Why GNU/Linux Rocks

Tired of the negativity on the web about GNU/Linux on the desktop? Check this out:

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

56 Responses to Why GNU/Linux Rocks

  1. oldman says:

    “Using FLOSS as anyone would use FLOSS does not make me a parasite. Your anger has the best of you. You are not making any sense.”

    Wait for it Mr. K. then we can talk if you wish.

  2. kozmcrae says:

    Using FLOSS as anyone would use FLOSS does not make me a parasite. Your anger has the best of you. You are not making any sense.

  3. oldman says:

    “You use Linux. I’m not putting words in your mouth. It’s the simple truth. Are you being forced to use Linux @ldman? Now that would be another matter. Are you being forced to use FLOSS products?”

    Sometimes sir we do things that we really don’t want to do. Oiaohm, who is a regular booster of Linux is apparently a full blown microsoft VAR most likely selling windows and windows products whether he likes it or not.

    And I would not be surprised if you too are using windows in your place of employ whether you like it or not.

    Are you using windows at work Mr. K?

    “Your attempt to single me and me alone out to be a moocher makes you out to be a complete fool. The more you try to pin the moocher label on me, the more you are a fool.”

    I am singling you out as someone taking advantage of the free lunch that he has been given by others. You are admittedly not alone – there are a large number of FOSS and Linux users who just use what they have been freely given while giving zero back. Like reformed smokers, they also tend IMHO to be very intolerant of anyone who does not “appreciate” what they have been “given” and actually might dare to feel entitled to software that meets their requirements.

    “So keep trying fool.”

    Fools can learn Mr. K, little twerps like you never do.

  4. oldman says:

    “You are squirming @ldman.”

    Nope I am not squirming. When Pog UN-buries my post of what you really said from the spam bucket, we can discuss it further Mr. p@rasite.

  5. kozmcrae says:

    @ldman wrote:

    “While they may be a paraphrase they echo your sentiment as expressed.”

    No @ldman, those are your words and your words only. And as for my sentiment? You profess to divine the sentiment of others? How big of you. If only it could be that simple, just write what you’d wish your opponent to say. Just impose the sentiment you’d wish me to have. I am no more a moocher than you are or anybody else that visits this blog.

    “Personally I use Linux only because of that.”

    You use Linux. I’m not putting words in your mouth. It’s the simple truth. Are you being forced to use Linux @ldman? Now that would be another matter. Are you being forced to use FLOSS products?

    You are squirming @ldman. You cannot deny the truth behind my words so you simply rewrite my words for me. It’s an old foil but it won’t work. Try it again but without writing my words for me. You can’t because you are wrong.

    FLOSS is free and meant to be used. Using it doesn’t make anyone a moocher nor is it giving them a “free lunch”. Your attempt to single me and me alone out to be a moocher makes you out to be a complete fool. The more you try to pin the moocher label on me, the more you are a fool.

    So keep trying fool.

    I suppose next you’ll say you have the right to write quotes that I never said and inflect them with any sentiment you divine me to have. Of course you will, you’re doing that now.

  6. oldman says:

    “While they may be a paraphrase they echo your sentiment as expressed. I stand by what I posted Mr. Moocher.”

    And here they are Mr. Moocher

    “I am not a moocher. I am doing exactly what one should do with the code. I am enjoying the freedom of using it. I enjoy the freedom of looking at the product of that code be it a text file of my own making or the output of a log file. And, once in a great while, I’ll send in a bug report…”

    Translation, I enjoy my free lunch and will throw the community a bone by “once in a great while” filing a bug report.

    Why once in a blue moon sir? Conscience over getting something for nothing?

  7. oldman says:

    Mr. K FOSS p@rasite said…

    “Typical Cult of Microsoft. When you lose just put words in your opponents mouth. “Free lunch”, “I’ll throw the cause a bone” and “feel like it” are your words @ldman, not mine. ”

    Typical cult of linux answer.

    While they may be a paraphrase they echo your sentiment as expressed. I stand by what I posted Mr. Moocher.

    And oh, BTW, just because Pog will give you a pass does not mean I have to.

    “Robert is right, to not use FLOSS is fool hardy. You are a fool. Oh wait, you use FLOSS too.”

    Professionally I support commercial applications that are run on top of Linux. Personally I use Linux only because of that.

    Personally, I use the commercial software that makes me most productive. That software runs solely on windows. The FOSS commune has proven itself incapable of replicating the software that I use to the level of quality I demand.

    That isn’t being part of a commune Mr. Moocher.

  8. kozmcrae says:

    @ldman wrote:

    “You are the one who tagged yourself as a moocher and a parasite when you said in effect “I am going to enjoy my free lunch and when I feel like it I will occasionally file a bug report”. That attitude of “hey it is supposed to be free but I’ll throw the cause a bone when I feel like it” why I’m calling you a moocher and now a parasite. ”

    Typical Cult of Microsoft. When you lose just put words in your opponents mouth. “Free lunch”, “I’ll throw the cause a bone” and “feel like it” are your words @ldman, not mine. Robert is right, to not use FLOSS is fool hardy. You are a fool. Oh wait, you use FLOSS too.

  9. oldman wrote, “That attitude of “hey it is supposed to be free but I’ll throw the cause a bone when I feel like it” why I’m calling you a moocher and now a parasite.”

    FLOSS is supposed to be used. That’s right in the GPL for instance, one of the four freedoms. It’s not mooching to use the software. Not everyone needs to contribute to make FLOSS a vibrant ecosystem because FLOSS is such an efficient generator of software. There are millions of FLOSS developers, many more millions of users who contribute in some way and it does not matter that many more millions contribute little more than using the software. It’s all good. That’s much more efficient than M$ requiring hundreds of millions of users to pay for Bill Gates’ and “partners” extravagant life-styles in order to generate much less software.

    People are foolish who don’t exploit FLOSS to the fullest extent. Doing otherwise is like living on bottled oxygen instead of free air when you have the option.

  10. oldman says:

    “That’s because you are an asshole @ldman. And I use the ‘@’ character in your nym to signify that you have your head up your ass. I’m using harsh words with you because you know all about FLOSS. How it’s used and why. Yet, you still make reference to me being a “moocher”. That’s why I’m calling you an asshole. Grow up or pull your head out of your ass and take a good look around.”

    I don’t need to look around.

    You are the one who tagged yourself as a moocher and a parasite when you said in effect “I am going to enjoy my free lunch and when I feel like it I will occasionally file a bug report”. That attitude of “hey it is supposed to be free but I’ll throw the cause a bone when I feel like it” why I’m calling you a moocher and now a parasite.

    But don’t worry Mr. K, I’m sure that Pog, oiaohm, and the other true believers will cover you and make excuses for you showing how you actually contribute. After all they need consumers for their free heroin, otherwise known as FOSS.

    So you can keep up with your @ crap, and I will point out your hypocrisy with your new name

    Mr. K – FOSS P@rasite

  11. kozmcrae says:

    @ldman wrote:

    “Oh of course I forgot you are too busy enjoying your free lunch. My Bad.”

    That’s why it’s called Free/Libre and Open Source Software (FLOSS). You are *supposed* to use it. Not everyone is supposed to be a developer. You call it “mooching”. That’s because you are an asshole @ldman. And I use the ‘@’ character in your nym to signify that you have your head up your ass. I’m using harsh words with you because you know all about FLOSS. How it’s used and why. Yet, you still make reference to me being a “moocher”. That’s why I’m calling you an asshole. Grow up or pull your head out of your ass and take a good look around.

  12. oldman says:

    “Why be shackled to an inferior file system? Of course without NTFS. I wouldn’t muck up my system with crap like that”

    Oh of course I forgot you are too busy enjoying your free lunch. My Bad.

  13. oldman wrote of ntfs3g in GNU/Linux, “I doubt that you have been doing any such thing.”

    While I was trying to keep XP going at my last school, I regularly used SystemRescueCD to reset passwords and to recover files, so, yes, I have been there and done that.

  14. kozmcrae says:

    “or while being able to read AND write to NTFS without corruption or worry of corruption?”

    Why be shackled to an inferior file system? Of course without NTFS. I wouldn’t muck up my system with crap like that.

  15. oldman says:

    “We’ve been doing that for well over a decade @ldman. Nothing new or even interesting there.”

    Without partitioning your hard drive, or while using NTFS not FAT32? or while being able to read AND write to NTFS without corruption or worry of corruption?

    I doubt that you have been doing any such thing.

    nice try though.

  16. kozmcrae says:

    @ldman wrote:

    “And his original windows 7 installation is only a restart away…”

    We’ve been doing that for well over a decade @ldman. Nothing new or even interesting there.

  17. oldman says:

    “I know there is not likely to be a show-stopper. With that other OS, one does not know whether an installation will take one hour or three days…”

    Perhaps what you are saying would be true if we were talking about installing an unpatched copy of windows xp on a 10 year old underpowered junk PC. More modern hardware is a different story.

    A colleague with a windows 7 laptop wanted to play with windows 8 RC on his low end dell laptop but didn’t want to break anything. Since he had a hard drive with lots of free space, it was a simple matter to install windows 8 RC on his portable as a vhd boot without a hitch in about 10 minutes. Once we booted into windows 8 almost all of his devices were recognized. Getting the rest of the unknowns recognized was a simple matter of going into device manager and doing a series of update driver tasks using the repository of drivers that are delivered on ALL dells (in the \drivers folder).

    I also taught him the two or three operations that he needed to get around between the metro interface and the desktop in about 5 minutes. and he was off and running.

    And his original windows 7 installation is only a restart away…

  18. oldman wrote, “Yep I’m pink…”

    As a welder, I can relate to that. Use long sleeves, an apron, and gauntlet gloves when you weld, oldman.

  19. oldman says:

    “I say you’re spam.”

    Yep I’m pink… 😉

  20. oldman wrote, “Why Robert Pogson should a non geek user ever want to do such a thing Robert Pogson?”

    A non-geek would not want to do so but that tests allows me, a geek, to recommend GNU/Linux to newbies with confidence because I know there is not likely to be a show-stopper. With that other OS, one does not know whether an installation will take one hour or three days…

  21. kozmcrae says:

    “What do you say Mr. K?”

    I say you’re spam.

  22. oldman says:

    “That other OS, on the other hand does nothing to make an installation work well on another machine, the ultimate test of hardware compatibility. I can move GNU/Linux from one machine to another with rarely a problem.”

    Why Robert Pogson should a non geek user ever want to do such a thing Robert Pogson? As I have noted the time that it takes even to reinstall everything from scratch on a new system is a fraction of the time one will lose moving from closed source to FOSS on linux not to mention the lost time making up for functions lost in the move.

    In fact as a windows user it is actually less work for me to set up my system to allow the very thing that you ask. I can do this with the new using the boot from virtual disk function that is a feature of windows from Vista on.

    You’d love it Pog, because it relies on esoteric command line utilities like diskpart and bcdedit that are part of windows now.

    My personal portable has now been set up to quadruple boot windows 7 x64, windows 8 x64 RC, windows 2012 RC and windows server 2008 R2 EE using this function.

    And the cool thing is that I can move any of vhd boot disks from one windows machine to another, as long as the target machine meets the minimum system requirements.

    Oh BTW. windows 8, windows server 2012, and windows 2008 R2 all were able to use my windows 7 drivers without a hitch.

  23. oldman says:

    “I see no reason to look outside the repositories of my distro for security software or any software for that matter. That has been the case since I’ve been using GNU/Linux.”

    Translation: I see no reason to come out of my electronic basement yet I feel entitled to verbally crap on those who may have wider experience and different needs than I do.

    “If I hear any more about Tripwire I will report you to Robert as Spam.”

    HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAH!!!!!

    You produce verbal spam here all the time and yet you can’t deal with a reasonable recommendation.

    Just about what I thought Mr. Moocher.

    I’ll tell you what sir. If you tell me what distro that you are using, I will do the homework to come up with the install instructions for tripwire for you to use. Because I think in the end that you would benefit for the extra layer of protection that tripwire affords rather than rely on the so called built in protection of your average linux distribution.

    What do you say Mr. K?

  24. kozmcrae says:

    If I hear any more about Tripwire I will report you to Robert as Spam.

  25. kozmcrae says:

    @ldman, shut up about Tripwire. I see no reason to look outside the repositories of my distro for security software or any software for that matter. That has been the case since I’ve been using GNU/Linux.

  26. oldman says:

    “No I haven’t and I doubt if I ever will. That’s overkill @ldman and for you to “advise” me to implement it is asking me to spend money that would be better spent elsewhere. It’s a security product. It’s made to sell.”

    Nice try Mr. K, but if you looked at http://www.tripwire.org you would note that just as is the case with many Open source applications, there is a free license community version. You can implement it at no cost for yourself but your time, and since you seem to think that a person’s time does not have value, there really is no excuse for not implementing an extra level of security, is there Mr. K?

    “Have I heard the last of Tripwire?”

    No sir you have not. Since you have now acknowledged as I have been saying in my comments here, that no system is truly secure, any time you presume to post about the in-security of windows, you will be reminded about your hypocrisy in lecturing windows users when you choose not to implement a relatively painless and quite effective intrusion detection system.

    “So in reality @ldman you don’t even use applications, you use watts.”

    Nice try. But in the real world as opposed to Mr. K’s world I still use applications, and applications that are not supported on linux to boot. That is as far as I am concerned a far bigger black mark than the feeble pseudo-ecological nonsense that you attempt to place against windows.

  27. oiaohm says:

    iLia, something I did not cover is that php has a lint function built in, php -l. With functions blocked off it will throw up an error on any file containing something that should not be there.

    Also running something like http://rips-scanner.sourceforge.net/ contains a list of predefined this is stupid to use.

    Basically if quality control has been performed on the web applications SQL injection, OS Commanding and Null byte problems should be reading 0%. The report you pulled, why are they not zero? The tech to detect those in source of php, java and .net existed in 2008-2009. This report is 2010-2011 so why are they not zero. Someone’s head should be on the chopping block since all that was detectable.

    Issue here is even commercial software had them.

    Path traversal attacks how to detect them was documented in 2009. https://www.owasp.org/index.php/Path_Traversal And you have tools to detect those problems http://dotdotpwn.sectester.net/

    https://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection Yes the Insufficient Transport Layer Protection issues should not be there either.

    Cross site request forgery and cross site scripting issues are also detectable.

    Brute force also normally traces to bad design but also can be hard to prevent.

    Insufficient Anti-automation is one of the few flaws you could possibly let web developers slide on. Reason: the more anti-automation you add the harder the site is for a blind person to get around. So that is a double edged sword; some people with disabilities need automated software to help them.

    The only ones in the report that should exist if quality control is performed.

    1) Information Leakage. Those bugs can be down right tricky to detect. There is no automated tools that can 100 percent sure tell you that you have a problem with this. Modern day taint tracking can help.

    2) Brute Force again nothing can tell you 100 percent sure you don’t have a problem with this.

    3) Insufficient Anti-automation because this the automated systems to defeat Anti-automation is always changing. What is good today will be worthless in a years time.

    4) Predictable Resource Location that is part application design. Sometimes very hard to avoid.

    So 4 out of the 10 would be valid to have some value. The other 6 should be 0% basically unfindable if quality control has been performed.

    And 2 out of the 4. Brute force and Insufficient Anti-automation should be on going problems nothing you really can do to prevent attackers making new ways of performing them so you can never be sure to be detecting all the methods attackers might use.

    This is why the report does not say what you think it does iLia. The report read to me a problem of incompetent staff not performing quality control as required to maintain secure sites.

    Some things are forgivable. But there was a lot in that report that really should not be forgiven; a lot of someone’s heads should roll to send a very clear message: don’t do quality control, you’re fired or at minimum demoted and someone willing to do quality control put above the person who did not.

    Yes any code I have asked for to be made part of the conditions of contract is no payment if any of those 5 errors is in the code. They have the tools to detect them.

    Insufficient Transport Layer Protection falls on the server admins not the web developers in most cases. But any web-development error over this also sees no payment. So yes 6 of the 10 should be 0%.

    I am willing to pay for code. But it better be quality. I am more than willing to provide the tools to the developers that have to pass to get payment. I am not expecting the impossible.

    Remote file inclusion weakness is also detected by rips and other tools like it for many years.

    This is the big problem with the document you pulled iLia what they were comparing the languages on should be 0% in all cases where quality control is performed on page 17 and other areas of that document.

    So a document that proves incompetence being used to compare languages is not a valid move iLia.

    This is why I am not exactly like iLia. I know how to use the tools to confirm quality code. I am known as a hard ass because I will not pay for anything else. In the stuff I set up I have very few exploits.

  28. oiaohm says:

    iLia
    “On the average PHP is much less secure than ASP.NET, thus if you use Asp your chances to have better security are higher.”
    There is a feature difference I am about to cover. That kinda makes this false.

    “And can you tell me how can I find out whether PHP application doesn’t rely on these obsolete unsecure functions?”
    For one disable them.
    http://www.php.net/manual/en/ini.core.php#ini.disable-functions
    Functions and classes that are built into php can be disabled. Then any code using those functions will straight up fail.

    Since “mysqli_real_escape_string mysql_real_escape_string mysql_escape_string” are all legacy crud they are all disabled in my php.ini file. This prevents anything from using them. Along with a lot of other old crud functions including register_globals, which in 4.3.0+ php turned out to be a “let’s make a security hole” feature. This way if an audit of the source code misses them they still don’t work and you get user complaints.

    C# and Java both lack a way of locking out features of the ABI effectively.

    As they found with nginx with configuration error by administrators applies to php. Same with the problem with internally developed software. Lack of auditing.

    iLia wrapping a problem up in a binary or a bytecode does not magically fix it. In fact a externally developed byte code brings its own problems. Lack of means to audit the code. So commercial developed asp.net you have no way to confirm quality just pray the provider is good.

    PHP shows the problem worse because its older. ASP before asp.net is also swiss cheese. There is very good reasons to terminate usage of legacy code paths in php or C# or java. Terminating legacy is simpler in php just not done as much as it should be. Problem is php also has the most legacy that should be terminated.

    So that report of yours found so much insecure with php and also matched by nginx badly configured suggests administrators need a training course. Since the big security problem here was that the servers were all misconfigured.

    Only thing saving asp.net for now is that it’s not old enough to have as many problems yet. Remember asp.net can still switch into unsafe mode and use pointers to win32 code so all the pointer errors that can infect a c or c++ program can be wrapped inside a .net application.

    So safest with age with the least amount of mucking around is java. The jini interfaces make it simple to pull off any added binary interface with an issue. Also you have the full source to java so you can rebuild it missing insecure functions or removing classes.

    PHP well managed comes a good second.

    Reality asp.net is last. Has been improved with MS deciding to open source the asp.net framework of .net. This still does not allow lower engine issues to be addressed.

    PHP run on hope and pray is the worst due to how much legacy php stuff is around.

    Age will catch up with asp.net and is catching up with asp.net. If you go back a few years in the reports asp.net looked even better than it does today iLia basically its slowly sliding backwards as it ages. Java over this time has not moved. Since java and asp.net are about the same now you would say by trend asp.net is going to be worse in the tests unless something is done to the administration side.

  29. kozmcrae says:

    @ldman wrote:

    “Implemented tripwire yet Mr. K?”

    No I haven’t and I doubt if I ever will. That’s overkill @ldman and for you to “advise” me to implement it is asking me to spend money that would be better spent elsewhere. It’s a security product. It’s made to sell. I have all the security my little home network needs as long as I don’t do anything stupid, like install Windows without extra security software to go with it. Go peddle Tripwire to someone who’s dumb enough to listen to you. Or, possibly, someone who might even need it.

    Don’t believe I think I’m impregnable. My daughter’s Linux computer and her Comcast router were hacked by her ex-husband. It’s still not safe (I had nothing to do with her installation.). This is an admission I don’t mind making because security is an issue for everyone. It’s just different for Linux users than it is for Windows users. To listen to the commercial security companies scare tactics is a waste of time. It’s better to be educated on the real security threats which are not always the same as they are with Windows. So my security is ever present on my mind. Linux has security built in and the user should also have security built in. One should never rely on any product or group of products to feel safe.

    Have I heard the last of Tripwire?

    “If I have to spend a little more on a system to get speed and I can justify that cost that’s all I need to know.”

    Spend as much as you want. Just realize that on large installations that extra horsepower is going to cost a lot and is a mark against Windows. You don’t want to be burning any more watts than is necessary. So in reality @ldman you don’t even use applications, you use watts. Too many of them too.

  30. iLia wrote, “can you tell me how can I find out whether PHP application doesn’t rely on these obsolete unsecure functions?”

    PHP is text. Use grep -r pattern *. You can also turn some things off in the php.ini file, such as register_globals. That was deprecated long ago and recently removed from PHP.
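The scan that “grep -r pattern *” stands for, as an added example that is not code from the blog or from any commenter: it tokenises PHP source with PHP’s own tokenizer and reports only real call sites of the legacy MySQL escaping functions named in this thread, so a name that merely appears in a comment or a string literal is not flagged. The list of function names and the sample source are constructed for the example; the `scanDirectory` helper is the recursive part that grep -r provides. Run against the sample, only the call on its third line is reported.

```php
<?php
// Added example, not code from the blog or any commenter: a token-based scan
// of PHP source for the legacy MySQL escaping functions named in the thread.
// It does the job of "grep -r pattern *" but only reports genuine call sites,
// so a function name that appears in a comment or string is ignored.
declare(strict_types=1);

// Constructed list of function names to flag; extend it for your own audit.
const LEGACY_FUNCTIONS = [
    'mysql_escape_string',
    'mysql_real_escape_string',
    'mysqli_real_escape_string',
];

/**
 * Return one ['file', 'line', 'function'] entry per call to a flagged
 * function found in $source.
 */
function findLegacyCalls(string $source, string $file = '(inline)'): array
{
    $hits = [];
    $tokens = token_get_all($source);
    $count = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        // Identifiers come back as T_STRING arrays: [id, text, line].
        if (!is_array($tok) || $tok[0] !== T_STRING) {
            continue;
        }
        if (!in_array(strtolower($tok[1]), LEGACY_FUNCTIONS, true)) {
            continue;
        }
        // Count it only when an opening parenthesis follows, i.e. a call.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j < $count && $tokens[$j] === '(') {
            $hits[] = ['file' => $file, 'line' => $tok[2], 'function' => $tok[1]];
        }
    }
    return $hits;
}

/** Scan every .php file below $dir; this is the recursive part of grep -r. */
function scanDirectory(string $dir): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($iter as $path => $info) {
        if ($info->isFile() && strtolower($info->getExtension()) === 'php') {
            $hits = array_merge($hits, findLegacyCalls(file_get_contents($path), $path));
        }
    }
    return $hits;
}

// Constructed sample source: a comment that names the function (must not be
// flagged), a genuine legacy call (must be flagged) and a prepared statement
// (must not be flagged).
$sample = <<<'PHP'
<?php
// the mysql_real_escape_string() call below is legacy and must go
$id = mysql_real_escape_string($_GET['id']);
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$_GET['id']]);
PHP;

foreach (findLegacyCalls($sample, 'sample.php') as $hit) {
    printf("%s:%d: call to %s()\n", $hit['file'], $hit['line'], $hit['function']);
}
```

Pair this with the php.ini disable_functions setting described elsewhere in the thread: the scan finds the call sites to fix, and disabling the functions makes any call the audit missed fail loudly rather than silently keep working.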

  31. oldman wrote, “I dont have to deal with ANY of the headaches that lurk when one insists on letting Linux own the hardware”.

    GNU/Linux does not own hardware. It provides a dependable interface between the user’s applications and the hardware. With thousands of developers contributing drivers to Linux, what possible hardware problems could you have? That other OS, on the other hand does nothing to make an installation work well on another machine, the ultimate test of hardware compatibility. I can move GNU/Linux from one machine to another with rarely a problem.

  32. oldman says:

    “Its already on your hardware by virtualisation now. ”

    So what. I run Red Hat Linux as part of my support and design tasks on a windows 7 desktop. I don’t have to deal with ANY of the headaches that lurk when one insists on letting Linux own the hardware.

    This “you are already running Linux but you don’t know it” line that you and others periodically trot out is to me and quite a few others nonsense. I am still working with windows applications on a windows desktop. The fact that some appliance may have a control program based on Linux code doesn’t change that.

  33. oldman says:

    “Don’t you mean you have enough horsepower to run as inefficiently as needed? You don’t need horsepower to run efficiently.”

    I run applications not operating systems Mr. K. The applications that allow me to be most efficient don’t exist on Linux.

    If I have to spend a little more on a system to get speed and I can justify that cost that’s all I need to know.

    Besides, if your knowledge of efficiency is on par with your knowledge of security, I don’t think you have any credibility talking about efficiency.

    Implemented tripwire yet Mr. K?

  34. iLia says:

    Why is PHP worse it might be the simple fact its older and it has more legacy applications that have not been updated when they should have been.

    On the average PHP is much less secure than ASP.NET, thus if you use Asp your chances to have better security are higher.

    And can you tell me how can I find out whether PHP application doesn’t rely on these obsolete unsecure functions?

  35. kozmcrae says:

    @ldman wrote:

    “Besides I have plenty enough horsepower to allow even multiple linux instances to run as efficiently as I need them to run for the tasks they are needed for.”

    Don’t you mean you have enough horsepower to run as inefficiently as needed? You don’t need horsepower to run efficiently.

  36. oiaohm says:

    Phenom, to be correct the answer is straightforward.

    “mysqli_real_escape_string
    mysql_real_escape_string
    mysql_escape_string”
    Any code containing any of the above is obsolete; no new code should contain them. Particularly the last one.
    http://php.net/manual/en/function.mysql-escape-string.php It’s tagged deprecated so will throw error messages.

    mysqli_real_escape_string=mysql_real_escape_string
    They are one and the same function inside php.
    http://www.php.net/manual/en/mysqli.real-escape-string.php
    Notice mysqli is now a class its a back-end bit for PDO. Also no modern standard php should contain what is there. mysqli::real_escape_string or mysqli::escape_string. Is the current day. Both are exactly the same.
    PDO::quote
    PDO is current day result of calling this if database is mysql mysqli::escape_string gets called that forwards to mysqli::real_escape_string. Again exactly the same. No more code difference or behaviour differences cause quirks. Database-backend::escape_string works with all databases under newer PHP. Its been cleaned up.

    Basically everything you quoted bar one is legacy junk.

    In fact you should not be using PDO::quote in most cases. So if you are finding this the code is suspect.

    Why because parameterized db commands exist
    http://php.net/manual/en/pdo.prepared-statements.php.

    Phenom can you do a raw sql query under java and c# avoiding using the parameterized db commands yes you can. Is this wise no its not. Any code doing that is junk.

    So your statements are false on the one you picked.

    The main issue is legacy and deprecated commands still being used in PHP and a failure for some PHP coders to move across to more modern parameterised db commands.

    Really I would love it if PHP got a bit strict and started deprecating a few functions faster. Particularly these two aliases, mysqli_real_escape_string and mysql_real_escape_string.

    So yes Phenom, a lot of projects fall with PHP. Search for functions that should be long gone still being there and in most cases that is exactly where the security bug is.

  37. Phenom wrote, “the sad condition of your spam filter says it all”.

    Hey! I have reports that people love it even if they end up in the spam-queue… At least I am not seeing much real spam in the spam-queue so that lightens my load. Before, I was getting more spam than beef in the queue. Akismet worked well for years but the spam kept getting smarter. It might help if visitors made better comments…

  38. Phenom says:

    That must be why every instance of WordPress or PHPbb has been compromised… (/sarcasm!)

    Well, the sad condition of your spam filter says it all. 😉

    All one has to do is set up PHP not to use risky options and to scrub user input carefully before using it. If PHP
    Ah, ignorance is bliss. While the rest of the world uses parameterized db commands, the PHP mob is left with functions like:
    mysqli_real_escape_string
    mysql_real_escape_string
    mysql_escape_string
    PDO::quote

    A bunch of functions, designed to do one and the same thing, each with its own quirks. Gosh, how can one write solid code with this?

  39. oiaohm says:

    “Don’t use PHP, use ASP.NET”
    iLia, not in the report. There was no ASP.NET CMS in the comparison, so it’s not possible to switch over to ASP.NET; it does not provide everything.

    Go to owasp.org and http://www.webappsec.org and you will find that all the flaws PHP is showing can exist in ASP.NET. Why is PHP worse? It might be the simple fact that it’s older and has more legacy applications that have not been updated when they should have been.

    Like LinkedIn recently using MD5 without salting for passwords. This is an out-of-date password method.

    oldman
    “Any so called improvements will more than be offset by the limitations of having linux own my hardware.”

    It’s already on your hardware by virtualisation now. This is just being stubborn. In reality, things are in flux.

  40. oiaohm says:

    Phenom, exactly the problem with the report.

    “You always test libraries and frameworks, which are tagged along.”

    Without information on what frameworks went head to head, it could be a simple case that ASP.NET got lucky and had fewer frameworks, so fewer flaws. Might not be the language at all.

    Remember Java was also being beaten by it. Yet without an ASP.NET CMS in the mix, this could explain it.

    PHP has older functions and newer functions. This is known. Like how many of the PHP SQL flaws were in code not using prepared statements. Yes, prepared statements are the current-day method to stop a lot of SQL injection dead. Basically legacy code that has not been updated to current-day standards.

    http://php.net/manual/en/pdo.prepared-statements.php

    Now any PHP project using those legacy methods should be named and shamed because they are no longer secure code.

    Phenom, some of PHP’s issue is its age. It supports old PHP programs that should be terminated from usage.

    Phenom, it is still possible to code SQL requests legacy style in C# or Java. This is just joining strings and praying for the best; of course this is not the best.

    The one big thing that report showed was that internally developed was worse than free/open source or commercial. Maybe this is a third-party review issue.

    So ASP.NET might only look better because the change from ASP to ASP.NET cleared out old legacy programs.

    This is the problem: you cannot normally zone it down to language alone. Language is one of many factors.

    Language.
    Toolkits.
    Audits.
    Maintenance.

    Maintenance includes things like updating software as required and deprecating stuff that is no longer secure. Because what we think is a safe method today could turn out to be the biggest blunder going.
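The point made in comments 36 and 40 above, that pasting user input into the SQL text is junk in any language while a prepared statement keeps the value out of the query, as an added example that is not code from the thread or from php.net. It uses PDO with an in-memory SQLite database so it runs offline; the users table, its rows and the injected input are constructed sample data.

```php
<?php
// Added example (not from the thread): the "joining strings and praying"
// style beside a PDO prepared statement, run against an in-memory SQLite
// database so it works offline. Table, rows and input are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Legacy style: the user-controlled value becomes part of the SQL text,
// so a quote character in the value changes the meaning of the statement.
function findUserLegacy(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Current style: the SQL text is fixed at prepare time; the value travels
// separately as a bound parameter and is only ever compared as a string.
function findUserPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: the single quote closes the literal in the legacy query
// and the rest turns the WHERE clause into something that is always true.
$input = "x' OR '1'='1";

$legacy   = findUserLegacy($db, $input);
$prepared = findUserPrepared($db, $input);

printf("legacy query returned %d row(s)\n", count($legacy));     // 2: every user
printf("prepared query returned %d row(s)\n", count($prepared)); // 0: no such name
```

Both functions receive the same input. The legacy one returns every row because the resulting statement reads `WHERE name = 'x' OR '1'='1'`; the prepared one returns nothing because the whole string is compared as a literal name. With MySQL, additionally set PDO::ATTR_EMULATE_PREPARES to false so the binding is done by the server rather than by client-side quoting in the driver.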

  41. iLia, if I want a compiled language in which to write a dynamic web-page, I will use Pascal so the language is not a moving target, the code is strongly type-checked, and the code is easily read and understood by me.

  42. Phenom wrote, of PHP, “it is very very difficult to create something solid with it.”

    That must be why every instance of WordPress or PHPbb has been compromised… (/sarcasm!)

    I have written some PHP. All one has to do is set up PHP not to use risky options and to scrub user input carefully before using it. If PHP is used on GNU/Linux, the OS is not going to execute uploads automatically… 😉

  43. oldman says:

    “Oldman for example runs Linux virtual under windows if he is able to reverse that memory effectiveness and other things will improve.”

    Any so-called improvements will more than be offset by the limitations of having Linux own my hardware. Besides, I have plenty enough horsepower to allow even multiple Linux instances to run as efficiently as I need them to run for the tasks they are needed for.

    If I need more horsepower, it is a simple matter to upload my VM into our production vSphere environment and run there.

  44. Phenom says:

    Mr. Pogson wrote: “test the language”

    How can you test a language for security, Pog? You always test libraries and frameworks, which are tagged along. You know, a language without libraries and frameworks is just useless nowadays.

    So, PHP libraries and frameworks obviously suck. One reason is that PHP is such crap as a computer language (purely theoretically) that it is very, very difficult to create something solid with it.

  45. iLia says:

    Sorry for accusing you of censorship, I was wrong about it, and admit it 😉

    Mr. Pogson: How could they find PHP “is the most vulnerable” if they didn’t test the language but the applications written in the language? They are saying “apples are sweet” while testing “oranges”. That finding makes no sense.

    Actually the language in which an application is written means a lot. PHP, like any other language, is implemented somehow; in this case it is implemented as a scripting language and is executed with an interpreter, which can have some vulnerabilities. PHP has a library which also can have some vulnerabilities.

    And scripting languages are error-prone by design: they are dynamic languages, so many errors cannot be detected until execution. Consider this line of code:

    obj1.Iine = 1243;

    instead of:

    obj1.line = 1243;

    (an uppercase “i” instead of lowercase “l”)

    No parsing error here, but the code is broken. And such types of errors require a lot of time to detect.

    Or imagine that you have to rename a member of a type; with dynamic languages you will have to look through all your source code and detect all occurrences of this name by yourself.

    And imagine that there are other types with such a name (no inheritance); you will have to check manually every occurrence of this name.

    And then test the whole application, even if there are no changes in logic.

    With static languages you don’t need to bother: you rename the type member and simply compile the source code, and if there are some errors the compiler will give you a nice list of them.

    oiaohm: Also they provide no direct recommendations for alterations to methods or anything else to reduce the risks.

    Don’t use PHP, use ASP.NET 🙂

  46. oiaohm says:

    Robert Pogson, yes, iLia is trollish; did not read the full report, it shows. There was no ASP CMS software in the comparison. So this kinda biases the numbers.

    The report is trollish because it does not give the applications compared and the numbers. Particular types of applications like CMS do bring higher risks of security problems.

    Also they provide no direct recommendations for alterations to methods or anything else to reduce the risks.

  47. oiaohm says:

    Ivan, please note he did two presentations back to back. Lunduke did a Linux Suxs presentation before that.

    Linux Rocks is a comparison of Linux to its competitors in positive operational requirements. So virtualization is allowed. It also compares the weaknesses to other OSes in the market.

    The Linux Suxs.
    http://www.youtube.com/watch?v=Sh-cnaJoGCw

    Linux Suxs is more of a negative comparison: no virtualization methods allowed, pure Linux, nothing else in virtual machines.

    Ivan, “elitist jackass” is a title you can give to people who argue both that Linux Suxs and that Linux does not. Linux has its place; this is the reality.

    Go back and watch the Robert Pogson video. Ivan, one of the early things mentioned is the other talk he did. It’s two talks back to back. So it’s so funny because he is insulting himself for the talk he just gave. Of course I can understand you not getting the joke, Ivan.

    Clarence Moon, remember Richard Stallman talks against using tracking devices. A lot of FOSS people don’t have this limitation on their devices, so would be able to find it by the dial-home. Yes, a lot of devices stolen at Linux confs are found by the added dial-home features by the owners of the device. So you can say the robber targeted the person that appeared to have the weakest personal security. Very much how most malware writers work.

    So yes, Richard Stallman will have a lot of thinking to do. It’s part of FOSS: not everyone’s ideas pass the real-world test.

    “wrist cuff and chain”, Clarence Moon, in the FOSS world is known as a fake display of security. Really, what is better: lose the item or lose your hand? When you consider that, good security is you don’t bind the items to your person but give them a means to be traced.

  48. iLia wrote, “The study found that PHP, the most popular web application programming language (63% of tested resources) is the most vulnerable. We compare security of sites on PHP, ASP.NET and Java by vulnerabilities caused by the software implementation.”

    How could they find PHP “is the most vulnerable” if they didn’t test the language but the applications written in the language? They are saying “apples are sweet” while testing “oranges”. That finding makes no sense. One can write malware in just about any language in which you can actually control a computer. In a trivial case, one could code a loop to load up the CPU, cutting performance.

    iLia, your behaviour is trollish. Shape up. RMS does not advocate stealing but sharing. They are not the same.

  49. Viktor says:

    Nothing to be proud of there, Viktor, a robber is despicable.

    Oh, I am merely proud because he made Stallman cry. That’s all there is to it. Having a grown-up man like Stallman react this way indicates quite clearly that he has some mental problems. This man is clearly unfit for the role he’s inhabiting. This incident proves it once again.

    On the other hand I can’t remember absolving the thief from his deeds. His act was immoral, but that’s of no concern to me here.

    And whether any theft — no, it wasn’t robbery, as Stallman wasn’t assaulted or threatened — is always despicable depends solely on the specific circumstances of the case.

  50. iLia says:

    Trying to apply some censorship Mr.Pogson?

    Mr. Pogson: Tired of the negativity on the web about GNU/Linux on the desktop?

    OK, no problem here, now you will get some negativity about GNU/Linux on the server.

    A Russian company Positive Technologies compared servers based on ASP.NET, Java and PHP, and found out that ASP.NET is 3 times more secure than PHP.

    Some summary (5.3):

    3.4. The study found that PHP, the most popular web application programming language (63% of tested resources) is the most vulnerable. We compare security of sites on PHP, ASP.NET and Java by vulnerabilities caused by the software implementation. The study showed that 81% of sites in PHP contained critical security vulnerabilities, and 91% medium-risk vulnerability.

    The least common critical vulnerabilities are on sites written in ASP.NET: only 26% of them contain high-risk vulnerabilities, which is significantly lower than that of PHP (81%) and Java (59%).

    3.5. nginx web server is the most vulnerable according to administration errors, that significantly exceed Apache and Microsoft IIS results.

    Unfortunately for you, there is an English translation of this study

    http://www.ptsecurity.com/download/statistics.pdf

    Use FLOSS and be happy!

    oiaohm: you think stealing is fine
    FOSS world respects property

    Actually Stallman thinks that stealing is OK, as long as you are not caught.

  51. Clarence Moon says:

    I’m proud of the robber.

    Nothing to be proud of there, Viktor, a robber is despicable. Of course I am surprised that the blame is not being placed on the bag manufacturer for not providing obvious security functions such as a wrist cuff and chain. Most open source bags have that feature as part of their basic construction.

  52. Ivan says:

    “Anyone who thinks linux sucks is a moron”

    Yeah, that’s not negative in any way. Rather than fixing the problems in the previous demonstration, call names like an elitist jackass.

    Very productive use of your time.

  53. iLia says:

    Mr. Pogson: Tired of the negativity on the web about GNU/Linux on the desktop?

    OK, no problem here, now you will get some negativity about GNU/Linux on the server.

    A Russian company Positive Technologies compared servers based on ASP.NET, Java and PHP, and found out that ASP.NET is 3 times more secure than PHP.

    Some summary (5.3):

    3.4. The study found that PHP, the most popular web application programming language (63% of tested resources) is the most vulnerable. We compare security of sites on PHP, ASP.NET and Java by vulnerabilities caused by the software implementation. The study showed that 81% of sites in PHP contained critical security vulnerabilities, and 91% medium-risk vulnerability. The least common critical vulnerabilities are on sites written in ASP.NET: only 26% of them contain high-risk vulnerabilities, which is significantly lower than that of PHP (81%) and Java (59%).

    3.5. nginx web server is the most vulnerable according to administration errors, that significantly exceed Apache and Microsoft IIS results.

    Unfortunately for you, there is an English translation of this study.

    Use FLOSS and be happy!

    oiaohm: you think stealing is fine
    FOSS world respects property

    Actually Stallman thinks that stealing is OK, as long as you are not caught.

  54. oiaohm says:

    Viktor, very well. Since you tolerate theft of other people’s items, I think you should no longer have the right to any assets and be a slave for the rest of your life. You really should not have a problem with this since you think stealing is fine. Remember, do unto others as you expect done to you.

    FOSS world respects property. About time you learn to, Viktor.

    Besides, watch the video; it’s not all fluff. It’s the list of problems you are running into. Linux users don’t have to choose just Linux any more.

    Oldman, for example, runs Linux virtual under Windows; if he is able to reverse that, memory effectiveness and other things will improve.

    The choice of Linux has less downsides today than any other time. It also has a lot of upsides.

  55. Viktor says:

    EDIT (How about implementing a genuine editing function?)

    If you’re *TIRED* of all the fluffy GNU/Linux stuff: Richard Stallman was robbed.

    http://www.devthought.com/2012/06/09/richard-stallman-robbed-in-argentina/

    I’m proud of the robber. He made Stallman cry.

  56. Viktor says:

    If you’re tired of all the fluffy GNU/Linux stuff: Richard Stallman was robbed.

    http://www.devthought.com/2012/06/09/richard-stallman-robbed-in-argentina/

    I’m proud of the robber. He made Stallman cry.
