Linux-Advocacy Digest #95, Volume #30             Tue, 7 Nov 00 00:13:04 EST

Contents:
  Re: Chad Meyers: Blatent liar ("Les Mikesell")
  Re: A Microsoft exodus! ("Christopher Smith")
  Re: A Microsoft exodus! ("Les Mikesell")
  Re: A Microsoft exodus! ("Les Mikesell")
  Re: A Microsoft exodus! ("Les Mikesell")
  Re: A Microsoft exodus! ("Les Mikesell")
  Re: Linux growth rate explosion! (Goldhammer)
  Re: A Microsoft exodus! ("Les Mikesell")
  Re: Chad Meyers: Blatent liar ("Bruce Schuck")
  Re: Linux growth rate explosion! ("Les Mikesell")

----------------------------------------------------------------------------

From: "Les Mikesell" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: Chad Meyers: Blatent liar
Date: Tue, 07 Nov 2000 04:24:28 GMT


"Bruce Schuck" <[EMAIL PROTECTED]> wrote in message
news:PQKN5.123765$[EMAIL PROTECTED]...
>
> How does anybody get any work done with Linux? Do you have any time left
> after downloading all the security fixes, compiling them and installing
> them?

First, since the linux distributions include so many programs, it often
turns out that you aren't running the one in question anyway.  You'd
have to buy a whole store full of add-on products for the equivalent
under Windows.   Then for the cases where you do have to update,
the distributors all have packaged updates that install with a single
command, and (unlike anything from MS) if it isn't the kernel you
don't even have to reboot.   Most of the distributions include a tool
to automatically pick up the updates for you.

> > but those poor Windows users have no idea what horrors MS is hiding from
> > them because MS does not publish its bug list!
>
> It's called the knowledge base. It has all the issues. It's searchable.

How often has MS published something there before someone else
made it public?

  Les Mikesell
     [EMAIL PROTECTED]




------------------------------

From: "Christopher Smith" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: A Microsoft exodus!
Date: Tue, 7 Nov 2000 14:28:59 +1000


"Stefan Ohlsson" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Christopher Smith wrote:
> >"Stefan Ohlsson" <[EMAIL PROTECTED]> wrote in message
> >>I think it's a flaw by design. The default behaviour is wrong.
> >The default behaviour is to pop up a warning box that says "save".
> >
> Was that default also when ILOVEYOU.txt.vbs was spreading?

Yes.

> If it was
> it was not enough.

Once again, I sincerely doubt that anything short of a large black man
beside each end user with a gun would have made a significant difference in
the ILOVEYOU thing.  If a user is dumb enough to open an attachment, they're
dumb enough to save it and run it.

> There are several possible reasons for this. Number one is nag, nag nag.
> It asks about every single file type every time until you tell it to stop.
> Then it doesn't say anything about that file type any more. So the user
> got tired of it warning for harmless files like pictures and didn't
> believe the warning any more. It's like the boy who cried wolf. When the
> wolf really came no one believed him.

This is a good point, but the converse of the problem is maintaining a list of
"safe" and "unsafe" attachments _and_ keeping said list up to date and
present on machines.

> It's good that Outlook warns, but handling of scripts should be completely
> disabled until enabled, and then it should ask the questions, and only for
> files that really are potentially dangerous.

You'll be pleased to know the betas for the newest version of office stop
scripts from silently running commands that do things like delete files and
access your address book.

Personally I think this is unnecessary, an over-the-top reaction and going to
create a maintainability nightmare, but that's me.

> >>>>Clearly, its negative sides outweigh the
> >>>>positive sides as demonstrated by the ILOVEYOU.txt.vbs thing.
> >>>The negative sides are stupid people will lose their data.  This
> >>>particular
> >>>affliction also applies to programs like "rm".  Should we remove "rm"
> >>>because stupid people might delete their files ?
> >>I don't buy that as a parallel to the Outlook problem. Rm's only purpose
> >>is to delete files. Outlook was never meant to do that.
> >You are implying that programs that cause Bad Things to happen to Stupid
> >People should not be allowed.
> >
> I don't mean that. Not at all. However, the programs should behave
> Sensibly and prevent Accidents. You don't have to be stupid to click through a
> requester that you shouldn't have.

Indeed.  But the point is Outlook already behaves sensibly in that it *asks*
the user, with a *default* of "not execute" whether they really want to
execute the attachment.

> >Well, I daresay rm has caused more Bad Things to happen than Outlook
> >could ever dream of.
> >
> I have deleted important files by accident. I have restored them from
> backup and/or recovered them through a safeguard in the file system I use.
> Basically it deletes the file but keeps a reference in a directory called
> .deldir so it can be copied back if nothing has overwritten the physical
> sectors it used yet.
>
> There is a difference between rm and Outlook. Rm is meant to delete files,
> Outlook is not.

Outlook is meant to behave consistently with the rest of the Windows
interface.  That means when you double click on a file, it gets executed.

> >>>>Unix companies have already learned this lesson and have this feature
> >>>>disabled.
> >>>Bullshit.  I can pipe a script attachment containing "rm -rf /*" to
> >>>/bin/sh
> >>>from Pine 4.21.  If I'm not mistaken that's a fairly recent version.
> >>You can specifically pipe it, yes. But that rm does not get run, by
> >>default, if you choose to display the attachment. In Outlook, if you
> >>choose to display (open) the attachment it _will_, by default, be run.
> >
> >When you do the exact same thing you do anywhere else in Windows (double
> >click on an icon) it does the exact same thing it does everywhere else in
> >Windows (launch whatever default handler is specified).
> >
> That is the core of the problem. The border between secure and insecure
> gets blurred. Things coming from a place as untrustable as the Internet
> _must_ be handled differently.

But not all mail comes from the internet.  Indeed, in some environments a
_majority_ of it is probably internal.

> >By double clicking that icon, the user is telling outlook to open that
> >icon. Nothing is different about the way they'd open that icon at any other
> >time. This is exactly the same as piping something out of a mail program - I
> >wouldn't expect the mailer to act differently to some other program when
> >I piped content out of it.
> >
> No. When you pipe (via Pine for example) you say _specifically_ what
> program is to take care of the attachment. When you doubleclick on the icon in
> Outlook you have _no control_ over where it goes. Unless you're an admin
> and have altered the registry to suit.

Anyone can change (their) filetype mappings in a default setup.

> The equivalent to a pipe would be Rightclick->SendTo->program
> Why? Because there is no default pipe. You always have to tell it where
> to go.

The point is the exact same thing could have happened if the email had
instructions on how to pipe out of the mailer.  And probably would have.

This is also consistent with Unix's interface as well - you do have to
specifically tell it which programs open which files every time.  In Windows
you operate with files and objects, not with programs and data files.

> >>All right, all handing off of scripts to the *shell* should be
> >>disabled by default.
> >How do you decide what a script is ?
> >
> Interesting dilemma. It would have to have some sort of table to look up in.

The problem is not in maintaining the table (although a separate table for
each program offends my sense of good design), the problem is in
*maintaining* that table with "safe" and "unsafe" filetypes.  And also
deciding what "safe" and "unsafe" filetypes are.

> >>>It's "enabled" by default.  I just opened up a message with an
attachment
> >>>in Pine and hit "|" then "/bin/sh" and it tried to pipe the attachment
to
> >>>sh.
> >>That is _not_ the same thing. The equivalent in Outlook would be
> >>something like: Right-click on the attachment, select "Sent To"
> >>and "Windows Scripting Host". A very specific action.
> >Not at all.  When you double click an icon in Windows, you are
> >"activating" it. That means whatever default behaviour is defined for that
> >filetype will be performed.
> >If you doubleclick some icon in Outlook, it is exactly the same as piping
> >the attachment to some other handler program.
> >
> No. The action on double-click is pre-set per file type. The Pine-pipe
> is not. You can pipe a jpeg file to /bin/sh if you want.
> It won't do much good, but you can.

Sorry, what I meant was it is the same from the perspective of how the user
always interacts with the system.  On Windows, you manipulate icons while on
Unix you run programs on datafiles.

> >>Convenience has its backsides, it seems. It's all about finding the
> >>right balance I guess.
> >Indeed.  And IMHO this is one place where the balance is currently "good
> >enough".
> >
>
> >Think about it for a while - if people are dumb enough to run a .vbs file
> >called "ILOVEYOU" they get in their email, then they're more than dumb
> >enough to run some random executable that gets emailed to them called
> >"ILOVEYOU".  The end result would have been _exactly_ the same and the
> >fallout zone would have been only marginally smaller.
> >
> They most likely didn't know they ran a .VBS file. The full name was
> ILOVEYOU.TXT.vbs. Windows hides extensions for known file types per
> default so it appeared as ILOVEYOU.TXT. Hey, what's dangerous about a .txt file?

The icon would have been different from a text file.  And given that's how a
person *used* operating in "hidden extensions" mode would be to identifying
filetypes, it would have been no different to not having extensions hidden
and noticing the .vbs.

> >How would you propose a mailer protect against that ?
> >
> Don't run it unless specifically enabled. Or better yet, don't run it at
> all.

I was speaking of how a mailer would protect people from saving files and
executing them later.

> >>>Which is a maintenance nightmare. Why should Outlook have to do this
> >>>when no other program does?
> >>For security reasons?
> >It would be a total and utter waste of resources.  See above for why.
> >
> Security is not a waste.

It is if time spent designing and coding a plethora of special cases would
be better spent on a 2 page LARTing document.

(Useful) Security is all about trading off convenience against safety.
Computers are here to make our lives more convenient, but to do that they
have to make assumptions.  Security is about refining those assumptions to
the point where they are the same assumptions we would make in the same
position.

> >>Granted. Downside is that you disable execution system-wide.
> >>No double-clicking on script icons any more (unless you want to edit
> >>them in Notepad of course). Personally, I'd disable it easy.
> >You can, of course, define an alternate action (say, "Execute") that will
> >appear on .vbs file context menus.  Then you can just right click ->
> >execute.  It's nearly as quick.  This is what we did where I work.
> >
> That is good. View on doubleclick, execute when selected specifically.

But it's inconvenient to some.  Some users who actually use VBScript a bit
asked to have the association changed on their machines.  We relented
eventually, under dire warnings of "If your stupidity fucks you up, don't
come crying to us".

[chomp]
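The "hidden extensions" point argued above can be made concrete. This is an added illustration, not code from the thread: a constructed table of file associations stands in for the registry, `displayed_name` models the "Hide extensions for known file types" setting, and `flag_attachments` is the check a mail gateway or admin script could run to catch names whose visible extension does not match what a double-click would actually do.

```python
"""Illustration of how ILOVEYOU.TXT.vbs was displayed, and a check that flags
attachment names whose displayed extension misrepresents the open action.
All tables below are constructed for the example; a real system reads its
associations from the registry."""

# Extensions Windows treats as "known" (and therefore hides) in this example.
KNOWN_EXTENSIONS = {".txt", ".jpg", ".doc", ".pdf", ".vbs", ".exe", ".js"}

# What a double-click ("open") does for each real extension.
ACTION = {
    ".txt": "view", ".jpg": "view", ".pdf": "view", ".doc": "open-in-editor",
    ".vbs": "execute", ".exe": "execute", ".js": "execute",
}


def split_ext(name):
    """('ILOVEYOU.TXT', '.vbs') for 'ILOVEYOU.TXT.vbs'; the extension is
    lowercased. Names without a dot, or starting with one, have no extension."""
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        return name, ""
    return base, "." + ext.lower()


def displayed_name(name, hide_known=True):
    """Name as shown with 'Hide extensions for known file types' on or off."""
    base, ext = split_ext(name)
    if hide_known and ext in KNOWN_EXTENSIONS:
        return base
    return name


def open_action(name):
    """What really happens on double-click: decided by the LAST extension."""
    return ACTION.get(split_ext(name)[1], "unknown")


def deceptive(name, hide_known=True):
    """True when the real action is 'execute' but the name the user sees
    ends in an extension that suggests something harmless (e.g. .txt)."""
    shown = displayed_name(name, hide_known)
    _, shown_ext = split_ext(shown)
    return (open_action(name) == "execute"
            and shown_ext != ""
            and ACTION.get(shown_ext, "unknown") != "execute")


def flag_attachments(names, hide_known=True):
    """Return the subset of attachment names that would mislead the user."""
    return [n for n in names if deceptive(n, hide_known)]


if __name__ == "__main__":
    # Constructed sample attachment names for the demonstration.
    sample = ["ILOVEYOU.TXT.vbs", "photo.jpg", "photo.jpg.exe", "run.vbs"]
    for n in sample:
        print(f"{n:20} shown as {displayed_name(n):16} open -> {open_action(n)}")
    print("flagged:", flag_attachments(sample))
```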




------------------------------

From: "Les Mikesell" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: A Microsoft exodus!
Date: Tue, 07 Nov 2000 04:29:35 GMT


"Christopher Smith" <[EMAIL PROTECTED]> wrote in message
news:8u5r0r$lkd$[EMAIL PROTECTED]...
>
> >
> > Yes, but you have to do it _explicitly_.  It doesn't do it merely by
> > "opening" the attachment.
>
> I have to _explicitly_ tell Outlook to execute an attachment as well.

No, you tell it to 'open' and it is the sender's choice whether it
executes or not.

>
> You are trying to use Unix terminology in Windows, and it doesn't work.
> Files aren't "viewed" or "edited" or "opened" in Windows, there is no
> distinction, they are just objects that are "executed".

Yes, you do understand the problem...

  Les Mikesell
    [EMAIL PROTECTED]





------------------------------

From: "Les Mikesell" <[EMAIL PROTECTED]>
Crossposted-To: 
comp.os.ms-windows.nt.advocacy,comp.os.ms-windows.advocacy,comp.sys.mac.advocacy,comp.os.os2.advocacy,comp.unix.advocacy
Subject: Re: A Microsoft exodus!
Date: Tue, 07 Nov 2000 04:41:30 GMT


"Christopher Smith" <[EMAIL PROTECTED]> wrote in message
news:8u5s3i$k49$[EMAIL PROTECTED]...

> > > Where can I find this list of "harmless programs" under other OSes ?
> > > Who maintains it ?
> >
> > On unix-like systems it is typically /etc/mailcap and it is a part of
> > the default distribution but can be locally maintained like most things. It
> > often contains entries that are commented out with the reasons a
> > particular program should not be run.
>
> Who maintains it ?  How could this "list" be reconciled against the
> entirely different UI of Windows whilst retaining things like UI consistency ?

You don't want it to do the same things that you would do with
trusted content.  That's the point of having a separate list.  And
it can't be any more trouble to maintain than the other one.

> > > I see.  If the machine started playing Hall of the Mountain King,
> > > flashed the screen red and popped the CDROM tray in and out, would that be
> > > clear enough ?
> >
> > Not as long as it does exactly the same thing before starting a harmless
> > viewer as it does for a script interpreter.
>
> And who gets to determine what a "harmless" filetype is ?  Who gets to
> field all the support calls asking why some filetypes are dealt with differently
> by different programs ?

The same people who are now trying to figure who has broken in and
stolen what and explain why it wasn't prevented.  A very reasonable
trade in my opinion.

> > > Sure they do.  What checking does pine do before piping an attachment
> > > to the program I tell it to ?
> >
> > Would you mind repeating that so we both know you understand *you* are
> > making  this choice, not accepting one hidden from you?
>
> There is no choice hidden from me.  I have to *explicitly* tell outlook to
> execute the attachment.  I get a warning box with a file icon depicting
> the filetype.  The filetype behaves exactly as it would anywhere else in the
> system.

You tell it to 'open' the attachment, and you have no way of knowing
what will happen when you do.

> Do you sincerely think the situation would have been noticeably different
> if the ILOVEYOU email had contained "drag this file onto your desktop then
> double click on it to see how much I love you !" ?

Yes.

> > Usually there is a direct correlation between being able to do something
> > and actually doing it.
>
> Once it's been normalised against a reason for doing it.

Planting a trojan that allows access to your files is always a reason
for some people.

> > No, the victim is normally unaware of anything unusual because the
> > mailer hides the actual operation before, during, and after the fact.
>
> The mailer doesn't hide the operation any more than the entire GUI does.
> Which is one of the whole points of the GUI.

And your point is???

> > The sender is the one who is given control in this design.
>
> This would only be true if they could execute the attachment without the
> sender's consent.

No, it is true because it is next to impossible to know what will
happen when you 'open'.

     Les Mikesell
       [EMAIL PROTECTED]
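The /etc/mailcap mechanism the two posts above argue over, as an added example that is not code from the thread or from any mailer: a small parser for the standard `type/subtype; command %s; field...` line format, plus a dispatcher that decides what "opening" an attachment does. The sample mailcap is constructed for the example, and its commented-out entries record a reason after `--`, which is this example's own convention for the "reasons a particular program should not be run" that the post mentions.

```python
"""Mailcap-style attachment dispatch: the attachment's claimed type only
selects among viewers the local admin listed; anything else is refused."""
import re
import shlex

# Constructed sample in /etc/mailcap syntax. '#' lines are comments; here a
# commented-out entry carries its reason after '--' (this example's convention).
SAMPLE_MAILCAP = """\
# Viewers for untrusted content: none of these execute embedded commands.
image/jpeg; xv %s; test=test -n "$DISPLAY"
text/plain; less %s; needsterminal
application/pdf; xpdf %s
# application/x-sh; sh %s   -- disabled: a shell runs arbitrary commands
# application/postscript; gs -dNOSAFER %s -- disabled: PostScript can write files
"""

# Matches a commented-out entry: "# type/subtype; command  -- reason"
_DISABLED = re.compile(r"#\s*([\w.+-]+/[\w.+-]+)\s*;\s*(.*?)\s*(?:--\s*(.*))?$")


def parse_mailcap(text):
    """Return (active, disabled): active maps a lowercase MIME type to
    (command, extra_fields); disabled maps a type to the recorded reason."""
    active, disabled = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = _DISABLED.match(line)
            if m:
                disabled[m.group(1).lower()] = m.group(3) or "commented out"
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 2 or "/" not in fields[0]:
            continue  # malformed line: ignore rather than guess
        active[fields[0].lower()] = (fields[1], fields[2:])
    return active, disabled


def resolve_handler(mailcap_text, content_type, filename):
    """Decide what 'open' does for an attachment. Returns (decision, detail).
    The filename never reaches a shell unquoted: %s is replaced by the
    shell-quoted path and the command is split into an argv list."""
    active, disabled = parse_mailcap(mailcap_text)
    ctype = content_type.split(";")[0].strip().lower()
    if ctype in active:
        command, _fields = active[ctype]
        argv = shlex.split(command.replace("%s", shlex.quote(filename)))
        return "run_viewer", argv
    if ctype in disabled:
        return "refused", disabled[ctype]
    return "no_handler", ctype


if __name__ == "__main__":
    # Constructed attachments: one a viewer exists for, one deliberately
    # disabled, one with no entry at all.
    for ctype, name in [("image/jpeg", "photo 1.jpg"),
                        ("application/x-sh; name=ILOVEYOU.TXT.vbs", "ILOVEYOU.TXT.vbs"),
                        ("application/x-msdownload", "setup.exe")]:
        print(name, "->", resolve_handler(SAMPLE_MAILCAP, ctype, name))
```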




------------------------------

From: "Les Mikesell" <[EMAIL PROTECTED]>
Crossposted-To: 
comp.os.ms-windows.nt.advocacy,comp.os.ms-windows.advocacy,comp.sys.mac.advocacy,comp.os.os2.advocacy,comp.unix.advocacy
Subject: Re: A Microsoft exodus!
Date: Tue, 07 Nov 2000 04:45:49 GMT


"Ayende Rahien" <[EMAIL PROTECTED]> wrote in message
news:8u657i$1ph$[EMAIL PROTECTED]...
>
> >
> > It is much more dangerous to put them in normal disk files, losing
> > track of the fact that the source is untrusted.   At that point any
> > accidental double-click is bound to launch them.  They are likely
> > to be forgotten, perhaps backed up and restored later, and what
> > do you expect the person who finds them to do first?
>
> And, of course, it's all outlook's fault, isn't it?

Yes because it does not give you a reasonable handler for
untrusted content which is mostly what it handles.

> You saved an attachment to disk, what would you do with it now? Run
> it/edit it/hex it.
> It all depends on the *user*! *Not* outlook!

It is dangerous to save it to disk, and it would be unnecessary if
the mailer handled it correctly.

> Do you realize how silly your argument is?
> If you save a virus attachment in unix, forget about it, what would happen
> when you try to run in?

But you wouldn't do that.  You would open it and either get a viewer
that did not accept embedded commands or it would be some sort
of error if it did not contain the expected data for one of the
configured viewers.  Both are harmless situations.

    Les Mikesell
       [EMAIL PROTECTED]




------------------------------

From: "Les Mikesell" <[EMAIL PROTECTED]>
Crossposted-To: 
comp.os.ms-windows.nt.advocacy,comp.os.ms-windows.advocacy,comp.sys.mac.advocacy,comp.os.os2.advocacy,comp.unix.advocacy
Subject: Re: A Microsoft exodus!
Date: Tue, 07 Nov 2000 04:47:36 GMT


"Ayende Rahien" <[EMAIL PROTECTED]> wrote in message
news:8u657k$1ph$[EMAIL PROTECTED]...
>
> > > > You would have to go very much out of your way to
> > > > achieve the same result under Unix.
> > >
> > > If I run an unknown binary on Unix, wouldn't it be able to access all
> > > of my files? How so?
> >
> > Of course.   That is why mailers won't start unknown binaries or
> > unsafe programs to process attachments by default.
>
> Surprise! Surprise.
> Guess what? Neither does outlook!

What does happen when you open them?

  Les Mikesell
     [EMAIL PROTECTED]




------------------------------

From: Goldhammer <[EMAIL PROTECTED]>
Crossposted-To: 
comp.lang.java.advocacy,comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: Linux growth rate explosion!
Date: Tue, 07 Nov 2000 04:41:26 GMT

In article <YLKN5.123763$[EMAIL PROTECTED]>,
  "Bruce Schuck" <[EMAIL PROTECTED]> wrote:
>
> "Goldhammer" <[EMAIL PROTECTED]> wrote in message
> news:8u7n4s$cum$[EMAIL PROTECTED]...


> > If Access could squeeze oranges and press your shirts in
> > the morning, you or Schuck will be claiming it has unmatched
> > database development functionality.
>
> And a bunch of *nix using bozos would claim that mySQL squeezes
> oranges better even though it wouldn't know what an orange was.


If MS added juice-squeezing functionality to Access (they probably
will, shortly before discontinuing the whole product), then
a comment you are likely to hear from "*nix using bozos" would be:

Access is a better juicer than MySQL, but MySQL is a better
database management system.


>*nix users don't have anything close to the usability and
>functionality of Access in combination with MSDE
>(SQL Server runtime).


1. What is the largest database size allowed by MSDE?

2. How many users does MS claim MSDE is "optimized" for?


> As for:


http://x54.deja.com/=dnc/getdoc.xp?AN=690222620&CONTEXT=973560457


>> Could anyone point me to some Windows-based program that would allow
>> me to interact with an MS Access database via a regular command line
>> interface? I want to be able to do things like SELECTs, UPDATEs etc.
>> without having to use the mouse or drag & drop columns. The SQL view
>> in Access isn't what I'm looking for. What I'd like is more like SQL+
>> for Oracle or MySQL's standard interface.
>
> Why not? The SQL view is even more powerful than SQL+.


The author of the above quote didn't think so.


--
Don't think you are. Know you are.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "Les Mikesell" <[EMAIL PROTECTED]>
Crossposted-To: 
comp.os.ms-windows.nt.advocacy,comp.os.ms-windows.advocacy,comp.sys.mac.advocacy,comp.os.os2.advocacy,comp.unix.advocacy
Subject: Re: A Microsoft exodus!
Date: Tue, 07 Nov 2000 04:51:35 GMT


"The Ghost In The Machine" <[EMAIL PROTECTED]> wrote in
message news:[EMAIL PROTECTED]...
> In comp.os.linux.advocacy, Les Mikesell
> <[EMAIL PROTECTED]>
>  wrote
> >
> >And I'm amazed that they haven't fixed this:
> >
> >[les@crown les]$ whois microsoft.com
> >[whois.crsnic.net]
> >
> >Whois Server Version 1.3
> >
> >Domain names in the .com, .net, and .org domains can now be registered
> >with many different competing registrars. Go to http://www.internic.net
> >for detailed information.
> >
> >MICROSOFT.COM.SE.FAIT.HAX0RIZER.PAR.TOUT.LE.ZOY.ORG
> >MICROSOFT.COM.OWNED.BY.MAT.HACKSWARE.COM
>
> [rest snipped]
>
> What's to fix?  This isn't an OS bug.
>

Oh, I am not surprised about their OS bugs taking a long time to fix.
This is a PR situation, something they never fail to manipulate.
(And it is still there).

   Les Mikesell
      [EMAIL PROTECTED]



------------------------------

From: "Bruce Schuck" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: Chad Meyers: Blatent liar
Date: Mon, 6 Nov 2000 20:59:57 -0800


"Les Mikesell" <[EMAIL PROTECTED]> wrote in message
news:0uLN5.13437$[EMAIL PROTECTED]...
>
> "Bruce Schuck" <[EMAIL PROTECTED]> wrote in message
> news:PQKN5.123765$[EMAIL PROTECTED]...
> >
> > How does anybody get any work done with Linux? Do you have any time left
> > after downloading all the security fixes, compiling them and installing
> > them?
>
> First, since the linux distributions include so many programs, it often
> turns out that you aren't running the one in question anyway.

It seems to me, most have to do with standard services.

>You'd
> have to buy a whole store full of add-on products for the equivalent
> under Windows.

But most of those wouldn't be so insecure to allow root access.


> Then for the cases where you do have to update,
> the distributors all have packaged updates that install with a single
> command,

Most of the ones I've seen need multiple package installations like this
one:

http://www.suse.com/de/support/security/adv5_draht_glibc_txt.txt

    SPECIAL INSTALL INSTRUCTIONS:
    Note that the complete update consists of three (3) binary rpm
    packages and one source rpm package per distribution and platform.
    libc-*.rpm contains the static libraries, libd is the package for
    the profiling+debugging version of the libraries.

    If at all possible, keep your machine calm while you perform the
    update.


Keep your machine calm?



> and (unlike anything from MS) if it isn't the kernel you
> don't even have to reboot.

But you do have to keep your machine calm. :)

> Most of the distributions include a tool
> to automatically pick up the updates for you.

But there are so many that allow root access. How do you keep up?

>
> > > but those poor Windows users have no idea what horrors MS is hiding
> > > from them because MS does not publish its bug list!
> >
> > It's called the knowledge base. It has all the issues. It's searchable.
>
> How often has MS published something there before someone else
> made it public?

They try and post the fix when they publish the problem.




------------------------------

From: "Les Mikesell" <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.java.advocacy
Subject: Re: Linux growth rate explosion!
Date: Tue, 07 Nov 2000 05:03:05 GMT


"Matt Kennel" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...

> :He worded it badly; he was talking server-side. JScript is client-side.
>
> OK.  But isn't it a rather curious model to have code in HTML pages?
>
> Shouldn't it be that code should be making HTML and that pieces
> of HTML would be embedded in program source code?
>
> Why do people do the reverse?

Most people aren't good at both writing program code and doing
good looking HTML layout.   If the program generates HTML
then you are stuck with a programmer making all the changes.
If you write the bulk of the program code as a library that
snippets of code embedded in the HTML invoke for the
dynamic parts people who know HTML can deal with it.   Also,
the server-side processors for these embedded languages
are usually optimized to cache the code they have seen and
automatically detect and reload modified pages.

   Les Mikesell
     [EMAIL PROTECTED]




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.advocacy) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Advocacy Digest
******************************
