Linux-Advocacy Digest #60, Volume #30             Sun, 5 Nov 00 14:13:07 EST

Contents:
  Re: A Microsoft exodus! ("Les Mikesell")
  Re: Chad Meyers: Blatent liar (sfcybear)
  Re: A Microsoft exodus! ("Christopher Smith")
  Re: A Microsoft exodus! ("Bruce Schuck")
  Re: A Microsoft exodus! ("Christopher Smith")
  Re: The Sixth Sense ("Bruce Schuck")
  Re: Linux growth rate explosion! ("Les Mikesell")
  Re: more stuff I wish linux did ("Nigel Feltham")
  Re: Why Linux is great ("Les Mikesell")
  Re: Why Linux is great ("James")
  Re: KDE vs GNOME: specific issues (mlw)

----------------------------------------------------------------------------

From: "Les Mikesell" <[EMAIL PROTECTED]>
Crossposted-To: 
comp.os.ms-windows.nt.advocacy,comp.os.ms-windows.advocacy,comp.sys.mac.advocacy,comp.os.os2.advocacy,comp.unix.advocacy
Subject: Re: A Microsoft exodus!
Date: Sun, 05 Nov 2000 18:49:08 GMT


"Christopher Smith" <[EMAIL PROTECTED]> wrote in message
news:8u40bt$hf3$[EMAIL PROTECTED]...
>
> > But, it does not tell you what is going to run if you choose 'open'.
>
> If people are dumb enough to open attachments they know nothing about, do
> you really think knowing what program was going to open it would help ?

Yes.  And the mailer should never hand off directly to a program
that allows the content to take control.

> > > YOU choose whatever to ignore it or not.
> >
> > How can you make a reasonable choice with no relevant
> > information?
>
> How would knowing that the file was going to be opened by the program
> "vbscript" help the average user ?

The mailer should know that it is not in the list of
harmless programs (if there is such a thing under windows)
and not run it.  For harmless programs there is no need for
the annoying warning.

> > > I'm talking about users either ignoring or disabling the warning that
> > > outlook issues them when they try to open an attachment. How can you blame
> > > the OS/Outlook for the users *ignoring* very clear warning?
> >
> > It is not clear at all.
>
> It is perfectly clear.  "Do this and it might break your system".  How much
> clearer can it be ?

It is not clear.  How many corporate and government offices
have to have their systems shut down by viruses to prove it?

> > Opening mail is a typical thing to do and
> > there is no way of knowing what will happen if you do.
>
> Sure there is.  Opening the mail does nothing.  Opening the _attachment_ will
> launch another program.
>
> Please don't try to propagate the myth that simply opening the email will
> execute the attachment.

OK, viewing the attachments to mail is a typical thing to do.
And we are back where we started.

>
> Bullshit.  Any mailer that allows an attachment to be handed off to a shell
> to be dealt with does _exactly the same thing_.

That's the point.  They don't blindly hand off to a shell that
knows nothing about the content source.

> Pine in Unix, for example.

Wrong.

> KMail in KDE, for another.

I haven't tried that one but I would bet that it never
feeds an attachment to the shell when you open it.

> I don't know personally of any Mac mailers which do the same thing, but I
> have no doubt most of them do.

You would be able to tell by the number of reported virus attacks.


> > Reasonable mailers have hard-coded or configurable lists of programs
> > they will use to process different attachment types and will not
> > automatically start any others.
>
> I guess that makes Outlook a reasonable mailer, since the list is
> configurable.  The list is in the registry and determined by filetype.  It
> is the shell that actually executes the program.

If you think it is reasonable to have to configure your entire system
to never execute shell and interpreter programs just so you can
use email safely.  I don't.

> Just like, say, KDE.  Mime types mapped to programs.
>
> This is called "reusing resources".  Instead of having to have filetypes
> defined in every app, they are defined globally.

It is called insanity.  The uses aren't equivalent and thus
shouldn't be treated the same.

> > These do not include script interpreters.
>
> Depending on your config.  They *might* include script interpreters.  There
> is no intrinsic reason why they can't.

If  you enjoy spreading virii at someone else's whim.

> > Outlook doesn't even know what it is about to start.
>
> Because *it* doesn't start it.  Outlook hands the file off to the *shell* to
> be dealt with.

If it wasn't obvious from the start that this is an insane design,
hindsight should make it clear.  If you are going to do that you
at least need some sort of 'safe' environment like the java
sandbox.

    Les Mikesell
       [EMAIL PROTECTED]




------------------------------

From: sfcybear <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: Chad Meyers: Blatent liar
Date: Sun, 05 Nov 2000 18:36:54 GMT

In article <1MfN5.123476$[EMAIL PROTECTED]>,
  "Bruce Schuck" <[EMAIL PROTECTED]> wrote:
>
> "Les Mikesell" <[EMAIL PROTECTED]> wrote in message
> news:Zm8N5.13161$[EMAIL PROTECTED]...
> >
> > "Bruce Schuck" <[EMAIL PROTECTED]> wrote in message
> > news:8c1N5.123098$[EMAIL PROTECTED]...
> > >
> > > > >> As usual, you are a blatent liar.
> > >
> > > How about this one:
> > >
> > > It lets remote users shut down a workstation on RedHat 6.0, 6.1, and 6.2.
> > >
> >
> > And the current version of RedHat is????
>
> The current version selling? Or the current version in server rooms or
> desktops?
>
> The list for 7.0 is very long, and is growing every day.


And how does that list compare with other OS's? The good part about
Redhat is we can SEE the bug list they have. MS? Not a chance! Their bug
list is so bad they HIDE it away from everyone!


>



------------------------------

From: "Christopher Smith" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: A Microsoft exodus!
Date: Mon, 6 Nov 2000 04:55:02 +1000


"Stefan Ohlsson" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Christopher Smith wrote:
> >"Les Mikesell" <[EMAIL PROTECTED]> wrote in message
> >>But, it does not tell you what is going to run if you choose 'open'.
> >If people are dumb enough to open attachments they know nothing about, do
> >you really think knowing what program was going to open it would help ?
> >
> Excuse me for answering a question not directed at me, but this is news
> after all :)
>
> It would probably not help the average user. People who know what the program
> is will know not to go through with it though. On the other hand, those people
> won't execute an attachment anyway.
>
> Now, it has happened more than once that worms/viruses/whatever has spread
> through this _flaw_ in Outlook.

It is not a flaw by any definition of the word flaw I am aware of.  Outlook
does nothing without asking.  Outlook does nothing you do not tell it to.
Outlook does nothing that many other mailers (yes, even Unix ones) also do.

> Clearly, its negative sides outweigh the
> positive sides as demonstrated by the ILOVEYOU.txt.vbs thing.

The negative sides are stupid people will lose their data.  This particular
affliction also applies to programs like "rm".  Should we remove "rm"
because stupid people might delete their files ?

> Unix companies have already learned this lesson and has this feature
> disabled.

Bullshit.  I can pipe a script attachment containing "rm -rf /*" to /bin/sh
from Pine 4.21.  If I'm not mistaken that's a fairly recent version.

> >>It is not clear at all.
> >It is perfectly clear.  "Do this and it might break your system".  How much
> >clearer can it be ?
> >
> Looking at all the damage that has been caused by malicious scripts, it's
> not clear enough. Or, it's just ineffective. That's why I think that all
> running of scripts should be completely disabled per default.

Outlook doesn't run the script.  It hands the file off to the *shell* to be
dealt with by their default handler.  In the case of .vbs files this is the
script interpreter (unsurprisingly).

Conceptually, it is *exactly* the same as doing something like piping an
attachment from a Unix mailer to some program, like sh or perl.

> >>Opening mail is a typical thing to do and
> >>there is no way of knowing what will happen if you do.
> >Sure there is.  Opening the mail does nothing.  Opening the _attachment_ will
> >launch another program.
> >
> Wasn't there something about a preview box in Outlook that opened the
> attachment as soon as the mail was opened?

No.  There was, IIRC, a buffer overflow at one stage involving the date
field, but I believe that has been fixed.  No attachments are ever executed
unless the user asks.

> >> No other OS processes mail the way Outlook does.
> >Bullshit.  Any mailer that allows an attachment to be handed off to a shell
> >to be dealt with does _exactly the same thing_.
> >Pine in Unix, for example.
> >KMail in KDE, for another.
> >
> Only if enabled first.

It's "enabled" by default.  I just opened up a message with an attachment in
Pine and hit "|" then "/bin/sh" and it tried to pipe the attachment to sh.

> >I don't know personally of any Mac mailers which do the same thing, but I
> >have no doubt most of them do.
> >
> Isn't Outlook available for Mac?

Outlook is not.  Outlook Express is, but I don't know if it has this
functionality.  I would _assume_ it does, as I would assume nearly every
other Mac mail program does.

> >I guess that makes Outlook a reasonable mailer, since the list is
> >configurable.  The list is in the registry and determined by filetype.  It
> >is the shell that actually executes the program.
> >
> The flaw is that Outlook uses the global, system-wide list.

This is for convenience's sake.  That's so you don't get a different program
depending on where you launch a filetype from.

> Therefore,
> execution of scripts cannot be disabled unless Outlook itself is made aware
> of what is scripts and what is not.

Which is a maintenance nightmare.  Why should Outlook have to do this when
no other program does ?

Disabling the execution of scripts is easy - just set the default handler
from vbscript to notepad.

> >This is called "reusing resources".  Instead of having to have filetypes
> >defined in every app, they are defined globally.
> >
> In Unix/Linux there is a mime-type list that is used for mail/news programs,
> one could say it's global for the mail programs.

And the browser and in KDE, IIRC, the shell.

> >Depending on your config.  They *might* include script interpreters.  There
> >is no intrinsic reason why they can't.
> >
> I don't know of any distribution that has this enabled per default. Do you?

Dunno, never looked.

However, that's irrelevant.  The argument is that this "problem" is somehow
a) only present in Outlook and b) inherently impossible under Unix (or any
other OS).





------------------------------

From: "Bruce Schuck" <[EMAIL PROTECTED]>
Crossposted-To: 
comp.os.ms-windows.nt.advocacy,comp.os.ms-windows.advocacy,comp.sys.mac.advocacy,comp.os.os2.advocacy,comp.unix.advocacy
Subject: Re: A Microsoft exodus!
Date: Sun, 5 Nov 2000 10:57:47 -0800


"Les Mikesell" <[EMAIL PROTECTED]> wrote in message
news:K8hN5.13194$[EMAIL PROTECTED]...
>
> "Bruce Schuck" <[EMAIL PROTECTED]> wrote in message
> news:mCgN5.123493$[EMAIL PROTECTED]...
> >
> > >
> > > Look at the SAN's digest from about 2 months ago.  Outlook can
> > > infect the system even if you don't run the attachment. My memory
> > > is a bit sketchy as I don't run Outlook, but it had to do with the
> > > fact that Outlook opened the attachment to see if there was a virus
> > > to enable it to warn you that there was one there.
> >
> > Fixed.
> >
>
> What service pack level do you have to run to get this fix?

No service pack for windows.

If you have Office 2000, you need the SR-1 update.

If you have Office 97, you just need the patch.


From the website:
The Outlook E-mail Security Update provides the following security measures:
  a. E-mail attachment security prevents users from accessing several file
     types when sent as e-mail attachments. Affected file types include
     executables, batch files, and other file types that contain executable code
     often used by malicious hackers to spread viruses.
  b. Object Model Guard prompts users with a dialog box when an external
     program attempts to access their Outlook Address Book or send e-mail on
     their behalf, which is how insidious viruses such as ILOVEYOU spread.
  c. Heightened Outlook default security settings increase the default
     Internet security zone setting within Outlook from "Internet" to "restricted
     sites." In addition, active scripting within restricted sites is disabled by
     default. These security features help protect users from many viruses that
     are spread by means of scripting.
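
Added example, not part of any post in this digest and not code from Outlook, Pine, KMail or any other mailer named here: a Python sketch of the mailer-private handler list argued for in the thread, combined with the attachment-type blocking the quoted security update describes. The viewer names, extension tables and sample message are constructed assumptions.

```python
import email
from email import policy

# Mailer-private policy tables. Contents are assumptions for illustration,
# not the list shipped by Outlook, Pine, KMail or any other real mailer.
SAFE_VIEWERS = {   # declared MIME type -> (built-in viewer, allowed extensions)
    "text/plain": ("internal-text-viewer", {".txt"}),
    "image/png": ("internal-image-viewer", {".png"}),
    "image/jpeg": ("internal-image-viewer", {".jpg", ".jpeg"}),
}
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".wsf", ".bat", ".cmd",
                      ".exe", ".com", ".scr", ".pif", ".sh", ".pl"}

def classify(filename, declared_type):
    """Decide what the mailer does with one attachment: block, view or save-only."""
    # Windows drops trailing dots and spaces, so "x.vbs." is still handled as .vbs.
    name = filename.strip().lower().rstrip(". ")
    parts = name.split(".")
    final_ext = "." + parts[-1] if len(parts) > 1 else ""
    if final_ext in BLOCKED_EXTENSIONS:
        detail = "script or executable type " + final_ext
        if len(parts) > 2:
            detail += " behind decoy extension ." + parts[-2]
        return ("block", detail)
    entry = SAFE_VIEWERS.get(declared_type)
    if entry is None:
        return ("save-only", "no vetted viewer for " + declared_type)
    viewer, allowed = entry
    if final_ext not in allowed:
        return ("save-only", "extension %r does not match %s" % (final_ext, declared_type))
    return ("view", viewer)  # fixed built-in viewer, never the OS file association

def triage(raw_message):
    """Return (filename, action, detail) for every attachment in a raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [(p.get_filename(), *classify(p.get_filename() or "", p.get_content_type()))
            for p in msg.iter_attachments()]

# Constructed sample message; the attachment bodies are inert placeholders.
SAMPLE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Body text.
--BOUND
Content-Type: text/plain; name="ILOVEYOU.txt.vbs"
Content-Disposition: attachment; filename="ILOVEYOU.txt.vbs"

placeholder
--BOUND
Content-Type: image/png; name="chart.png"
Content-Disposition: attachment; filename="chart.png"

placeholder
--BOUND
Content-Type: application/msword; name="report.doc"
Content-Disposition: attachment; filename="report.doc"

placeholder
--BOUND--
"""

if __name__ == "__main__":
    for filename, action, detail in triage(SAMPLE):
        print("%-18s %-9s %s" % (filename, action, detail))
```

The decision is made by the mailer from its own tables, so changing a system-wide file association neither adds nor removes anything the mailer will open.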




------------------------------

From: "Christopher Smith" <[EMAIL PROTECTED]>
Crossposted-To: 
comp.os.ms-windows.nt.advocacy,comp.os.ms-windows.advocacy,comp.sys.mac.advocacy,comp.os.os2.advocacy,comp.unix.advocacy
Subject: Re: A Microsoft exodus!
Date: Mon, 6 Nov 2000 04:56:53 +1000


"lyttlec" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Bruce Schuck wrote:
> >
> > "Les Mikesell" <[EMAIL PROTECTED]> wrote in message
> > news:TbfN5.13183$[EMAIL PROTECTED]...
> > >
> > > "Ayende Rahien" <[EMAIL PROTECTED]> wrote in message
> > > news:8u3unv$6c4$[EMAIL PROTECTED]...
> > > >
> > > > >
> > > > > It gives the same error message whether the program that might
> > > > > view it is allowed to execute insecure commands from the
> > > > > attachment itself or not.  When the warning is given all
> > > > > the time with no way to tell if there is a problem or not
> > > > > people will just ignore it.
> > > >
> > > > What error message?
> > > > It warns you that the attachment (any type) may harm you, and ask you what
> > > > you want to do with it.
> > >
> > > But, it does not tell you what is going to run if you choose 'open'.
> >
> > Actually, it does in most cases. A .doc file has a Word icon beside it, an
> > XLS file has an Excel icon beside the attachment etc.
> What help is that? Every time I open an *.xls file or *.doc file, I get
> a warning that the file *might* contain macros that are dangerous. No
> hint whatsoever about what the macro is, even if it exists. So what do I
> do, send an email out to everyone in the company asking if anyone
> attached a dangerous macro to the file?  How long do I wait for a
> response before I open the file?

You open the file with Macros disabled and then use the Macro editor to
"audit" the Macros included in the file.



------------------------------

From: "Bruce Schuck" <[EMAIL PROTECTED]>
Crossposted-To: 
alt.destroy.microsoft,comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: The Sixth Sense
Date: Sun, 5 Nov 2000 10:58:44 -0800


"Christopher Smith" <[EMAIL PROTECTED]> wrote in message
news:8u46c1$uo7$[EMAIL PROTECTED]...
>
> <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > "Aaron R. Kulkis" wrote:
> > >
> > > I see Windows users all around me.  They're stupid, and they don't even
> > > know it.
> > >
> >
> > Windows users are often more ignorant than stupid!
>
> Unlike Aaron, who has the dubious honour of being ignorant _and_ stupid.

And asleep.





------------------------------

From: "Les Mikesell" <[EMAIL PROTECTED]>
Crossposted-To: 
comp.lang.java.advocacy,comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: Linux growth rate explosion!
Date: Sun, 05 Nov 2000 18:58:02 GMT


"Bruce Schuck" <[EMAIL PROTECTED]> wrote in message
news:PegN5.123488$[EMAIL PROTECTED]...
>
> > > Access databases are used as to serve up dynamic content on IIS.
> >
> >
> > Databases are used for big websites. Access is not a big database.
> > Therefore it's fairly silly to use Access in this context.
>
> Many small sites use Access for threaded discussions, catalogues etc before
> users wish to invest in a more expensive solution.

Only the ones that don't know about the free versions of these that run
under apache with php or mod_perl with mysql or postgresql as the
database.

   Les Mikesell
     [EMAIL PROTECTED]




------------------------------

From: "Nigel Feltham" <[EMAIL PROTECTED]>
Subject: Re: more stuff I wish linux did
Date: Sun, 5 Nov 2000 18:55:13 -0000

>3) and last of which, I really want to use software that won't write to a
>network drive (version 4.x of the adaptec cd-burner software) because they know
>better than me that a 2MB/s scsi-2 drive is *always* faster than 15MB/s ultra-2
>scsi drive on the other end of a 100mbps network.  I'm so glad that windoze
>software writers know so much.  I'm glad that they know that I couldn't possibly
>want to use my empty 3.3GB drive instead of a subdirectory of where the software
>was installed.  It should require fifteen mouseclicks to over-ride doing that.
>Using the empty drive is *so* dangerous!

This also pisses me off about windows software - I have installed Mandrake
7.1 on our CD burning machine at work and now instead of having to spend a
fun half an hour manually creating the CD writing project then fifteen
minutes making an image file before burning a CD each week for our weekly
backups I can single-click an icon on the desktop which runs a script (using
find and cat commands) to make a CD burning project containing all
directories created within the past 2 weeks (to allow a safety overlap
between disks) and starts KISOCD. I then open the project file and burn the
CD while reading source data directly off the server (this is to a 2xspeed
writer). This saves half an hour of user time plus 15 minutes machine time
every week - try telling me Windblows is more efficient.





------------------------------

From: "Les Mikesell" <[EMAIL PROTECTED]>
Subject: Re: Why Linux is great
Date: Sun, 05 Nov 2000 19:02:35 GMT


"James" <[EMAIL PROTECTED]> wrote in message
news:3a05882a$0$[EMAIL PROTECTED]...
> More FUD:
>
> Fact:
> CDRW software for Win2k:  Installing Adaptec Get latest Adaptec software and
> run setup.exe.  No problemo.
>
> Now to get my usb scanner working I will probably have to fiddle with a
> beta quality Linux kernel (2.4) and obscure, if non-existent, drivers.
> Hardly non-trivial.
>

Or update to Mandrake 7.2.   Time-consuming but trivial and worth it.

  Les Mikesell
      [EMAIL PROTECTED]




------------------------------

From: "James" <[EMAIL PROTECTED]>
Subject: Re: Why Linux is great
Date: Sun, 5 Nov 2000 21:06:43 +0200


"Les Mikesell" <[EMAIL PROTECTED]> wrote in message
news:f9iN5.13203$[EMAIL PROTECTED]...
>
> "James" <[EMAIL PROTECTED]> wrote in message
> news:3a05882a$0$[EMAIL PROTECTED]...
> > More FUD:
> >
> > Fact:
> > CDRW software for Win2k:  Installing Adaptec Get latest Adaptec software and
> > run setup.exe.  No problemo.
> >
> > Now to get my usb scanner working I will probably have to fiddle with a
> > beta quality Linux kernel (2.4) and obscure, if non-existent, drivers.
> > Hardly non-trivial.
> >
>
> Or update to Mandrake 7.2.   Time-consuming but trivial and worth it.

Yup, that is what I am doing right now.  Should be up & running by next
weekend.  :-)


>
>   Les Mikesell
>       [EMAIL PROTECTED]
>
>
>



------------------------------

From: mlw <[EMAIL PROTECTED]>
Crossposted-To: 
linux.redhat,alt.os.linux,comp.os.linux.misc,comp.unix.solaris,alt.os.linux.mandrake
Subject: Re: KDE vs GNOME: specific issues
Date: Sun, 05 Nov 2000 14:07:56 -0500

Jeff Jeffries wrote:
> 
> I need to choose either GNOME or KDE. I will be doing computationally
> intensive C++, with very heavy disk I/O. Results will be displayed in 3D
> preferably with OpenGL.
> 
> 1. Are GNOME and KDE C++ and/or object oriented? How will this affect
> developing with C++?

KDE is mostly C++ while GNOME is a bogus, bloated, pseudo-object
oriented hack.

> 
> 2. I know GNOME has gtkglarea; does KDE?
> 
> 3. What else should a C++ developer know?

Make a choice and go with it. I use gnome, but am thinking that I should
switch back to KDE. For looks, I think Gnome is better looking, for
software design, I think KDE is better.

> 
> Thanks!

-- 
http://www.mohawksoft.com

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.advocacy) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Advocacy Digest
******************************
