Linux-Advocacy Digest #381, Volume #26 Fri, 5 May 00 18:13:05 EDT
Contents:
Re: This is Bullsh&^%T!!! (Brian Langenberger)
Re: This is Bullsh&^%T!!! ("Christopher Smith")
Re: Dvorak calls Microsoft on 'innovation' (Leslie Mikesell)
Re: Virus on the net? (Bastian)
Re: Windows2000 sale success.. (Mike Marion)
Re: Microsoft: STAY THE FUCK OFF THE NET!!! ([EMAIL PROTECTED])
Re: apache.org defaced (A transfinite number of monkeys)
Re: This is Bullsh&^%T!!! (Seán Ó Donnchadha)
Re: Virus on the net? ("Erik Funkenbusch")
Re: Virus on the net? ("Erik Funkenbusch")
Re: Dvorak calls Microsoft on 'innovation' (Mathias Grimmberger)
Re: This is Bullsh&^%T!!! ("Erik Funkenbusch")
----------------------------------------------------------------------------
From: Brian Langenberger <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: This is Bullsh&^%T!!!
Date: 5 May 2000 21:12:05 GMT
In comp.os.linux.advocacy Christopher Smith <[EMAIL PROTECTED]> wrote:
<snip>
:> That's what "sudo" is for. But how convenient the process of securing
:> files is was not the original issue. If you have a more convenient
:> method of securing files from deletion I'd love to hear it.
:>
: From *deletion* ? ACLs in NT will do exactly that - allow writes but not
: deletion.
Bad phrasing on my part. Seperating writes from deletion will keep
the file on disk, but won't prevent its destruction through
overwrites. It would be wise to keep both secured.
: The whole point here is that Unix is no more inherently resistant than NT,
: and people who run scripts or programs which they know nothing about are
: equally vulnerable on both platforms.
I think Unix and NT can lock down files with similar effectiveness.
It's the consumer-grade Windows users that have these sorts of
problems since the system makes the user "all powerful" at
the cost of system security.
Very annoying, I must say.
------------------------------
From: "Christopher Smith" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: This is Bullsh&^%T!!!
Date: Sat, 6 May 2000 07:27:13 +1000
"Brian Langenberger" <[EMAIL PROTECTED]> wrote in message
news:8evdf5$dq0$[EMAIL PROTECTED]...
> In comp.os.linux.advocacy Christopher Smith <[EMAIL PROTECTED]> wrote:
>
> <snip>
>
> :> That's what "sudo" is for. But how convenient the process of securing
> :> files is was not the original issue. If you have a more convenient
> :> method of securing files from deletion I'd love to hear it.
> :>
>
> : From *deletion* ? ACLs in NT will do exactly that - allow writes but
not
> : deletion.
>
> Bad phrasing on my part. Seperating writes from deletion will keep
> the file on disk, but won't prevent its destruction through
> overwrites. It would be wise to keep both secured.
I figured as much :).
>
> : The whole point here is that Unix is no more inherently resistant than
NT,
> : and people who run scripts or programs which they know nothing about are
> : equally vulnerable on both platforms.
>
> I think Unix and NT can lock down files with similar effectiveness.
> It's the consumer-grade Windows users that have these sorts of
> problems since the system makes the user "all powerful" at
> the cost of system security.
>
> Very annoying, I must say.
But considered necessary for "ease of use". Dealing with security is a
PITA, not only is it annoying to have to set permissions on files every time
you use them, but also requires understanding of a reasonably advanced OS
concept - multiple users.
DOS based Windows and MacOS are inherently insecure because they aren't
multiuser. But don't worry, both are on their way out :).
------------------------------
From: [EMAIL PROTECTED] (Leslie Mikesell)
Crossposted-To: comp.os.ms-windows.nt.advocacy,comp.lang.java.advocacy
Subject: Re: Dvorak calls Microsoft on 'innovation'
Date: 5 May 2000 16:24:08 -0500
In article <8etjfd$p1q$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
>
>It is difficult to tell whether you are trolling or just clueless. But
>here's a clue: the first operating system native to VAX was VMS, which
>supported virtual memory. VMS came out four years before BSD (which was
>the first Unix to support virtual memory).
>
>Other DEC systems such as the 36 bit systems supported virtual memory
>long before VMS. All of this was way before Unix. Way before. But I'm
>sure you didn't know this because since you're a Linux weenie you think
>that Linus Torvalds invented operating systems.
Oh yeah - DEC.... The company whose president was famous for saying
that no one would ever want a computer at home. I'm sure we
should trust their vision. I thought there was something really
odd about DECnet too, but I've tried to forget. Maybe it was
that all interfaces on a box were required to have the same
MAC address.
Les Mikesell
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (Bastian)
Subject: Re: Virus on the net?
Date: 5 May 2000 21:29:45 GMT
On 05 May 2000 10:08:28 EDT, CG wrote:
>On 5 May 2000 06:07:47 GMT, [EMAIL PROTECTED] wrote:
>
>>On Sun, 4 May 3900 23:08:37, Mig Mig <[EMAIL PROTECTED]> wrote:
>>
>>>
>>> Hmm.. i was hit by it but didnt execute the script. I had a look at the
>>> script and even not being to strong on Visual Basic it is easy to
>>> understand that this was a "bad program"
>>>
>>
>>What exactly did you find? How did you inspect it? What was the clue
>>to it being malevolent? Please give actual examples (snippets) so we
>>can
>>be better prepared.
>>
>>Thanx.
>
>here it is in all its glory.
>[snip]
Who said this crap is easy to understand? I can read/write C and C++,
batch files and shell scripts, but I looked over this code for like five
minutes and I didn't have a clue what it does.
Bastian
------------------------------
From: Mike Marion <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: Windows2000 sale success..
Date: Fri, 05 May 2000 21:36:02 GMT
[EMAIL PROTECTED] wrote:
> the same denial of existence. This certainly makes me want to rush
> right out and pay the big bucks for SQL-server, IIS, and whatever else.
Heh.. I tried to go look at the mcafee info page on the ILOVEYOU virus yesterday
(while our NT people were scurrying around and we chuckled of course) and kept
getting:
HTTP/1.1 Server Too Busy
as the only reponse to the page. :)
Last time we bombed someone (I forget who) I went to both cnn and msnbc. Cnn
was dog slow, but finally came up. Msnbc gave me an error page telling me a
change I should try in the server's registry. Yeah, that's what you should show
users... not!
I use this traffic page often:
http://www.dot.ca.gov/dist11/d11tmc/sdmap/mapmain.html
got this as the map one morning:
http://miguelito.org/bad-map.gif
Had to save that one.. :)
Sometimes when I'm in a computer room here, if there's no vt100 terminal for me
to use to get to a console server (using serial consoles on Suns), I'll log into
a windows server. It drives me nuts when, logged in as a user, I get admin
dialog boxes telling me backups completed, or there were errors, etc.
--
Mike Marion - Unix SysAdmin/Engineer, Qualcomm Inc.
Yo' momma's so fat she makes emacs look like pico!
-- Another stolen from /.
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To:
comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy,alt.fan.bill-gates
Subject: Re: Microsoft: STAY THE FUCK OFF THE NET!!!
Date: Fri, 05 May 2000 21:42:48 GMT
In article <[EMAIL PROTECTED]>,
Jeff Szarka <[EMAIL PROTECTED]> wrote:
> On Thu, 4 May 2000 19:51:58 -0700, "Stephen S. Edwards II"
> <[EMAIL PROTECTED]> wrote:
[snip]
> The fact Microsoft has not prevented Outlook Express / Outlook from
> running any executable programs is an outrage. E-mail was never meant
> to transfer large binary files. If you want to share files, use an
> online backup provider. A simple setting in Outlook could have stopped
> this whole thing. Obviously Microsoft was to busy working on Windows
> ME(TM) aka Windows 98 SSE (super SE) to plug up a simple security
> problem that has now created 2 huge (in NBC Nightly News sense) virus
> breakouts.
Well, it's all part of this integration of things, web stuff,
interactive apps, e-mail, to try make it all look the same.
Needless to say, that makes it easy for beginners to use,
but makes it easy to hack as well.
I still don't know why we need M$Word to read a friggin'
text file that is ten times the size it should be with
all kinds of biary data. And HTML mail suchs too.
Yes, people try to make the mailers more "capable" and "seamless"
but that makes them far more vulnerable as well.
FWIW, the hole is still there. Anyone who wants to can just
alter the fprmatting of the ILOVEYOU VBS script so it sneaks
through the virus scans, and start this thing anew.
Right now, they have a filter on my Micro$ux Exchange
server that strips any .vbs attachments from incoming
mail, and to be sure, I don't think anyone will be the worse
for it.
[snip]
Cheers,
-- Arne Langsetmo
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (A transfinite number of monkeys)
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: apache.org defaced
Date: Fri, 05 May 2000 21:47:16 GMT
On Fri, 5 May 2000 11:30:30 -0400,
Drestin Black <[EMAIL PROTECTED]> wrote:
: http://www.attrition.org/mirror/attrition/2000/05/03/www.apache.org/
:
: say... what's that at the bottom of the page?!
Read the account on bugtraq.
It's not a Linux server. It's FreeBSD. It's proof that any OS can be
rooted if you configure your software poorly.
--
Jason Costomiris <>< | Technologist, geek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/
------------------------------
From: Seán Ó Donnchadha <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: This is Bullsh&^%T!!!
Date: Fri, 05 May 2000 17:52:43 -0400
Brian Langenberger <[EMAIL PROTECTED]> wrote:
>:
>: Wow, kinda like the MS-DOS read-only attribute. What an innovation for
>: Linux! By the way, what would prevent a script from using chattr to
>: remove the 'i' attribute before blowing away the file?
>
>Only the superuser can set or remove the 'i' attribute.
>
>[...]
>
>Thus, the script is out of luck.
>
Are you saying that the student must get an admin to remove the
attribute every time he wants to work on his thesis, then get an admin
to assign the attribute every time he wants to read email? Is this for
real?
------------------------------
From: "Erik Funkenbusch" <[EMAIL PROTECTED]>
Subject: Re: Virus on the net?
Date: Fri, 5 May 2000 17:05:29 -0500
Rob S. Wolfram <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> >Really, and here i've been lead to believe by all those Unix enthusiests
> >that piped command lines are easier than GUI's.
>
> Once again you're twisting words to suit your own point. I never made a
> reference to how hard or easy it is to write such a virus. I made
> references to your ignorance that email clients like elm or pine have
> common and well known filenames for mail aliases.
I'm not twisting words. Unix advocates have been telling us for years that
GUI's suck and that CLI's are the only way to get real work done simply and
easily.
You are claiming that the elm and pine do not have common and well known
filenames for their aliases?
> Still I'd like to make clear that your statement above is false. At
> least one Unix enthousiast (/me) will not say that CLI solutions are
> easier than GUI's. I will say this:
> - Using a CLI is not difficult
> - Using a GUI is not intuitive
> - A CLI is extremely powerful for certain tasks (like process
> automations) and very lousy for others (like 3D image manipulation).
> - A CLI pipeline is magnitudes more /flexible/ than a GUI for about any
> administrative task I can think of.
>
> Good enough for you?
Sure.
> >How difficult is it to use perl or grep and awk? Not very. And just
about
> >as easy as the code below.
> >
> >I love this. Unix users crow on and on about how powerful and easy
> >scripting and command lines are until a possible exploit is found and
then
> >suddenly it's too difficult and impossible to do something.
>
> Powerful and easy? Hell, yes. At least I don't think it's rocket
> science. Easier than a GUI? That would depend on the task at hand.
> Easier than a GUI for Joe Sixpack? Hell, no.
You really think someone capable of writing something like this couldn't
figure out the grep and awk syntax to scan your home directory for a regular
expression?
> >> In any case, it is far more difficult than the way ILOVEYOU does this:
>
> And if you once again fail to read correctly, the phrase "more
> difficult" here compares the way LOVE-LETTER-FOR-YOU.TXT.vbs retrieves
> the info to the way you suggested (well known and common names etc.)
No. You said "far" more difficult. You printed 3 lines of VBScript code,
the same could be done to scan a users home directory for an email regular
expression in a single shell script line.
------------------------------
From: "Erik Funkenbusch" <[EMAIL PROTECTED]>
Subject: Re: Virus on the net?
Date: Fri, 5 May 2000 17:08:11 -0500
JEDIDIAH <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Fri, 5 May 2000 12:31:45 -0500, Erik Funkenbusch <[EMAIL PROTECTED]>
wrote:
> ><[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> >> >No, but there's a mail aliases list in the users home directory that
> >could
> >> >easily be read.
> >> >
> >> >> 2) Linux doesn't run VBS. :)
> >> >
> >> >No, instead it has sh.
> >>
> >> So fucking what? No linux e-mail client automatically executes
> >> attachments.
> >
> >And no windows e-mail client does either. Get it through your head.
This
> >virus does *NOT* auto-execute. The user chooses to open it, that's the
only
> >way it spreads.
>
> ...at which point it 'auto-executes'.
Sure, in the same way that typing a command in at the command line
"auto-executes".
> This scheme places a burden of being saavy and careful upon a
> userbase not particularly well known for either characteristic.
>
> Whereas, you would be hard pressed to find any Unix mail app that
> would equate 'open it' to 'execute it' either in an interactive
> context or non-interactive one.
OS's like MacOS X and BeOS are moving to using MIME types to identify
document formats. The mere act of executing a document will execute it's
application. A shell script will automatically get sh or whatever.
I don't see how it can be very long before Linux does the same.
------------------------------
Crossposted-To: comp.os.ms-windows.nt.advocacy,comp.lang.java.advocacy
From: Mathias Grimmberger <[EMAIL PROTECTED]>
Subject: Re: Dvorak calls Microsoft on 'innovation'
Date: Fri, 5 May 2000 21:07:03 GMT
"Erik Funkenbusch" <[EMAIL PROTECTED]> writes:
> Mathias Grimmberger <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Jen <[EMAIL PROTECTED]> writes:
> > > I'm growing weary of this "where is the Microsoft innovation" crap.
> >
> > So, a hard and fast question: Where is the MS innovation?
>
> Have you looked at Microsofts 1,227 Patents?
No. Too boring. Although the one about a door hinge might be funny.
> By definition, a patent is an innovation is it not?
Huh? No. A patent is a patent, a monopoly granted by the government for
a limited time.
What has been patented may be an innovation, but it really doesn't have
to be. That is not how the patent system works. Whoever gets the patent
*first* has it, no matter whether the "invention" is old stuff or
somebody else invented it earlier. And overturning patents is hard.
> > Hmm, nobody has claimed that Linux was the latest and greatest
> > innovation AFAIK. In fact that it is build on the principles of Unix
> > (which have been proven to actually work over a long time :-) is one of
> > the big selling points of it.
>
> And where are the Linux patents?
Who cares? A patent doesn't imply innovation.
What would qualify as a "Linux patent" anyway? I doubt MS's patents have
"Windows" written into them. Not the door hinge one anyway ;-)
> > Now MS seems to have announced it's intention to include biometrics into
> > the Windows API and all sorts of journalists get excited about it.
>
> Which OS has biometrics built in?
None, I guess. No sensible OS should have that built in - it is not an
OS feature. The hooks needed to implement various (maybe even unknown
today) authentication schemes are an OS feature. Heck, even Windows has
such hooks, they are just not documented very well. Exchanging the GINA
DLL is a supported feature in NT.
And PAM is a supported feature on some Linux distros.
> > Hmm, guess what, the company I worked for back in 1997 (or was it 1996?)
> > had a demo of biometric access control for WinNT back then. Yes, our own
> > GINA DLL doing biometrics. Since MS did such a great job (not!) of
> > documenting the API we could not do a genuine logon (with the published
> > API you *must* have a cleartext password to do a user logon), we could
> > only unlock the screen lock. Other companies had such demos too (which
> > AFAIK where basically a fake though). We could have easily done a
> > complete version of that for any Unix had our management wanted one.
>
> Biometrics support is more than just logins.
Of course, but you probably want to start there (where else?). With NT 4
you can't (I hear with W2K one could make it work).
> And Biometrics include a host of technologies including fingerprint,
> voiceprint, retinal, image recognition (such as face paterning), etc..
Which is precisely the reason why the actual implementation should not
be part of the OS. If you are going to tell me MS (or any company out
there for that matter) will provide working implementations of all these
you are just naive.
The stuff doing the actual authentication must be easily exchangeable,
after all there are lots of issues which affect a particular customers
choice of that. Price, security, ease of use, hardware needed and so on.
> > So, MS is innovating, leading the industry, whatever, ... once again? I
> > don't think so...
>
> A standardized Biometrics API is certainly new. Today, if you want to write
> Biometric aware applications, you need to write to someone's API. And
> that's different for each product.
Layering. Software engineering is not *that* difficult.
Now a standard API is certainly something good. It would also be
something incredibly hard to get right (has to work for all biometric
technologies, known and unknown today - the actual technology used must
be *exchangeable* or it is largely worthless). Somehow I don't trust MS
to be able to pull that one off.
BTW, I fail to see how a standardized API for anything could be called
"innovation", this is a quite old concept. If it's so easy to innovate
I'm innovating quite a lot every day at work.
MGri
--
Mathias Grimmberger <[EMAIL PROTECTED]>
Eat flaming death, evil Micro$oft mongrels!
------------------------------
From: "Erik Funkenbusch" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: This is Bullsh&^%T!!!
Date: Fri, 5 May 2000 17:14:22 -0500
Brian Langenberger <[EMAIL PROTECTED]> wrote in message
news:8ev251$btk$[EMAIL PROTECTED]...
> : Is it going to take someone to write such a virus for Linux to wake you
> : people up?
>
> Been there, done that.
>
> http://www.albion.com/security/intro-5.html
>
> In reality, no UNIX email program executes scripts or apps directly from
> the spool. If someone goes to the trouble of saving such a script and
> executing it - and that script finds addresses to send to - for the
> worm to propagate it will require *lots* of other people to do the
> same.
>
> I'm not sure how you're going to get a significant number of
> UNIX users to mindlessly execute such a script without sending
> it to "more" first for a glance at what it does.
How many people in Unix labs across the world really know much about Unix?
How many people would do something if an email from a trusted friend told
them to do it and gave them instructions how? Witness the popularity of
things like the Craig what'shisname that wanted the most greeting cards.
Someone says "send this email to everyone you know" and they do it. This
was going around the internet for years before it became the commercial
success it is today.
> Maybe it's just a different mindset, but popularity has nothing to
> do with it. There's certainly more people using UNIX-like systems
> now than in 1988...
Maybe. There are certainly more Unix-like installations than in 1988. But
then there used to be hundreds of thousands of college students using the
labs to access the net, today they have their own computers for the most
part running Windows (again, for the most part).
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.advocacy) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Advocacy Digest
******************************
