Linux-Advocacy Digest #267, Volume #30           Thu, 16 Nov 00 10:13:03 EST

Contents:
  Re: Of course, there is a down side... ("Chad Myers")
  Re: The Sixth Sense ("Ayende Rahien")
  Re: OT: Could someone explain C++ phobia in Linux? (mlw)
  Re: A Microsoft exodus! ("Sam Morris")
  Re: Of course, there is a down side... ("Chad Myers")
  Re: Windoze 2000 - just as shitty as ever ("Ayende Rahien")
  Re: Of course, there is a down side... ("Chad Myers")
  Re: RedHat BugList Summary (Ketil Z Malde)
  Re: Microsoft Speaks German! (André Pönitz)
  Re: The Sixth Sense ("Christopher Smith")
  Re: The Sixth Sense ("Christopher Smith")

----------------------------------------------------------------------------

From: "Chad Myers" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: Of course, there is a down side...
Date: Thu, 16 Nov 2000 13:56:23 GMT


"Gary Hallock" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> >
> >
> > Do you use Linux?
>
> Yes
>
> >
> >
> > If yes, then you've used a "version" of Unix which doesn't have ACLs.
> >
>
> No
>
> >
> > HP-UX? HP-UX doesn't have ACLs without special add-ons. Even if it
> > does have ACLs (new improvement?) it isn't up to snuff because it
> > isn't even considered for audit by the TSEC.
> >
>
> HP, yes

Not by default.

>
> >
> > Solaris? Nope.
>
> Solaris, yes

Not by default.

> >
> >
> > BSD? Nope.
>
> Never used BSD
>
> >
> >
> > What versions have you used that DO have ACLs?
> >
>
> Linux, HP, AIX, Solaris

None by default, and still, many applications will
not function with ACLs involved because of the
overriding dependency on permission bits.

-Chad



------------------------------

From: "Ayende Rahien" <[EMAIL PROTECTED]>
Crossposted-To: alt.destroy.microsoft,comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: The Sixth Sense
Date: Thu, 16 Nov 2000 16:13:20 +0200


"Giuliano Colla" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Chad Myers wrote:
> >
> > "Giuliano Colla" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > Christopher Smith wrote:
>
> > > [snip]
>
> > > Easy example. I put in an html page (or html e-mail) a link. Visible
> > > string tells anything reasonable such as www.microsoft.com, or
> > > Photograph, etc. Underlying link (which you don't see) contains:
> > > "C:\WINDOWS\rundll.exe User,ExitWindows". This, with crappy MS software
> > > (OS+IE or OS+OE) will shut down your computer even if you have disabled
> > > ActiveX, VB, and Javascript.
> > > Technically is a trojan, but anybody can be fooled and no other OS (IE
> > > is now part of the OS, they say!) in the world, however bad, is
> > > vulnerable to such a simple trick.
> >
> > You can't shut down the system in Linux? What? You can as root, but
> > not a user?
> >
> > Same way in NT, so this argument is really irrelevant.
>
> I'm afraid you failed to grasp what my example shows.
>
> It's not related only to shutdown, it is just an example.
>
> What I've shown is that it is possible, by clicking an
> apparently innocent link, to have your computer to perform
> ANY operation that you could type on the ->Start->Run box,
> with you being completely unaware of that.
> A malicious e-mail, a malicious site, or, much more
> commonly, a buggy e-mail or a buggy site may produce any
> destructive result, without you being able to tell until
> it's too late.

You are wrong.
Explorer will present you with a download question: "do you want to save or
open the file"
It won't execute it automatically.




------------------------------

From: mlw <[EMAIL PROTECTED]>
Subject: Re: OT: Could someone explain C++ phobia in Linux?
Date: Thu, 16 Nov 2000 09:15:30 -0500

Donovan Rebbechi wrote:
> 
> On 16 Nov 2000 10:04:05 +0200, Michael Livshin wrote:
> >[EMAIL PROTECTED] (Donovan Rebbechi) writes:
> >
> 
> >it depends on what you consider the issue.  if your issue is "but C++
> >is better than C" then sure.
> 
> Fair enough. I understand your "issue" now.
> 
> Your points about lacking memory management are well taken, and I agree that
> there are certainly advantages to using a GC language. However, there are
> issues including performance, and toolkit availability. These are the
> main two reasons why I use it. If performance wasn't an issue, I'd move
> to python or possibly java at the drop of a hat.

Maybe I'm just old school here, if I don't have a full understanding
about how the code I write translates to actual machine instructions, I
find it difficult to work in the environment.

For instance:

for(int i=0; i < 100; i++)
        ;

I have a good general knowledge about how that will translate in C++ to
assembly. Take:

for($i=0; $i < 100; $i++)
        ;

In PHP is not nearly as efficient, worse yet, it is very hard to figure
out how inefficient it is. One has to crawl around the insides of PHP
and figure out how all the tokens are translated and executed. The same
goes for Java, python, etc. In C/C++ almost all the compilers will
generate assembly from C/C++ source.

I think the huge complaint these days about "bloatware" is that students
are not taught how to code. A lot of the kids coming out of college
hardly know C/C++ at all, and focus on something like Java. Most have
never seen assembly code. I think this is important, our schools are
creating a legion of business app developers, with very few qualified to
work on operating system, low level or performance related software. It
is a shame.
> 
> --
> Donovan

-- 
http://www.mohawksoft.com

------------------------------

From: "Sam Morris" <[EMAIL PROTECTED]>
Crossposted-To: 
comp.os.ms-windows.nt.advocacy,comp.os.ms-windows.advocacy,comp.sys.mac.advocacy,comp.os.os2.advocacy,comp.unix.advocacy
Subject: Re: A Microsoft exodus!
Date: Thu, 16 Nov 2000 14:18:08 -0000

> > > And now that you have saved the file on the disk and forgotten about
> > > it, what happens when you or someone else comes along later
> > > and double-clicks it?   It is a loaded gun - giving it your blessing
> > > to live in the filesystem is very dangerous.
> >
> > So what do you people want to happen? It's unsafe to run it, it's unsafe
> > to save it and view it in Notepad... What else are we supposed to do with our
> > attachments?
>
> The mailer should either provide a safe viewer or warn you that
> there is no safe viewer (and it should *not* warn for normal
> attachments where a safe action is possible).   That way if you
> get something unsafe and unexpected you will know not to execute
> it.

So let's say that Notepad is the safe viewer for .vbs files. When you open a
VBS attachment from within OE it is saved to the Temp folder and opened by
Notepad. It's still getting saved to the disk.

Besides, you still have the problem of informing the mailer what is safe and
what isn't. Who gets to edit/update the list? Who gets to decide whether a
viewer is safe or not?

> > Besides, in a properly configured system, if I save a file to the disk,
> > /only/ I can run it, since other people can't access my files.
>
> Will you remember forever not to execute it yourself?  Is this
> a business computer that might eventually be used by someone
> else?

Personally, I'd delete it after viewing. I am tidy. :)

Someone else viewing it doesn't really come into the equation, since this
computer is 'properly configured' - no one else can read my files.

>      Les Mikesell
>        [EMAIL PROTECTED]

--
Cheers,

Sam

_o/
 >\



------------------------------

From: "Chad Myers" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: Of course, there is a down side...
Date: Thu, 16 Nov 2000 14:01:02 GMT


"Craig Kelley" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Chad Myers" <[EMAIL PROTECTED]> writes:
>
> > "Gary Hallock" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > [EMAIL PROTECTED] wrote:
> > >
> > > > My my but we are getting nasty today.
> > > >
> > > > You're starting to sound like jedi :(
> > > >
> > > > Pretty soon you might start adding the word "hardly" to every
> > > > sentence.
> > > >
> > > > claire
> > > >
> > >
> > > But it really is very simple to install wine.   If you can't do it, then you
> > > have no brain:
> > >
> > > rpm -Uvh wine*.rpm
> >
> > This is brain dead? Why not rpm wine*.rpm?
> >
> > Why not have one wine file, why are there multiple?
> >
> > What's -v and -h for? Yes, I'm sure that it's all in the docs (if
> > there are any), but seriously, simply extract an rpm file I must
> > really have THREE command line arguments?
> >
> > How many are required to get a listing of the contents of the rpm?
> > 8? 9?
>
> Click on the GNOME menu.
>
> Click on gnorpm.
>
> Click install.
>
> Or, just browse to the file using the mouse and double-click on the
> RPM.  This is not brain surgery.

This is much better. Gary began explaining how to do relatively
simple and frequent tasks with RPM which involve 3-5 command line
arguments. What the hell were they thinking?

> > > man wine.conf
> >
> > Ah yes, two things here:
> >
> > - man the always unintuitive, vague, and rarely helpful Jargon-o
> > Machine that seems to only really assist the people who actually
> > developed the application you're attempting to get assistance for.
> >
> > And "man"? I want "help" or "assistance". The term "man" is
> > completely back-asswards. Like everything, I guess, in Linux and
> > Unix.
>
> Ahem, just like 'winipcfg' and 'musermgr'?

Big difference....

RPM - Used frequently, and typically required, to install many new
      applications downloaded from the Internet. Almost as ubiquitous
      as .ZIP on the Windows platform.

MAN - The basic help system, used frequently.

winipcfg - used infrequently by sysadmins to troubleshoot IP problems

musermgr - never heard of it. You mean usermgr.exe? Also only used
           by sysadmins for user configuration.

See the difference? The basic help system, and the basic application
installer vs two sysadmin tools.

If we're going to compare apples to apples, compare RPM to ZIP in
ease of use (or the gnomerpm to WinZIP) and MAN to Windows HELP.

-Chad



------------------------------

From: "Ayende Rahien" <[EMAIL PROTECTED]>
Crossposted-To: alt.destroy.microsoft,comp.os.ms-windows.advocacy
Subject: Re: Windoze 2000 - just as shitty as ever
Date: Thu, 16 Nov 2000 16:15:09 +0200


<[EMAIL PROTECTED]> wrote in message news:8v0ljc$73i$[EMAIL PROTECTED]...
> Your reply makes me laugh. It seems that whenever
> Windows cocks up, it is always the fault of the users
> ah?
>
> You still have not even addressed the fact that such
> things will never happen to any Unix operating system

No, but in most cases, it is the fault of the users.
As for Unix not having these problems, it doesn't have these users, that is
why it lacks these problems.



------------------------------

From: "Chad Myers" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: Of course, there is a down side...
Date: Thu, 16 Nov 2000 14:02:58 GMT


"Tom Wilson" <[EMAIL PROTECTED]> wrote in message
news:1dMQ5.154$[EMAIL PROTECTED]...
>
> "Chad Myers" <[EMAIL PROTECTED]> wrote in message
> news:MCIQ5.8699$[EMAIL PROTECTED]...
> >
> > "Gary Hallock" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > [EMAIL PROTECTED] wrote:
> > >
> > > > My my but we are getting nasty today.
> > > >
> > > > You're starting to sound like jedi :(
> > > >
> > > > Pretty soon you might start adding the word "hardly" to every
> > > > sentence.
> > > >
> > > > claire
> > > >
> > >
> > > But it really is very simple to install wine.   If you can't do it, then you
> > > have no brain:
> > >
> > > rpm -Uvh wine*.rpm
> >
> > This is brain dead? Why not rpm wine*.rpm?
> >
> > Why not have one wine file, why are there multiple?
> >
> > What's -v and -h for? Yes, I'm sure that it's all in the docs (if
> > there are any), but seriously, simply extract an rpm file I must
> > really have THREE command line arguments?
>
> Nahh... If you want, you could have more!
> Free OS / Free Country
> Knock yourself out!
>
> >
> > How many are required to get a listing of the contents of the rpm?
> > 8? 9?
>
> Hmmm.... rpm -qilp wine*.rpm
>
>                      four

Oh that's MUCH better.

Why not just rpm -l wine*.rpm?

Why do I need FOUR, count them FOUR, arguments just to list the contents?

>
> >
> > > man wine.conf
> >
> > Ah yes, two things here:
> >
> > - man the always unintuitive, vague, and rarely helpful Jargon-o
> > Machine that seems to only really assist the people who actually
> > developed the application you're attempting to get assistance for.
> >
> > And "man"? I want "help" or "assistance". The term "man" is
> > completely back-asswards. Like everything, I guess, in Linux and
> > Unix.
>
> alias help='man'
> alias assistance='man'

And the average joe user is expected to know this?

What if I didn't know what alias was? How would I find out that
it existed?

I'd have to buy a For Dummies book just to do basic stuff.

With Windows, there are how-tos, wizards, walk-throughs, and a
comprehensive, searchable, indexed help system.

-Chad



------------------------------

Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: RedHat BugList Summary
From: Ketil Z Malde <[EMAIL PROTECTED]>
Date: Thu, 16 Nov 2000 14:44:53 GMT

"Chad Myers" <[EMAIL PROTECTED]> writes:

> What? Have you even looked at the numbers? Win2K has like a 3rd or
> less of the exploits that Red Hat alone has.

According to BugTraq,
  http://www.securityfocus.com/frames/?content=/vdb/stats.html
Windows 2000 has had 58 security issues, and is right behind NT4,
which leads the pack with 71.  Red Hat's highest is the 6.2 version,
with 34.  And it is also the highest of Linux distros, Debian 2.1 has
16, and SuSE 15.

I wonder where you get your numbers?  Oh, that's right, you make them
up. 

-kzm
-- 
If I haven't seen further, it is by standing in the footprints of giants

------------------------------

From: André Pönitz <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: Microsoft Speaks German!
Date: 16 Nov 2000 14:48:03 GMT

In comp.os.linux.advocacy Chad Myers <[EMAIL PROTECTED]> wrote:
> G.W.Bush is in the lead and will rectify the situation.

By having some more people executed perhaps?

SCNR,
Andre'

-- 
André Pönitz ........................................ [EMAIL PROTECTED]

------------------------------

From: "Christopher Smith" <[EMAIL PROTECTED]>
Crossposted-To: alt.destroy.microsoft,comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: The Sixth Sense
Date: Fri, 17 Nov 2000 00:53:29 +1000


"Giuliano Colla" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Christopher Smith wrote:
> [snip]
> > > I assumed it operated on the same bugs that so many other virii have
> > > taken advantage of.
> >
> > Such as ?
> >
> > > So replace ILOVEYOU with the virus of your choice
> > > that IS related to the above problems, and the point is still valid.
> >
> > Examples ?
> >
> > > Is ILOVEYOU another one of the fireworks/south park attachment clones
> > > instead?  If it's an attachment the user has to run manually, it's not a
> > > virus...
> >
> > Yes, it has to be run manually.  No, it's not a virus.  It's a trojan and,
> > as such, is possible under any OS.
>
> That's a rather bold assertion.

Nevertheless, it is true.

> Easy example. I put in an html page (or html e-mail) a link. Visible
> string tells anything reasonable such as www.microsoft.com, or
> Photograph, etc. Underlying link (which you don't see) contains:
> "C:\WINDOWS\rundll.exe User,ExitWindows". This, with crappy MS software
> (OS+IE or OS+OE) will shut down your computer even if you have disabled
> ActiveX, VB, and Javascript.

Unsurprisingly, you are completely wrong.  The above scenario will result in
a dialog asking you if you want to download and save or open the file,
defaulting to save.

> Technically is a trojan, but anybody can be fooled and no other OS (IE
> is now part of the OS, they say!) in the world, however bad, is
> vulnerable to such a simple trick.

It is not vulnerable at all.
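
An added example, not part of the original posts: the dispute above concerns a link whose visible text names a web site while the underlying target is a local command, and a mail filter or review tool can test for that mismatch mechanically. The sample HTML, every host name and path other than the one quoted in the thread, and the function and class names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; the first link reproduces the one described in the thread.
SAMPLE_HTML = r'''
<p><a href="C:\WINDOWS\rundll.exe User,ExitWindows">www.microsoft.com</a></p>
<p><a href="http://www.example.org/report.doc">report.doc</a></p>
<p><a href="http://mirror.example.net/">www.example.org</a></p>
<p><a href="file:///C:/WINDOWS/notepad.exe">Photograph</a></p>
'''

LOCAL_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\)")  # drive letter or UNC share
EXECUTABLE = re.compile(r"\.(?:exe|bat|cmd|pif|scr|vbs)\b", re.I)
# Visible text counts as a host claim only if it starts with a scheme or "www."
HOST_CLAIM = re.compile(r"^(?:https?://([^/\s:]+)|(www\.[^/\s:]+))", re.I)
WEB_SCHEMES = {"http", "https", "mailto"}


def classify(text, href):
    """Return the reasons a link's target disagrees with what the reader sees."""
    reasons, host, href = [], "", href.strip()
    if LOCAL_PATH.match(href):
        reasons.append("local-path")
        path = href
    else:
        parts = urlsplit(href)
        host, path = (parts.hostname or "").lower(), parts.path
        if parts.scheme.lower() == "file":
            reasons.append("local-path")
        elif parts.scheme.lower() not in WEB_SCHEMES:
            # Also catches scheme-less (relative) targets, which mail should not carry.
            reasons.append("unexpected-scheme")
    if EXECUTABLE.search(path):
        reasons.append("executable-target")
    claim = HOST_CLAIM.match(text)
    if claim and (claim.group(1) or claim.group(2)).lower() != host:
        reasons.append("text-host-mismatch")
    return reasons


class LinkAuditor(HTMLParser):
    """Collect (visible text, href, reasons) for every suspicious <a> element."""

    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            reasons = classify(text, self._href)
            if reasons:
                self.findings.append((text, self._href, reasons))
            self._href = None


def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings
```
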




------------------------------

From: "Christopher Smith" <[EMAIL PROTECTED]>
Crossposted-To: alt.destroy.microsoft,comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: The Sixth Sense
Date: Fri, 17 Nov 2000 00:56:43 +1000


"Giuliano Colla" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Chad Myers wrote:
> >
> > "Giuliano Colla" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > Christopher Smith wrote:
>
> > > [snip]
>
> > > Easy example. I put in an html page (or html e-mail) a link. Visible
> > > string tells anything reasonable such as www.microsoft.com, or
> > > Photograph, etc. Underlying link (which you don't see) contains:
> > > "C:\WINDOWS\rundll.exe User,ExitWindows". This, with crappy MS software
> > > (OS+IE or OS+OE) will shut down your computer even if you have disabled
> > > ActiveX, VB, and Javascript.
> > > Technically is a trojan, but anybody can be fooled and no other OS (IE
> > > is now part of the OS, they say!) in the world, however bad, is
> > > vulnerable to such a simple trick.
> >
> > You can't shut down the system in Linux? What? You can as root, but
> > not a user?
> >
> > Same way in NT, so this argument is really irrelevant.
>
> I'm afraid you failed to grasp what my example shows.

I'm afraid you fail to grasp your example is _wrong_.

> It's not related only to shutdown, it is just an example.
>
> What I've shown is that it is possible, by clicking an
> apparently innocent link, to have your computer to perform
> ANY operation that you could type on the ->Start->Run box,
> with you being completely unaware of that.

No, what you've shown is that you have no clue.

> A malicious e-mail, a malicious site, or, much more
> commonly, a buggy e-mail or a buggy site may produce any
> destructive result, without you being able to tell until
> it's too late.

False.

> Well, this problem result from the MS inability to tell
> apart "open a document with an application" from "run an
> application". And this is an MS-ONLY issue. No other OS is
> so crappy. No other Browser or e-mail client is so crappy.
> The feature is common on Desktop environment, and it is
> handy. But it must be (as it is on any other OS's) limited
> to desktop, it can't be a system wide feature.

Even if the problem as you described it existed, it would have nothing to do
with "MS inability to tell apart "open a document with an application" from
"run an application"".  An "inability" which is neither a) unique to
Microsoft (KDE, for example, "suffers" from the same "problem") nor b)
originated by them.


> > In an enterprise environment, the workstations would/should be locked
> > down in such a way that viruses become irrelevant.
>
> When the browser can't tell apart url addresses from
> executables on your box, it's not a trivial task.

Except IE can.

> The only way is to rule out MS crapware. No other way out.

Or just use IE, because it works fine.

> > Email viruses are easily defeated with rules and virus scanning software.
> >
>
> What will be your rule when a link appears just to be
> "report.doc" coming from a trusted site? (and it was
> intended to be, but the guy pasted the wrong thing, maybe
> the last command he typed on ->Start->Run?)

Won't make any difference.  The browser will still prompt before opening it.

> According to a recent survey from the American Society for
> Information security roughly 75% of security breaches comes
> out of "casual errors" (i.e. bugs or unexpected operations).
> As MS accounts for 90% of installed stations, you may easily
> draw your conclusions.



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.advocacy) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Advocacy Digest
******************************
