Thursday, November 20, 2008

Why Linux Is Not More Secure Than Windows

Alright, every once in a while, I come across a truly stupid Linux article and have to give it a rant of its own. This stupid post goes on to describe how Linux is more secure than Windows. Let's eviscerate this mishmash of stupidity and FUD, shall we?

> Since the 1970s Unix has had a proper permission based system.

So it has an old feature. Big deal.

> Every computer has an “administrator” account called “root”. The root account can perform any function whatsoever on the system.

That does not seem very secure. If an attacker can get the root password, the system is completely at his mercy. Plus, Windows NT/2K/XP/Vista has this feature as well.

> You have access to one single directory known as your home folder. To do any task, or for any program to execute any task, outside of your home directory, you will need to give it the root password.

You can set up this feature in Windows XP and especially Vista. Vista makes it easy to install and run as a limited user, and if an action requires administrative privileges, they are only a sudo away. Even in XP it is not terribly hard to create a limited account. I think the default account is 'Power User' who can install software but is still restricted in some ways.

> Every file, program, etc. has a series of three permissions on it. One for the user, two for the group, and three for world (or everybody). Each of these series has 3 different types of permissions, read, write, and execute.

Only 3? Uh, Dude. I think you should Google something like Windows ACL (I just did it for you). You should find a site like this one.

> Again, the registry, by default can be edited by anyone or any process running.

Since I wasted so much time with Linux, I am quite unfamiliar with the inner workings of the Windows registry. Are you telling me that HKEY_LOCAL_MACHINE can be edited by users of any privilege level? I highly doubt it; otherwise, it would have definitely been listed as a criticism. Wait, I think you are still talking about the default permission thing, aren't you?

> Linux doesn’t have a registry, it has a folder which contains configuration files (one file per application) that controls settings for JUST that program.

Dude, ever heard of Gconf? It has all the features of the registry and all the problems.

> Because open source software is open to the world, the code has many many more eyes on it. So bugs and vulnerabilities get patched sometimes two and three times faster than corporations are able to patch theirs.

Yes, when a security flaw is found, the code can quickly be patched, but this is true in the proprietary world as well. The real test is getting the patched binary out to the users. When a major problem is discovered, like the WMF vulnerability a few years ago, Microsoft can move quite fast.

> The problem is, the grand majority of users have no idea about computers, software, and technology. They know what they need to know to perform their tasks and that’s it.

Yes, this is true. This is also something that many lusers don't seem to understand.

> With Windows, you go scouring the internet looking for that program that will remove spyware, or help you balance your checkbook, or allow you to talk to friends and family over IM. This is problematic as most people are unaware of what web sites offer legit, virus free, spyware free, applications that do exactly as advertised (for free or paid for).

Well, you could help them by giving them a link to download.com (I did it for you again). I have heard that they run the software through some checks to prevent uploading malware. It is easier than teaching them how to use Linux.

> In Linux it’s a bit different. There is one place to get a majority of your software, and this same place has the ability to update all your software as well.

Of course the binary they are downloading is not always exactly the same as the one compilable from the code released by upstream. It often contains patches, and sometimes these patches can cause major security problems.

> Many distributions use what’s called “Secure Linux”

Uhhh.... Mandatory Integrity Control? It was included by default in Windows Vista, which was released nearly two years ago. Where have you been?

> Again, when you install proprietary software, you never really know who has access to what. Since the code is closed off, the maker of that software can include any backdoor they wish.

Yes, but if they screw up, the backdoor will be found, and if the backdoor is found, then people will be hesitant about using the software. A software company that needs buyers to give it money to survive will have a vested interest in not screwing its users (at least, not too much). Sure, freeware developers can include spyware as a revenue stream, but this just illustrates the principle of TANSTAAFL.

> And unlike the NSA developed SE Linux, this code is held private so no one can review it.

There are many ways to find backdoors: running applications through a debugger, monitoring network connections (the big one), etc. Since this potential Windows backdoor was found, it looks like it is possible to find backdoors in closed-source software. It is also possible to include backdoors in open source software; just look at the Underhanded C Contest.

So, basically, these are the security enhancements that Linux has over Windows? Call me a Micr0$0ft $hi11 if you want, but I do not think these 'advantages' outweigh Linux's other problems.

173 comments:

Anonymous said...

Good post LHR. I know what luser will say then : "But at least we don't have viruses"

Of course you don't. Why the hell write a keylogger or any kind of malware for an OS that just 0,01% of the desktop users use ?!!

And they would say : "But we have more than 60% of the servers of the Internet"

Ok. But I don't think an administrator would execute files like "britney_spears_naked_pics.exe"

oiaohm said...

How to die. Really.

Let's start off with some basics. Number 1 lot of windows programs will not run without administrator permissions. As a Linux limited account ie normal user how much don't work.

Power user account in Windows default is barely restricted. http://technet.microsoft.com/en-us/magazine/cc138011.aspx << should have read that one. Power user is Administrator no difference under XP and before basically. People wonder why Windows is so virus infected. Security has been 100 percent incompetent.

To be correct even in vista power user flawed allows a complete major back door. You can load a any new service you like. Any idea what the problem is there? Service in Vista can do what ever it like bar edit the screen or capture.

Linux mandatory access control is on services. Windows is not even in Vista. So Vista security is crap. Something running all the time in background you don't bother putting security on. Yet applications user is running in foreground that damage could be locked to their user account have a pest of a UAC. I think someone in the Windows Security Design should get the dick head of the year award.

Yes UAC makes Vista look secure but it really does nothing particular when users end up running either with it disable or switched their way back into administrator to get away from it.

Linux people know the flaw of the root user. Reason why running as root is classed as a mortal sin. Out of box distributions try to avoid it. Its also why new security systems that have been designed like policy kit and posix file capabilities are designed to reduce its usage. Long term goal of the Linux world is root user ceases to exist.

Also true hardened Linux's Root users is a paper weight. Its a non functional account. You can log into it yet it has the powers to alter nothing. Something that is overlooked Root users in Linux is nothing more than a virtual account. Emulation of history. Capabilities assigned to root user can be added or removed when kernel is built.

Registry is a stability issue and a security. Why can all services inside vista write to HKEY_LOCAL_MACHINE unblocked? Also just to be funny if they did not fix this in vista registry was tagged read write in XP. So if you could get the file handle of the registry and use your own registry writing tools yes any USER could write to the registry. Write lock to registry was not protected at the file system level. Only at the API level. Its also why some worms had high registry destruction rates. Two writes at the same time not synced to registry equals dead registry file.

Gconf does lack two major defect of Registry. Internal fragmentation leading to system running slower and slower.

Other major difference from a registry Gconf uses Schema files so you know what a setting in Gconf is controlling. Making a failed Gconf repairable. If you try to dump some random setting into Gconf you will be rejected.

If I want to fill windows registry with random garbage I am perfectly free. This is a security fail. How in hell do you audit a registry? Basically really hard. Auditing a gconf is surprisingly simple.

Next problem Main registry are written to every startup. Not like a Linux system where you can make /etc read only to everyone including root and still boot up. Do that windows registry hive for HKEY_LOCAL_MACHINE and it cannot boot.

Underhanded C contest is run to get new methods to hide so new tools can be developed to detect it. So yes it improves source code auditing tools. About 2 months after the Underhanded C contest methods used are detectable by Coverity its security R&D.

This is also the difference of source code. You can audit it yourself if you suspect something is wrong with tools like Coverity. Note suspect. Windows no such option.

MS MIC don't compare to Selinux or Smack for Linux.

MIC sandboxing has major differences to Selinux and Smack sandboxing. Selinux locks down on what functions in what .so/dlls you use. Call 1 function application would have never used Selinux and Smack will kill the application. MIC allows probing to find a weakness to break out of sandbox ie calling functions it never used before looking for a flaw.

Selinux Smack does not have like 3 different forms of security. Low IL Med IL High IL as provided by MIC don't provide the fine grained control.

Selinux and Smack are fine grained control. So MIC grants applications more permissions than what they really need.

Anyone yet not think someone at Microsoft needs to be so fired its not funny. MS is directly responsible for a lot of the evils that affect the Windows world.

Please stay out of areas you apparently know crap about.

Linux don't suffer from that many viruses due to virus cycle you fool.

The virus cycle.

Rootkit/data thief. Most common first user of an exploit. Commonly years before it becomes used in a virus. They are very secretive and cover their tracks well. It has taken MS on average 6 to 8 years to patch a report a Rootkit flaw. Microsoft is so focused on the Viruses they are not fixing where they are coming from.

Just like the 12 year old bug MS just fixed documented 12 years ago reported to Microsoft 8 years ago and every year since. Major security flaw allowed you to execute anything through lan on a windows machine as Administrator on that machine. Only fixed when a Virus started using it this year.

Linux biggest threat is the root kit. By keeping root kit numbers down you keep virus number down. This has applied to all OS's throughout history.

Even when Apple made up a huge section of the market they keep root kit flaws down so virus numbers stayed down.

Really since Linux servers store a lot of critical data they are highly targeted by data thieves. Data thieves are very well funded.

Malware and viruses is not the only threat out there.

MS has basically been incompetent here as well.

whitetigersx said...

"Ok. But I don't think an administrator would execute files like "britney_spears_naked_pics.exe""

I dunno' if they're a Linux Admin they just might be looking for a new little toy for late nights in the basement.

Anonymous said...

The truth is, when asked, 99% of freetards will never know how to articulate anything more than "but .. but... it's more secure by design! because it's UNIX"

We should trust them then... after all, they read that on the Internets, so it must be true.

Anonymous said...

> To be correct even in vista power user flawed allows a complete major back door. You can load a any new service you like. Any idea what the problem is there? Service in Vista can do what ever it like bar edit the screen or capture.

In Vista the Power User group does not exist anymore.

> Yes UAC makes Vista look secure but it really does nothing particular when users end up running either with it disable or switched their way back into administrator to get away from it.

LOL!. In Vista even administrator don't have full privileges until elevation is granted. Sure, you can disable UAC. And you can also run your UNIX machine as root. So what is your fucking point?

Don't you love it when freetards show their ignorance so nicely?

RadiantFIre said...

"Registry is a stability issue and a security. Why can all services inside vista write to HKEY_LOCAL_MACHINE unblocked? Also just to be funny if they did not fix this in vista registry was tagged read write in XP. So if you could get the file handle of the registry and use your own registry writing tools yes any USER could write to the registry. Write lock to registry was not protected at the file system level. Only at the API level. Its also why some worms had high registry destruction rates. Two writes at the same time not synced to registry equals dead registry file."

Except for the fact that every executable in vista must be "unblocked" or it gives a "run me" prompt. Thus any executable that runs has been given explicit permission to run by the user (either by installing, or by unblocking).

RadiantFIre said...

"Gconf does lack two major defect of Registry. Internal fragmentation leading to system running slower and slower."

Wrong... GConf stores itself in a bunch of files. It fragments as the file system fragments. Faster even, since it's in a bunch of little files and a bunch of directories.

oiaohm said...

Power User group lives on through ADS transfer. Power user created in ADS server for XP still has too much power when that profile is used on Vista.

Gconf fragments slower than a registry hive even on a ntfs partition.

Bunch of files funny enough on a file system that is fragmentation resistance does not fragment very quickly at all.

Ie NTFS has fragmentation resistance not the best but it has some.

Registry hive design lacks any good form of internal fragmentation resistance so it turns to crap. Idea that a single large file bests a bunch of small files on fragmentation is kinda a joke.

If the inside of the large file is like a file system and it fragments with no tool to defrag it provided out box you might as well had a bunch of small files on the file system that normal defrag can fix.

No there is a third way to get permission to run under vista avoiding having to be installed or approved. Run inside something that already is. One of the simplest is games that trade .dll files for game mods. UAC is a joke too many holes. .dll or .so file control is required for any solid security system. Vista is lacking.

Selinux and Smack on Linux both got redesigned so they did not annoy users. Annoying users you might as well not even bother putting them on the system.

Lot of work goes into making Linux's security system as invisible to end user as it can be. When Selinux was first released it was too annoying as well and 90 percent of systems with it got it disabled. History tells you not to do this. For some reason Microsoft never checked history.

Most critical areas to cover from security.

All Services locked up in Mandatory access control. So that if something is wrong in them they cannot do unlimited damage.

Applications provided to users must not where able need to use sudo or other elevation operations. Instead use small segment raise of security. Or even better use something like policy kit. Policy kit provides a service that granted applications can request policy kit perform a task for them. Applications never need to truly raise their security level. Code for the task is truly isolated from the user.

Unix design is not more secure than Linux's reason. Sections like fragmenting root powers into capabilities that can individually granted or refused never has passed the vote for include in the official Unix design.

Linux security system is not Unix. It only looks like Unix to the untrained eyes. Like the simple fact Linux Root User is optional. If you are running a Distribution without a Root user there is no way you could ever run a application as it. Not all Linux Distributions are created equal. Now that would have been the wise line to attack Linux security.

File capabilities allow ID 0 ie what people call root to be lied to a application that it has Root when it really has no extra capabilities at all. Like ping use to be suid bited ie full root capabilities granted to it when it run. These days on secure linux distributions only the means to do raw sockets interface is granted to it.

When combined with selinux and smack the exact files the application can write to can be locked down. So ping no disk access required.

Hacking is now far harder.

Where is the windows equal. Ie the means to lie to application asking if it has Administrator powers and saying yes.

fakeroot and other tools for Unix world have existed forever to do this. Applications demanding Admin users never has to be truly granted.

Linux security is something else. Even user id's with the new container tech can be fake. Process list that applications can see can be fake.

Basically one day every bit of information a application can request about the Linux they are running on could be all fake.

Linux is basically developing into a security system where as an Administrator you choose exactly which myth you want the applications to believe.

How does this make it way harder for attackers. How do you know what application in the system has the powers you want.
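
The setuid-versus-file-capabilities contrast raised in the comment above (ping once installed setuid root, now granted only the raw-socket capability), as an added example that is not part of the original thread: a Python audit helper that parses the Linux `security.capability` extended attribute and classifies a binary by how much privilege it receives at exec time. The function names are this example's own, and the sample mode bits and xattr bytes are constructed rather than read from a real system.

```python
import os
import stat
import struct
import sys

# Layout constants from the Linux UAPI header <linux/capability.h>.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000   # one 32-bit permitted/inheritable pair
VFS_CAP_REVISION_2 = 0x02000000   # two pairs (64 capability bits)
VFS_CAP_REVISION_3 = 0x03000000   # two pairs plus a namespace root uid
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
PAIRS = {VFS_CAP_REVISION_1: 1, VFS_CAP_REVISION_2: 2, VFS_CAP_REVISION_3: 2}

# Subset of capability numbers; unknown bits are reported as cap_<n>.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid",
             10: "cap_net_bind_service", 12: "cap_net_admin",
             13: "cap_net_raw", 21: "cap_sys_admin"}


def cap_names(mask):
    """Turn a 64-bit capability mask into names, lowest bit first."""
    return [CAP_NAMES.get(bit, "cap_%d" % bit)
            for bit in range(64) if (mask >> bit) & 1]


def parse_file_caps(blob):
    """Decode the raw value of the security.capability xattr."""
    if len(blob) < 4:
        raise ValueError("xattr too short for a capability header")
    (magic,) = struct.unpack_from("<I", blob, 0)
    revision = magic & VFS_CAP_REVISION_MASK
    pairs = PAIRS.get(revision)
    if pairs is None:
        raise ValueError("unknown capability revision 0x%08x" % revision)
    expected = 4 + 8 * pairs + (4 if revision == VFS_CAP_REVISION_3 else 0)
    if len(blob) != expected:
        raise ValueError("expected %d bytes, got %d" % (expected, len(blob)))
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": cap_names(permitted),
            "inheritable": cap_names(inheritable)}


def classify(mode, uid, cap_blob=None):
    """Return (kind, capabilities) for one file's metadata."""
    # A setuid binary owned by uid 0 runs with the full capability set
    # (simplification: ignores securebits and a reduced bounding set).
    if stat.S_ISREG(mode) and mode & stat.S_ISUID and uid == 0:
        return ("setuid-root", ["ALL"])
    if cap_blob:
        caps = parse_file_caps(cap_blob)
        if caps["permitted"]:
            return ("file-capabilities", caps["permitted"])
    return ("unprivileged", [])


def audit(paths):
    """Classify real files; Linux only, reads metadata without executing."""
    report = {}
    for path in paths:
        st = os.stat(path)
        try:
            blob = os.getxattr(path, "security.capability")
        except OSError:
            blob = None  # no capability xattr, or filesystem lacks xattrs
        report[path] = classify(st.st_mode, st.st_uid, blob)
    return report


# Constructed samples: ping as a setuid-root binary, and ping as a plain
# 0755 binary whose xattr carries what getcap shows as cap_net_raw+ep.
OLD_PING_MODE = stat.S_IFREG | 0o4755
NEW_PING_MODE = stat.S_IFREG | 0o755
NEW_PING_XATTR = struct.pack(
    "<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 13, 0, 0, 0)

if __name__ == "__main__":
    print("old ping:", classify(OLD_PING_MODE, 0))
    print("new ping:", classify(NEW_PING_MODE, 0, NEW_PING_XATTR))
    for path, result in audit(sys.argv[1:]).items():
        print(path, result)
```

Run it with paths such as the system's ping binary as arguments to see which of the two models a given distribution ships.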

Anon E Moose said...

Yeah, you can audit the code yourself - *if* you're a code monkey and *if* you prefer spending your time proofreading someone else's work.
Doesn't do the rest of us any good, however, and in the end we still have to trust people like you who tell us it's okey-dokey.

What makes some anonymous hacker on the net a more trustworthy judge of good vs bad than a business that wants me to buy its product?

Especially a hacker with an agenda, as many fossies seem to have.

Which leads into my final statement: I think we can agree that stupid users break computers.
I can manage to run as an administrator and not pick up infections. Maybe it's because I know not to open "Hi, I'm Monique" emails or click the download button on a website that tells me I'm infected with something.

It's these idiot senseless users that are the ones who should have Linux inflicted on them, I suppose, since they need to be placed in a sandbox with padded walls so they don't hurt themselves and give me heartburn in the process. And since they would sooner or later break Linux when a poorly "audited" kernel update comes down the automatic updater and they click Install just as brainlessly as they would with Windows, I just tell people to buy Macs.

And I don't even like Mac hardware OR software. But as a company that sells a complete platform, Apple very much has a vested interest in not making a bollocks of their product, and I would therefore certainly put more trust in that faceless corporation than I would in some anonymous twat on the net who says I Am Right And You Are Wrong, Because I Can Write Essays 5 Times A Day That Say So.

thepld said...

I love how they bitch that UAC is worthless and mock how you needed admin rights to change the clock in Vista, while totally ignoring that you need to sudo to update the clock in Ubuntu as well. Hell, if anything, because of the secure screen feature it's superior to sudo.

Anonymous said...

> Number 1 lot of windows programs will not run without administrator permissions.

Ok, I keep hearing this a lot, however, me and my colleagues have been running XP and Windows server for years using just a user account. And, guess what? I really can't remember many programs which need admin rights to run. True, most of them need to be installed as admin, a small number of them has to run as admin for a first time, and a small number need a write access to their Program Files dir (especially some older games). For example, I just installed Fallout 2 on my XP 64 computer and I can happily run it under my normal account...

Speaking of which, it's quite amazing to be able to run 10 years old game on the completely different hardware and software platform.

Linux Haters Redux said...

Anonymous, no, running old games on different hardware (x86-64) and software (NT 6.0) is not amazing at all. One of the core features of these platforms is their backwards compatibility with older platforms (x86 and DOS). If they were not compatible, they would have likely been driven off the market. So, no, running Fallout 2 on your new desktop is not amazing, and that is exactly how it should be.

Anonymous said...

> Anonymous, no, running old games on different hardware (x86-64) and software (NT 6.0) is not amazing at all.

Of course. I was a bit ironic there.

However, some people don't really believe it works, so they are quite surprised when I show them Netscape 0.9 or Mosaic, or some other old stuff running on XP.

RadiantFIre said...

"Bunch of files funny enough on a file system that is fragmentation resistance does not fragment very quickly at all."

Wrong again. Many small files cause internal fragmentation, because these many small files do not align to block sizes. My understanding is that the default block size on linux defaults to 4K. How many of those midget gconf files have exactly 4096 characters in them? How many have many fewer?

The primary advantage of a single compound file is that it is possible for the I/O scheduler to read large swaths of the necessary data in one pass, instead of thrashing the disk trying to read many non-sequential blocks.
This disk thrashing is guaranteed to happen because programs such as gconf must open a file, read it, then close it, open another file, read it, then close it. This is a poor disk access pattern.

Anonymous said...

> Number 1 lot of windows programs will not run
> without administrator permissions.

a lot? Where have you been in the last few years? That's just *badly coded* software; if any crappy freeware utility were to ask you that, then you should just AVOID it, just like you would do on OS X or any Linux distro.

> Yes UAC makes Vista look secure
> but it really does nothing particular
> when users end up running either with it
> disable or switched their way back
> into administrator to get away from it.

wait what? are you saying that you would be unsafe by disabling a security feature? what a news! :D

Also, Administrators in Vista run in a low-privilege mode until an application asks for an action requiring higher privileges; that's the reason for the "do you really want to continue?" nags: they're actually asking you to confirm the privilege escalation for that particular action; and they're substituted by a gksu-esque GUI asking for an admin password if you're using a limited account.

Again, as it happens in Linux, as long as you use GOOD apps, and stay in your HOME dir, in Vista you should *never* be prompted for your admin password.

> Linux people know the flaw of the root user.
> Reason why running as root is classed as a mortal sin.
> Out of box distributions try to avoid it.
> Its also why new security systems
> that have been designed like policy kit
> and posix file capabilities are designed
> to reduce its usage. Long term goal
> of the Linux world is root user ceases to exist.

And that's *EXACTLY* what Windows' ACL and UAC are designed for!

oiaohm said...

Sorry no disk thrashing is not sure to happen. Linux has a compressing cache in memory. File is open its cached no real difference re accessing same file. Disk thrashing happens in all OS's from time to time. Even XP and Vista can thrash when dropping the wrong sections of the registry out of memory.

The effect on fragmentation is directly related to the file system. Yes Gconf is not always disk space effective. But not disk space effective does not equal fragmentation. Does not equal longer search times. Even so space waste is part of the file system design issue.

http://en.wikipedia.org/wiki/BTRFS Notice the space packing feature under development. So long term when change over to better file systems happen there is really no disk waste to talk of.

Since a schema request lines up with a file applications wanting access to that data yes its simpler to have many files. Reason instead of having to search your way through a registry looking for the key. Bigger the registry the more CPU time it will cost to process. gconf processing load stays constant no matter how much it expands.

Compared to open schema open main file and user file to process registry. Funny enough more file opens truly work out faster than windows registry and lighter on cpu usage.

Also its memory usage. Its simpler to know what sections of the gconf system you can throw out of memory.

Registry design really does not give that much advantage.

Finally security. Schema system makes it simple to lock X zone of gconf only to particular programs.

Name the other major problem with a single file on disk. A single bad sector can make large section of the registry not readable and hard to recover. Single bad sector in gconf files is only minor damage.

thepld remember what I said about not all distributions being created equal. Ubuntu one of the most popular distributions does not have a high security rating. It uses sudo instead of creating a proper configuration system to avoid the need for root powers completely.

Root/sudo is optional. Root/sudo is a hack any Linux with a root like user with all capabilities is not a secure Linux. Reason capabilities should own to applications not to users for secure Linux's. Ie to edit configuration files and alter time and so on on them you call management software. It logs the alteration allows roll back.

Even the sections of the management software is wrapped in a security system. Its called the smallest area of risk model. Really hard model to attack there is no soft point.

Yes the lack of good configuration software is a security issue.

Sorry UAC and ACL inside windows is not good quality for what they should be. They leave key areas like .dll inserts not covered.

oiaohm said...

root, sudo and su are old Unix school methods.

All three methods in Linux should be killed off.

http://en.wikipedia.org/wiki/PolicyKit this is the new tech.

There is a large issue of distributions. Linux security allows lot harder and almost unbreakable security. Yet lot of distributions don't deliver.

UAC and ACL in windows is the wrong solution. They are copying the designs Linux world are trying to kill off from the UNIX days because they are defective.

Notice that policy kit can still ask you for a password to do something.

Linux is having a battle killing the defective off because yes it does include killing some applications off for good.

Yes applications that ship with windows to configure things must be run from a user with Administrator rights. So user can run programs with Administrator rights. Policy kit is completely about not being able to do that. You have Administrator rights but you can only use Administrator tools marked for Administrator usage and contained in the security system by calling through policykit. Ie your user never ever gets given any extra rights.

No user tricking option and all users even the admin always is a limited user.

Anonymous said...

PolicyKit is the future, huh?

Now, does Windows have anything like that? Perhaps something that can even be deployed to huge networks via a grouping in a centralized directory? Perhaps even something that can be fine-tuned on a per-application basis?

Maybe you should look up local policies, group policies and application compatibility shims. And if, by any chance, you will allow managed code (called .Net by some) to be included in this discussion, you should also look up Code Access Security policies.

oiaohm said...

Its different to ads. Policy kit is also part of freeipa.org what is a Linux ADS replacement.

Selinux is integrated into freeipa.org framework as well.

Code Access Security is what selinux and smack is. Except selinux and smack apply to native executables. Also selinux and smack are less merciful on a failed operation.

Problem here is that selinux and smack have proven not to be able to provide fine enough grain security. Same defect exists in Code Access Security ,local policies and group policies.

Unfortunate local polices and group polices are like mountains.

Code Access Security is like boulders compared to grains of sand for selinux and smack. But for security around not fully trusted code you need super fine dust. Basically dust that is atoms.

http://msdn.microsoft.com/en-us/library/h846e9b3(VS.71).aspx Look closer at what Code Access Security allows you to control. It is not super fine grained.

Go through them selinux and smack they go down to a per function base, per file , per syscall base. Linux world has found this is not even enough to stop the perfect pro attackers. Turns out even the a program that has a complete execution profile. A exact map of what of execution travel through the program can be exploited. This is getting close to dust but not quite there.

Windows world don't go head to head with data thieves that much or if you do you normally don't detect them. More that you don't detect them. Security and auditing far too weak.

Policy kit is different to what you are describing. Policy kit isolates active system altering code from user and from user applications. Isolation is the only method that appears to work.

Application needs to perform a task it calls the policy kit that number 1 checks if user is allowed to perform that task and number 2 if the application has been permitted to perform that task. System can be setup to be 2 user sign offs required. 1 by the system admin allowing the application to work. 2 by the user themselves.

Now it can ask user to approve or reject this action. At no point does the applications execution rights need to be increased to perform selected tasks.

Policy Kit has the power to audit the permission requiring call. Exactly what the application has requested to do no grayness can be presented to the user and administrator. Also the power to allow only that exact call no different options.

Each policy kit allow can be rejected next time. Invalid call to policy kit can also end in application termination if user or the administrator so wishes.

.Net is always put up as the save of it all. Sorry its not. Buffer Overflow bit it so calls protects you from can be prevented in native code. The security system it provides is not up to what is need so is a sitting duck.

Beware that selinux and smack both do extend into the users home directory if the administrator so wishes. So yes native code on linux already has better than Code Access Security.

Code Access Security is nothing more than a poor copy of selinux or smack with the means to be embedded in applications.

Compatibility shims have not been expanded to the point to fake out applications about their privileges. This is a defect that should have been addressed in windows yet has not.

Linux container alterations go way past what Compatibility shims offer.

Why run shims when you can run the OS the application needs inside a virtual space? Never worrying about an incompatible shim.

shevegen said...

oiaohm, you are trolling so much it is not even funny anymore. From among the huge amount of crap or half-truth you write, I want to pick out just one which jumped into my face.

You wrote:

"This is also the difference of source code. You can audit it yourself if you suspect something is wrong with tools like Coverity. Note suspect. Windows no such option."

(1) It takes time.
(2) It requires knowledge. Many users do not have that ability.
(3) Even on Windows you basically HAVE access to study the source code under certain requirements, i.e. one that immediately comes to mind is for students.

So, let's say you are an average user. What good would it be for you to study source code YOU DO NOT UNDERSTAND ANYWAY?

I do not get that advantage. Do you think anyone alone understands the whole Linux Kernel code either? Your audit claim is such a huge crap that I wonder what the f*ck you are doing in real life other than trolling here. Or does RMS pay you to write so much?

And I still have a big problem with your English. Wtf is this:

"Unfortunate local policies and group policies are like mountains.
Code Access Security is like boulders "

Mountains? Boulders???

What the heck!

kerensky said...

Yet another jackass luser! No wonder GNU/Linux is the mess it is if this is the quality of the advocates!

Anonymous said...

One of the core features of these platforms is their backwards compatibility with older platforms (x86 and DOS).

What about software (almost all versions that are over 1 year old) that requires administrator privileges to run? Should MS preserve Windows design errors because of it? You can't have both secure design and full compatibility with the old versions in Windows.

By the way, I just ran NCSA Mosaic 2.5 (released in 1995) on openSUSE 11. I have also compiled old mainframe programs from the 80s on it.

Yet another jackass luser! No wonder GNU/Linux is the mess it is if this is the quality of the advocates!

This tells more about yourself than anything else.

kerensky said...

"Yet another jackass luser! No wonder GNU/Linux is the mess it is if this is the quality of the advocates!

This tells more about yourself than anything else."

So what does hiding behind "Anonymous" say?

Anonymous said...

I have to credit you oiaohm, you have done your homework. Let's go over our respective points again.

So, we are agreed on the fact that PolicyKit is conceptually similar to what Windows has had since Windows NT 3.1 in the form of local policies, and since Windows 2000 in the form of Group Policies? If we are, then the remaining discussion is on granularity.

Again, to move the discussion forward, let us in theory agree on the fact that neither the Linux implementation nor the Windows one is granular enough.

That said, tell me, what exactly is "granular enough" for you? Policies in Windows control just about every action, including File IO, process launching/loading, and access to system services and even hardware. With group policy, this can be expanded to include network services as well. Additionally, applications may define their own policy elements, which administrators may enforce. Just as an example, Microsoft Office defines a policy which can be used to control whether anyone can change shared templates, and if yes, who can change them. Of course, every aspect of this can be audited (auditing is off by default). So what exactly are you looking for?

True, it's not on a per "syscall" basis. Maybe it needs to be, but does it really? If I mandate that attaching a debugger to processes is not allowed, it will not be allowed regardless of which API is used.

Note that I am talking about native code here, not managed. Let's move on to managed code and code access security now.

CAS granularity is per function, as in the dictionary meaning of function, not the programming language meaning. It does not have to be on a per class or per method level, although those options exist within the CAS framework. And yes, the default policy for CAS is to be "more forgiving", but as with anything else, this can be changed to, for example, process termination like in the examples that you provided.

Calling CAS a "poor copy" of SELinux or smack is...well, naive. For one thing, as I have tried to show, what SELinux does is closer to Windows policy and the completely misunderstood Windows ACL system than CAS. Now, in Windows, these things have existed since 1993 (release of Windows NT). Linux, as per the "SELinux timeline", got them in 1999. Who copied whom? For another, just take a look at the different ways that CAS can match permissions requested by calling code to permissions demanded by called code, and compare that to the "1-7 character label" method of smack. Please. Moving on...

In a sense, compatibility shims *exist* to "fake out applications about their privileges". It's just that normally you hear about them being used to *increase* privileges. The same technique can be used to decrease them as well, although compatibility shims are not really thought of in those terms.

And if you really want to go down to container alteration, Windows has Hyper-V, app virtualization, what have you.

Look, we can go on and on like this. What I hope it proves is that if you dig deep enough, both sides have VERY advanced technology. Being firmly on the Microsoft side, I believe that my team is better, but I accept the fact that I could be wrong, and I am always open to civilised debate. What I cannot accept is the white noise from the Linux corner, from people who know nothing or very little about Windows and are not willing to learn. One example of such is the F/OSS hero Eric S. Raymond, who outright lies about Windows in his book, "The Art of UNIX Programming".

You, oiaohm, are not one of those people. I respect the genuine effort you seem to have put in to write your rebuttal to my first post. Thank you, sir (or ma'am).

Someday, study Windows deeper and with an open mind. It's much bigger and deeper than it appears, and the information is all there, even if the source isn't readily available. You may still prefer Un*x in the end, but I think there is a lot to like in Windows as well.

Oh, and I have no problems with your English. English is not my first language either.

Anonymous said...

What about software (almost all versions that are over 1 year old) that requires administrator privileges to run?

What are you talking about? Which software requires admin privileges to run? I've been using XP and Windows server for years using only an unprivileged account. Administrative privileges are only required to install (most of) the software and for administrative tasks.
Some older software needs write access to its installation directory.

The only thing that I can remember is that, as an ordinary user, you can't see the calendar and the clock, since it requires a privilege to change system date and time. This is quite silly, but can be easily fixed using group policy.

So, yes, you need administrative rights to administer things, but you don't need them to work or play.

There are a few ways to make life easier if you frequently need some admin tools. One of them is to create a shortcut for them and make them run with different credentials. The other is to run something like the 'makemeadmin' utility. It creates a cmd.exe process with admin privileges from which you can start whatever you need to run with administrative rights. (Yes, Windows has a command line too :)

I'm really tired of this crap.

Anonymous said...

Should MS preserve Windows design errors because of it? You can't have both secure design and full compatibility with the old versions in Windows.

Yes, it's a hard decision to make. If they prevent the old software from running, Linux zealots will endlessly lament about MS tax, forced upgrades, Windows suckiness, and whatever. If they make it possible to run them, the same zealots will talk about Windows being broken, insecure etc... they can't win, can they?

By the way, I just ran NCSA Mosaic 2.5 (released in 1995) on openSUSE 11.

Good. However, it seems that Ubuntu users have a problem installing FF 3 on the previous version. I also had a problem running some older Gnome utilities on newer versions of Mandriva (don't remember which ones since I stopped using it).

I have also compiled old mainframe programs from the 80s on it.

I believe you did. But, that's not the point.

oiaohm said...

Look closer at policy kit. It is about avoiding switching up.

Now your user account and all applications you run stay at normal privilege, even the applications you use to prepare the data for the admin operation.

It's least area. The larger the code base you have operating at privilege, the more you have to audit.

Admin tools need to be split in two: a section of code that performs secure operations, and a section of code that interfaces with the user and can be run without privilege. Just to reduce the exploitable area.

The idea of using auto jump-up tools has already been done with SELinux and proven not to be good enough. The area of code with the ability to be exploited for major system threat is too large.

Hyper-V is memory heavy due to not being able to share memory, and requires CPU support. By comparison, containers do not require CPU support and share memory.

Containers are lightweight and provide extra security.

The Linux system also has an ACL system.

I use "feature set" for what most people from the Windows world call a function.

Since a feature set is made up from a group of program functions.

Function is referring directly to a program-created function.

The granularity of every .dll/.so/syscall function an application accesses has been proven required. The reason is the same as before: least area of threat.

If an application is not defective and does not interface with a defective function, it is basically unbreakable.

Now if an application is defective and the functions it interfaces with cannot be changed, the damage it can do is limited as long as those functions are secure.

The worst nightmare of the feature set modules of Windows is that an application is flawed and ends up 100 percent insertable with code from outside. This could be as simple as the program supporting its own internal scripting language and it being flawed in a way providing a lot of power. .NET is not magical against this. This code now can access all the feature set functions. So the area to search for something to do a privilege escape to get deeper into the system is larger.

This is why SELinux fails. Even with per function, the risk of a flawed application being able to go higher cannot be underestimated. If the application uses a single flawed function where the flaw allows getting up in privilege, you are done.

Policy kit has basically been invented to make the grain even tighter.

Like closing a CD-ROM or changing the date and time. These are all like single functions. There is really no reason why user privilege has to be raised to do them. If the user can call a service to perform them for them, that is all that is required.

Under Policy Kit the user has a set of permissions that allows them to perform tasks their normal privilege would reject, but only by calling Policy Kit itself. So if one of those features takes like 20 functions to perform, the user application only sees 1 through policy kit. Least area again. Basically, reduce the area of functions applications have access to in order to improve security.

You really need to ask yourself how many times you are giving users a feature set when all they should be getting is single functions.

Same goes for applications: why give an application a full feature set when it only needs 1 function out of that feature set? Even then, should the application be getting that function without the options being sent being audited? There are a lot of key functions you really don't want applications to use unaudited.

The complete ideas of runas, sudo, su, Granting users feature sets, administrator users and root user are flawed from a security point of view.

Security-designed Linuxes simply don't have them.

Policy Kit design is really not platform locked. If someone wanted they could port it to windows and harden its security up.

SELinux is designed from the Orange Book (http://www.dynamoo.com/orange/summary.htm) for the USA government, which predates Windows existing. Microsoft decided on only going for the lower grades of it.

Windows is also based off the Orange Book. Windows is C2. Linux is almost all of the B3.

Not A ratings yet. Windows is not that far advanced. C2 rating is not great.

People running secure networks are not exactly normal end users. Yet a better design of Windows could see end users not wishing to switch to administrator because they can do everything as a normal user.

Auditing source code can be done many ways if you have the source code. You can pay companies to scan it. You can scan it yourself with software you have.

Or you can be a programmer and manually dig your way through, which is the slowest method. People don't need to be highly skilled to get code audited if they suspect something is wrong. The idea that you have to be a coding master or something to get code audited was true like 12 years ago. It's not true these days.
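Added example, not part of any comment in this thread and not PolicyKit's own code or API: a small Python model of the design the comments above describe, in which an unprivileged client asks a broker for one named action and the broker checks the user, checks the administrator's sign-off for the application, asks the user to approve the exact call, and audits every request. All class names, action ids and program paths are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    TERMINATE = "terminate"  # invalid request: the caller is to be killed


@dataclass(frozen=True)
class Request:
    user: str
    app: str     # the unprivileged client program making the call
    action: str  # one named action, never "run this as root"
    args: tuple  # exact arguments; these are what gets shown and audited


@dataclass
class Broker:
    app_allowed: dict   # sign-off 1 (administrator): action -> apps allowed to ask
    user_allowed: dict  # action -> users allowed to perform it
    terminate_on_invalid: bool = True
    approved: set = field(default_factory=set)  # sign-off 2: exact calls approved
    audit_log: list = field(default_factory=list)

    def check(self, req, ask_user):
        decision = self._decide(req, ask_user)
        # Every request is recorded, whatever the outcome.
        self.audit_log.append(
            (req.user, req.app, req.action, req.args, decision.value))
        return decision

    def _decide(self, req, ask_user):
        if req.action not in self.app_allowed:
            # Asking for an action that does not exist is treated as probing.
            return Decision.TERMINATE if self.terminate_on_invalid else Decision.DENY
        if req.user not in self.user_allowed.get(req.action, set()):
            return Decision.DENY
        if req.app not in self.app_allowed[req.action]:
            return Decision.DENY
        if req in self.approved:
            return Decision.ALLOW
        if ask_user(req):  # the user sees the exact action and arguments
            self.approved.add(req)
            return Decision.ALLOW
        return Decision.DENY

    def revoke(self, req):
        self.approved.discard(req)


class Mechanism:
    """The only privileged code: fixed actions, no general 'run as admin'."""

    def __init__(self, broker):
        self.broker = broker
        # Constructed stand-in for the real system state.
        self.state = {"clock": "2008-11-20T10:00", "tray": "open"}
        self.actions = {
            "example.clock.set-time": self._set_time,
            "example.cdrom.close-tray": self._close_tray,
        }

    def _set_time(self, when):
        self.state["clock"] = when

    def _close_tray(self):
        self.state["tray"] = "closed"

    def call(self, req, ask_user):
        decision = self.broker.check(req, ask_user)
        if decision is Decision.ALLOW:
            self.actions[req.action](*req.args)
        return decision


def demo():
    applet, act = "/usr/bin/clock-applet", "example.clock.set-time"
    broker = Broker(
        app_allowed={act: {applet},
                     "example.cdrom.close-tray": {"/usr/bin/file-manager"}},
        user_allowed={act: {"alice"},
                      "example.cdrom.close-tray": {"alice", "bob"}},
    )
    mech = Mechanism(broker)
    yes, no = (lambda req: True), (lambda req: False)
    noon = Request("alice", applet, act, ("2008-11-20T12:00",))
    results = [
        mech.call(noon, yes),  # both sign-offs given
        mech.call(noon, no),   # same exact call, already approved
        # same action, different argument: the approval does not cover it
        mech.call(Request("alice", applet, act, ("1970-01-01T00:00",)), no),
        # application the administrator never signed off for this action
        mech.call(Request("alice", "/usr/bin/media-player", act, noon.args), yes),
        # user who is not allowed to perform the action at all
        mech.call(Request("bob", applet, act, noon.args), yes),
        # action that does not exist
        mech.call(Request("alice", applet, "example.shell.run", ("id",)), yes),
    ]
    broker.revoke(noon)
    results.append(mech.call(noon, no))  # approval withdrawn
    return [d.value for d in results], mech.state, broker.audit_log


if __name__ == "__main__":
    values, state, log = demo()
    print(values, state, len(log))
```

The client program never runs with more privilege in any of the seven calls; only the two fixed functions inside `Mechanism` touch the protected state.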

Anonymous said...

I looked at policy kit. I do not see anything better than what Windows policy offers. If anything, I am even more convinced that it was "inspired by" the Windows policy mechanism.

Your idea of services (daemons?) actually authorized to make changes and client UI apps to talk to such daemons has been around for a while on both sides of the divide. Fine, so the client UI application does not have the right to, say, shut down the machine, only the service does. How difficult is it to fool the client app to send the appropriate signals to the server? In fact, in a textbook case of this kind of behaviour, Adobe Flash made the sandboxed Internet Explorer in Vista vulnerable. Flash had a more privileged service running, to which a less privileged Flash plug-in would connect. This was successfully used to hack Flash. The hacker went on record to say that the same technique could be used in Linux.

Microsoft has also been experimenting with "Trusted Path" computing for a while. They haven't found a good enough mechanism, despite having many pieces such as policy, ACLs, Authenticode etc. in place and in use for many years. The Linux side is also *trying*. It's naive to say that they have found the solution.

Now, a question. Could you please cite a reference for your claim that Linux, ANY Linux, has passed Orange Book B3?

oiaohm said...

Fooling the client side of Flash is different.

Sandboxed IE was not sandboxed. Simple fact of the case. A true sandbox cannot access the core system outside. Linux and Solaris container tech is about a true sandbox. What is inside the sandbox cannot interface with anything outside it.

SELinux and policy kit are used in a dual setup.

Fooling the client side presumes you can. User-side parts on a secure system are still blocked from keyboard and screen controls other than the user's. Debugging is forbidden, and API access of the application is still controlled.

Basically the client-side program is still protected like a high-privileged application even though it's not. XACE extensions in X11 used in security distributions make the interfaces of client-side programs invisible to other programs running as well. Take a screenshot from a non-approved program and the windows basically don't exist.

Secure running is still required at normal user for sensitive documents and the like, so these things are not that far extra features for secure Linuxes.

The splitting does not make it any weaker than it was to start off with. But it adds something.

Unlike Flash, where once you fooled the client-side part the server was 100 percent sure to carry out the action, Policy kit does not give that assurance. A privileged operation can still trigger a password event from the Policy kit itself, or even respond extremely, killing everything the user is doing. The attacker has no clue how touchy Policy kit is set. There is no way for the application using policy kit to know if this has been allowed in the past or what will happen when they try to do it.

Even worse for the attacker, if there are multiple interfaces to change the feature they want, there is no way from an application running as the user to find out what application the user has approved. Policy kit provides some security there: obscurity. Something the Flash case clearly lacked. Who said hidden source code is needed to make insane obscurity? We just need the open source world's forking of front ends.

Basically policy kit allows each user to create like their own signature of actions based on the way they like configuring the system. Any alteration from that will trip the policy kit.

Old motto of security design: you cannot do it perfectly, just make sure you land mine it well.

Container tech will make attacking policy kit clients even harder. If normal applications are kept inside a container, it can be set up in such a way that they cannot see that the policy kit client applications are even running. This also splits the memory zones of the application.

OS splitting is a required feature for long term security.

Linux is basically going through multiple levels of hardening.

MS has basically failed to design a trusted system because their model simply cannot work. Obscurity is required. As well as heavy land mining. If you do the wrong thing your application is nuked. Something MS has always feared; they seem to always want to design applications to keep on running. That goes against what is required to build a secure trusted path. Probing cannot be tolerated.

Please note real obscurity. Hiding your source code does not create real obscurity. Real only comes from having multiple paths to do the same thing and only 1 being currently valid, with no way to find out before you stuff up what the correct one is.

Look at the OSes that have done trusted path. It is done the same way as the policy kit and SELinux path. Land mine it well. Make it simple for the attacker to go anywhere else, because hitting the land mines is going to raise alarms as well as costing a lot of time.

SELinux development is completely based off the Orange Book. B3 is the section they are working on at the moment. Mostly complete. Yes, they started at the start of the book and have been working their way through. Thinking NSA created SELinux and created Orange Book, it would be kinda strange not to be using their own guide.

Certification is no longer given on Orange Book. Instead it's done on the new EAL system. That unfortunately does not really cover security frameworks. Windows and Linux both have EAL4 ratings, even though when you compare both using the Orange Book requirements they are miles apart.

Orange Book is still good for assessing features for how good of security you are really looking at.

The major thing that annoys me is a lot of administrators' lack of understanding of privilege escape.

Most people think it's just escaping up to Administrator or root; sideways escaping can be just as bad.

Sideways is normal user to normal user. A lot of alterations people do on Windows to allow old defective programs to work allow sideways escaping.

Making a program directory writable to everyone is bad. DLL injection into that program now works. So an attacker enters the system and sees them, so infects them in the hope that the Administrator at some point will run one of them.

Windows lacks a lot of the key requirements to set up old applications correctly.

People basically back door their own systems. Part of the MS problem is poor training.
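Added example, not part of the comment above: a defender's audit for the writable program directory problem it describes. It assumes POSIX mode bits as a stand-in for the Windows ACLs the comment is about; the directory layout is constructed and the function names are hypothetical. The point it shows is that a read-only library is still replaceable when the directory holding it is writable by others.

```python
import os
import stat
import tempfile


def others_with_write(mode):
    """Names of the non-owner classes that hold the write bit in a mode."""
    pairs = ((stat.S_IWGRP, "group"), (stat.S_IWOTH, "other"))
    return [name for bit, name in pairs if mode & bit]


def audit_program_dir(program_dir):
    """Return sorted (relative path, finding) pairs for a program tree."""
    findings = []
    for root, _dirs, files in os.walk(program_dir):
        dir_mode = os.stat(root).st_mode
        dir_who = others_with_write(dir_mode)
        # With the sticky bit set, others may add files to the directory
        # but cannot rename or delete files they do not own.
        sticky = bool(dir_mode & stat.S_ISVTX)
        if dir_who:
            findings.append((os.path.relpath(root, program_dir),
                             "files can be planted by " + "/".join(dir_who)))
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue  # link modes are not meaningful; targets are out of scope
            rel = os.path.relpath(path, program_dir)
            file_who = others_with_write(os.stat(path).st_mode)
            if file_who:
                findings.append((rel, "content writable by " + "/".join(file_who)))
            elif dir_who and not sticky:
                # The file is read-only to others, but they can delete it
                # and put another file in its place under the same name.
                findings.append(
                    (rel, "replaceable via directory by " + "/".join(dir_who)))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed layout: one tight directory, two that were opened up."""
    dirs = {"bin": 0o755, "plugins": 0o777, "spool": 0o1777}
    files = {
        "bin/tool": 0o755,
        "bin/settings.cfg": 0o666,
        "plugins/codec.so": 0o644,
        "spool/job": 0o644,
    }
    for name in dirs:
        os.mkdir(os.path.join(base, name))
    for name, mode in files.items():
        path = os.path.join(base, name)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not matter
    for name, mode in dirs.items():
        os.chmod(os.path.join(base, name), mode)
    os.chmod(base, 0o755)


def demo_audit():
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return audit_program_dir(base)


if __name__ == "__main__":
    for rel, finding in demo_audit():
        print(rel + ": " + finding)
```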

Anonymous said...

Now you are reaching.

Hello? ANY sandbox allows for going beyond. By definition, a sandboxed environment is *controlled* access to a non-sandboxed one. The Flash thing was just that: the Flash service trusting the Flash client to perform a known operation. It was a different matter that the Flash client gave the signal at the wrong time. Note that this was completely a Flash thing; the bug has subsequently been corrected by Adobe. "Not a true sandbox", indeed.

Try and read again what you wrote about "obscurity". My dear chap, Windows is meant for all kinds of use, including day-to-day use by consumers. The default packaging and configuration keeps this in mind. Regular users cannot stand so much as clicking a button to allow a system-wide change, and you are advocating failure in the event of even a hint of a non-secure operation? Even the regular flavours of Linux do not do that.

The so-called "trusted path" OSs that you are asking me to look at; which ones? In any case, it is possible to harden Windows down to something closely resembling what you describe. However, this is such a special case that there is no "Secure Windows" out of the box. Just as a start, try using the "HiSecWs" local policy setting. I have been running with that for five+ years now.

I agree with you on sideways escaping. In fact, I think that in some cases that is more dangerous than Administrator-level escaping. I also agree that program directory write access is dangerous. So, do you know about Vista's directory virtualization, which very neatly takes care of this problem?

So, there is no certification? Just alleged building according to a spec? Okay.

If Windows lacks anything, it is people with adequate knowledge of exactly what the system is capable of. Microsoft is to blame to a large part; you have "Linux" experts as well as Apache experts, Tomcat experts, PHP experts, SELinux experts et al. But how many "Windows" experts exist? All the gurus on the Microsoft side are experts of some part of the stack; very few take a holistic look at Windows itself, Mark Russinovich being a notable exception.

As I said before, do study Windows more. There's a lot in there you might like.

Let's not annoy everyone else by continuing to debate on this topic. I'll see you in the next post.

Anonymous said...

As I said before, do study Windows more. There's a lot in there you might like.

I'm no security expert, but MS seems to copy some nice ideas from others, implement them badly, many times to the point of them being useless or even compromising system security, all the time making Windows appear to the naive as a secure system. Windows security looks to me like a checklist with buzzwords that are supposed to make Windows secure, even though no one ever tested whether it really is as secure as it is claimed to be. One thing that illustrates this is that a design error in win32 rendered user isolation impossible in Windows for ~10 years, yet the system had C2 certification. Of course, this didn't prevent MS from conquering the desktop market, why should they ever care about security, since it doesn't sell?

Ramón said...

Sorry but this is one of the less smart articles in this blog.

Linux seems more secure because we're not attacked by viruses, trojans and the like. The major reason for that is, however, not that Linux is sooooo secure but rather that Linux is (still) so unimportant that there are almost no viruses.

Otherwise the source of security problems - in both Windows and Linux - is usually human. Both provide a reasonable set of means to be pretty secure - admittedly, in Windows this includes disabling and using alternatives for major parts of the software stack (IE, ...).

One might argue that Windows is by default less secure and "inviting" ignorant (or inexperienced) users to commit major security sins. That can be said of Linux, too, however (enabled initd, anyone? Or default disabled firewall, unpatched daemons ...).

But then, to be fair towards LHR, it should be noted that the article he replies to is quite bare of logic and reasonability *g

Nik said...

Ramon, the original article is indeed less smart. It contains too many factual errors and complete crap. I pointed out in the comments of the original article, but my post got deleted. Obviously, it was too harsh for the tender soul of the freetard.

Back on topic. One of the reasons there are no viruses for Linux is the same as the reason why there are no commercial applications for general use for Linux. It is simply too hard to do anything that works on a wide range of distributions.

Vi said...

I vote for booting the biggest idiot ever - oiaohm - out of here. He stinks up the whole blog. He is the dumbest guy ever, regardless of whether some of his points are valid or not. He uses this blog for self-propounding masturbation.

Anonymous said...

Come on, clueless freetards are required to ignite the flame. Otherwise, where's the fun?

oiaohm said...

Trusted Solaris has a trusted path. Same with a lot of the other trusted ones. It is one of the hardest systems out there still to break. Note that Trusted Solaris, which did have the B3 certification under the Orange Book, used a ported SELinux.

That is the thing: SELinux has been ported to other platforms because of its design.

Solaris does have a true trusted path. Problem is finding it. Containers are key to it. If your applications are in the wrong container they cannot alter the system no matter what they do. Even though everything is still running as the same user, the applications are seeing 2 completely different machines. One where if they write to system files they are dead. One where they can. So yes, if you are not running in the right container your attack is dead in the water. Only one problem: the container does not tell you it's the wrong one. There is no way to see any application outside the container the application is running in.

Policy Kit-like design removes the need for anything the user runs to have extra privilege attached to it, allowing the containers to be used more effectively.

Vista Virtual file system is only a really small section of what is required to build containers. A feature that has been in the Linux/Unix world for ages. Name: chroot. Funny enough, Vista Virtual File system has bugs that make its usefulness limited. The same problem also has existed with chroot. MS has failed to do critical security homework. Like with the gcc bug with it: yes, it virtualised the writes, only one problem, gcc calls kept on seeing the not-altered filesystem. The same fault also affects a lot of older programs. It also means an attacker can work out when they are being faked out. MS's reason: that programs had to be able to detect when they were being fooled for security reasons, i.e. Digital Rights Management. Basically it has a full F as an effective security feature. Also part of Microsoft's problem: trying to serve one too many masters. Protecting user/system security completely goes against what Digital Rights Management wants.

Maybe with Windows 7 MS might be able to offer up something half decent. Somehow I don't think they will. Dropping Digital Rights Management is kinda a requirement.

Trusted Solaris makes it very hard to tell who is administrator, since the administrator account looks exactly like everyone else. Other than the fact that the administrator using admin tools does not equal account suspended to disk and password disabled.

Trusted Solaris does have the advantage of containers around users. So unlike the equals in Linux, which have to just straight out terminate a user when they do the wrong thing, Trusted Solaris can suspend the user to disk for later inspection, or restore if the user just went somewhere they should not. Killed through misadventure.

This effectively makes the administrator undetectable in a stack of honey pot users.

The Windows model is simply wrong and old school. Don't stop users from doing the wrong thing as such. Allow them in a contained way, i.e. they think they did it. Only to trigger a nasty response from the OS. Suspend to disk is ideal.

There is another important effect of this. One of the biggest issues on Windows is employee-found security holes.

OK, give an employee the wrong privilege and extra options appear. This is bad. Old school security has this as a valid method, i.e. hide the interface. Over all the recorded attacks it's nothing more than a pure confirmation to the attacker that they have won.

No viruses on Linux is a lie. They do exist, just extremely rare. The security holes they use to get into the systems have been removed so they died out. A lot use the stable kernel userspace API as their interface, so yes, a lot of Linux viruses are more cross-distribution than Linux commercial programs. Linux Standard Base is basically coming around to the virus/malware method. Would have been better if it had been copied 6 years ago.

Biggest threat to Linux is rootkits. Same thing, they are cross-distribution as well.

Yes, really wrong fact: malware writers have done a better job than commercial software vendors for a long time on the cross Linux distribution issue.

Trusted OSes did not start hiding what users had admin powers without very good reasons.

Does not matter how good you think your security is. If an attacker can detect when they have won and are free to do what they like, you are screwed from that point on. It's the key to true security that it must be insanely hard for them to be 100 percent sure they have control of the system and that it is not just another honey pot trap to collect their method to stop it from working in future.

Yes, that is the other thing: Trusted Solaris allows 100 percent fake administrators as well. Where the actions go forward just like an admin, just stored for future reference.

How to make an attacker's game a nightmare: true trusted OSes. Never sure if anything is real or just another trap.

It's far far too easy to detect a victory under Windows. It's also far far too easy to detect when your application has been granted extra privileges for real. The lack of a fine-grained security model only makes this worse.

By the way, the Flash attack on Linux only granted the normal user. So the user would have to be running as admin for it to do any damage outside the user. Reason: Adobe doesn't run a higher service on Linux. All of Flash under Linux runs as the normal user.

The same attack on Solaris set up well is completely pointless, since Flash and Firefox are inside a container. So they have no real access to anything above the like of guest user rights under Windows. It does not even have access to the user's complete profile.

This is what the IE sandbox should have been. Everything IE and its plugins are interfacing with inside the sandbox. Nowhere to go; attempting to get out is death.

You are making a huge mistake. I am not a freetard. I have paid in the past for OSes with good security. Some cases in the past over 10 thousand dollars per OS.

Linux is not the most secure OS out there. Its not the weakest either.

Windows people want to believe that it's great. That Windows is safe is a really dangerous myth. Almost every one of Windows' so-called security features leaves a dangerous flaw.

Too Detectable.
Too Forgiving.
Too Coarse.

Windows people need to wake up to the importance of containers. Need to wake up to the importance of hiding administrators. Future security depends on it.

Microsoft deals with them and one day we might be able to call it a secure OS. With the title of Trusted Windows. Until then it's just another sitting duck out there on the internet.

Of course I would not say that there are no Linux users out there who are not sitting ducks either. Because that would be a lie. Even though the Linux kernel gives them most of the tech they need to make close to what would be classed as Trusted Linux, a lot of distributions fail to provide that to end users. Instead they follow the flawed models of Unix.

The idea that Linux is Unix design and Unix design methods are god is the biggest stupidity holding Linux security back.

Take Linux, drop the old Unix security ideas, take the modern security ideas and you have a really solid system. Annoyingly, the Linux kernel can be built both ways from source. Do the quick check around distributions with working root users: every one with working root or sudo to root is old school. This sadly is a large percentage of distributions in existence.

Anonymous said...

Just ignore or leave the freetard alone. BTW, I miss Julian from the original Linux Haters Blog. He/She was smarter than oiaohm.

Kyle said...

oiaohm,

I think that you, quite frequently, have a lot of good information in your posts. It's like wading through a swamp to get at it, though.

I'd much rather read a post of yours that is half the length, well thought out, and proofread for grammar, than an epic-length post filled to the brim with incomprehensible facts. I'm an American, so I already slaughter the English language, but at the very least, my writing is understandable to the vast majority of English speakers.

I'm not saying this to be an ass or anything, but would it help if I recorded myself reading one of your posts aloud so that you can hear where native speakers stumble?

oiaohm said...

Problem is security is complex. I am using a lot of security terminology does make reading it really hard for normal people who don't know it. I have tried to make it simple then people say they don't get it. Having a really hard time getting the balance right to this group of listeners.

Many people try to talk about security when they simply don't have a clue. Even worse they throw insults instead of facts.

English is my native language. Yes nightmare that I can say really complex bits and not stumble. Lack of grammar is a major issue in my typing. Problem is if I normally put grammar in, words end up scrambled.

If it was not serious I could really laugh at the person trying to defend Windows.

Shims cannot be used as a solid security feature for the same reason as most of Windows security: it has a critical hole. Shims are user space only. I repeat user space only. So by calling through to kernel directly you can find out straight up if you have been faked out or not.

Linux world equals to shims are based on ptrace a kernel based feature. Can make all kernel calls match up to the lie the application is seeing.

Setting up a 100 percent secure network requires auditing everything. Problem for anyone trying to defend Windows: I have already been everywhere through XP and 2003. Audit on 2008 and Vista I am only just starting. Every feature I have checked so far in them is flawed. So if you are lucky you might find something in there that is good.

By the way Linux Hater and me did commonly have direct disputes over content. Most cases Linux Hater lost because of out of date or not enough research. I am a good researcher. There were cases where Linux Hater won. Linux Hater left the building simply because list of valid flaws was running dry.

So far Linux Hater's Redux is failing to hit the right places.

Attacking people for incompetence above board. Backing myths about security or anything else is a kill able setup.

Anonymous said...

> Linux Hater left the building simply because list of valid flaws was running dry.

Actually, I agree. Of course, the problem is that most of the deal-breaker flaws are intrinsic to the Linux anarchic model and thus they can't ever be fixed.

Anonymous said...

@oiaohm:

It's not really about who's really *secure* in the absolute but about who's secure *enough*; I think nobody is complaining about Linux/Unix security on servers, real LH/LHR's points are

* clueless fanboys
* Linux on the desktop

It's not about how rich the platform is, since most of the features will ever be *touched* by a common user; it's about whether they're secure *enough*: and IMO, on the desktop, they both are, if properly configured.

But fanboys just ignore it and state the nothing-ness about how cooler is their Linux if compared with "dat-M$-shit".

And that's just idiotic.


Bye

oiaohm said...

The issue sadly is that it is not true that Windows is secure enough.

There are clueless on both sides and they annoy the hell out of me. I have run honey pots. I have monitored first hand how the attackers work.

Attackers use their exploits as stepping stones. This is where Windows and weaker Linux distributions fail. Attacker gets in, and if they can detect and avoid most of the security system it allows them to keep on probing until they find a weakness that lets them where they want to be.

This kind of attack of pure determination is also starting to appear as part of internet worms.

Linux almost has tech in place to respond and the tech that is there is solid.

Windows, sorry, it's Swiss cheese. OK enough to slow an attacker down. Likelihood of stopping an attacker dead in their tracks is extremely unlikely with anything else than the most perfect security settings. Problem with the most perfect security settings: a lot of applications don't work. So I call its security a Failure waiting to happen. Sticking on anti-virus software only slows the process down, does not stop it.

> Actually, I agree. Of course, the problem is that most of the deal-breaker flaws are intrinsic to the Linux anarchic model and thus they can't ever be fixed.

List them. Saying Linux model is anarchic would be really interesting to see the defects. Since the most secure OS's ever made are made from related model to Linux.

Issue for Linux Hater lot of things he stated were impossible to fix are going to disappear.

Binary drivers in Linux kernel. Guess what, AMD in ATI has shown there is more than one way to skin that cat. On all new ATI cards is a thing called an AtomBios. The AtomBios contains a processor and OS neutral byte code that describes how to control video cards. Could in theory be expanded to other devices. So yes all ATI video cards from now on will just have 1 kernel driver for Linux.

Other companies have been using firmwares the like to do equal things.

Basically if all the companies who want closed source/closed spec hardware put their heads together and came up with a neutral solution, problem of need for closed source drivers would disappear. Basically just take on MS idea of a .net OS and apply it to Linux.

The ball is really in the closed source driver court on that one. Reason: Linux has already been burnt once with the Unix Unified Driver model. Complete support for kernel level binary compatible drivers was built into the Linux kernel then almost no companies even released drivers for it. A complete waste of programming time. Nvidia never once used it. So even if Linux made a stable kernel driver ABI now nothing says anyone would use it; instead just keep on going straight past it to use the internal improved version because it's faster.

Linux Hater was calling for stable binary driver model. Completely the wrong thing since it had already been provided and rejected by driver makers.

Same is true for a lot of the other Linux Hater impossible to fix. Linux Hater's repeated ones also were going to fail outright.

If you say windows applications there are even answers for that underway.

http://en.wikipedia.org/wiki/Linux_Unified_Kernel and http://ring3k.org/ question is what one of the many options under way gets there first.

Yes it's possible for a Linux kernel to stay a Linux kernel and not have a Unix model on top. But it's a bit like Windows. Unix model is where a large number of applications are. It's a little hard to let go. Just like Microsoft has trouble letting go of its past version support.

Drop the idea of impossible and list the wish list.

Anonymous said...

Oiaohm, now I am convinced that I wasted my time debating with you. You may have, as you been, "been through all of windows", but going by your observations in several posts, you understood very little. Perhaps you are not as qualified as you think you are.

You are entitled to your opinions. You have not managed to substantiate them at all with me. I do not wish to attack your arguments, because poking holes in others' solutions is not what I am good at. Your attacks have also not given me any proof that my system of choice is flawed in any way.

I leave you with this thought: you know nothing about Windows. What you claim to know about "security", well, please get more knowledgeable.

Anonymous said...

> Your attacks have also not given me any proof that my system of choice is flawed in any way.

What's the point in having ACLs and group policies if shatter attacks have been possible for ~10 years?

Anonymous said...

Linux is more secure than Windows, but I am not going to say exactly why because then the Microsoft employees who post here will try to steal Linux's secret sauce. :(

Anonymous said...

I think the biggest advantage of Linux is really, and I know the Wintards who post here will be like LOL U SO DUMB!! is that Linux is free software. And as a person who uses computers a lot this is very important to me. I want to know how the software on my computer is built, and I don't want to be restricted by scary EULAs and licensing issues. I truly feel more free, and because I am more free, I get real happiness and joy by using Linux. And happiness is worth more than anything else in the world.

shevegen said...

oiaohm, please ... can't you find some MS blog to troll.

First, the Linux Unified Kernel exists since at least 3 years. That is a bit more than 50% of the time I am using Linux. What impact has it made? 0.0%?

Even the old aiglx has made a bigger impact. And when I want to run windows programs I either go to my windows xp computer or compile the latest wine source releases.

Second, "Unix model is where a large number of applications are" what kind of logic is that? Unix was Unix because of a programming language called C. I hope that you know this tidbit Mister oiaohm. In fact C and C++ were the most successful for an Operating System altogether, with Microsoft trying to make a shift towards more "managed" code as in C# and their .NET project. Some ideas within it are not bad. But I as a user do not care what is behind something. I want things to work. I don't want to be drowned in boring technical details. Why is it that in the year 2008 Linux HAS STILL NOT CONVINCED A MAJORITY OF COMPUTER USERS TO USE IT HEAVILY?

Even if Linux Hater Redux is sometimes wrong about his statements - who cares? As long as the underlying reasons are correct your troll crusade here isn't doing anything good, oiaohm.

Would be better for you to start a blog on your own.

Really.

Anonymous said...

"I think the biggest advantage of Linux is really, and I know the Wintards who post here will be like LOL U SO DUMB!! is that Linux is free software. And as a person who uses computers a lot this is very important to me. I want to know how the software on my computer is built, and I don't want to be restricted by scary EULAs and licensing issues. I truly feel more free, and because I am more free, I get real happiness and joy by using Linux. And happiness is worth more than anything else in the world."

Translation: I am too cheap to pay for software.

Anonymous said...

If I was too cheap to pay for software, I'd just pirate it like everyone else. It's not just software that is free of charge, all software is free of charge on The Pirate Bay. It's software that's free to look at, extend, learn from, and share in ways you simply cannot do with Windows. That's the real Linux advantage, and it's something Windows will probably never have.

Anonymous said...

> It's software that's free to look at, extend, learn from, and share in ways you simply cannot do with Windows. That's the real Linux advantage, and it's something Windows will probably never have.

That's great, enjoy it! That's something you and three other people care about. I just want my fucking computer to work for me and not the other way around.

Anonymous said...

> What's the point in having ACLs
> and group policies if shatter
> attacks have been possible for
> ~10 years?

same as in leen00x: Lusers are doin it wrong

oiaohm said...

What is the point of having a security system that the first time someone finds the smallest hole in, they can find out exactly what their limits are?

If an attacker knows exactly what their limits are they can avoid tripping the security system. Basically Windows is exactly like having the blueprints to your building security handed to the first person to find an unlocked door. Windows doesn't keep security secrets.

Microsoft did this for the stupid theory that applications could avoid being killed. It's the same stupid logic that gave us .exe email attachments that worked on click.

People don't want to have to see that Windows security is a joke. They have all the correct names to the parts like MAC Mandatory Access Control. Yet anyone who has followed how you are meant to set that up knows it should be secret from the application it's controlling.

Problem is Windows flaws are not all like big neon signs. Everything looks like it could be right. When you do truly inspect them, matching them to how they should function, you start finding the holes. Holes that look harmless. Like what difference does it make if an application can see that its writing to a path has been altered. Difference is that an attacker knows that the path they just tried will not work and to move on and check another weakness.

Same with attacker finding out their true security level when admin has lowered or altered it.

A defeated attacker is one that has had their processes killed and been kicked out of the system, or who thinks their attack has worked but it's going straight to nowhere. Windows fails to provide enough to defeat attackers. Even Ubuntu provides enough to sometimes defeat attackers. Being kicked out of a system is a little like a car alarm to attackers. A lot move on.

C2 level rating, that was Windows 2000. Please note XP does not have a C2 rating, even though that was still attainable, but alterations MS did for performance reasons in XP broke the means to get a C2 rating. Microsoft has disregarded system security for so long it's not funny.

Vista and 2008 so far every security feature added would not have passed Orange book. I was hoping that I would find that the MAC in Vista and 2008 would stand up. Sorry it does not.

http://www.gentlesecurity.com/blog/andr/cracking_windows_access_control.pdf

Basically if the Anonymous person who was fighting me was up on basic background reading on Windows security they would have known it's a Swiss cheese.

Everything up to Vista is DAC that is highly exploitable. Vista and 2008 add a half assed job of a Mandatory Access Control system that effectively is worthless.

Simple fact Linux Security model works.

If Windows Security model worked they would have a leg to stand on. People should basically be yelling at Microsoft FIX IT for Windows 7. Provide a true working fine grained MAC and then Windows and Linux would be back on an equal playing field; until then MS security is a joke.

Sorry dyslexia struck before putting Unix instead of Posix. Ie Posix application Posix model. Posix is API that Unix is based on. Yes Microsoft idea of Posix cannot run most Posix applications.

Shift to managed is happening inside posix world.

Unified kernel is really only useful when the project is complete; same was true of aiglx. Idea that stuff appears and has an effect from nowhere does not happen.

Wine from Source release bit should end in 2009 for good.

Perfectly expectable that Linux did not convert lot of Users in 2008.

List of things needed.
* DRI2 to fix up video card operations. Somewhere between now and Jan 2009.
* KMS to give Linux an equal to a blue screen of death, i.e. kpanic, and allow ways for getting out of X11 trouble. Most likely April 2009.
* Distribution-independent binary format. LSB 4.0 should be released soon.
* Distribution-independent install system. LSB 4.1 around middle of next year by current timetable.
* Configuration system being a mess. This is now starting to cost Linux distributions business. Solaris has a great configuration system. So hopefully money will talk.
* Replacement to ADS, i.e. freeipa. Segments heading to completion starting to be released now.

That is the basic key list from what I have seen. Have I missed anything?

You don't want to drown in technical issues yet you are willing to put up with an OS that is a willing invitation to attackers. Yes either Microsoft or Linux has to get better even if it's just to reduce the chances attackers get.

Please no one think MS security is good it is toxic.

Anonymous said...

> Please no one think MS security is good it is toxic.

Aside from a bunch of freetards, nobody thinks desktop Linux is nothing but a bad joke

oiaohm said...

Exactly. Microsoft and Linux both sux at moment so go buy a Mac. OK, they sux because they are too expensive.

So everyone is currently screwed. There is no good option. I hope that at least someone will pick up the ball.

I am an OS Hater. I prefer my facts correct so I know what evil I am getting into bed with.

oiaohm said...

PS go to a Linux conference and count the Apple laptops. Yes, Apple laptops outnumber Linux ones at a Linux conference. So most of the Linux world don't disagree with the statement that the Linux/Posix Desktop is not up to scratch yet.

Anonymous said...

> Microsoft and Linux both sux at moment

Hahaha. Sure, put Linux and an OS that has 90+% market share in the same sentence. There goes your credibility down the drain.

oiaohm said...

Just because something holds a large market share does not make it good.

Good example: most sold car. It's not the cheapest and it's not the most expensive. It's what most people think they can get away with. Now without laws protecting consumers you could see car dealers, if they could, sending cars out without brakes.

Exactly the same as well. Linux: cheaper car. Safe to be attacked by an army, looks OK, but don't try to adjust the seat; you might just be locked out of the car after being fired out on the ejector seat.

Microsoft: middle of road car. All the internals of the car nicely adjust. Don't crash it or you are dead. Don't leave it unlocked anywhere because all the doors and the ignition look like keys but in fact can be opened/started with almost anything.

Mac think Volvo safe expensive. Works just don't want extras or have to fix broken parts because you will be paying.

Same thing happens in software. There is no law that Microsoft must provide a working security system. They must provide enough so marketing people can sell it to you as secure.

Now what happened if Microsoft did release a secure OS. How are they going to make you upgrade. Think about it each time they sell windows the line always comes up its more secure than the last version of windows.

Number of attempts if they were truly trying thinking the document was written in the last 1970 how to do most of it. They should have made it by now.

Con job marketing. Same kind of things of a Con Job marketing is also done when you buy a bed.

Most people are choosing the devil they know of Microsoft.

Basically people have to choose something. Linux with a not that stable desktop, it's fair enough to expect it to have a nothing market share. That Linux has around 1 percent in market I find strange given its current state. I would be more expecting about 0.1 percent. Ubuntu and all their marketing has kinda had an effect of an OS having more market share than it should.

Now when you think about how many of your records are stored on Windows machines that are known to have defective security. It's not a nice idea.

That MS has 90 percent market share basically proves that with good marketing and support you can put any defective product out there you like as long as it looks good and users are not smart enough to wake up.

Hang on I got virus infected. Hang on that was because my OS did not have a security system that works.

Yep does not happen. Instead everyone blames the virus writers/attackers.

Also the Dos time frame also shows that how user friendly you have to be is also related to market share.

Higher your market share the more likely you will get away with serving up trash.

Microsoft has also been smart to create generic catch-all terms that can be thrown at anyone who finds their defects. With a generic description of what they are. Yes with a person like me they don't match up. Because the generic description is not about a person like me.

Anonymous said...

Haters haters hatin', keep them haters hatin'

Long live Linux!

Anonymous said...

> Just because something holds a large market share does not make it good.

Sure. That's why FREE Linux is so much better. So good that nobody gives a fuck about it, after 17 years. Say whatever you want about Windows, but with it, people are fucking getting their work done.

Anonymous said...

This is the saddest blog on Earth. A bunch of retards hating on a free operating system. Get a fucking life Wintards!

Anonymous said...

> Yes with a person like me they don't match up. Because the generic description is not about a person like me.

I noticed as well that they have an army of shills that continuously try to categorize a person's arguments against MS and typically respond from a list of possible responses. Nowadays it looks like MS marketing has run out of ideas, so they're honestly asking linux users for feedback, in order to understand how they should market the next Windows version to the public. Of course, MS engineers already know the state of Windows security, they themselves support that UAC wasn't meant as a security feature per se, so this marketing effort becomes obvious to anyone that digs a little deeper. This company makes me sick.

Anonymous said...

> A bunch of retards hating on a free operating system.

That's a usual freetarded argument. Just because it's free it must not suck. Well, I'd say it's free for a reason. Ask Mr. Shuttleworth.

oiaohm said...

Free does not equal sux.

It's like a lot of things: price has nothing to do with quality.

Unfortunately the statement about wintards is at least partly true. If you are a tard from either side you fight with insults and don't like facing the facts. Tards are always sure the other side has not done their homework and attack without doing theirs and expect their head not to be cut off.

Then when a Tard loses they then point to another section in the hope they can win there.

At no point did I say Microsoft did not let people get work done. Per year over 1 trillion dollars is lost in productivity due to windows and its security issues.

Good example of something that is more than wrong. Mac OS X has a open source kernel. Its market share has gone up. Virus/Malware numbers for Mac OS X did not increase.

So either there is some threshold that is unknown to the market vs virus/malware number or the theory is partly wrong. Correct answer: it's partly wrong.

As Windows market share expanded so did the numbers of viruses out there, faster than predicted growth rates by a factor of 20.

It's a simple case of more market with a dicely security system.

Virus scanners are a patch to a not working security system. Side effect: more viruses, more CPU time the virus scanner eats up. Funny enough a lot of virus scanner companies are getting really worried. They can see if virus numbers keep on going the way they are, sooner or later the amount of CPU time needed to scan for viruses will be larger than the home computer. Even with CPU power increasing every year. Offloading to GPU is being looked at to expand the time.

So yes the wall is coming. Where you will either have to run without an anti-virus or have a machine that slow it's useless. Basically if you want Windows to remain productive you really either have to clone it with a better security system or get majority up Microsoft ribs.

People forget Microsoft did create an anti-virus software in the past and it was useless. Microsoft re-entering the anti-virus market is due to the issue that is coming. They have to kill the companies that are going to yell from the rooftop that they stuffed it.

Anonymous said...

Linux is a Soviet/European conspiracy to bring the American software industry down. It needs to be banned and its users tried as felons.

Anonymous said...

> Free does not equal sux.

Except in the case of desktop Linux, it really does. You talk about facts... open your eyes to them.

oiaohm said...

That is, Posix desktop sux. FreeBSD, Solaris... A lot of Posix related OS's use related desktops. Not free as such; some versions are closed source and you have to buy.

How hard is it really to get that Linux does not have a desktop environment of its own?

Yes no one wants to talk about facts.

Anonymous said...

Ubuntu, why it's wrong for America

http://shelleytherepublican.com/2007/08/18/ubuntu-%E2%80%93-why-it-is-wrong-for-america.aspx

Shelly the Republican is a voice of truth in a sea of lies. Read up some of her articles where she proves that Linux is product of Soviet communism and also, believe it or not, Satanism (Ubuntu has an official "Satanic Edition", I almost threw up when I heard this).

Linux needs to be banned and its users and developers tried AND EXECUTED for crimes against humanity.

God bless,
Joseph

oiaohm said...

So we have another TARD Line.

> Linux needs to be banned and its users and developers tried AND EXECUTED for crimes against humanity.

Sorry you just killed IBM and HP large block of their development department.

Same with killing of a large block of Microsoft R&D department.

Same with about 70 percent of people who own cable or ADSL modems.

Doing it kinda could solve the global warming problem. We are talking about 90 percent of the world population gone.

Linux is very viral people come into contact with it daily and don't know it.

oiaohm said...

Ok 90 percent of the developed world population gone where most of the problem is coming from.

thepld said...

"Shelly the Republican is a voice of truth in a sea of lies. Read up some of her articles where she proves that Linux is product of Soviet communism and also, believe it or not, Satanism (Ubuntu has an official "Satanic Edition", I almost threw up when I heard this)."

Wasn't that some really brilliant troll site? Think someone from adequacy.org admitted to making it.

oiaohm said...

Ok I will do a joke on that one.

What could happen if the law is passed to kill all Linux Users.

Auditor comes to your house; by luck not one of your devices contains Linux. Then the auditor asks have any one of you used the phone or the internet recently, everyone answers yes and the auditor proceeds to kill them.

Simply by being here: the server behind this site is Linux. So you are currently a user so are dead if that law ever got passed.

Same can be true for the phone exchanges. About the only people left are the ones that don't touch technology.

oiaohm said...

Sorry for so many posts. Linux Tard's inverse the kill all linux users and developers to kill all Microsoft users and Developers.

At least that one leaves enough population to keep on operating.

Tard arguments really don't change all that changes is the OS name. Never do they do the research to see what will happen if action is taken.

Anonymous said...

Shelly the Republican is NOT a troll site. This rumor needs to end. Shelly the Republican has been hating Linux well before LH. She puts up really good arguments against Linux, I really suggest you read them. Linux is a fucking disease.

oiaohm said...

The shelleytherepublican arguments there are nothing more than trolling.

I have removed Linux from many systems. It's very simple. Delete the partitions, reinstall Windows.

Ok now if Linux is embedded on motherboard you are done. This is happening more and more.

I wish I had the old DOS ad still. It's a laugh: it had a lady in lingerie with a 5 1/4 inch disc covering privates and her arm covering breasts. Sorry, porn sells; even Microsoft used it to get attention. GET OVER IT.

MS puts up a squeaky clean image now but when they were starting out they directly supported piracy. Sorry there is nothing there either. Bittorrent was not invented for porn or anything like that. It was invented because of a Linux problem. Over 1 million people wanting to download the same thing at the same time. I.e. the Linux Kernel. Funny enough 80 percent of Bittorrent traffic is still Open Source stuff. 20 percent is the illegal bits.

Funny enough most developers of Linux are paid. Over 80 percent of them are paid to work on Linux. Even worse most who are paid work in the USA.

The idea that just because software is free that people don't get paid is a joke. Software is free support is not. Simple fact software can be mass produced at almost no cost. Now tech support and adding features needs humans.

Open source is really a true sliding scale payment system. When you are a large company you want problems fixed quickly so you hire developers to do it. So effectively paying for the product.

Now if you are poor company Open Source allows you to have it for free. Fixes of course are at the mercy of the developers who are most likely paid by bigger companies.

Idea that Open Source is communism is the biggest myth going.

Microsoft sliding scale is the other way over. Bigger your company the cheaper you get your software. Along with cheaper software you get better support out of Microsoft.

How does that make capitalism work. Pay less get more. Kinda is not capitalism.

Reviews by shelleytherepublican are also crap. If you dig around for the right bits of hardware windows vista will not install. Same thing is done a lot against linux.

It's simply too late to kill Linux.

Shelleytherepublican is simply another troll after attention. Does not know enough computer history to even talk on the topics.

kerensky said...

"Just because something holds a large market share does not make it good."

Right on!

Anonymous said...

According to Wintard logic McDonalds must be a fucking five star gourmet restaurant.

oiaohm said...

tards are tards. Insulting other tards basically just proves you are one.

Tard logic is that flawed that a logical and researched response leaves them stuffed.

oiaohm said...

Configuration remains Linux's biggest security problem.

Now Linux is not alone with that problem. Most of the Posix world suffers from it.

If you are following what is going on with KDE 4.x you would have noticed something. KDE 4.2 has powerdevil which manages power setting of the OS under it and KDE 4.3 is branching out into more configuration features.

So yes another one of Linux Hater's issues is dying. The 1000 way fragmentation of Linux. Just like everything else it's been solved another way. Instead of merging distributions, alter where they get their packages from.

So in time Linux/Posix/BSD/Mac management will all be doable from one of the generic interfaces. There is even a chance Windows will be covered.

KDE Gnome and XFCE what are classed as desktops on X11 will kinda lead the way out of the configuration problem.

Policy kit is kinda key tech that has allowed this to happen. Reason: policy kit allows the distribution/OS dependent bit to be done in 1 location for all X11 desktop systems. So as long as the policy kit matches the location everything above is good.

It is funny how history repeats. Before the distribution fragmentation started most common dispute was over what Windows Manager you used.

2009 is going to be an interesting year in more ways than 1. If lucky back to 3 configuration front-ends with 1 configuration backend and 1 universal package. Covering all of the Linux BSD Posix and Mac OS.

Nik said...

oiaohm, that's amazing. It is crystal clear from all your talks here that you know shit about Windows system architecture, kernel, and security model. But you keep talking about it, and you keep criticising it. I don't get it, really.

Anonymous said...

> According to Wintard logic McDonalds must be a fucking five star gourmet restaurant.

I don't know of any fucking five star restaurant that is cheaper than McDonalds. Do you?

See, that's where your bullshit freetard logic falls apart.

Anonymous said...

> According to Wintard logic McDonalds must be a fucking five star gourmet restaurant.

OK buddy. So, according to the freetard logic, those people who gather food from garbage bins eat the tastiest food on earth.

Anonymous said...

Oh fuck, it looks like the above Wintards are confusing "free as in freedom" and "free as in my foot in your ass" again.

Anonymous said...

Oh fuck, it looks like the above Wintards are confusing "free as in freedom" and "free as in my foot in your ass" again.

Lintards brag a lot about "software freedom" but in the end, they have their system filled with Flash, binary proprietary codecs, and proprietary drivers. They're not even consistent with the shit they preach. Oh well, what do you expect from them.

kerensky said...

http://4front-tech.com/hannublog/

I guess he never got the memo about FLOSS and selling services and support to make money either ( from thepld's rant).

kerensky said...

or maybe he has now realized that the entire house of cards freeloaders..., sorry FLOSS lusers and activists, inhabit is full of holes and lets the rain in.

Anonymous said...

@November 28, 2008 12:17 PM

Don't assume everyone who loves free software completely boycotts the use of any proprietary software. Many of us (like myself) simply prefer free software when possible. Hopefully one day Linux won't need Flash or w32codec anymore but until then I'll continue using them.

Anyway it sure beats using an OS where pretty much everything on a fresh install is closed source. AKA Windows.

Anonymous said...

Many of us (like myself) simply prefer free software when possible.

Of course. Which means you don't use proprietary software unless YOU actually have need of it.

Well, here's news for you: 99% of the world have need of an OS that doesn't suck donkey balls. That's why nobody gives a fuck about Linux.

Anonymous said...

Don't assume everyone who loves free software completely boycotts the use of any proprietary software. Many of us (like myself) simply prefer free software when possible.

Don't assume everyone who loves his wife completely boycotts the use of other women. Many of us simply prefer our own wives when possible.

Anonymous said...

@November 28, 2008 2:36 PM

The only OS that truly sucks donkey balls is Windows Vista. Linux and OS X are among the best. But even so Linux is the only FOSS OS so it's the best if you are interested in computers and how they work.

Anonymous said...

@November 28, 2008 2:40 PM

Agreed.

oiaohm said...

Nik Windows system architecture, kernel, and security model. I am not targeting all of them. System architecture of windows is fine. Kernel model is fine. Security Model not fine. If I did dig around I could give you many different security researchers saying exactly the same thing.

Nik good example is http://damnvulnerablelinux.org/ You can take something that can provide perfectly good security and stuff it up.

That is exactly what MS has done. On paper Windows NT design is good. Implementation is stuffed up badly.

Windows Security model yes object based yes what is required so it appears fine. Selinux also applies an object based security model to Linux over time that is formally turning into credentials. Linux is not Unix. Linux security is hybrid file and object.

Until you inspect security objects under windows they are not on everything they should be. If you had read http://www.gentlesecurity.com/blog/andr/cracking_windows_access_control.pdf nik you would know the problems.

Finally, one of the most sufficient weaknesses is the fact that permissions cannot be assigned to all objects, e.g.: network access, windows subsystem objects. It means these objects are uncontrollable and can be accessed by any user. This weakness is not directly related to DAC but rather to its Windows implementation.


Direct quote. There are more objects that are not covered. Really lot of issues with Windows are fixable if you can fix up the security object system and put a proper working Mandatory Access Control system on it. Problem only Microsoft can do that.

MIC half cooked version of a Mandatory Access Control system is not good enough. Most critical problem with MIC is that your applications have to be built for MIC. Reason to make it generic they would have had to go back and fix up the security object system they stuffed up.

All functions allowing what should be privileged operations must be covered or a security system is worthless no matter how good its design looks on paper. Do you now get the problem with Windows Nik?

oiaohm said...

Ok I did look to attack one part of NT design. Ie the Registry but that is also implementation.

You can force Registry hive to a size that must swap or system fail. Just by being able to create Registry keys. Unlimited registry keys from an application that can create registry keys which is basically all of them.

This is another case of security implementation failure. ACL's are in the registry to limit this but it does not control what keys can be created by a program only where they can be created.

Any ideas the problems a computer has starting up with a 2 GB registry hive.

Gconf was designed with this known defect in mind. Schemas provide the required limitation. Segmenting to more files on disk also makes that kind of attack if it works simpler clean up.

Registry hives not having an internal defrag tool provided by default leads to search times growing out of control. It's not like MS is without the source code to do it pagedefrag from their site. If registry had on fly internal defrag it might be able to stay faster than gconf. gconf smaller files avoid Registry having to glue entries into large files that also makes the problem worse over time more and more complex of a tree forms inside a hive due to X key would not fit in Y space so instead of it being in order now it's at end of file. Small files make it simple for gconf to replace a complete file and avoid having to patch into 1 large file.

Sometimes the gain of speed on design side is completely killed real world by the implementation on the other parts needed to make the design work. Real world tests the gains of limited files of registry are lost due to other problems. Be aware size is a bigger issue for gconf than the registry. Reason on average people using an X11 desktop have more applications installed than windows or mac users this equals more configuration settings to store. Gconf started life as a single file prototype it just did not scale well enough.

So 2 implementation failures. Projects like Reactos recreating windows don't have to make the mistake. Find a better implementation problem goes away.

MS had problem about doing an idea first (ie registry) you don't have the means to look at everyone else and avoid implementation mistakes. Now of course MS should be working flat to fix the implementation mistakes.

It's not like gconf will be the last registry like system designed. http://www.freedesktop.org/wiki/Specifications/config-spec So if you can see how to do it better it would be a good time to speak up now before we have to live with the final product.

If you look closer the mistakes I am pointing to are mostly implementation not design. So most are fully fixable without changing anything in the design documents of windows. It is what makes the faults more annoying that they just get left there.

MIC is design. Only design flaw I am really pointing to.

How many times do I have to say this TARDS are TARDS.

Lintards brag a lot about "software freedom" but in the end, they have their system filled with Flash, binary proprietary codecs, and proprietary drivers.
Wintard mirror to "software freedom" is "Open Source Software Sux and no one should use it." Yep Most of them you will catch using an open source program for something.

If you have a Tard argument there is a mirror. True world is never like the Tards make out. Everyone uses what suits them. Tards deserve to be disregarded. Basically anyone using a Tard argument to back a case is a Tard themselves or too stupid to see that all Tard arguments are mirrored.

Only when you get true facts can you sort out what is mirrored tard crap and what is truth.

Also software freedom is a goal of the open source world. It does not work out to be productive all the time. Binary drivers are getting less in the open source world.

Just like saying you will not do banking with firefox because your bank rejects IE because you will not use open source software. People don't do that. They will do whatever gets the task done.

Anonymous said...

The only OS that truly sucks donkey balls is Windows Vista.

Hahaha. You've been reading too much badvista stallmanian crap.

Haven't you heard? Vista is a success already. Better save your freetard FUD for Windows 7.

Anonymous said...

@dumbass up top

Windows Vista is the reason I switched to Ubuntu for good. No.. I didn't have to read anything about Vista, all I had to do was use the piece of shit on my new computer.

And who gives a shit if Microsoft considers it a success? That just shows how fucking out of touch they are with their brand. Microsoft is a tech company version of the American automobile industry. They just happen to sit on more cash right now.

Give it time.

Anonymous said...

Actually to the poster above Windows Vista is a perfect example of what happens when a company basically outsources (or in-sources) its entire development team. Yes, a fuck ton of foreigners work for Microsoft.

Bill Gates is a huge supporter of work visa programs. Microsoft has the largest number of work visa requests of any American company in existence.

So really their "American" HQ in Redmond is chock full of Indian and other foreigners basically the whole fucking place smells like curry 24/7, and almost nobody speaks good English.

And lets not forget their rapidly growing other development office is IN India. Microsoft is not a very American-friendly company at all.

And sorry there is no software engineering in the world better than American software engineering. Their product quality in recent years is really a direct result of this company transformation.

Windows Vista is a direct result of the work of hundreds of H1B who don't give a shit about product quality and are here just to make money so they can move to their respective 3rd world shitholes and live like royalty shortly thereafter.

If anything to kill Microsoft it won't be Linux but their fucked up work visa programs and heavy outsourcing. And it will certainly kill the American software industry along with it.

Anonymous said...

Windows Vista is the reason I switched to Ubuntu for good.

Do you think anyone using Bugbuntu crap can be taken seriously? I am gonna read your future:

http://linuxhaters.blogspot.com/2008/06/evolution-of-ubuntu-user.html

No need to thank me.

Anonymous said...

And it will certainly kill the American software industry along with it.

I think things like this:
http://4front-tech.com/hannublog/
and this:

http://ask.slashdot.org/article.pl?sid=08/11/23/1447251

will kill American software industry

Anonymous said...

I think things like this:
http://4front-tech.com/hannublog/
and this:

http://ask.slashdot.org/article.pl?sid=08/11/23/1447251
will kill American software industry

If the American software industry consists of companies that try desperately to find a reason to exist, then no other is responsible for their problems but them. If open source does the job of insanely rich companies better, there's no reason for these companies to exist, at least in their current form. Saying that MS should keep making huge profits when they sell something they haven't substantially updated since win2k (8 years ago!) doesn't make sense to me. This applies to many hardware companies as well, the netbook market demonstrates this. Why would a casual user need a faster PC than one that was bought ~4 years ago?

Anonymous said...

If the American software industry consists of companies that try desperately to find a reason to exist, then no other is responsible for their problems but them. If open source does the job of insanely rich companies better, there's no reason for these companies to exist, at least in their current form.

I agree with that.

Saying that MS should keep making huge profits when they sell something they haven't substantially updated since win2k (8 years ago!) doesn't make sense to me

Well, the problem is of course that open source competition still is far from being at Win2k level even 8 years later, let alone Vista. That's why MS still makes big profits and it doesn't seem like it's something that is gonna change in the near future.

You can always buy a Mac, of course.

Anonymous said...

Really all open source needs to finally kill Microsoft is some big government like China, Russia or the United States funding its development.

Anonymous said...

@November 29, 2008 4:20 PM

That's a bunch of BS. I've been using Ubuntu for over a year full time, and I have not had a single problem. While in Vista I could barely use my computer it was so slow. Oh and fuck you. I've been using Windows for over 15 years. Linux was the best thing to happen to my computer.

Anonymous said...

That's a bunch of BS. I've been using Ubuntu for over a year full time, and I have not had a single problem.

Not even you can believe that. Spare me your propaganda, I know what Linux is and Ubuntu is no fucking exception.

Anonymous said...

Ok, so you haven't tried to use Eclipse, Camorama, deskbar, kde 4, Webcams in general, use video card other than intel's, import a Doc file, write a presentation, use multiple monitors, use more than one audio program at once, print duplex pages, use video chat, edit a video, edit musical score, use accounting software, manage your picture collection, etc.

In short, if you do nothing at all with your computer (since even browsing the web is a chore with Ubuntu, due to its fucked up streaming media support), then Ubuntu is the greatest thing since sliced bread.

Anonymous said...

Ok, so you haven't tried to use Eclipse,

Have tried it. Runs awesome in Ubuntu.

Camorama,
No.

deskbar,
Yes.

kde 4,
Tried it, didn't like it.

Webcams in general,
No. Don't give a shit about webcams.

use video card other than intel's,
I use an Nvidia card. Works great.

import a Doc file,
Yes many times. Works great.

write a presentation,
Done it before. OOo is great. I don't give a shit if you disagree.

use multiple monitors,
Yup. Works great.

use more than one audio program at once,
Yup. Had some problems with this in 8.04, but none in 8.10.

print duplex pages,
Printer can't do that anyway.

use video chat, edit a video, edit musical score,
See above.

use accounting software,
Use GNUCash. Works great with my bank accounts.

manage your picture collection, etc.
Nautilus. If I needed a bloated program for it I'd use Picasa, which is like the best photo management software ever created.


---
So basically all I don't use is a webcam. I don't cybersex with fat chicks. Can you blame me?

But really, Linux is good shit. I've used it as a desktop for a year, and as a server since 1998. Using Linux has done nothing but help me in my life. I have no fucking clue where you are getting this "Linux is teh suck" from.

Anonymous said...

The typical "WorksForMe" and "IDontNeedThatAnyway" bullshit.

Had some problems with this in 8.04, but none in 8.10.

And yet before you said you hadn't had a single problem in one whole year. Riiiiight. That's the typical freetard attitude: every Linux pain is not only forgivable, but also forgettable.

Have you upgraded to OpenOffice 3, by the way? Maybe some freetard kind soul has prepared a repository already :P

Anonymous said...

@November 30, 2008 10:28 AM

Don't believe it then. When you are so fucking blind that you think anyone who actually enjoys Linux is a fucking liar, you are beyond hope anyway. Go break your neck falling down a flight of stairs. Asshole.

Anonymous said...

@November 30, 2008 11:17 AM

See above.

Anonymous said...

I don't give a fuck if you enjoy Linuxcrap or not. But if you say Vista is shit and Ubuntu, an OS with a release cycle of 6 months because otherwise you cannot update your fucking apps because of a lack of a damn platform is good, you are out of your mind.

Hey, there's a reason they send it to your home for free.

Anonymous said...

You have to be a complete and utter moron if you think Windows Vista is any good. Simply amazing.

And yes Ubuntu is a great operating system, it's much better than Windows XP even.

Anonymous said...

You have to be a complete and utter moron if you think Windows Vista is any good.

You are right. I read on the internets that it truly suckz

And yes Ubuntu is a great operating system, it's much better than Windows XP even.

You are right. It's all the rage among the digg crowd. And hey, a new theme/artwork is promised for the next version!

Anonymous said...

@November 30, 2008 11:41 AM

About time you came to your senses. Together with our freetard army, we shall rule the world.

Tom said...

If the American software industry consists of companies that try desperately to find a reason to exist, then no other is responsible for their problems but them.

True. But in MS proprietary model small software developer company can make a living of its work. In OSS model software development is sponsored or controlled by a government agency. When you combine this with the distributions model, which control what and when will be distributed and installed, you get one unhealthy model.

Also, in this model you get limited number of products, since, as we are being taught, the money is not in the production but in support.

If open source does the job of insanely rich companies better,

I am a developer. I don't give a f*ck about other companies but mine. I want to make a living doing what I know and like. I don't want to earn money by flipping hamburgers or supporting some 3rd party crap.

Why would a casual user need a faster PC than one that was bought ~4 years ago?

What a BS. I heard the same argument 4 years ago. Nobody is forcing you, or anybody else to buy a new PC. Also, you can't force a PC hardware industry to make the same hardware they did 4 years ago. Also, you can't force a software industry to keep making software for you and your 3 friends that don't want to buy a newer PC.

BTW, why don't you use a proposed OSS model, just find a number of people who want their old crap supported and pay for a custom development and support.

Basically you want to force software companies to do what you want and still call it a freedom. What a bunch of hypocrites.

Anonymous said...

@Tom

You made no fucking sense. Anyway your "right" to charge for software, also means people have a right to give software away for free. It's all economics anyway. Limited demand and unlimited supply means software's natural price approaches zero.

Tom said...

Anyway your "right" to charge for software, also means people have a right to give software away for free.

Of course. Also, any company has a right to offshore parts of business to reduce costs. So why do you (or other anonymous above) complain when company does it?

But, no, basically you want everybody to give software for free. Why? You have Linux, which supposedly works everywhere, why does it bother you if other people charge for software and many people pay for it. You want everybody to think like you, which makes your mindset totalitarian. And, this fits nicely with the centralized distribution model and government regulation of production.

Anonymous said...

Limited demand and unlimited supply means software's natural price approaches zero.

So does a motivation to produce something new.

Anonymous said...

@November 30, 2008 1:57 PM

Open source contradicts that idea.

@Tom
I would very much rather you think like me, but I am not going to force you to think like me. Totalitarian would be me holding a gun to your head and forcing open source down your throat. That's not what anyone is doing. I just think open source is better, and it makes more sense as a developmental model for the future.

Tom said...

Totalitarian would be me holding a gun to your head and forcing open source down your throat.

No, it wouldn't. Go and read about totalitarianism in wikipedia. For example: It attempts to mold the private life, the soul, the spirit, and the morals of citizens to a dominant ideology. The officially proclaimed ideology penetrates into every nook and cranny of the state society; its ambition is total.

So, yes, it sounds very much like an Open Source ideology to me.

Open source contradicts that idea.

How? If we take a look at the history, we'll see that some of the great artworks were created by the artists who were employed by the courts as teachers, engineers or portrait painters. (and most of them seemed to be quite unhappy with that). That would be like an OSS model for software development. However, it was necessary for the artist to be able to make a living creating art, to see all these new art forms, genres and ideas that we see now.

True, Mozart would probably be a great artist today, but most of the music we know today wouldn't exist if musicians could play only what the governments or rich and powerful patrons wanted.

I really don't think that the model 'flip hamburgers and write software for free', or 'write software for free and sell the support' generally can produce variety and the new ideas. Some people will still make great software, but for the most it's much easier to 'sell support and don't write any software' or 'flip hamburgers and watch TV'.

Anonymous said...

I just think open source is better, and it makes more sense as a developmental model for the future.

What the hell is that? What defines something as open source is its license, not the development process.

oiaohm said...

LOL Tom. You really do need to do some reading. OSS is not controlled by USA government. Example here Linux http://www.linuxfoundation.org/publications/linuxkerneldevelopment.php

Then KDE http://www.kde.org/support/thanks.php

Most OSS projects are company supported or not supported at all. USA government only interferes when they want something. Same with the governments of many other countries. They drop the features they want then basically disappear.

If you are looking for the true money of Linux look no further than hardware companies. IBM and HP are some of the largest funding providers.

Also they have large amount of investment in super computers.

People are not aware how much Linux controls super computers these days at 87% of that market outright ie the only OS on them and 93 percent that do contain Linux. Microsoft barely holds 1 percent in super computers.

Please be aware that super computer market brings in same amount of money as the complete desktop market. So Linux is well funded. HP IBM and other super computer builders acquire coders. Then you have owners of the super computers who also acquire coders to do their requirements.

The Linux Foundation was created to employ key coders like Linus Torvalds by a non-biased entity also avoids bidding wars between super computer builders and embedded companies and other interested parties. Reason none of them could afford to let a key person like Linus fall under another company control.

Linux is truly about money. Linux on Desktop has been disregarded for years because no one has shown how to extract money from it. Ubuntu is having the same problem.

Basically Linux is made to sell hardware. Just like Unix use to be.

Totalitarianism is not really open source.

Open Source model is a problem avoiding model. If you have 1000 companies in a room that are going to work on the common project lot will be unhappy if 1 company is allowed to keep secrets from others. If you share the code and sell the hardware or support you don't have mothers of fights.

Yes open source is part of a development model. The only model that works when you have thousands of companies working on a shared project.

Complete idea that open source is not about the money is a joke. You want to get Linux working for a particular task quickly show the commercial guys that there is money in it and it happens. Means to sell more hardware is show them the money.

Companies like Redhat work as outsourcing for hardware developers.

Yes Open Source has a really complex commercial model behind it. No less commercial than Microsoft just more companies make up its system. Remember most Unix OS's you never truly bought. Instead you acquired the hardware to get it. Open Source is really just an expansion of that model.

Of course some start off as people showing off an idea. If the idea is good jobs do appear.

Anonymous said...

Also, you can't force a PC hardware industry to make the same hardware they did 4 years ago. Also, you can't force a software industry to keep making software for you and your 3 friends that don't want to buy a newer PC.

My point is that MS and Intel tried to create artificial demand in hardware and software with Vista and faster processors, which, combined with the economical crisis, resulted in the netbook market. What you, Intel and MS missed is that a lot of people think like "me and my 3 friends". One cannot find a use for a computer for every aspect of their life, it's inevitable that computer sales will reach a critical point, just like software sales. The Munich authorities demonstrated that software equal in functionality to that of 10 years ago is enough to run a large organization. The rest is marketing.

Anonymous said...

My point is that MS and Intel tried to create artificial demand in hardware and software with Vista and faster processors, which, combined with the economical crisis, resulted in the netbook market.

Hardware has always evolved, before MS even existed. Fortunately.

The Munich authorities demonstrated that software equal in functionality to that of 10 years ago is enough to run a large organization.

LOL. I'd actually say they're having a really tough time proving that.

Nik said...

Oiaohm,

Very nice reading, indeed. What strikes me first is that it is rather theoretical. If all of that is put into practice, the system will simply become unusable. This is something, which the author himself admits, if you read the article carefully.

Further, both the author and you miss something very important.
You can't simply access any object just like this. Before doing so, you need to access many other objects, to which you may be denied access.

For example, I can control any service as long as I get access to Service Control Manager. *IF* I get access to it. In Windows, you must be an administrator to do so. In Vista, you need even to elevate yourself.

All my respect, but if you need administration rights to hack the system, then the hack is a fail. No security issues.

Anonymous said...

weren't Dell's supposed to be perfect Linux machines? http://chani.wordpress.com/2008/11/28/the-xps-m1330/

oiaohm said...

Nik large myth. You don't need to be Administrator to take control of a windows system.

Limited user is enough. Reason once you are in there are many different flaws user could have added to provide ways out.

Biggest issue is DAC jumping. If you can force a process to crash in windows you can have another process take its ID and its access rights. Services run as System higher than Administrator. Yes stupidly services can start and stop any other services even create new services. Really don't know who came up with that stupidity in windows.

Linux does not have this defect. When an application dies its access rights go to the graveyard. Even in DAC mode no LSM modules like selinux it's not possible to do DAC jumping in Linux. People also don't notice services under Linux most run as their own user protected from being able to start services or applications. Attackers useful targets are limited.

Everyone thinks you need multiple objects to get from point A to point B in a windows system. Sorry nope. Lot of attackers directly syscall windows kernel to take advantage of flaws. Allowing them to go to whatever flawed object directly. Problem with the windows there are ways to call around all .dlls to get to whatever object you want as long as they are accessible to your user. All network objects are along with a lot of others.

Linux design has programs directly syscalling the kernel so security is designed with that in mind. MS model of no direct syscalling has caused major errors in security implementation because coders have overlooked it. Ok no need to put validation in kernel we will put it in ntdll and hope no one works out you can call past ntdll. This is what was wrong in XP. Security on many functions are in the wrong place. Aborting before context switch to kernel is performed saves some processing time. Removing the sys-call protection in kernel saved some more. Causing XP to fail C2 certification. Should have been a wake up call to go back and fix. Nope MS just released the product anyhow. Few years later viruses exploited it. Known flaws before XP was even released.

Performance vs Security. MS has a track record of putting Performance first.

Nice part windows updates can be rolled back. This is the problem once you are deep enough you now can create bugs attacker must never get deep enough in the first place.

Ever wonder how safedisk copy protection works out as a limited user if you are running programs you should not even if you have taken away those rights. Simple enough just call through to kernel.

Biggest issue with windows is most people are not aware that you can root kit it and remove your application completely from all user space ways to detect it. Inside windows nt is a threading engine that works without a process table entry or any other matching user space entries. So yes start your program get it running then with the right operations you can delete all user space references that it exists. Even remove all security object limitations and program keeps on running happy.

From userspace in linux if not in a container you can see all threads the kernel is running. If a process in userspace tries to disconnect itself from the process table it will be terminated. The way it should be.

Really lack of safeguards in many places makes windows a very unsafe OS. Until the flaws are fixed virus problem is not going away.

MIC is under powered because it's the older defective programs that need the safeguards just as much as newly created.

Issue author refers to is the same issue as Selinux faced when it was first released. Selinux was a level 10 unstable prick at first. Yes Selinux is more than three dimensional access control matrix. Even today if you go manual on selinux you can stuff it up so bad the system cannot boot.

Reason why simpler interfaces to configure selinux have had to be created. Even learning systems and from source code systems created. Simple fact selinux without tools is too complex for most admins to be able to configure.

Smack was made simple to understand the files but even it still needs tools.

If you think for one min creating a truly secure system is not without its headaches you are wrong. Linux has already suffered through 3 years of selinux pain to get it about right. Issue of complexity is solvable. Look at Linux Solaris FreeBSD... Lot of the old world of OS's run more than three dimensional of access control. OS's like Solaris have 5 dimensions. Good tools to manage it or it would drive you up the wall. Linux is trying to catch Solaris in security frameworks.

Yes what I say sounds theory but problem is it's real world.

oiaohm said...

Remember everyone Attackers don't care what the security model says on paper.

They only care about what they can do in the implementation. On paper Windows NT design looks quite good. So good that a lot of people don't think its implementation could be completely stuffed up.

Anonymous said...

I don't care if Linux is provably the most secure OS ever(Hint: it's not). It's still useless crap.

kerensky said...

finally proof UNIX is not more secure than Windows NT!!!!! drum roll......

http://support.apple.com/kb/HT2550

Anonymous said...

oiaohm, 2 ideas I had when I first used linux in 1997 were:

1. The kernel should manage the graphics card mode, because the interface between the user and the system is critical to the system's operation.
2. All X applications should survive across X crashes, i.e. X crashes should have the minimum possible impact on the system. ATI did something like this about 3 years ago: a GPU hang would reset the desktop up to 3 times without any crashes in WinXP.

Why has it taken so long to fix these issues?

oiaohm said...

Linux is not the most secure OS; I have never said it was. Windows is just downright pitiful.

kerensky sorry virus scanners are a utility. Even Linux systems do use them. Virus scanners are only one of your first line of protection options. The other option for the first line is HIDS (Host Intrusion Detection). It can be highly annoying but is a lot more effective wall than virus scanners. Virus scanners are a flawed line of protection since more signatures equals more load. HIDS are a flat price. A working security system allows the runtime signature list in the virus scanner to be kept smaller. The reason: particular flaws are rendered useless by the security system. So the day of too much CPU load from the virus scanner to do anything with the machine never comes.

By the way 25 year old Unix had a lot of the same flaws Windows still has. Windows is a simple case of not keeping up with the times.

You want to know why it has taken so long to fix up X11.

Key point: up until 3 years ago no one was really working on X11 design. Simple case of where would the money be. Linux was in the embedded market and supercomputer market, and at that time neither really needed a desktop interface. About 3 years ago embedded devices changed. Now people wanted more friendly graphical interfaces on items like printers. Intel saw their chance for a market and sent a few developers in.

This gave birth to the start of the redesign of X11 to deal with your first section, kernel mode setting. It has taken a lot longer than what we would have liked. A few designs have been dumped and reworked in that time.

Second section "all X applications should survive across X crashes" is way more complex. http://partiwm.org/wiki/xpra and its relations have existed for a long time; forms of X11 persistent modes have existed since before Linux existed. The stumbling block is OpenGL applications. Part of this issue is covered by DRI2.

There is basically a limit on how much you can do to the video interface without hardware makers' support. ATI's experiments in XP have fed into the DRI2 design.

To make it worse, Nvidia is partly responsible for killing the first project working on sorting out the X11 issue. http://utah-glx.sourceforge.net/ It's a cause of another delay. Great, it's going to get sorted out. Nope. Nvidia took what they wanted, started keeping secrets from the members of the group, caused infighting, and the group completely failed by 2003. The problem then: you had a once-bitten, twice-shy problem from the video card makers. Intel was one of the few companies that did not back away from trying to help. They have provided specs over the complete time. Of course Intel cannot send coders in if they don't see a profit.

People without the history fail to understand why, even though Linux kernel people use Nvidia binary drivers, they don't bend for them. That would simply be rewarding Nvidia for bad behavior.

Let's just say nothing has gone right. Hopefully everything is now on the right path.

thepld said...

"kerensky sorry virus scanners are a utility. Even Linux systems do use them. Virus scanners are only one of your first line of protection options."

Watching yourself twist into knots to apologize and make excuses for your operating system's shortcomings is fascinating.

oiaohm said...

thepld Note the word first line protection options.

Now you don't put 1 line of troops in front of army and hope they stop them where you can.

You always put more than 1.

Virus scanners and HIDS are first line. These you allow on the fact they may fail. Getting past the first will happen http://arstechnica.com/news.ars/post/20081130-av-programs-unreliable-during-critical-coverage-gap.html it's just a question of when. Even HIDS can miss triggering on things it should have. So you know both are going to fail, so you must design for it.

The second line behind them is your OS security systems: firewalls, MAC, DAC, containers and application limitations. These are the ones you hope hold if the first line fails. The problem is the second line of Windows is a joke with many defects. The second line is all about: OK, there is a flaw, exploit it, damn, I cannot do jack with that defect. Windows is: OK, defect, you are in, let's take it over.

The final line is backups. So if worst comes to worst you can recover at least something.

Trying to say I am protecting an OS, are you trying to make me laugh, thepld, or should I be feeling sorry for the world about people's lack of knowledge on how security systems should work?

Anonymous said...

thepld,

Watching yourself twist into knots to apologize and make excuses for your operating system's shortcomings is fascinating.

I just searched the clamav virus database and I couldn't find a linux virus. Have you ever seen one?

oiaohm, thanks for the answer, much appreciated.

Anonymous said...

ClamAV is a crappy anti virus, with a miserable detection rate.

Linux is extremely vulnerable to hostile takeover by bots:
http://lwn.net/Articles/222153/

Linux is both crappy and unreliable, so up your, lintards.

Anonymous said...

Even better: MOST compromised systems are Linux servers..

http://www.theregister.co.uk/2007/10/03/ebay_paypal_online_banking/

Supporting Linux is supporting Spam, identity theft, and fraud.

Go Linux! make us proud!

Anonymous said...

ClamAV is a crappy anti virus, with a miserable detection rate.

The question is: have you ever seen a linux virus? Clamav has 470k virus signatures at the moment, I couldn't find any linux virus in there.

Supporting Linux is supporting Spam, identity theft, and fraud.

MS isn't paying you enough, buddy, if this is all you've managed to come up with. Most linux servers are hacked because of guessable passwords (brute-force attack), there's no system safe from user stupidity. There's always the option to use certificates instead of passwords.

By your logic, MS is responsible for pornography, copyright infringement, vulnerabilities of military networks, almost all computer crimes and enabling the economical development of the enemies of the USA (!). This wouldn't sound nice as a conclusion implied by an MS employee, would it?

Go Linux! make us proud!

I would be a very miserable person if my job were to lie to or mislead people.
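The password-guessing pattern raised in the comment above is visible in sshd's own log. The following Python script is an added example, not part of the thread or any commenter's code: it flags sources with repeated failed passwords and any password login that follows such a burst. The log lines are constructed samples and the threshold of 5 failures is an assumption.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH's usual syslog format (documentation-range IPs).
SAMPLE_AUTH_LOG = """\
Dec  1 03:12:01 web1 sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Dec  1 03:12:03 web1 sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
Dec  1 03:12:05 web1 sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 40121 ssh2
Dec  1 03:12:08 web1 sshd[4107]: Failed password for oracle from 203.0.113.7 port 40125 ssh2
Dec  1 03:12:10 web1 sshd[4109]: Failed password for oracle from 203.0.113.7 port 40130 ssh2
Dec  1 03:12:12 web1 sshd[4111]: Accepted password for oracle from 203.0.113.7 port 40133 ssh2
Dec  1 08:30:44 web1 sshd[5002]: Failed password for alice from 198.51.100.23 port 51822 ssh2
Dec  1 08:30:51 web1 sshd[5002]: Accepted password for alice from 198.51.100.23 port 51822 ssh2
Dec  1 09:02:17 web1 sshd[5110]: Accepted publickey for bob from 192.0.2.50 port 60234 ssh2
"""

# Matches sshd authentication results; "invalid user" marks a non-existent account.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def analyze(log_text, threshold=5):
    """Summarise password guessing in an sshd log.

    Returns a dict with:
      brute_force_sources: IPs with at least `threshold` failed passwords
      guessed_logins:      (ip, user) pairs where a password login succeeded
                           from an IP that had already reached the threshold
      password_users:      accounts that still log in with a password
    """
    failures = Counter()
    guessed_logins = []
    password_users = set()

    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            if m["method"] == "password":
                failures[ip] += 1
        elif m["method"] == "password":
            # A successful password login: record the account, and treat it
            # as a likely guessed password if it follows a burst of failures.
            password_users.add(user)
            if failures[ip] >= threshold:
                guessed_logins.append((ip, user))
        # Accepted publickey logins are not exposed to password guessing.

    return {
        "brute_force_sources": sorted(ip for ip, n in failures.items() if n >= threshold),
        "guessed_logins": guessed_logins,
        "password_users": sorted(password_users),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_AUTH_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Accounts listed under `password_users` are the ones still exposed to guessing; once they have keys, `PasswordAuthentication no` in sshd_config removes that path.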

Nik said...

"You don't need to be Administrator to take control of a windows system.

Limited user is enough."


oiaohm, I'd really love to see how a limited user can gain access to SCM and start controlling services. Really.


Reading how you speak of viruses, I really understand why LH resigned. You never learn, indeed. Let me sum it up for you one more time - Linux doesn't have viruses, because 1) it has <1% market share on desktop, and 2) it is difficult to write any general purpose for Linux.

oiaohm said...

How a limited user can do it is quite simple really. Limited can fully control the network stack. OK, a case of pure stupidity from a security point of view. So yes, anything you are doing on the network now can have a virus injected. Attackers can afford to wait, so one day you do a switch to administrator, download something, it can inject an executable and you are dead. Besides, full control of the network stack means attackers can stop anti-virus updates anyhow. So it's not like attackers are going to be detected any time soon. So yes, you are stuffed past this point. If the first virus in does not get you, the others it lets in will.

Then there are system calls that are not protected when they should be. Will not give clues to what they are since they are way too fast to get the system.

Now XP and before is worse: all attackers need is one service with a defect to make it, or wait for it to crash on XP, and a second defect kicks in. From limited user again you can do executable replacement on a suspended thread. Crashed state equals suspended. Of course it's a small window. You have to basically get into the process before cleanup kicks in to remove the crash status. Effectively giving you whatever rights the program that crashed had. Yes, a minor temporary drop in security. Normally a limited user cannot interfere with something that is not their user. Crashed state equals dropped security around altering the process information.

The reason that it's even possible is that kernel threads and user space threads are kinda different.

Do you have an up-to-date copy of Flash installed? Same with other applications that run services. A single defect in any one of them and a user from limited can now jump up to system, get too many rights and do too much harm.

These two defects are linked to a common problem. Why in heck are services running with too many access rights in the first place? It's a bit like the developer trying to find a way of doing UAC-protected operations without triggering UAC. It's too simple: just run a service and have your application call it whenever you want it to do an administrator action. Vista swiss cheese. A surprising number of so-called trusted applications are doing this.

Can you now see why limited is more than enough?

Linux version of flash does not run a service with more access rights.


Nik, how many times do I have to say this: Linux does get viruses. Most die out. The reason they die out: the security exploit they use disappears fairly quickly.

Worm class viruses mostly use exploits. The problem with Windows: known exploits are left open for years.

Worm class is the most common type of virus to hit Linux.

Anti-virus programs these days do exploit filtering. The problem with that: unlike Linux, on Windows the exploit is still there; if you can avoid detection you can still use it. If you do a check of worm viruses on Windows you will find on average about 2000 viruses use the same exploit over a 12 month time frame. The first one normally simply uses the exploit; the rest use more and more different methods to use the same exploit but avoid anti-virus detection.

Remove the exploits, kill the viruses. Once a virus is killed because of the exploit being no more, scanning for it is only required to protect other users. When enough time passes you no longer need the signature if everyone has updated, because the virus no longer works. This is how Linux is responding to the virus problem. Apple is also using the same response method. It's not just Linux virus numbers that are massively low. OS X virus numbers are also massively low.

If you can explain why OS X numbers are low to nonexistent for viruses as well as Linux you might have a leg to stand on. Then why an updated OS X no longer runs any of the viruses that used to infect it past user account level without an anti-virus software installed. Windows still runs most of its viruses.

We are talking about 10 percent of the total desktop market basically not having viruses.

It is difficult to write any general purpose for Linux. LOL Sorry, it's simple: follow 3 simple rules.

Number 1 Don't depend on the Distribution to provide anything.
Number 2 See rule 1.
Number 3 Really obey rule 1.

Linux kernel user-space ABI is perfectly stable. X11 interface calls are perfectly stable.

Linux Standard Base 4.0 at long last catches up to what virus writers were doing on Linux in 1997. Own dynamic link loader. Effectively meaning it only depends on itself. Nothing from the distribution can affect it other than kernel security systems.

Virus and Malware writers created the 3 rules for building cross distribution on Linux.

oiaohm said...

By the way with the defects in Windows guest is really more than enough to take control of it.

If the defects are fixed then windows will be level.

Tom said...

@oiaohm
LOL Tom. You really do need to do some reading. OSS is not controlled by USA government.
Huh... you managed to cram two false premises in one sentence. First, I never mentioned USA government. I don't live in the USA and I don't really care about it either. Second, I never said that OSS is controlled by any government.

What I said is that the (corporate and) government funding and sponsorship is one of the models proposed for the OSS development. I read a few articles about that, but can't find links, and I don't really care too much to spend more time on searching.

Linux on Desktop has been disregarded for years because no one has shown how to extract money from it.

That's why the companies you mentioned invest in server and supercomputer features. They want to sell their support and consultancy and make software a commodity.

Basically Linux is made to sell hardware. Just like Unix use to be.

Yes, and it's opposite to the MS (and other) model, which is made to sell software and make hardware commodity and more or less interchangeable.

totalitarianism is not really open source.

No, but the mindset of a large part of OSS community is. OSS zealots consider writing proprietary software immoral and actually compare proprietary software with drug trafficking and proprietary software developers with drug dealers.

Complete idea that open source is not about the money is a joke.

It's about the money for the consultants, support and hardware companies, not for the software developers.

oiaohm said...

The consultants and hardware companies have limitations they can tell you what it can and cannot do. They cannot alter a bit of software to suit exactly what a company needs.

Developers on the open source side get paid just as much as ones working for Microsoft. Ie paid by the hour. Microsoft does not pay on revenue the software brings in to developers.

Developer time is the most valuable thing you can sell in the open source world. Any long lasting Open Source company sells developer time to end users. Most small end users cannot afford to hire a developer in their own right, so when they can get together and chip in a small bit of cash they all get the feature they want.

For programmers to make money in the open source world they have to see themselves as an asset to be provided to the highest bidders or to a group of bidders that provide the money required to make it worth their time.

If an open source support company does not sell developer time, in most cases they die in time. The reason: people will move their support business to a company that is more accommodating on the features they want. A flat "no, that cannot be done" is not an acceptable answer in the Open Source support world. The answer is more often than not "yes, but it will cost X amount of money and Y amount of time to do".

It's key to a long lasting open source business. This is also the reason why open source support companies want to own the best developers they can. The better the developer they pay, the more people they get money from.

The Open Source definition of support is a lot broader. Basically anything you can pay the company to do for you or to provide to you is support. Hosting Development, Phone Support, writing manuals and so on.

"proprietary software immoral" There is a logic behind that. If program is open source and you do closed without obeying the license you are immoral.

Lot of proprietary companies have been caught doing immoral things.

Sorry, proprietary developers have a lot to answer for with their bad name.

In some cases in the open source world the proprietary developer and open source developer are the same person. These people are not hated. The most likely thing that pisses off the open source world is when a project forms an agreement on the source code that it is never to be used in a closed source program. Fair enough agreement; companies provide code, then don't fight. Then having some proprietary developer come begging for a loophole or caught using it against the license. Yes, that kinda has given proprietary developers a bad name and has caused the distrust issue that proprietary developers first hit. Over time that distrust does go away once they get to know that the license will be respected. Now one slip-up they kinda don't forget. Open Source people are always more than willing to explain limitations of licenses.

A surprising number are dual proprietary and open source developers who basically work for whoever will pay them the most at the time.

Note proprietary companies are hated more than their developers.

When you take something that costs under 1 million dollars to make and then make quite a few billion for the company and the developers still miss out, it does cause problems in some people's minds as well.

Government support is more of a myth model. Working models of open source all include the one feature of selling developer time. Some even get away with just selling developer time no other support at all.

Tom said...

as ones working for Microsoft.

I'm not talking about Microsoft. I'm talking about small software companies. The links mentioned above:
http://4front-tech.com/hannublog/
http://ask.slashdot.org/article.pl?sid=08/11/23/1447251
talk about small software companies in the OSS world.

Most small end users cannot afford to hire a developer in their own right

Of course. That's why they can buy a software for a fraction of its price (by price I mean the time and knowledge invested in research, coding, testing and development). Just as the most people can't afford a symphony orchestra, a conductor and a hall, but can buy a CD for the fraction of the price.

This is also the reason why open source support companies want to own the best developers they can.

Any company wants to own the best developers. But, with OSS model, the question is how can a developer own a company.

Basically anything you can pay the company to do for you or to provide to you is support. Hosting Development, Phone Support, writing manuals and so on.

Yes. In OSS model everybody gets paid for their work, except developers.

Tom said...

"proprietary software immoral" There is a logic behind that. If program is open source and you do closed without obeying the license you are immoral.

I'm not talking about that. Here are some random quotes found:

Closed source *IS* evil and *CAN* be immoral
http://www.osnews.com/thread?223230

The whole discussion here:
http://www.mail-archive.com/gnu-misc-discuss@gnu.org/msg00928.html

RMS: Proprietary software is an antisocial practice. Our goal is to put an end to that practice.
http://www.groklaw.net/article.php?story=20060625001523547

Microsoft is doing something that is bad for software users: making software proprietary and thus denying users their rightful freedom
http://www.gnu.org/philosophy/microsoft.html

http://www.fsfla.org/svn/fsfla/site/blogs/lxo/draft/free-software-moral-proof.en

because I believe proprietary software is immoral
http://freedomdreams.wordpress.com/2008/03/16/why-do-i-still-use-proprietary-software/

http://www.theinquirer.net/en/inquirer/news/2002/11/14/free-software-foundation-compares-microsoft-to-cigarette-firm

Lot of proprietary companies have been caught doing immoral things.

Sorry, proprietary developers have a lot to answer for with their bad name.


True. But, as links above show, it's not (only) about the companies. It's the mere act of writing and selling software that is considered evil and immoral by the large part of the community.

Anonymous said...

Copyright is not a good system in a world where everyone has the ability to copy. In and itself copyright is basically broken since the rise of the Internet. There is really nothing you can do about it short of pulling the plug on the Internet itself and possibly banning all computers.

Anonymous said...

Oh and I'd like to add that I completely disagree with this blog, Linux is by far the best operating system out there and Windows and Mac OS X can both suck llama balls. Especially Windows.

oiaohm said...

Issue is developers get paid.

Highest offer ever was for Linus himself. Linux Foundation was created to end a bidding war. Gets ridiculous when offers for a single years work cross the 1 Billion dollar mark.

You need to drop the idea of selling software. Now what it is really doing is selling fragments of developer time. As long as you can keep on selling fragments of developer time nothing is going bad. To work in the open source world long term you have to be truthful about this.

Both companies made the same fatal mistake. Trying to sell just closed source. No sales of developer time.

Note 4Front tried being highly closed source and got badly beat around over it.

CodeWeavers, behind Wine, use a different model. They sell a closed source product, CrossOver, and developer time. Key thing: with the selling of that developer time, companies like Google come to them when they need things done. In those sales of developer time they can make over a year's profit from selling the closed source version of Wine.

If you don't sell developer time expertise develops outside your company to the point you don't have as much to offer. Basically make profit while you can. Of course that sold time feedback in to make the Open Source product better and the closed source version better so harder to replace. Even if someone does the good will that people know if they have the money problems can be fixed brings them back.

Closed source world is no nicer. Even if you don't give away your source code you can still end up cloned. Think Word Perfect vs MS Office and the thousands of other cases. Even Netscape vs Microsoft. Years and years have companies got crushed under.

The Open Source world is still the same company-destroying world as the closed source world. There is no forgiveness for error.

If you are a highly skilled developer you can simply create your own company in open source. No major overheads to startups. Yes, some of these highly skilled developers run their own companies and sell their time. That is the only product: their time to code on a project. The 1 item we cannot replicate is time.

Companies in the open source world are exactly like companies in the closed source world.
1) If you don't pay developers in everyone else ends up out of a job in time. Because what you are selling will become second rate.
2) If you don't make a profit from your developers' work everyone ends up out of a job in time as well. Either direct or indirect.
3) Competitors will try to destroy you so have a good offense. By the time you come to the need for defense you will most likely be just a walking corpse looking for somewhere to die.

Only major difference is the item you sell. Software companies selling software any way they can.

Open Source companies are in the direct business of selling developer time through any means they can. Bundled with other stuff is fine like hardware.

The key thing is what you are selling. Open Source you need to be more truthful about what is important. Because if you are not you are just a dead company walking.

Microsoft is not a good example. Free software guy said exactly what MS was up to.

Did you not notice that Linus Torvalds does not agree with the idea that closed source is evil?

There are three camps. People want to forget this. One camp classes open source as immoral. One camp classes closed source as immoral.

There is a third camp, as normal the silent majority. The major speaker for it is Linus. The third camp does not care as long as you don't do copyright infringement. Stealing a closed source bit of software will get your hide beaten up by them just as much as using an open source bit of code against license.

You have your percentages wrong. I was talking about the general feeling of the open source world. Not the radicals. Radicals are nothing different to the KKK or anything else that is Radicals.

Please look at Gnome and KDE: they both use LGPL on their code so closed source developers can use it in a controlled way. Licenses allowing closed source developers outnumber ones not allowing them.

That shows the true feeling of the open source world. If they hated closed source the licenses simply would not allow it.

Tom said...

..government funding and sponsorship is one of the models proposed for the OSS development. I read a few articles about that, but can't find links, and I don't really care too much to spend more time on searching.

And I didn't have to search far. There's one right here, on this blog.

We can read the following gem:
Really all open source needs to finally kill Microsoft is some big government like China, Russia or the United States funding its development.

oiaohm said...

Russia has less income than the Linux Foundation, but Russia already funds some. The USA government is not that well off; particular government departments do work on Linux for their own internal use, so some funding. China is already funding some Linux development. A lot of the Linux world is worried about the way China is going to use it. Particularly the recent one for internet cafes, that all must buy the government-backed Linux distribution Red Flag Linux in China. Even if the machines already have Windows on them. This kind of brute force method never makes great press.

Funding is not the issue. The Linux world is insanely well off. If every one of the major players in Linux just chipped in 1 percent of their monthly income, they would have enough money to buy Microsoft outright. The money would be more money than MS made in the last 5 years total. More than enough for a hostile takeover.

The power of working as a team is the secret to open source. Sections of the team deal with particular problems.

There is no other force than Defending Linux known in the world that can afford to have over 10 000 lawyers turn up for a court case and have them all paid flights, accommodation and all. It caused a major stuff-up in the SCO case, all the Linux interested parties sending their own lawyer to protect them.

Motivation is the issue. X11 currently has motivation from video card developers to fix it up to sell more cards.

KDE and Gnome have motivation from their start, i.e. must beat the other one.

Ideas to create motivation to fix up the audio layer would be good. Preferably hardware makers that can swing the mace of "we know the hardware so listen".

Tom said...

@oiaohm
selling fragments of developer time.
No sales of developer time.
Hm, how do you value time? I think it's obvious that 6 poor developers cost more and produce less than 2-3 good ones. And whatever model is used, the customer is not interested in time spent, but in finished product. You can't just say 'ok, this software whatever takes 6 months to finish, but I can work on it just 3 months. So, pay me half the price and find somebody else to finish.' Unfinished work is almost worthless, no matter how much time was spent working on it.

Actually, I worked as a developer at the company which was service/support company. Development was always treated as a 5th wheel, something nice to have, but usually considered something that uses valuable space and resources which could be better used for something else.

Closed source world is no nicer. Even if you don't give away your source code you can still end up cloned.

Of course, and some closed source areas are really cut-throat, like games.

If you are a highly skilled developer you can simply create your own company in open source.

Actually, my company is using quite a lot of OS software, when it fits. Too bad that none of the OS developers who created it, didn't get any money for that. Oh, well... that's life. But, we are charging for the software and customizations and giving away support and manuals, because software is our primary business, not writing.


Open Source companies are in the direct business of selling developer time through any means they can. Bundled with other stuff is fine like hardware.

The key thing is what you are selling.


Yes, I completely agree. My point is that it's a bad business for the software company to give software and sell documentation, hardware or whatever else.

If you are a highly skilled developer you can simply create your own company in open source. No major overheads to startups.

If you are a small software startup on MS technology, you can get started for 0 USD and you get all the software, servers, licenses, and whatever.

I was talking about the general feeling of the open source world. Not the radicals.

Hm, that may be true, but in my experience, all the people who started using Linux became hostile towards closed source, especially MS. Just look at the BS that is written about M. de Icaza. What's even more ridiculous is that the people using Mac, the most closed platform on Earth, are blaming him of not being open.

Russia [snip]
USA government [snip]
Linux [snip]

I know that. My quote above was an example of the state of mind, proposed solutions and the hatred towards MS and closed source in general.

Anonymous said...

Linux is by far the best operating system out there

To set up a cluster, maybe. Not on my laptop, not on my desktop.

Next!

Nik said...

oiaohm, I really wonder have you ever developed anything except for your own little pleasure?

You write complete crap.

"LOL Sorry, it's simple: follow 3 simple rules.

Number 1 Don't depend on the Distribution to provide anything.
Number 2 See rule 1.
Number 3 Really obey rule 1.

Linux kernel user-space ABI is perfectly stable. X11 interface calls are perfectly stable."


Wow, amazing, let me do everything myself! Only sissies use all the services a Windows or Mac OS environment provides ready for use, and focus on the actual problem! But I am a man, I will do everything from scratch, and if I have time, I will actually come to what would make the program really useful.

Pathetic.

Were the Linux kernel user-space ABI ever perfectly stable, new releases wouldn't break every existing closed source driver around. And that's even more pathetic.

As for viruses. You are simply wrong. Please come back to earth. On slashdot you may tell yourselves all nice fantasy stories, but not here.

The rest is too many words saying nothing. I won't bother. You never learn, indeed.

oiaohm said...

Some companies really do forget the importance of the developer.

Some open source companies are also sneaky. Already developed the feature then find customers who want it when got enough pool of money to cover the development plus make a profit then release it open source. Of course that is betting against someone else doing it first.

You are having a real problem getting it. By the time you see the source code, in most cases the Developers have already been paid. This is why it's free. Open Source is not doing the charging over and over and over for the same bit of work. Open Source is very much contract programming style.

IBM, Red Hat, Google and so on paying them normal developer rates for their workmanship with nice long-term contracts. The better the developer you are, the better the contract you get. Notice Google in there; they are like the super computer running companies and organizations.

Even in cases like Oracle, they need their database to run faster for their customers, so they pay a programmer to go into kernel space of Linux and improve it.

Thing is, selling an unknown without a track record really does not work in the open source world. You are selling a resume to the customer. This developer did the following patches before this one, so they do have the skills to complete this task with high quality.

If you try selling an unknown product you have a lot of trouble getting money in the open source world. 6 poor developers basically over time will bring you nothing after a while in the open source world. Reason: people will not pay for crap code. Unlike closed source, they will be able to inspect it and prove that your coders are crap.

You are better off with 1 high quality coder than 6 or even 100 crappy ones. The 1 high quality will always be a sellable product. Crappy ones are basically worthless.

Doing half a project does work in the open source world. As long as the project can be broken down into goals and documented how the interfacing is to be done. Yes, companies needing something done will hire more than 1 firm to get it done at times.

Some of the duplication in the open source world comes from this. 2 firms put head to head on a product a company needs; winner gets a long support contract. Loser still gets paid for their development time.

Open Source world is way more competitive. Now if you are a software company that does for contract projects only, switching to open source you really don't notice the difference.

Part of it is type of software company. If you are a company that depends on selling your software for profit, you need to do major internal redesign before releasing your key product open source. Most likely be sure you have the staff to compete in a software coded to contract model.

Closed source developers normally don't have a good resume of working code audited by other highly trusted people in the open source world. Like getting patches past Linus or AJ from code-weavers. Poor code just does not get past them into the mainline most of the time. With Linus if it does it normally has suspect comments.

There is a lot more to set up when going open source than a lot of companies dream. Part of it is building credibility of your Developers so you can sell them. It's also building respect from other staff to Developers, because after a developer has a good rep you don't want them leaving because the other staff are treating them badly.

Yes the double sided sword of open source good developers must be treated with respect since they are your pay check. Poor ones can be disrespected.

Hate of MS has to be divided. I hate MS because I am always cleaning up the mess its security causes. Some people get hate because they like the means to operate without fear of getting infected all the time. Does it make me anti closed source? No. If the closed source is good quality I will pay for it. If it's crap I will not pay for it. Now if people like me are complaining about one of your products, worry. Time to go back and look what can be improved.

Some of the hate of closed source comes from when people get used to the open source way: when something is wrong you can open up the source code and fix it. So closed source becomes an annoyance. Faster response times to problems do help address this, as well as keeping people in the loop. The closed source black box to development is aggravating this problem worse than it has to be. Leaving people in the dark on what is going on with no way to find out does not go well with open source people. People only having closed source are more tolerant of it.

Then there are a number that develop into true radicals both ways. Hate Linux, then hate all open source because it's crude. Or love Linux and hate all closed source.

Remember people in here wanted to call me a Lintard because I seem extremely hostile to Microsoft. Yes, I am extremely hostile to them, but I do have really good reasons. Reporting security flaws and watching them sit open for years does not help your frame of mind to a company.

Closed Source companies can do a lot to avoid the hostility. As I say some of this hostility is caused.

Bundling a group of so-called MS hostiles into one large group fails to see the fine details. Human nature causes this problem. When you have a group you don't understand, sticking them in one stack avoids having to see that they are not all the same.

Note this same human nature thing of grouping kicks in to create some of the open source and closed source radicals. They just need to see good quality programs on the other side to snap them out of it.

Nice myth. OS X is half open Half closed. Graphical Interface closed. Kernel code open to anyone to inspect. http://en.wikipedia.org/wiki/Darwin_(operating_system)

Most closed OS on earth would be one of the RTOS used in embedded where you have to sign a NDA just to get full description of what it can do. Yes they don't want to be cloned ever.

oiaohm said...

Nik Were ever Linux kernel user-space ABI is perfectly stable, new releases wouldn't break every existing closed source driver around. And that's even more pathetic.

Idiot. Kernel user-space ABI is exactly that. The interface from kernel to user space. Kernel internal ABI of Linux is not stable. Reason why drivers that insert themselves into kernel space fail.

Sorry there are closed source user space drivers for Linux that don't break. Printer drivers, scanner driver and Embedded control drivers that operate from user space and so on.

You can directly talk to a PCI and other bus interfaces from user space to cards that don't have a driver connected to them in Linux. For the common sense reason that the Kernel internal ABI is not stable.

Of course Linux has not been targeted at desktop. For a long time targeted at server and super computer class where you buy hardware to match. So there is no need of a stable Kernel internal ABI in that market.

Any particular reason why Kernel internal ABI might be kept unstable for a security reason. Same reason Windows signs drivers. So attackers have a harder time root kitting at the kernel level.

Now the solution to the problem you want is what is being developed now. Called userspace drivers for everything.

cuse fusd both are competing frameworks. Allowing userspace programs to create real device interfaces.

Linux kernel is going part microkernel as the answer to the need for a driver ABI.

As for viruses, I am not wrong. You are aware that in 2007 eBay phishing clean up Linux servers were found defeated by worms creating the phishing interfaces.

Idea that Linux is always 100 percent virus free is a myth. Idea that running Linux with its OS security disabled as most of the machines in the phishing investigation is safe is wrong.

Yes, the idea that viruses only target desktop machines is also another bad myth. I have seen Windows users believing that one.

I deal in real numbers of infections and their causes NIK. Not myths.

There are huge numbers of Linux machines out there and they are just as big a target as Windows ones if their defenses are not up. At least Linux distributions try to provide out-of-box common sense settings and without non fixable flaws in design.

When you have done research after systems have been defeated you know a lot more about how the attackers are getting in and taking over systems.

OS X is currently at about 9 percent market share heading to 10. They doubled their market share this year and the year before, both times with no effect in virus numbers on that platform. To be correct the exact other way happened: less. The numbers of working OS X viruses has hit the magic number 0 with a peak value of 3 over the last 5 years.

Really NIK what are you going to do if OS X gets to 25 percent and numbers have stayed the same way they are now. Researchers have accepted that the idea that percentage market share is the only controlling factor is myth.

Even when Apple was the most dominant desktop OS, DOS still outnumbered it on viruses. History tells us past question that the market share controlling factor should never have been believed. What happens when you do good marketing of a myth: it sticks.

There are two factors. Quality of OS Security and Market Share. If Quality of OS Security is high enough attackers don't get chances to cause major problems.

Linux will most likely do the same. Other than a few stupid admins reducing security and a few stupid distributions with bad OS security.

Sorry my information is not from slashdot. My information is from front line work.

Anonymous said...

Oiaohm: We really enjoy pointless flames in Comments. If you want to write something informative to a sensible audience, f??k off and go write your own blog, rather than talking to people who just want to call each other 'tards here.

Anonymous said...

@oiaohm: even if the kernel ABI were stable, there is a whole lot of stuff keeping on changing in userland, like the whole audio stack.

The problem with (if you like GNU/)Linux is not (only?) with the kernel itself.

And you're admitting it yourself when you say you can't trust distros, you can't just rely on them as platforms, so how are (third-party) developers supposed to develop?

Anonymous said...

@Tom

Not everything is about money. 30 years ago even if you were a billionaire you couldn't even buy a company like the ones people buy at Walmart now for $500. Innovation is very important.

The problem with closed source is it doesn't respect the idea that software is purely a capital labor. When you write a piece of software it takes X amount of effort and then it can be duplicated without boundary. So you have the situation with closed source that you are to keep reinventing the wheel over and over because no one is sharing their work.

Microsoft can sort of get away with closed source because they are so huge they can hire thousands of developers and force them to share code internally at least. But there are software problems that are much better than writing an operating system or an office suite, like developing general artificial intelligence. Someone like that is likely beyond the scope of a huge Fortune 10 company like Microsoft.

oiaohm said...

how are (third-party) developers supposed to develop?

Question you just asked is why Linux Standard Base exists to find and develop the answer.

LSB 4.0. Your application can ship with all parts it uses that are trustable across distributions. Linux kernel user-space ABI is stable, X11 is stable.

Audio is the only section where using a wrapper of some form to provide multiple drivers is required.

Simple fact: there is no reason for developers to depend on distributions at all in Linux. It's just like saying when Windows 3.11 was out developers had to develop for Windows 3.11. Ie Windows 3.11 instead of all distributions out there. Developers did not; there were still lower interfaces they could use without issues. Direct kernel calls and X11 are a few of the lower interfaces on Linux that are truly dependable.

Really not that much different to what Windows developers do so they don't have dll version conflicts. MSVC dll files are some of the most duplicated files on a Windows system due to programs always shipping with them.

By the way Linux kernel internal ABI will become completely impossible for a closed source kernel binary driver to use safely in 2009. Yes a security alteration is to blame. The alteration is called ksplice.

Ksplice killer feature is the means to apply all kernel mode security updates and alterations without need to stop the kernel. So no more reboots.

Now simple fact for Ksplice to do this nice magical feature everything operation in kernel space must be known to Ksplice. Ksplice may remove or alter how a function works that a binary kernel module will call, causing a crash, effectively making the gains of not rebooting lost. So yes, for a rebootless OS closed source kernel binary drivers don't work.

Sorry, this is required to close down the exploit window. Driver developers who want closed source will have to go the user-space or firmware paths; there are no other options.

Now after it's done in kernel space, same features as ksplice will be looked at being applied to user space programs. Linux developers are working their way to 100 percent uptime. 99.999 is not good enough. Stopping programs due to security problems is stuffing uptime numbers.

People don't want to have to reboot their machines. Price is no binary kernel drivers.

People really don't understand how limiting having a kernel mode standard ABI is. The gains are removed by the limitations.

By the way Windows and Linux are mirrors. Kernel internal ABI of Windows is stable but Kernel userspace ABI is unstable in Windows. The stable kernel internal ABI means defective functions never can be just nuked out of existence.

Other issue is performance design defects they cannot be just removed in a stable kernel internal ABI always do they have to stay there for defective parts using them ie closed source drivers. Remember kernel defines the performance shape of your OS. User space Applications on top only can make it worse never better.

Why am I posting here? Simple. I am sick of Tards spreading myths. If I run my own blog as I have in the past only non Tards turn up. Expect to see my user-name turn up at the next Tard location I find.

I will never lie my way out of a Linux Defect. They do exist. I have listed many over my time here Linux Hater's Redux could have followed up. All of them would have left me without any way to fight back.

Linux Hater's Redux could just have a party ripping distributions apart for mistreating users. There are a lot I could do nothing about other than join in and rip them apart even worse than Linux Hater's Redux did. So don't complain that Linux Hater's Redux cannot win. It's not my fault.

dckx said...

I just got here... and I have to say, thanks for starting LHR/forking LHB. I was hoping to have more of the Lunix/Freetarded crowd FUD debunked so that I don't have to do the heavy lifting.

I've always been a Windows power user, and I've held several Freetard FUD debunking sessions, but they all take too long. (You see, many Freetards seem to have misconceptions on exactly what this "Free" thing means, and what the terms of the GPL are. I end up having to explain what Free and GPL mean. It's pathetic.)

'course, I'm an occasional Linux and Unix user, too, since I work in IT. But I only touch Linux when I have to. Linux is only viable when there are support contracts. For the consumer market? You can forget it. Grandma has no idea what this "root" cruft is. Grandma doesn't care about setuid. Grandma doesn't want her computer to look like Ubuntu-poo brown.

In the corporate world, things are a bit different, though... you call the hardware/software vendor when issues crop up.

Thankfully there's a Lunix fart on the other end to fix the Lunix problems. (And to tell you to migrate off of Windows -- for the sake of his job security.)

Nik said...

Sorry my information is not from slashdot. My information is from front line work.

God help Linux! No, even God can't help Linux. With the kind of blind attitude you have, and your stubborn ways of denying any critics, there is no way you can make it through into a successful project.

You are focused to fight me over MS security, and you completely missed the big picture - you don't have anything good to offer to software developers. There are close to zero general purpose applications for Linux, and for 17 years and so much publicity noise you can't even meet the application base of OS/2. Instead, you tell me jokes about distribution independence.

I don't care if NT's security allows for fantastic cracks. In real life the situation is that a properly administrated network of Windows stations suffers close to no damage. What I care is that, as a software engineer, I have a solid foundation to create applications.

Until you start listening to what users (and developers) want, you are doomed to keep playing with your little thingies.

Vi said...

I can't believe oiaohm is still masturbating here, all covered in his own undigested puke.

Andi. said...

Fact is: all Microsoft fans are dumbasses. Only dumbasses pay happily a couple of hundreds of dollars for an OS with self-corrupting registry, with barely any usable programs (e.g. photo editing? office?) and the need to clutter the computer with "updates", "hotfixes" and "service packs". Especially since that OS is a spyware on itself, sending home data from the user's computer. How pitiful...

Anonymous said...

Is LHR dead again? It kinda sucks, though understandable as there barely is anything new and rantworthy out there and we all have lives to live.

Eric Raymond gets the clue stick from uber-hacker
http://slashdot.org/firehose.pl?op=view&id=1762263

Anonymous said...

OMG OMG OMG.
This blog is dead as well.

Linux is not interesting enough even to produce failure stories.

Thanks for trying, congratulations on moving on.



/EOF

Anonymous said...

Come on! We need moar hate! Fun fact: At the tech support shop I work at, we recommend OpenOffice to people who don't have MS Office. I've installed OO for 5 clients. All 5 have returned and requested I install Office 07 for them. Apparently they hate freedom.

Anonymous said...

One more Linux haters blog died?

Anonymous said...

So is the blog dead or what?

Come on, we need more hatred ;-)

Anonymous said...

Ahahahahahahaha check the fix this guy is applying! ROTFL

http://www.linuxforums.org/forum/debian-linux-help/135722-debian-router-help-pls.html

Anonymous said...

Are you dead, LHR, or just resting?


http://www.itwire.com/content/view/22362/53/

"Windows crushing Linux in netbook market: Acer"

Who denied the coming of this? Only the deluded.

Anonymous said...

Good post. But I think you need to do a bit of a recap; I've forgotten completely why you hate Linux in the first place.

Anonymous said...

What the fuck! There must be a lot of bored Wintards/Wintrolls/Lintards/lusers/fanbois/Mactards out there! 785 Comments on linuxhaters.blogspot.com! Hasn't matched adequacy.org though.

Anonymous said...

Get a fucking life freetards...