounds per PC to do these simple tasks with MS Office, Outlook and Windows. Covering thousands of PC’s per authority; you are talking hundreds of millions of euros a year for doing simple letters. Imagine each letter processed with MS Office within Windows would cost. But if you did this inside Linux, Thunderbird (with Lightning) and LibreOffice (which does the same thing without vendor lock-in), it costs nothing. As the Americans say “Do the MATH!”. Its the extortionate fees payed by local authorities that have cost millions of jobs in municipal, provincial and county authorities around the world. Keeping up paying for something the authorities do not even own every year. It is a tax, which has left most to re-evaluate what other options to save money in tough economic times. That is now becoming FOSS software. The cut backs in local authorities can partially be blamed by proprietary software as the authority leaders did not understand what he was going into. Now the dawn has been realised and they realise now that they are stuck with proprietary solutions (file formats, DB’s, etc) which is a jail for authorities and companies who keep on paying the over the top prices. In a new world of new solutions, only open standards make sense; but MS doesn’t allow that. That’s why MS did it and sold organisations down the primrose path.

    I commend Extremadura local authorities to making this bold step. It will be only a matter of time before MS tries to bribe their officials like they always do.

    Quote from DR Loser – Extremadura is hardly one of the most technically advanced provinces amongst Las Espanas.
    BTW I guess you are not exactly from Cupertino, Alto Palo, or any part of Silicon Valley. I bet your address isn’t even 1 Microsoft Way in lovely Richmond. Keep on trying, you might replace Mr Ballmer one day.

  106. oiaohm says:

    Dr Loser funny /proc/pid/mem alteration is not a completely stupid idea. Effects where not considered well enough. Reason for it being made write able was to enable more applications to be debug-able without requiring root or a debugging kernel. Also it was believed at the time selinux and other equal protection methods would be used to limit access.

    Yes the demo attack against /proc/pid/mem does not work against my computer unless you happen to be a privileged app. Yes a debugging mode kernel /proc/pid/mem was always writable. So just because the bug exists its not exploitable on all systems out there. Again this is why distributions should take there LSM parts seriously.

    Dr Loser put up time show me a bugzilla chocked full of won’t fix. I have never found one. All protects have a percentage of won’t fix but its not that large. Even works as designed is not that large.

    Basically I believe you are trolling have done no research on anything about FOSS Dr Loser. Please don’t try to tell us who have lies. You will only get ripped appart.

    “Never mind that Apple managed to get the thing right, more or less from scratch, in two years or less.”
    This is wrong please check out the apple bug reports over there SMB stack. There SMB2 support has been dicy. Samba delayed because it would not pass test cases. Apple just shipped anyhow.

    Don’t worry the samba developers are in the last stages of prep to release Samba 4. This has ADS and SMB2. This includes migration scripts from Samba 3 to Samba 4. Question is apple going to implement there own ADS server as well.

  107. Dr Loser says:

    , just to clean up again. Damn this keyboard.

  108. Dr Loser wrote, “this is the kernel”.

    Yes, it is a package under rapid development. That’s why RedHat and Debian did not ship it. It did make it into Wheezy/testing, but not onto my system. I doubt this bug made it onto any consumer goods. Look at how many thousands of builds M$ does and it ships far more critical vulnerabilities polluting IT with malware.

  109. Dr Loser says:

    Speaking of “learning from your mistakes,” how about this?

    “In 2.6.39, the protections against unauthorized access to /proc/pid/mem were deemed sufficient, and so the prior #ifdef that prevented write support for writing to arbitrary process memory was removed. Anyone with the correct permissions could write to process memory. It turns out, of course, that the permissions checking was done poorly.”

    My emphasis.

    It’s hard to describe how much disgust I feel at this shallow and incompetent behaviour. You don’t just run around removing #ifdefs and re-activating dangerous code simply because you think it might be a fun thing to do.

    I regard /proc/pid/mem as a security bomb waiting to happen in any case — it’s a bloody stupid bit of design — but at least the fools in charge could be a little more careful about it.

    And yes, it’s been patched (hopefully, reverted), so you are welcome to claim that the kernel guys have “learned from their mistakes.” On a line-by-line basis, possibly; I refuse to believe they have drawn any more general conclusions.

    And this is the kernel. The kernel has all sorts of people looking at it, all the time. The kernel should be the cynosure of all security eyes if your argument is correct.

    What about all the other dreck out there?

  110. Dr Loser says:

    Quoting the CIO of Extremadura is really scraping the bottom of the barrel, isn’t it? Extremadura is hardly one of the most technically advanced provinces amongst Las Espanas.

    “And of course, it needs to be free. Because our budget for this plan is of zero euros.”

    Therein lies the sole “justification” for this nonsense; it would be nice if he just left it at that. All the rest is irrelevant puffery, unless somehow you can provide an alternative that “costs” zero euros.

    As usual, of course, the real cost will be shifted from budget to budget behind the scenes, leaving nobody any the wiser. In much the same way that anybody forced to do administrative work on a Linux desktop is never any the wiser, either.

  111. Dr Loser says:

    @Robert:

    Not sure what “revealing the source code” has to do with learning from mistakes. You could (and do) argue that it provides the best platform for correcting those mistakes — many of us would disagree on this point, but it’s fair enough — but it’s hard to explain how this assists with the actual learning process.

    There isn’t really a “learning from mistakes” culture in Linux, because everybody concerned is permanently on paranoia standby. It’s difficult, if not impossible, even to admit to a mistake. Linux must be presented as “perfect” to the rest of the world; thus, the various Bugzillas are chock-full of “won’t fix” and “works as designed.”

    And failing that, as with the SAMBA fiasco, it must be somebody else’s fault. Never mind that Apple managed to get the thing right, more or less from scratch, in two years or less. The Blame Game is much more fun than knuckling down and actually fixing things.

    I imagine this is handled better by the Linux arms of IBM and Google and Red Hat and so on, because they are professionals, and the incentive here is that you get fired or marginalized if you keep making mistakes … but then, that’s precisely the same incentive that applies in “proprietary” companies.

  112. Phenom, being a pompous ass, wrote, “A peculiar characteristic of FOSS proponents and leftists in general is that they never learn from theirs and others mistakes.”

    As if Hitler and George Bush learned anything from their mistakes.

    FLOSS is all about learning from mistakes and doing things right. FLOSSists are not shy to reveal the source code.

  113. Phenom says:

    Hm, the project manager of Munich said the same thing back when they started. Reality, however, demonstrated he was not quite right.

    A peculiar characteristic of FOSS proponents and leftists in general is that they never learn from theirs and others mistakes.

Leave a Reply