Endless Sorrows

It never ends. M$’s next Patch Tuesday will document multiple “critical vulnerabilities”, some being exploited today, but M$’s users have to wait.

When will the world be freed from the zombie OS from M$? I switched to GNU/Linux years ago and missed waves of malware ever since. I recommend Debian GNU/Linux because it works for me and not those malware-writing “partners” of M$.

The recipe for making secure software is not complicated. Use a crisp modular design with each piece doing a well-defined job well and it will happen. M$ is going around trying to fix mistakes it made decades ago when it decided that it was more important to mess with competition than to produce a good product.

Bill Gates (1996): “2. GOALS AND STRATEGY
We have won platforms battles before. To make history happen again, we must make the industry embrace Internet Explorer and ActiveX:
• establish a significant installed base of users (browser share is starting point),
• sell the benefits of our platforms to the content developers,
• convince the influential webmasters to switch to our standards and promote them, reach the producers,
• help the traditional developers (ISVs and corporate developers) write to the ActiveX platform, so they develop the rich base of Web applications and controls that establishes the value of the platform,
• “activate” our partners to create a supportive environment of partners – able to sell, integrate and support our solutions and 3rd party ActiveX technology.”

The strategy was all about messing with the competition. No weight was given to securing the mess that resulted. Indeed it is doubtful that a mess that complex could possibly be secured.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

34 Responses to Endless Sorrows

  1. oldman says:

    “The land mine is there. It’s just a question of when, as a tech or a long term computer user, you step on it.”

    You are just as likely to see a kernel panic because a storage component went belly up.

    At any rate, by 2014 I will have gotten what I deem my money’s worth from the system. At that point it will simply be retired.

  2. oiaohm says:

    oldman, not really. It’s like some Second World War bombs turning up today. They do explode at some point.

    The land mine is there. It’s just a question of when, as a tech or a long term computer user, you step on it.

    Of course you do know that 2014 is officially end-of-life for XP. You will one day. I am not kidding. I am not saying that the reinstall will even work.

  3. oldman says:

    “You will one day. ”

    Why? The Dell system that my wife uses is running on a copy of Windows XP installed in 2004. It’s been updated all along and still works quite well.

    You make too many assumptions sir.

  4. oiaohm says:

    Viktor “Ahem, that’s not necessary for most cases, as almost all 32 bit software runs perfectly fine on a 64 bit Windows.”

    32 bit software can also be used on 64 bit Linux.

    There is a reason Linux wants out of current generation 32 bit binaries. It’s because in the year 2028 the UNIX style 32 bit time value will bust. Yes, your Windows 32 bit applications can be using this.

    Yes, there is a time bomb and it’s ticking.

    The Linux world is introducing a new 32 bit form, x32api. This is 32 bit code that runs in pure 64 bit mode with 64 bit time.

    “I’m aware that there’s but one way of installing software on Windows (except for so-called “portable” applications): double-click an .exe file.”

    Sorry, not in a business network; with slipstreamed disks you have a thing called a silent install. This is what rpm and deb and MSI files (if made right) can provide. .run files are the Linux equivalent of .exe installers.

    Viktor, you only want to consider the home market, not business market usage, because you are skipping the existence of silent installers.

    Viktor
    “Could you by any chance be talking about spyware or malware in installers?”
    In fact, clean installers. Most programs don’t uninstall properly under Windows even if they don’t include malware or spyware.
    “Well, I recommend common sense. There are about enough reputable download portals out there, where you don’t need to have trust issues.”
    LOL, this makes no difference to the final outcome of a ruined system. The issue is the quality of the uninstallers and the installers themselves.

    Viktor
    “I can’t remember the last time an uninstaller didn’t work properly.”
    Define “did not work properly”. If you mean the uninstaller runs and tells you it uninstalled everything, so it worked, you are a twit. The problem is programs under Windows leave behind random trash like custom DLLs they added and forgot to remove, and so on. These lead to long term bad effects on the system. Over time this crap ruins your system.

    “I’ve never — yes, never! — had to re-install Windows.”

    You will one day. Some games leave behind their DRM that conflicts with another game’s DRM; the result is the computer does not boot any more due to the registry files being damaged because the DRM software blocked disc access. This is not malware or spyware. This is just one of the land mines.

    Yes, nightmares that exist on the portals for applications for Windows.

    There is a point where something is too far damaged and is simpler and more cost effective to replace than repair.

    Viktor, you have most likely not worked in IT support of general consumers to wake up to the fact that the idea that there is a trustable site for downloadable applications is not true for Windows. Even open source applications can have suspect uninstallers that ruin key sections.

    Sorry Viktor, all you have proven to me is that you lack field experience. There are combinations of applications that render the registry of Windows destroyed, including its backup files. This can happen after uninstall of programs.

    So the question is how long until you manage to put a fully destructive combination on your machine, Viktor. If you are getting and trying new applications all the time it’s only a matter of time before you do it to yourself.

    In that case reinstall or restore from backup is required. But most people don’t have backups, so it’s reinstall.

    Viktor, you have a limited understanding of what destroys Windows. People normally think some of these combination destructions of Windows are malware, spyware or virus infection caused destruction.

    The advantage of being a person called in to find where repeated virus infections of an unknown virus are coming from that is disabling systems: with this you do start by building a system up from all clean and running it through uninstall and reinstall of applications, looking for a combination destruction of Windows. More often than not it is a combination of installers and uninstallers fighting with each other disabling Windows.

    Linux is far clearer of these combination failures; Linux does not suffer from them.

  5. Viktor says:

    “You are aware there are 22+ different installer systems on Windows.”

    I’m aware that there’s but one way of installing software on Windows (except for so-called “portable” applications): double-click an .exe file. The underlying installer is meaningless. Hell, on Windows 7, even installers from the Windows 95 era still work flawlessly.

    “Also Windows in that never got 64 bit versions of the applications.”

    Ahem, that’s not necessary for most cases, as almost all 32 bit software runs perfectly fine on a 64 bit Windows. I know, because I’ve been using 64 bit Windows for the longest time now.

    “Then factor in you cannot see the make of the installer on the Windows page at all. You cannot see that it will uninstall properly. deb and rpm will uninstall properly.”

    You never left the stone age, did you? I can’t remember the last time an uninstaller didn’t work properly. Since Windows has long overcome the DLL hell, “uninstalling” an application properly means for most cases: delete its application directory and remove the start menu entries.

    “So a Windows user’s system ends up in one hell of a mess because users cannot see what installers are crap before downloading and installing.”

    Crap? Could you by any chance be talking about spyware or malware in installers? Well, I recommend common sense. There are about enough reputable download portals out there, where you don’t need to have trust issues. If Linux “gurus” can give advice like: “READ THE F**KING MANUAL!”, then it’s hardly too much to ask to employ some thinking before you click some buttons. Hell, my 70 year old father can do it.

    “Yes, all that reinstalling of Windows people do, a lot tracks to users installing applications that are bad, so breaking their computer.”

    Re-installing Windows has become a myth. It has become a myth because there are too many twits like you out there, who don’t have a clue about Windows. Then, when they are in a pinch, they recommend re-installing Windows. I’ve never — yes, never! — had to re-install Windows.

  6. oiaohm says:

    iLia, Inkscape is not as weak as you make out.

    http://en.wikipedia.org/wiki/List_of_vector_graphics_editors

    Out of vector graphics applications only 1 exceeds the size image that Inkscape can handle. OmniGraffle just to be a pain OmniGraffle is only for OS X so windows users and linux users can use it.

    Inkscape exceeds all commercial vector programs on windows in particular areas. The colour management lacking in Inkscape is fixed up by Scribus. Work is under way to fix this.

    Funny, far behind competitors, not so. Competitors are trying to catch Inkscape in places and Inkscape is trying to catch the competitors in others. So it’s a close race.

    So on Windows Inkscape is leading the pack in particular areas.

    iLia, basically you are being an idiot. Quoting Inkscape as losing to the commercials shows you never did your homework and compared features.

    iLia
    “FOSS cathedral model is more successful”
    This is no question wrong. Lack of homework here. OpenOffice is a classic example of the failure of the FOSS cathedral model, because that is exactly how SUN managed OpenOffice, leading to its slow and poor development speed. LibreOffice has done the equal of 6 years of work on OpenOffice in 1 year due to better management that is less central. The management must not hold the control too tight.

    You talk about OpenOffice; I would say you have not watched the change when LibreOffice started.

    OpenOffice on Apache is basically falling into a heap. Cathedral applying force to FOSS developers ends up with the developers leaving your project, forking it and moving on. Anyone who says the FOSS cathedral model is a twit.

    Linus looks to be at the top of a cathedral when you look at the Linux kernel. People forget that after a release by Linus, for the 3.x.y, for the y number patches, the kernel is handed off to another maintainer. They are reviewing Linus’s work. After so much time that maintainer will hand off to another one.

    The Linux kernel is a reviewer model. Everyone will have their work reviewed by someone. This forms a tree like structure. There are side trees where stuff that is prototype goes, that Linus never sees. To have code accepted into those trees follows the same pattern.

    So you could say the Linux kernel is multi-Cathedral. It’s not a bazaar in the full sense and it’s not a Cathedral. The Linux kernel is a form of hybrid that commonly gets called the FOSS development method because we have no other name for it.

    The person in the Cathedral like location in a FOSS development could be replaced by a fork. There will be more than one Cathedral like location inside a FOSS project, but these locations are only held as long as they have the support of the developers around them. Like a lot of projects, the maintainer for the development branch and the stable branch are two different people. Some even have custom branches for particular user groups.

    Cathedral suggests one almighty power at the top in control of everything. This is not true for FOSS. Most projects, when you get to the top, is not one almighty power.

    Best I could say is you have Cathedral, Bazaar and Democracy. FOSS is more democracy with a very strange voting system. Like if you look at a democracy a lot of structures look like a monarchy but there are more of them.

    Bazaar was picking something real world to describe how FOSS works.

    Oldman, that book you like to point to, “The Mythical Man Month”: a lot of people have studied that book trying to work out how the Linux kernel avoids running into the issues it describes.

    Because the Linux kernel defeats this: “Brooks’s Law: Adding manpower to a late software project makes it later.” As more manpower is added to the Linux system there is no extra delay appearing.

    So the book is based on something that is a broken fact.

    The trick to beating Brooks’s Law is dead simple.

    “Group Intercommunication Formula: n(n − 1) / 2”
    This is it. As more developers are added to the Linux kernel more sub-groups are formed. So the intercommunication problem does not grow.

    The second-system effect does not affect the Linux kernel and most open source projects.

    “The tendency towards irreducible number of errors.” The BKL is a classic example of this in the Linux kernel. Linux kernel developers accept that to fix some issues you have to introduce more that are simpler to solve.

    So again this is an issue of having an internal ABI that cannot be changed.

    “Progress tracking”
    Forget it. Look at the Linux kernel model. Each group has their own working tree. When something is ready it’s integrated into mainline. Progress tracking done wrong has the habit of pushing something mainline before it’s properly tested.

    “Conceptual integrity” This is Linus and the subsystem maintainers. Where the book you pulled fails is that it does not consider a tree of people forming the conceptual integrity check, each skilled in that area of code to understand if the alteration is sane or not. Also this prevents central point overload that causes projects to fall behind time. In no large project like the Linux kernel can a single human understand everything.

    “The manual” pushed on the chief architect as his job just risks overloading that person, so putting you behind.

    “The pilot system” Yes, this is mandatory to good results; the best form is a buildbot system that builds your program every alteration and runs the test-suite so you know of errors early. Again this is a FOSS world first solution.

    “Formal documents” not so much. For a security flaw, by the time you write up a formal document it would have been simpler to fix the fault. Formal documents have to be balanced against the problem at hand.

    “Project estimation” these are done in FOSS.

    “Communication” Instructions are wrong. “all the teams working on a project should remain in contact with each other in as many ways as possible”

    All teams working on the project should not remain in contact with each other. Doing so will create overload, so ruin progress. You need something like an organisational chart; businesses got this right a long time ago. Tree structure of communication, with areas that are not dependent on each other not talking to each other.

    The surgical team is right and wrong; you see Linux developers do a variation of this.

    “Code freeze and system versioning” This is correct.

    “Specialized tools” This is wrong again. “team should have a designated tool-maker”. Why is this wrong? If your tool-maker person does not understand the problem correctly they will make a bad tool; this can again lead to cost overruns.

    So yes, specialized tools should be shared between all developers and duplication of tools should not happen or be tolerated where there is not some gain to the project. Having a tool maintainer, like the Linux kernel does, who evaluates submitted tools is the correct answer here.

    It is important that the person in the team who knows the most about the problem that the tool is attempting to solve is the one who writes it.

    The Mythical Man-Month book is buggy.

    Oldman, you learn more by looking into the studies on how the Linux kernel operates than reading that book.
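As an added worked example (not part of the comment above): counting the channels Brooks’s formula gives for a flat team against a tree of fixed-size groups, where each group talks only inside itself and is represented one level up by its maintainer. The figures n = 1000 developers and group size k = 10 are assumed here for illustration.

$$
C_{\text{flat}} = \frac{n(n-1)}{2} = \frac{1000 \cdot 999}{2} = 499\,500
$$

Tree of groups of k, each group having $\frac{k(k-1)}{2} = 45$ channels:

$$
\begin{aligned}
\text{level 1: } & \frac{n}{k} = 100 \text{ groups} & \Rightarrow\ 100 \cdot 45 &= 4\,500 \\
\text{level 2: } & 100 \text{ maintainers in } 10 \text{ groups} & \Rightarrow\ 10 \cdot 45 &= 450 \\
\text{level 3: } & 10 \text{ maintainers in } 1 \text{ group} & \Rightarrow\ 1 \cdot 45 &= 45 \\
C_{\text{tree}} &= 4\,500 + 450 + 45 = 4\,995
\end{aligned}
$$

In general the levels hold $n, n/k, n/k^2, \dots$ people, and a level of $m$ people in groups of $k$ contributes $m \cdot \frac{k-1}{2}$ channels, so

$$
C_{\text{tree}} < \frac{k-1}{2} \cdot \frac{n k}{k-1} = \frac{k}{2}\, n = 5\,000,
$$

which grows linearly in n while the flat count grows quadratically; that is the sense in which adding developers to a subsystem tree does not make the intercommunication problem grow the way the flat formula predicts.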

  7. kozmcrae says:

    “Sure it does, you just dont accept delivery on it Mr. K.”

    No it doesn’t @ldman. I’m supposed to take something from that statement but I’m not going to make something up on your behalf. Go ahead. Say what it means. I know you won’t because it doesn’t mean anything. No technical meaning, no content meaning, no meaning at all.

  8. oiaohm says:

    iLia, different projects have different management.

    OpenOffice and LibreOffice don’t really compare that much.

    LibreOffice in 12 months has done as many alterations as OpenOffice took 6+ years to do. So why has OpenOffice been well behind MS Office? Poor management structures and licensing setup, so many people could not submit code because they had to go to their legal department and ask if they can sign copyright over to SUN/Oracle, who were running OpenOffice, to be able to submit. Of course most legal departments would say a flat no; if you do that you are fired. Yes, it’s simpler to ask to submit code if you don’t have to sign copyright over.

    Gimp you hold up, but really it’s never got into commercial usage so is not supported by majors that much. ImageMagick and GraphicsMagick are commercially used so have a far more alive community.

    Gimp was started as a replacement for MS Paint. So Gimp has well evolved out of what it was intended to do. That you are comparing it to Photoshop more shows, oh boy. A lot of the current work on Gimp is to redesign the internals from something that is designed to take on MS Paint to something that can take on Photoshop.

    So where would you place MS Paint in comparison to Photoshop? Yes, it’s really sad what MS still serves up there.

    Inkscape, when it comes to this, it’s the introduction open source program. The second top tool in that field is a program called Sk1. It is also open source and does not run on Windows. Most of the open source introduction tools have been ported to Windows. A lot of the high end good stuff is Linux and Unix only.

    Also when you get into processing like the huge image scans of bodies or satellite images a different open source program turns up: http://www.vips.ecs.soton.ac.uk/

    When it comes to graphics Linux has been a mixed bag.

    “MS Visual Studio” does suck when you have to build cross platform. QT’s own IDE is not bad.

    iLia
    “Linux kernel is developed mostly by paid professionals, and I think there is a lot of coordination.”
    All well-developing open source projects are like this. MySQL forks are run by independent groups that are made up of companies in coordination with each other. Food is not free. So if the software is not making someone a profit somewhere that they can afford to pay coders, it develops slowly.

    Most fast and good quality FOSS is developed by paid professionals. A lot of those paid professionals are the same people who write closed source applications.

    “Java was developed by Sun, and not by bazaar”

    Newer Java is developed in OpenJDK, which is a bazaar model. Java was started at Sun and has evolved into a bazaar project with companies like IBM and Red Hat having direct say on what gets included in the next Java.

  9. oiaohm says:

    iLia
    “So not all linuxes are secure? It looks very familiar to me, when something is wrong with a linux distribution there are always at least one other linux distribution which can be recommended. There should be a trademark for it.”
    Red Hat’s recommendation for security has not changed in 10+ years. The secure distributions: you pick up the DoD rainbow books, start reading and start checking and you find they are fine. Items like Ubuntu: you pick up the DoD rainbow books and it’s like, what in hell, it does not get past the chapter before hitting a fault. The DoD rainbow books tell you what you should not disable. This is not a case of recommending another distribution. It’s accepting the fact some are crap. Scientific Linux, its complete life (it’s younger than 10 years), has passed the rainbow books checklist the complete time.

    Distributions following secure design normally remain so. The only exception to this has been Debian being up and down on SELinux support.

    This is why you are shot, iLia: there are quality Linux distributions and there are crap distributions. Quality distributions normally do try to follow DoD rainbow book recommendations. Some of the DoD rainbow set are 30 year old books on setting up computer security yet they are current today, since they list what is required, not how it’s implemented.

    Security is not a new idea. How to make a really good and secure OS existed before the first line of code in Windows or Linux was even written. This is why security people get so annoyed with Windows. There is nothing reinventing the wheel about doing good security that is highly resistant to attackers. Ubuntu is one of the really rare distributions who maintain their own Linux security module outside the main kernel, so it is under-reviewed. So it does not get past first base.

    I don’t know why but for some reason security crap items have a habit of being popular. All I can think is users don’t care that they get virus infected, hacked or so on. From a security person: we know they are crap before they become popular, by the way, because we are using the DoD rainbow books based check-lists to rate the software we are using on the odds it will be a major security problem.

    So from my point of view every person buying software they use is giving malware writers a free ride by not insisting on the software they will use being up to 30 year old standards in security design at a minimum. Only when people start voting with their feet over this will we be able to bring the malware problem under control. We are too much “let’s hunt the malware writers down” instead of looking at what the malware writers broke and going, hey Microsoft, hey Ubuntu…. How in hell did you do such a poor job setting up layered security here so you gave an attacker a free ride to take over my complete system? You pricks, fix it or I will not use your product again. This is how everyone needs to be. If they have done everything right by 30 year old standards and the system fails, you chalk this up to the malware writer being skilled and finding a set of weaknesses. Out of the last 10 years of Windows viruses there is not one that either could not have been stopped or would have been mitigated by rainbow books stuff being implemented. So it’s past a joke.

    OS security is not an add-on. The frameworks have to exist in the kernel. Microsoft has approached it as an add-on. Also worse is Microsoft took on the idea that you may only run 1 real-time virus scanner at a time. Rainbow books require you to consider the fact that one of anything might fail.

    SELinux + cgroups are two layers attackers have to get past on good modern day Linux systems. There are also the file-system permissions as well. You can add as many real-time scanners as you have CPU power to handle under Linux as you like to the file-system and memory.

    This is following the rainbow books. Never trust anything to be 100 percent flawless; always provide a layer around it just in case it’s not flawless. This is a basic idea of security. These ideas are the alphabet of making a secure system. So MS is missing letters so cannot make the words required to make a secure system.

  10. There’s nothing in the Free Software manifesto to prevent large businesses being part of the community of FLOSS developers. IBM, RedHat, Oracle, etc. are huge and working on FLOSS. FLOSS works for everyone.

  11. iLia says:

    “So I don’t use Ubuntu; its security is crap.”

    So not all linuxes are secure? It looks very familiar to me, when something is wrong with a linux distribution there are always at least one other linux distribution which can be recommended. There should be a trademark for it.

    “All of FLOSS is populated by projects which release early and often, the exact opposite of the man-month thing, being over budget and over time all the time.”

    And still Gimp and Inkscape are far behind their competitors. Open/LibreOffice can be useful; I used OpenOffice for 2 years, and it wasn’t bad at all, but MS Office is still much superior. And OpenOffice was developed by a German company, and not by a bunch of amateurs.

    Free IDEs? Eclipse is very good, but its development is under the control of very serious companies:

    Actuate
    Bredex GmbH
    CA
    IBM
    Innoopract
    itemis
    Nokia
    Obeo
    Oracle
    SAP
    Sonatype
    Sopera

    The other IDEs are too amateurish. MS Visual Studio is just splendid.

    Java was developed by Sun, and not by bazaar. MySQL also was developed by a private company. Linux kernel is developed mostly by paid professionals, and I think there is a lot of coordination.

    It seems to me that even in the world of FOSS the cathedral model is more successful.

    Maybe Apache Software Foundation is a good exception. But it is an exception, KDE, Gnome, Gimp, Inkscape are not such exceptions.

  12. oldman says:

    “That statement doesn’t mean a thing.”

    Sure it does, you just don’t accept delivery on it Mr. K.

  13. FLOSS does not count man-months. Why should they? Because FLOSS is modular the tiny parts are manageable by smaller groups preventing the friction found in larger organizations. Take Linux for example. While there are literally thousands working on it, the only friction is at the gates where code is merged. That’s very efficient in terms of getting a product to market. Linux releases every few weeks. That’s not a myth. All of FLOSS is populated by projects which release early and often, the exact opposite of the man-month thing, being over budget and over time all the time.

    I once worked on a project that took six man-years to produce. The result did not work well. I rewrote from scratch, tested (took a while because I had to wait for a $10million system to become idle) and installed new code in six weeks using FLOSS. Training time for users fell from six months to one month just because the programme now told them what they needed to take care of next instead of telling them to RTFM. The FLOSS that I used was Niklaus Wirth’s Modula-2 compiler for an LSI-11 microcomputer. I traded him a new box of 8 inch floppies for an old one containing the software. I only had to write ~1000 lines of code to do the job on top of that base. It was a simple, modular, multi-user controller for a nuclear chemistry lab. It ran all the interlocks on the power supplies, doors, cooling systems and safety stops for a cyclotron. More than 100 items were boiled down to a single line on the bottom of each screen.

    Roughly, a week was spent figuring out what the old code did and designing the new code. A couple of weeks were spent writing code, but it took weeks to test things because I needed all kinds of permissions and time on the schedule. On the first try, I found I had every light on the display inverted… Then I discovered a few errors in logic and it was done. I only had to concentrate on tiny parts of the system at once ensuring good code. My chaos was a lot less chaotic than the addition-of-more-paint technique that M$ uses.

  14. kozmcrae says:

    iLia said:

    “1 + 1 = GNU/Linux is not absolutely secure.”

    No one around here says otherwise except for you guys.

    He also said:

    “Oh, by the way, when I was writing this comment for the first time my Ubuntu 11.10 did shut down absolutely by itself. For the second time today.”

    Check your hard drive. Last time my Linux installation crashed it was bad sectors on the hard drive. fsck fixed it. No lost data. I was up and running again in 10 minutes. Try that with Windows.

    @ldman said:

    “A litle chaos is just chaos Pog.”

    That statement doesn’t mean a thing.

  15. If Ingo Molnar thinks Android/Linux is not a distro, he’s wrong.

    “apt-get update;apt-get upgrade” on my Debian GNU/Linux system updates all of my apps as well as the OS. That’s a huge saving in time. Android/Linux, so far, has nothing like that. Individual OEMs can push upgrades but it’s out of control of the end-user and they may or may not update applications.

    Does a smaller distro have advantages for releases? Yes, because there’s just less work to do. Does a smaller distro have advantages for applications? Nope. None that I can see. Having users hunting all over the web for applications is a huge time-waster. That’s why M$ etc. have channels feeding the customers. A distro is a very efficient thing. All of the drudgery gets done by the packagers of the distro, not the end-user if it’s done right. Debian GNU/Linux is done right.

    Ingo Molnar should go to a big box retail store and count the units on display with GNU/Linux. The problem isn’t applications or packaging. It’s the retail lock-in that M$ forced on the world more than a decade ago. The bundling of the OS with the PC should never have been accepted by the courts as business as usual. That excluded choice on a billion PCs for the OS. The explosion of interest in small cheap computers is the market going around the Wintel monopoly, not flight from GNU/Linux. Google could have chosen GNU/Linux just as well and the same thing would have resulted. OEMs blessing GNU/Linux does ship units, as we saw with ASUS and DELL. They still sell millions outside the USA, home of the Devil.

  16. oiaohm says:

    iLia
    “secuirty instead of security 4 times in a row?”
    Firefox spell checker when set to Australian English for some reason is missing that one. So it’s a bugger.
    iLia
    “And how many linux administrators use this “”? It seems to me that not so many. They simply download packages, install them, do some basic configuration and are happy with it.”
    This depends on distribution. On some distributions this is all you need to do to be in conformance with what the security rainbow books require. There are your Red Hats, Scientific Linux, Oracle Unbreakable Linux.

    This is not your Ubuntu. There are different qualities in distributions. Right, how to make you scared. The Ubuntu Linux security module is only built for Ubuntu, is not peer reviewed for quality and it’s not in the upstream kernel. So it’s more a “do you feel lucky, punk” Linux security module. Yes, then it gets worse. Ubuntu’s default security module does not pass the requirements of the DoD rainbow books.

    So I don’t use Ubuntu; its security is crap.

    Now I look at Red Hat: its default security is SELinux with decent default profiles that do pass the DoD rainbow books. So I am off to a good start. As long as I can prevent the admin staff from turning SELinux off it’s starting from a good security location. Only minor work from this is required to maintain good quality. With the planned introduction of systemd into this it will double its security up.

    Yet for some reason people don’t review the security frameworks of distributions when they recommend a distribution.

  17. Phenom says:

    A post to retrieve from spam. Thanks.

  18. Phenom says:

    Ah, let’s quote something from the very source of Linux:
    https://plus.google.com/109922199462633401279/posts/HgdeFDfRzNe#109922199462633401279/posts/HgdeFDfRzNe

    My favorite part:

    Desktop Linux distributions are trying to “own” 20 thousand application packages consisting of over a billion lines of code and have created parallel, mostly closed ecosystems around them. The typical update latency for an app is weeks for security fixes (sometimes months) and months (sometimes years) for major features.

    What did the (mostly closed source) competition do? It went into the exact opposite direction: Apple/iOS and Google/Android consist of around a hundred tightly integrated core packages only, managed as a single well-focused project. Those are developed and QA-ed with 10 times the intensity of the 10,000 packages that Linux distributions control. It is a lot easier to QA 10 million lines of code than to QA 1000 million lines of code.

    Hey, Pogson, weren’t you an avid supporter of packaging systems?

  19. Pointing out that “Linux has security issues too!” doesn’t make Windows any more secure, even by comparison. Windows fanboys should tend their own garden first.

    Linux is far from a “mess”—people use it every day to do useful things; it can be hardened and secured in ways that Windows users can only dream about.

    Microsoft is a marketing company whose main product is software—they stopped being a tech company when Paul Allen was forced out—and users suffer as a result.

  20. oldman says:

    “Read The Cathedral and the Bazaar. A little bit of chaos is very fertile ground for developing software.”

    A little chaos is just chaos, Pog.

    I suggest that a perusal of “The Mythical Man Month”

    (http://en.wikipedia.org/wiki/The_Mythical_Man-Month)

    would be far more useful to you.

  21. oiaohm says:

    Phenom, of course you miss that there is a mil-grade Android.
    http://selinuxproject.org/page/SEAndroid

    You are failing to read. SEAndroid follows the DoD rainbow books. Yes, this is the hardened form of Android. Normal Android does not follow the DoD rainbow books very much at all, so from my point of view it is garbage. I don't class all Linux distributions as equal. I hate people who try to, since they normally overstate or understate the security Linux offers.

    Sorry to say, not one of those reports you pulled, Phenom, works against the hardened form of Android.

    Even CyanogenMod is technically a better grade of security than mainline Android. Of course CyanogenMod has nothing on proper SEAndroid.

    General Google Android I would agree lacks security. The Linux kernel is providing the security; Google decides to ship without the SELinux framework enabled. So this means most Android phones out there are not hardened, so are open to many forms of attack.

    I have never said that every Linux distribution is secure. Android is one of the many examples of poor quality distributions being made. Yet Android has a high quality distribution mirror that runs the same applications in the form of SEAndroid. Yet people don't go into stores asking for SEAndroid. Apparently people don't care about their security.

    Phenom, “read down” the reported bug I was referring to; iLia had only read the first paragraph and it showed.

    The Linux kernel provides all the features you need to make a secure OS. There is an issue with distributions not implementing them.

    Really, this is where people need to stop and wake up. A Linux system should be a highly secure system. In cases where it's not, pressure should be placed on those places to lift their game. Generally claiming Linux is flawed due to rogue groups doing the wrong thing is not productive.

    Viktor is a normal twit. You are aware there are 22+ different installer systems on Windows? So each one of the hubble bubble on the Windows page can be a different installer that requires different options to silently install on many machines, where the rpms and debs will straight up work. Messy? Sorry, Linux is quite tidy; it just looks messier than it really is on the download page because you can clearly see what installer make and type you are downloading, so select the most suitable for you.

    Also Windows in that case never got 64-bit versions of the applications. Linux and OS X did. That alone means you need to double up in a few places. When you add in MSI support for group policy installs, the Linux and Windows pages should look almost equally bad. MSI on Windows is like deb and rpm on Linux (yes, it would be nice if deb and rpm could merge). That is about all the mess there is on Linux: that deb and rpm are not merged.

    Then factor in that you cannot see the make of the installer on the Windows page at all. You cannot see that it will uninstall properly. deb and rpm will uninstall properly.

    Yes, it's simple for Linux people to avoid applications that will not uninstall properly, or treat those with due care; it's not simple for a Windows user. So a Windows user's system ends up in one hell of a mess because users cannot see what installers are crap before downloading and installing.

    Viktor, basically you are a stupid idiot who throws stones without inspecting the house he is throwing stones from, to know it's glass and it's going to shatter into a million pieces if a stone is thrown back. Yes, a lot of that reinstalling of Windows that people do tracks to users installing applications that are bad, so breaking their computer. This is all because Windows is not as clear cut as Linux about it.

  22. iLia says:

    “secuirty” instead of “security” 4 times in a row? Even the Russian “windows idiots” know how to use a spell checker.

    And how many Linux administrators use this “”? It seems to me that not so many. They simply download packages, install them, do some basic configuration and are happy with it.

    Oh, by the way, when I was writing this comment for the first time my Ubuntu 11.10 did shut down absolutely by itself. For the second time today.

    It seems to me that your Linux is no better than my English.

  23. Read The Cathedral and the Bazaar. A little bit of chaos is very fertile ground for developing software. There are millions of people writing FLOSS. There is room for everyone.

  24. Phenom says:

    Android is based on Linux kernel, and it is absolutely secure. Absolutely, really!

    http://leviathansecurity.com/blog/archives/17-Zero-Permission-Android-Applications.html

    http://www.securityweek.com/sms-controlled-malware-hijacking-android-phones

    And these are only the latest of these couple of days.

    Ohio, you're welcome to “read down” (whatever that means; did you mean to read with Down's syndrome?). I don't doubt you will find some totally off-kilter irrational explanation that Pogson will gladly buy just because it is an excuse for his misery of cognitivity.

  25. oiaohm says:

    iLia, you need to read what I said carefully.

    “Really, why many Linux servers are absolutely defenseless is that the rules of making hardened systems have been disobeyed.”

    The start of doing this is getting the DoD rainbow books and following their ways of system building to the letter.

    “this recent vulnerability in Samba allows anyone to execute any arbitrary code”
    Only on systems not built following hardened application building. Following the rules of building hardened applications, the bug does not exist/work. Sorry, not anyone on any system. Only on systems where the applications were not built using the compiler options to harden. Yes, there are a lot of these.

    “GNU/Linux is not absolutely secure” Neither is Windows. GNU/Linux can be made more secure than Windows if the right things are done; that is the simple fact.

    GNU/Linux + DoD rainbow books equals one hell of a headache for attackers.

    Inside a cgroup or SELinux sandbox, reaching out to devices and other things your service does not use is not possible.

    That complete list of 311 faults you searched up, iLia: not one of them, from a properly secure configured Samba set-up, is possible to be used to exploit anything. Simply, they don't work. So 311 privilege escapes that don't work at all in the hardened case of Samba, since not one is on a path that Samba needs to operate. So all are reaching out to perform an operation Samba should not perform, which will trigger items like SELinux to land on top of Samba like a ton of bricks, killing it. Correctly configured SELinux disables the Samba sandbox, so preventing it from being restarted without system administration intervention. At this point the attacker's attack is over.

    This is where the term onion defence comes in. Just because you break one layer, you only break out of where you are contained by using what that layer would require to do. This cuts down your attack options massively. So much so that most onion layer breaches don't give you enough to go any deeper.

    So far you have not shown a 1+1 that should happen here if the Linux system is configured properly. The first fault should not work to start with, and there is no secondary fault either, on a correctly hardened system in recorded history, that can work to go deeper.

    Like CVE-2012-1777 uses the sudo command to gain privilege; Samba has no reason ever to run the sudo command. So this is going outside what the application needs to do, so should be blocked by permissions. Yep, the correct reaction on a hardened system to Samba attempting to run sudo is to shut the service down.

    Same with /proc/pid/mem: Samba again, as part of operations, should not use this. So again it should be blocked by security. Same response: Samba attempts to access /proc/pid/mem, shut the service down. This is where hardened systems turn on attackers. They try to dig deeper by a method that does not work; they have just shut off how they got into the system in the first place and raised the alarm.

    So the only way that the Samba fault should be able to get anywhere on a properly configured system is if someone built Samba wrong and if some never before seen exploit to raise privilege is found in the parts of the Linux kernel Samba uses. So with properly contained Samba you are getting nowhere.

    GNU/Linux is only as secure as the quality of work in the distribution and the quality of work of the administrators. If either of those sucks, so does your security.

    Yes, it's fine to say Linux administrators and Linux distributions should be doing a better job. GNU/Linux at base is providing what is required to defend itself quite effectively without anti-virus software.

    This is why, iLia, you are a windows idiot talking about Linux security. It's not 1+1 equals exploited.

    It's 1+1+1 equals exploited at minimum on a hardened system.

    1 to get into the system, 1 a flaw in the LSM configuration and 1 a privilege exploit that works.

    So unless you can get 3 you are going nowhere on a hardened Linux system. Windows, it's only 1+1.

  26. iLia says:

    Does Samba have to be root?

    No, Samba doesn't have to be root; there are a lot of other vulnerabilities in Linux and Linux software which can be used by non-root users to gain superuser privileges, and this recent vulnerability in Samba allows anyone to execute any arbitrary code, including different exploits which can give root privileges to the attacker.

    1 + 1 = GNU/Linux is not absolutely secure.

  27. Viktor says:

    Of course we are humans; we have trouble following the light.

    That’s your excuse for everything. What next? Let me guess: you will quote Immanuel Kant.

    It’s also funny how you describe Linux as “the light”. Really, I’ve always wondered why so many Linux users despise theism and call themselves atheists, when their own little cult is basically a quasi-religion in itself. There’s just this little problem: just as you can’t ultimately know with 100% certainty that there is no god (once you’re dead, you can’t tell anyone about it), you can’t know that Linux mass-adoption will turn everything to the better. That’s your belief!

    New technology which is seen as useful in the industry is usually adopted very quickly. In certain areas that's even true for Linux. But it hasn't set the desktop on fire (not even a little flame) in over 20 years! Linux on the desktop is nothing more than a mere afterglow.

    Windows 8, IMO, sucks. But even this won’t be enough to give rise to Linux. Microsoft screwing up with Vista didn’t exactly work wonders for Linux adoption, or did it?

    As for the mess, let's look at one of your popularity contests, the Humble Indie Bundle. More precisely, its download page:

    Windows:
    http://imgur.com/Gk8SQ

    Linux:
    http://imgur.com/tMT0M

    The problem is obvious.

    And let’s not forget Oxford. Oxford says:

    mess

    1. a dirty, untidy, or disordered condition

    13. a person whose life or affairs are in a state of confusion, especially a person with a confused or disorganized moral or psychological outlook.

    How fitting for both Linux and its supporters.

  28. oiaohm says:

    iLia is a classic example of a Windows person reading a Linux bug.

    “remote code execution as the “root” user from an anonymous connection.”

    Let's break this down. Does Samba have to be root? Samba has to think it's root, but security like LSM and cgroups in Linux is free to lie to programs about this status. You think you have root because the OS told you that you have, but in reality you're restricted. So just because you are running Samba does not mean it has root. This is why “root” is this way. It's root if your system is configured that way, so it's not an every-system fact.

    With all Linux flaws you need to read down.
    “The flaw caused checks on the variable containing the length of an allocated array to be done independently from the checks on the variable used to allocate the memory for that array.”

    This is data memory. The fault is compiler fixable, in fact. Take a version of Samba built with executable code limitations and the flaw doesn't work. So out of the box not every distribution is affected. On the hardened class of distributions, out of the box, that flaw does not work. Also this one can be mitigated by SELinux means to force data memory to be non-executable as well.

    “And it means that many, many Linux servers are absolutely defenseless.”

    Really, why many Linux servers are absolutely defenseless is that the rules of making hardened systems have been disobeyed.

    Where is all this extra coming from? The requirements to meet the DoD rainbow books that Windows fails to do.

    That search you did, iLia: most of those CVEs never worked with any production-made Linux distributions.

    Why publish faults that don't work? It's called wasting attackers' time.

    A Linux developer finds a buffer overflow that can cause arbitrary code to run; even if the program's compiler build options, that the program will not build without, will prevent it from working, they will take out a CVE. So the CVE list is packed full of flaws that never worked.

    Yes, Linux stuffs its CVE numbers intentionally. Makes attackers' lives harder.

    Viktor, sorry, Linux is not an unholy mess. To be correct, it's a holy, well made, secure OS core. Of course we are humans; we have trouble following the light.

  29. Viktor says:

    When will the world be freed from the zombie OS from M$?

    Oh, it’s dead simple. Offer something better than Windows.

    That by default excludes the unholy mess known as Linux.

  30. kozmcrae says:

    “Perhaps if the competition ignores doing all that, smugly thinking that a low price alone will suffice for poor service, that is indeed “messing” with the competition, but I think that such competition needs to be messed with.”

    You’re all over that smugly thinking business Clarence. You may want to tone it down a bit.

  31. iLia says:

    I tried to search CVE with the keyword “linux” and got the following search result:

    There are 1846 CVE entries or candidates that match your search.

    It seems to me that Linux and other OSS are not at all immune from vulnerabilities.

  32. Clarence Moon says:

    The strategy was all about messing with the competition.

    So you believe that “sell the benefits”, “convince the influential webmasters”, “help the traditional developers”, and “create a supportive environment of partners” is a bad thing?

    Perhaps if the competition ignores doing all that, smugly thinking that a low price alone will suffice for poor service, that is indeed “messing” with the competition, but I think that such competition needs to be messed with.

  33. This is an example of a service in GNU/Linux attempting to copy the bloated foolishness of that other OS. If Samba were just sharing files or printing, the bloat would be a lot less but M$ drags in inActive Directory, the dog, the cat and the kitchen sink.

    “The flaw caused checks on the variable containing the length of an allocated array to be done independently from the checks on the variable used to allocate the memory for that array. As both these variables are controlled by the connecting client it makes it possible for a specially crafted RPC call to cause the server to execute arbitrary code.”

    Without looking at the code, this does seem to be a blunder-type error, but that other OS relies too heavily on RPC so it’s just another example of errors hiding in bloat. That other OS has had a bunch of critical vulnerabilities in SMB/CIFS and Samba works from M$’s documentation. I count 176 CVEs with SMB links and 63 have that other OS in the brief description. “Samba” is in 7 of the brief descriptions. SMB/CIFS is a poor protocol made worse by M$’s embrace-extend-lockin policies.

    I don’t use Samba anywhere in my system for good reason. I use SSH, SSHfs and CUPS.

    The Debian Team is working on it:
    “Wed, 11 Apr 2012 07:18:52 +0200

    Jelmer Vernooij was working on it during last weeks and packages
    should hit unstable and stable-security very soon.

    Jelmer, do you confirm?

    I’ll also work on fixing 3.6 backports in squeeze-backports.”
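    The quoted advisory describes a length check and an allocation driven by two separately validated, client-controlled fields (the same flaw comment 28 above calls compiler-fixable). Below is an added example, not Samba's code or the page's, using a constructed, hypothetical RPC-style message format to show that bug class beside a decoder that checks the two fields against each other before sizing anything.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_ELEMS 64 /* protocol limit (constructed value) */
/* Constructed, hypothetical RPC-style message; both counts are client-controlled. */
struct msg {
    uint32_t alloc_count;  /* field used to size the allocation */
    uint32_t elem_count;   /* field used to bound the copy loop */
    const uint32_t *elems;
};

/* Flawed pattern: the bound check inspects elem_count, the allocation is sized
 * from alloc_count, and nothing ties them together: alloc_count < elem_count
 * writes past the end of the heap buffer. */
int decode_flawed(const struct msg *m, uint32_t **out)
{
    if (m->elem_count > MAX_ELEMS)                       /* checks field A */
        return -1;
    uint32_t *buf = calloc(m->alloc_count, sizeof *buf); /* sized by field B */
    if (buf == NULL)
        return -1;
    for (uint32_t i = 0; i < m->elem_count; i++)         /* bounded by A */
        buf[i] = m->elems[i];
    *out = buf;
    return 0;
}

/* Hardened pattern: validate both fields, enforce the relationship the format
 * requires (elem_count <= alloc_count), and size everything from checked values. */
int decode_hardened(const struct msg *m, uint32_t **out)
{
    if (m->alloc_count > MAX_ELEMS || m->elem_count > m->alloc_count)
        return -1;
    uint32_t *buf = calloc(m->alloc_count, sizeof *buf);
    if (buf == NULL)
        return -1;
    memcpy(buf, m->elems, (size_t)m->elem_count * sizeof *buf);
    *out = buf;
    return 0;
}

static const uint32_t sample_elems[4] = {10, 20, 30, 40}; /* constructed */
/* Consistent message (4 allocated, 4 sent): both decoders accept it. */
int check_consistent_accepted(void)
{
    struct msg m = {4, 4, sample_elems};
    uint32_t *a = NULL, *b = NULL;
    int ok = decode_flawed(&m, &a) == 0 && decode_hardened(&m, &b) == 0 &&
             a[3] == 40 && b[3] == 40;
    free(a); free(b);
    return ok;
}
/* Mismatched message (1 allocated, 4 sent): the hardened decoder rejects it. The
 * flawed decoder is deliberately not run on it; it would write past the buffer. */
int check_mismatch_rejected(void)
{
    struct msg m = {1, 4, sample_elems};
    uint32_t *b = NULL;
    return decode_hardened(&m, &b) == -1 && b == NULL;
}
```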

  34. iLia says:

    And what about this vulnerability in Samba?

    Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the “root” user from an anonymous connection.

    As this does not require an authenticated connection it is the most serious vulnerability possible in a program, and users and vendors are encouraged to patch their Samba installations immediately.

    Actually it means that anyone can do whatever he wants with a Linux box with Samba. And it means that many, many Linux servers are absolutely defenseless.
