On Thu, Oct 23, 2003 at 02:32:37PM -0500, Curt Purdy wrote:
This is the reason open-source is inherently more secure.
well, maybe, but in absolute terms often still poor. often, not always.
(you think IBM recommended Linux without going over every single line of
code?)
yes.
--
Henning
, October 26, 2003 11:56 PM
Subject: Re: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
On Sun, 26 Oct 2003, Bill Royds wrote:
You are saying that a language that requires every programmer to check for
security problems on every statement of every program is just as secure as
one
On Sun, 26 Oct 2003, Bruce Ediger wrote:
...
Well, no, but I don't believe your theory either. VMS usually gets
held up as an example of an OS without significant security problems.
Sorry to tell you, but DEC wrote VMS mainly in VAX-11 assembler.
The Alpha-CPU port of VMS involved writing a
On Mon, 27 Oct 2003, Bill Royds wrote:
Actually most of VMS was written in a programming language called BLISS-32
which was designed to write an OS.
...
The result of BLISS was VAX assembler code rather than raw machine code,
which is why the port to Alpha went the way it did. Bliss
An alternate way of viewing the security of an application or
operating system is to evaluate the nature of the discovered
vulnerabilities. Are they blatantly obvious, ancient bugs that could
have been found in basic auditing or testing? Or are they new classes
of bugs, and/or more subtle? Do
Okay, first how about a mea culpa - are you part of the OpenBSD group?
Because this sounds suspiciously like the kind of observation, albeit
justified, that would be posted by them. No slander intended, just
curious.
Second, I disagree, and here's why:
, regardless of what language/tool the
--On Sunday, October 26, 2003 12:45 PM -0500 Bill Royds
[EMAIL PROTECTED] wrote:
Actually there is a significant difference between OS that get a large
number of vulnerabilities released like Windows, Linux etc. and those OS
like VMS and OS/400 that do not.
The real difference is the programming
On Mon, 27 Oct 2003, Brett Hutley wrote:
char buf[10];
const char *str1 = "OVER";
const char *str2 = "FLOW!";
sprintf(buf, "%s%s", str1, str2);
Admittedly a contrived example. The best way to handle this type of
stuff is to provide safe functions - like a sprintfn() that takes the
maximum
Ted Unangst wrote:
On Mon, 27 Oct 2003, Brett Hutley wrote:
char buf[10];
const char *str1 = "OVER";
const char *str2 = "FLOW!";
sprintf(buf, "%s%s", str1, str2);
Admittedly a contrived example. The best way to handle this type of
stuff is to provide safe functions - like a sprintfn() that takes
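The snippet quoted above and the bounded sprintfn() the post asks for, side by side. This is an added example, not code from the thread; the names join_unbounded, join_bounded and join_needed are mine. Two things worth knowing when reading the post: the bounded form it describes already exists in the standard library as snprintf (in C99, and in BSD libc before that), and its return value is what tells you the result did not fit; and the strings in the post, "OVER" and "FLOW!", give nine characters plus the terminator, which fills buf[10] exactly, so the overrun only starts with one more character.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread: the posted sprintf pattern next to
 * a bounded replacement. Function names are the editor's own. */

/* The pattern from the post. No length information reaches sprintf, so
 * any a+b longer than the buffer minus one runs past the end of dst.
 * Shown for comparison; only call it with inputs already proven to fit. */
void join_unbounded(char *dst, const char *a, const char *b)
{
    sprintf(dst, "%s%s", a, b);
}

/* The "sprintfn()" the post asks for: snprintf never writes more than
 * dstsz bytes, and its return value (the length the full result would
 * have had) reveals truncation. Returns 0 on success, -1 if the result
 * did not fit; dst is then a truncated, still NUL-terminated string. */
int join_bounded(char *dst, size_t dstsz, const char *a, const char *b)
{
    if (dstsz == 0)
        return -1;
    int n = snprintf(dst, dstsz, "%s%s", a, b);
    if (n < 0) {                 /* output error: leave dst empty */
        dst[0] = '\0';
        return -1;
    }
    if ((size_t)n >= dstsz)      /* needed n+1 bytes, had only dstsz */
        return -1;
    return 0;
}

/* Bytes the concatenation needs, terminator included. Compare this with
 * sizeof buf before trusting the unbounded form. */
size_t join_needed(const char *a, const char *b)
{
    return strlen(a) + strlen(b) + 1;
}

int main(void)
{
    char buf[10];

    /* The strings from the post: 4 + 5 + 1 = 10 bytes, exactly buf[10]. */
    printf("%zu bytes needed for OVER+FLOW!\n", join_needed("OVER", "FLOW!"));
    join_unbounded(buf, "OVER", "FLOW!");
    printf("unbounded: \"%s\"\n", buf);

    /* One more character would overrun buf through sprintf; snprintf
     * truncates and reports it instead. */
    if (join_bounded(buf, sizeof buf, "OVER", "FLOW!!") != 0)
        printf("bounded: truncated to \"%s\"\n", buf);
    return 0;
}
```

Checking the return value is the part people skip: snprintf truncates silently, and a truncated path or command line is its own class of bug. An unbounded sprintf() should only survive review when the caller has already shown, as join_needed does here, that the result fits.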
: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
I agree that inherent OS features have much to do with their
security, but must observe that OSs like VMS and OS/400 have
very few security issues (even, in the first case, where heavily
tested in wide networks) and are not open source (though
it easier to
goof than be correct.
- Original Message -
From: Paul Schmehl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, October 26, 2003 5:15 PM
Subject: Re: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
--On Sunday, October 26, 2003 12:45 PM -0500 Bill Royds
[EMAIL PROTECTED]
On Sun, 26 Oct 2003 11:55:15 PST, Gregory A. Gilliss said:
experts. Mudge and Aleph1 found buffer overflows BITD. Route discovered
Were Mudge and Aleph1 already doing that stuff when the Morris Worm went out in
late 1988 and abused some buffers in fingerd? Smashing the stack for fun and
profit
Title: RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
Just a question. We are counting bugs, right? Why aren't we counting the bugs that got fixed in, for example, SP4 for Windows 2000? That was released this year, correct? It contains at least 670 bugs fixed. Are we counting remotely
On Sun, 26 Oct 2003, Bill Royds wrote:
You are saying that a language that requires every programmer to check for
security problems on every statement of every program is just as secure as
one that enforces proper security as an inherent part of its syntax?
And I suppose that you also
Hi!
In 2003 there have been 43 security advisories for SUSE Linux according to
SUSE's website:
http://www.suse.com/de/security/announcements/index.html
RedHat has had 53 during the same time period:
https://rhn.redhat.com/errata/rh9-errata-security.html
Debian has had 176 during the
Hi!
Let's compare apples to apples, so to speak, if we're going to
invest the effort in the first place, into making silly comparisons.
Do you really believe it matters what the exact numbers are?
Yes, exact numbers matter a great deal! Because by discussing numbers, you can
divert away from
You're *all* clueless, you see, you all have a myopic view of what the
real world *is* like. I'm *not* complaining, mind you. It simply *shows*
your ignorance of the issues.
First of all, it's *not* my fault. Secondly, *I* wasn't whining. Thirdly,
you'd better hope and pray there are people
Paul Schmehl wrote:
The bottom line is that there is a company in Canada, QNX Software
Systems, that writes an OS that simply does not fail and does not have
bugs in it. Their website is here if you want to take a look:
http://www.qnx.com/. Their software powers cars and laser surgery
devices
Question about Linux vs. Windows security.
(first off, I'm a linux newbie)
I can determine when a Windows box has been owned fairly easily.
How do you determine if you have a KLM on your Linux box? (serious question
from someone who does not know) I'm asking specifically about Red Hat
because
On Thu, 23 Oct 2003 17:15:07 CDT, Paul Schmehl [EMAIL PROTECTED] said:
This is an apples to oranges comparison. Netware is a network OS.
Windows includes all the applications that come with Windows, whether
they are part of the base OS, part of the networking functions or addons.
(IE,
On Fri, Oct 24, 2003 at 06:09:12AM -0700, [EMAIL PROTECTED] wrote:
I can determine when a Windows box has been owned fairly easily.
Can you? Really? Hm maybe I should use windows.
How do you determine if you have a KLM on your Linux box? (serious question
from someone who does not know)
On Fri, 24 Oct 2003 06:09:12 PDT, [EMAIL PROTECTED] said:
How do you determine if you have a KLM on your Linux box? (serious question
from someone who does not know) I'm asking specifically about Red Hat
because I am a Corporate America slave and IBM has made this the distribution
that
On Thu, 23 Oct 2003, William Warren wrote:
This is an IBM problem not a Redhat and/or Linux problem.
No, red-hat problem really. IBM does the backend contract for support, be
the dist Suse or red-hat. Red-hat holds the responsibility for
maintaining the RPM's. Now, if the RPM's are not kept
Sven Hoexter wrote:
On Fri, Oct 24, 2003 at 06:09:12AM -0700, [EMAIL PROTECTED] wrote:
I can determine when a Windows box has been owned fairly easily.
Can you? Really? Hm maybe I should use windows.
Yeah, it's easy. Here's what you do:
Look around in back. Next to the Cat-5 cable, there
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 8:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
Question about Linux vs. Windows security.
(first off, I'm a linux newbie)
I
Hi,
--On Friday, October 24, 2003 06:09:12 -0700 [EMAIL PROTECTED] wrote:
(first off, I'm a linux newbie)
I can determine when a Windows box has been owned fairly easily.
How do you determine if you have a KLM on your Linux box? (serious
question from someone who does not know)
Your first
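The question asked above (how to tell whether a hidden kernel module is loaded) gets no complete answer on this page. What follows is an added example, not from any poster in the thread: a first check that compares the module list lsmod reads from /proc/modules with the per-module directories under /sys/module, since a module that unlinks itself from the kernel's module list commonly still leaves its sysfs entry behind. It assumes a 2.6 or later kernel (sysfs did not exist on the 2.4 kernels Red Hat shipped in 2003). The /proc/modules snapshot and the module names in demo_hidden_count are constructed for the demonstration, and the function names are mine.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MOD_NAME_MAX 64
#define MOD_LIST_MAX 256
/* Added example, not from any poster: compare the module list lsmod reads
 * (/proc/modules) with the per-module directories under /sys/module. */

/* Copy the first column (module name) of each /proc/modules line into
 * names; returns how many were stored. */
int parse_proc_modules(const char *text, char names[][MOD_NAME_MAX], int max)
{
    int count = 0;
    const char *p = text;
    while (*p != '\0' && count < max) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p), namelen = 0;
        while (namelen < linelen && p[namelen] != ' ' && p[namelen] != '\t')
            namelen++;
        if (namelen > 0 && namelen < MOD_NAME_MAX) {
            memcpy(names[count], p, namelen);
            names[count++][namelen] = '\0';
        }
        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return count;
}

/* Live view (2.6+ kernels): each /sys/module/<name>/ with an "initstate"
 * file is a loaded module. Built-in code with parameters also gets an
 * entry there but no initstate, so it is skipped. -1 if sysdir is missing. */
int list_sysfs_modules(const char *sysdir, char names[][MOD_NAME_MAX], int max)
{
    DIR *d = opendir(sysdir);
    if (d == NULL)
        return -1;
    int count = 0;
    struct dirent *e;
    char path[512];
    while ((e = readdir(d)) != NULL && count < max) {
        if (e->d_name[0] == '.' || strlen(e->d_name) >= MOD_NAME_MAX)
            continue;
        snprintf(path, sizeof path, "%s/%s/initstate", sysdir, e->d_name);
        if (access(path, F_OK) == 0)
            strcpy(names[count++], e->d_name);
    }
    closedir(d);
    return count;
}

/* Store every sysfs name that /proc/modules does not list; returns count. */
int find_hidden(char proc[][MOD_NAME_MAX], int nproc, char sys[][MOD_NAME_MAX],
                int nsys, char hidden[][MOD_NAME_MAX], int max)
{
    int nh = 0;
    for (int i = 0; i < nsys && nh < max; i++) {
        int seen = 0;
        for (int j = 0; j < nproc && !seen; j++)
            seen = (strcmp(sys[i], proc[j]) == 0);
        if (!seen)
            strcpy(hidden[nh++], sys[i]);
    }
    return nh;
}

/* Offline run on constructed data: two modules in a made-up /proc/modules
 * snapshot, three in a made-up sysfs view. Returns the hidden count (1). */
int demo_hidden_count(void)
{
    static const char sample_proc[] =
        "ext4 700000 1 - Live 0x0000000000000000\n"
        "xfs 900000 0 - Live 0x0000000000000000\n";
    char sample_sys[][MOD_NAME_MAX] = { "ext4", "hidden_demo", "xfs" };
    char proc[MOD_LIST_MAX][MOD_NAME_MAX], hidden[MOD_LIST_MAX][MOD_NAME_MAX];
    int np = parse_proc_modules(sample_proc, proc, MOD_LIST_MAX);
    return find_hidden(proc, np, sample_sys, 3, hidden, MOD_LIST_MAX);
}

/* Live check on this machine; exit status 2 when a mismatch is found. */
int main(void)
{
    static char text[1 << 16];
    char proc[MOD_LIST_MAX][MOD_NAME_MAX], sys[MOD_LIST_MAX][MOD_NAME_MAX],
         hidden[MOD_LIST_MAX][MOD_NAME_MAX];
    FILE *f = fopen("/proc/modules", "r");
    if (f == NULL) { perror("/proc/modules"); return 1; }
    text[fread(text, 1, sizeof text - 1, f)] = '\0';
    fclose(f);
    int np = parse_proc_modules(text, proc, MOD_LIST_MAX);
    int ns = list_sysfs_modules("/sys/module", sys, MOD_LIST_MAX);
    if (ns < 0) { perror("/sys/module"); return 1; }
    int nh = find_hidden(proc, np, sys, ns, hidden, MOD_LIST_MAX);
    for (int i = 0; i < nh; i++)
        printf("in /sys/module but not in /proc/modules: %s\n", hidden[i]);
    return nh > 0 ? 2 : 0;
}
```

Treat a mismatch as a lead, not a verdict, and a clean result as weak evidence only. A module that also removes its sysfs entry, or that hooks the system calls this program relies on (open, read, getdents), will not show up; neither will anything if the compiler or libc on the box is already compromised. On Red Hat the same caution applies to the tools you would normally reach for, so verify their packages (rpm -Va checks installed files against the package database) and, when it matters, do the conclusive check from a boot medium you trust or against a memory image rather than from the running kernel.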
I agree that inherent OS features have much to do with their
security, but must observe that OSs like VMS and OS/400 have
very few security issues
snip
Agreed, I believe OS/400 may be the most secure out-of-the-box system out
there. But never underestimate a lousy vendor. My last audit was
On Thu, 23 Oct 2003, Michal Zalewski wrote:
On Wed, 22 Oct 2003, Curt Purdy wrote:
http://www.linuxunlimited.com/why-linux.htm
``Properly configured and maintained, Linux is one of the
most secure operating systems available today.''
The key words here are properly configured.
Well,
http://www.linuxunlimited.com/why-linux.htm
``Properly configured and maintained, Linux is one of the
most secure operating systems available today.''
The key words here are properly configured.
Well, once properly configured, pretty much _any_ operating
system would
make it to the
On Thu, 23 Oct 2003, Curt Purdy wrote:
This is the reason open-source is inherently more secure.
Oh please. Count Apache bugs this year. Compare to IIS in the same period.
There's nothing inherent to any of the development models. There are good
developers and bad developers on both sides.
Message-
From: Curt Purdy [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 3:33 PM
To: 'Michal Zalewski'
Cc: [EMAIL PROTECTED]
Subject: RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
http://www.linuxunlimited.com/why-linux.htm
``Properly configured and maintained, Linux
[SNIP]
First, people can actually audit it for security (you think IBM
recommended Linux without going over every single line of code?)
Yes.
To support this, take red-hat on the s390 platform;
red-hat pushes out the product, which IBM is the back channel support for.
I ask in
This is an IBM problem not a Redhat and/or Linux problem.
Ron DuFresne wrote:
[SNIP]
red-hat pushes out the product, which IBM is the back channel support for.
I ask in the very first meeting with the red-hat sales-lizard; Umm, there
was a vuln released today that affects the kernel, I see
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
SNIP
To support this, take red-hat on the s390 platform;
red-hat pushes out the product, which IBM is the back channel support for.
I ask in the very first meeting with the red-hat sales-lizard;
SNIP
Not that it helps your support situation,
--On Thursday, October 23, 2003 02:32:37 PM -0500 Curt Purdy
[EMAIL PROTECTED] wrote:
I heartily disagree. When you have inherently more secure code in OS's
like *NIX and Netware, as evidenced by the paltry number of patches
required by those OS's (1 in Netware vs. 38 for Windows in the same
Paul should know better than most. He sits on his ass all day
reading/replying to posts instead of fixing the almost insurmountable # of
vulns in his domain.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Schmehl
Sent: Thursday, October
AMEN!!!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Schmehl
Sent: Thursday, October 23, 2003 6:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
--On Thursday, October 23, 2003 02:32:37 PM -0500 Curt
--On Thursday, October 23, 2003 7:10 PM -0400 Andy Wood
[EMAIL PROTECTED] wrote:
Paul should know better than most. He sits on his ass all day
reading/replying to posts instead of fixing the almost insurmountable # of
vulns in his domain.
And I get paid well for doing it, which
--On Thursday, October 23, 2003 5:11 PM -0700 Dan Wilder [EMAIL PROTECTED]
wrote:
Among those advisories you mention on the Linux sites, I see subjects
including tomcat4, openssl, freesweep, marbles, gopher, sendmail,
mah-jong, wu-ftpd, exim, perl, phpgroupware, mutt, qpopper, squirrelmail.
And
I have never heard of a Linux vendor saying that Linux is
secure out of the
box.
More than enough people assert that Linux is secure. Just
enter Linux is
secure in Google and you see what I mean:
http://www.linuxunlimited.com/why-linux.htm
``Properly configured and maintained, Linux is
40 matches