All good points, but let me remark on your comment "Can it be locked 
tighter than Win98...Yes." What does that mean anyway? It is near 
impossible to remotely compromise a default install of Windows 9x unless 
the user a) shares his %systemroot% with write access or b) runs a 
trojan. Almost every default install of Linux installs at least some 
services, such as lpd, that can often be exploited.
So in this case Windows 9x users have to actually actively weaken 
Windows 9x network security by installing a program that is remotely 
exploitable, while most Linux users have to disable services and run 
hardening scripts.
And yes, we are comparing apples to oranges in many ways, but I think 
the original point was that vendors should set up their systems to 
install in a secure configuration, especially when selling to home users 
that don't have the time or desire to work at securing their machines.
Don't get me wrong now. Once a Windows 9x user runs a trojan the game is 
over, but the same can be said of the Apple OS (pre-OS X) and other 
consumer grade operating systems. So is Microsoft more at fault simply 
because it has more customers? Why aren't we arguing about Apple vs Linux?
Regards, Dustin
<p><p>john beamon wrote:
<em>> I'll bite here.  "Yes; there's no excuse for selling a system that's
<em>> insecure by default."  That's been in print since the RSA patents expired
<em>> last September and ssh technology became so much more widespread.  Red Hat
<em>> released version 7 the weekend following the expiration of that patent,
<em>> and it installed openssh by default in every prefab install option.
<em>> That...was a good move.
<em>> 
<em>> A friend of mine installed Win2K Advanced Server at home and put it on his
<em>> cable modem.  He found out later that Win2K installed ftp, anonymous ftp,
<em>> by default.  Anonymous user upload was also turned on by default.
<em>> Basically, complete strangers port-scanned his @home net, found an ftp
<em>> server, tried an upload with their fingers crossed, and found themselves a
<em>> warez box.  That...is just wrong.
<em>> 
<em>> Red Hat does not install ftpd by default, which is good.  When it does
<em>> install it, anonymous-ftp is an option you have to select intentionally,
<em>> which is good.  But, for all the tweaking RH did to shape that
<em>> /usr/local/wu-ftpd tarball into /etc and /usr/sbin, they left "real user"
<em>> access turned on.  A real user, any user, can login and browse all over
<em>> the box.  They can retrieve anything from any world-readable folder, /etc
<em>> for example, and start running crack on your /etc/shadow file.  That,
<em>> imho, is broken, especially when there was already so much tweaking done
<em>> during the rpm build.
<em>> 
<em>> Now that the ssh patent situation is less restrictive, there's no reason
<em>> at all that any distro should do the following, imho:
<em>> 
<em>> * allow an installation to continue beyond "root pw" without REQUIRING an
<em>> unprivileged user.
<em>> 
<em>> * install telnetd or wu-ftpd at all.  Admins who need a real ftpd can go
<em>> grab wu-ftpd or proftpd or ncftpd and configure it to be anonymous-only.
<em>> A user who really *needs* to see the contents of /etc can get sudo or the
<em>> root pw and ssh in, but /etc just shouldn't be visible by ftp!
<em>> 
<em>> * install the Berkeley r-tools without installing (or at least strongly
<em>> recommending) ssh to tunnel them through.
<em>> 
<em>> There are plenty more, and that's by no means authoritative, but it gives
<em>> you the idea I have in mind.  There's no real reason to allow a user to
<em>> browse around without the sysadmin providing them either filesystem
<em>> permissions or a sudo account.  Is Linux more insecure out-of-box than
<em>> Win98? Yes.  Can it be locked up tighter than Win98 in about ten minutes?
<em>> Yes.  The automated security setups in the RH 7.1 install and the recent
<em>> Mandrake installs go a long way toward solving this problem for people who
<em>> take them seriously.
<em>> 
<em>> -j
<em>> 
<em>> On Tue, 3 Jul 2001, Dustin Puryear wrote:
<em>> 
<em>> 
<em>>>Date: Tue, 03 Jul 2001 13:57:25 -0500
<em>>>From: Dustin Puryear <[EMAIL PROTECTED]>
<em>>>Reply-To: [EMAIL PROTECTED]
<em>>>To: [EMAIL PROTECTED]
<em>>>Subject: Re: [brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM
<em>>>    ...
<em>>>
<em>>>Well, I don't see this as a Microsoft-thing. Like I said earlier, raw
<em>>>sockets have been available for a long time just about everywhere. And
<em>>>there is little doubt that, ignoring trojans, a base RH 6.2 or even RH 7
<em>>>install is much more hackable than a base Windows NT or definitely a
<em>>>Windows 9x box. So can't it be said that UNIX and Linux vendors should
<em>>>be held just as responsible?
<em>>>
<em>>>Regards, Dustin
<em>>>
<em>>>John Hebert wrote:
<em>>>
<em>>>
<em>>>>Dustin,
<em>>>>
<em>>>>IMHO, this is exactly why Steve Gibson is in a huff.
<em>>>>He's basically saying that M$ irresponsibility
<em>>>>concerning security in XP is going to cause a huge
<em>>>>increase in DDOS attacks.
<em>>>>
<em>>>>This is going to be seen as another point of
<em>>>>competition between OSs, because your typical home
<em>>>>user will be pretty upset when they find out their
<em>>>>machine has been hacked. This is not an apocalyptic
<em>>>>scenario, it will instead cause some good changes, in
<em>>>>that lots of people will start to learn about security
<em>>>>for the first time. I'm looking forward to seeing the
<em>>>>M$ propaganda campaign to convince the user it is his
<em>>>>fault.
<em>>>>
<em>>>>I say let M$ innovate. When the Internet starts to
<em>>>>come to a crawl, we will either make hackers into
<em>>>>terrorists or blame Microsoft. Either one is
<em>>>>interesting with far reaching implications.
<em>>>>
<em>>>>John
<em>>>>
<em>>>>
<em>>>>--- Dustin Puryear <[EMAIL PROTECTED]> wrote:
<em>>>>
<em>>>>
<em>>>>>john beamon wrote:
<em>>>>>
<em>>>>>
<em>>>>>
<em>>>>>>I don't look to make Linux any "easier" for new
<em>>>>>>
<em>>>>>>
<em>>>>>users.  I look for new
<em>>>>>
<em>>>>>
<em>>>>>>users who will at least recognize problems and
<em>>>>>>
<em>>>>>>
<em>>>>>devote a few minutes a
<em>>>>>
<em>>>>>
<em>>>>>>week to staying on top of their updates.
<em>>>>>>
<em>>>>>>
<em>>>>>Well, here is a fundamental difference in opinion on
<em>>>>>what users should
<em>>>>>and should not need to do. I don't feel a computer
<em>>>>>should be like a car
<em>>>>>where users need extensive training to use them.
<em>>>>>Rather, a computer
<em>>>>>should be like a TV where it can be turned on and
<em>>>>>just work.
<em>>>>>
<em>>>>>Users will not "devote a few minutes a week" to
<em>>>>>installing updates.
<em>>>>>Hell, who has the time? Users should just do their
<em>>>>>jobs and use
<em>>>>>computers like they use any other work-related tool.
<em>>>>>Vendors and
<em>>>>>administrators have the responsibility of properly
<em>>>>>configuring and
<em>>>>>maintaining systems.
<em>>>>>
<em>>>>>As far as home users, vendors should properly
<em>>>>>configure their products
<em>>>>>with reasonable security. Home users may be required
<em>>>>>to do more
<em>>>>>maintenance work than a business user, but only a
<em>>>>>little more. It should
<em>>>>>not be a daily or weekly task to check a vendor's
<em>>>>>website, download
<em>>>>>patches, backup system, install patches, check
<em>>>>>patches, ad nauseum.
<em>>>>>
<em>>>>>Regards, Dustin
<em>>>>>
<em>>>>>
<em>>>>>
<em>>>>>
<em>>>>>>-j
<em>>>>>>
<em>>>>>>On Tue, 3 Jul 2001, Ricky Salmon wrote:
<em>>>>>>
<em>>>>>>
<em>>>>>>
<em>>>>>>
<em>>>>>>>Date: Tue, 3 Jul 2001 09:31:33 -0500
<em>>>>>>>From: Ricky Salmon <[EMAIL PROTECTED]>
<em>>>>>>>Reply-To: [EMAIL PROTECTED]
<em>>>>>>>To: [EMAIL PROTECTED]
<em>>>>>>>Subject: RE: [brluglist] Fw: Steve Gibson's
<em>>>>>>>
<em>>>>>>>
<em>>>>>July/2001 News from GRC.COM
<em>>>>>
<em>>>>>
<em>>>>>>>  ...
<em>>>>>>>
<em>>>>>>>Well, to give M$ a little credit (duck), XP is
<em>>>>>>>
<em>>>>>>>
<em>>>>>supposed to have a fair
<em>>>>>
<em>>>>>
<em>>>>>>>amount of security by default.
<em>>>>>>>
<em>>>>>>>But, there's always that relationship between
<em>>>>>>>
<em>>>>>>>
<em>>>>>Security and Usability (is
<em>>>>>
<em>>>>>
<em>>>>>>>that a word?).  I'm sure some
<em>>>>>>>developers/admins will love the fact that they
<em>>>>>>>
<em>>>>>>>
<em>>>>>finally get to use Raw
<em>>>>>
<em>>>>>
<em>>>>>>>Sockets, but that in turn decreases
<em>>>>>>>some amount of security.  As people continue to
<em>>>>>>>
<em>>>>>>>
<em>>>>>add these new features, you
<em>>>>>
<em>>>>>
<em>>>>>>>can't always an "Idiot Proofing" mechanism that
<em>>>>>>>
<em>>>>>>>
<em>>>>>works well...  It's a nice
<em>>>>>
<em>>>>>
<em>>>>>>>double edged sword...
<em>>>>>>>
<em>>>>>>>As for current windows machines, a million and one
<em>>>>>>>
<em>>>>>>>
<em>>>>>trojans already exist.
<em>>>>>
<em>>>>>
<em>>>>>>>So my question is, is it the responsibly of the
<em>>>>>>>
<em>>>>>>>
<em>>>>>Vendor to make sure the
<em>>>>>
<em>>>>>
<em>>>>>>>users know how to use a computer, or is it the
<em>>>>>>>
<em>>>>>>>
<em>>>>>responsibility of the user to
<em>>>>>
<em>>>>>
<em>>>>>>>know how to use a computer?
<em>>>>>>>
<em>>>>>>>As much as I love that certain vendor (sarcasm),
<em>>>>>>>
<em>>>>>>>
<em>>>>>their main focus is to put
<em>>>>>
<em>>>>>
<em>>>>>>>out more productive products with a fair amount of
<em>>>>>>>
<em>>>>>>>
<em>>>>>security.  There aren't
<em>>>>>
<em>>>>>
<em>>>>>>>enough resources in the world to make sure that
<em>>>>>>>
<em>>>>>>>
<em>>>>>every Joe Blow isn't leaving
<em>>>>>
<em>>>>>
<em>>>>>>>themselves open...
<em>>>>>>>
<em>>>>>>>My 2 cents...
<em>>>>>>>
<em>>>>>>>Ricky
<em>>>>>>>
<em>>>>>>>
<em>>>>>>>
<em>>>>>>>-----Original Message-----
<em>>>>>>>From: [EMAIL PROTECTED]
<em>>>>>>>
<em>>>>>>>
<em>>>>>[mailto:[EMAIL PROTECTED]
<em>>>>>
<em>>>>>
<em>>>>>>>Behalf Of John Hebert
<em>>>>>>>Sent: Tuesday, July 03, 2001 9:02 AM
<em>>>>>>>To: [EMAIL PROTECTED]
<em>>>>>>>Subject: Re: [brluglist] Fw: Steve Gibson's
<em>>>>>>>
<em>>>>>>>
<em>>>>>July/2001 News from GRC.COM
<em>>>>>
<em>>>>>
<em>>>>>>>...
<em>>>>>>>
<em>>>>>>>
<em>>>>>>>
<em>>>>>>>--- Dustin Puryear <[EMAIL PROTECTED]> wrote:
<em>>>>>>>
<em>>>>>>>
<em>>>>>>>
<em>>>>>>>>Hmm. Is this about the raw socket deal with
<em>>>>>>>>
<em>>>>>>>>
<em>>>>>Windows
<em>>>>>
<em>>>>>
<em>>>>>>>>XP? Raw sockets have
<em>>>>>>>>been available in the UNIX world for a while, so
<em>>>>>>>>
<em>>>>>>>>
<em>>>>>I
<em>>>>>
<em>>>>>
<em>>>>>>>>guess that means UNIX
<em>>>>>>>>vendors are no better?
<em>>>>>>>>
<em>>>>>>>>
<em>>>>>>>>
<em>>>>>>>>From my understanding of Gibson's writings, he says that raw sockets are
<em>>>>>>>>a problem in Windows XP because most people use M$ Windows operating
<em>>>>>>>>systems (well, duh) AND M$ doesn't seem to have its act together when it
<em>>>>>>>>comes to network security (hmmm, he's got a point). So, distributing M$
<em>>>>>>>>Windows XP with raw sockets for home users who don't properly secure
<em>>>>>>>>their machines will only give DDOS script kiddies more platforms to
<em>>>>>>>>attack from.
<em>>>>>>>
<em>>>>>>>:P
<em>>>>>>>
<em>>>>>>>John
<em>>>>>>>
<em>>>>>>>__________________________________________________
<em>>>>>>>Do You Yahoo!?
<em>>>>>>>Get personalized email addresses from Yahoo! Mail
<em>>>>>>>http://personal.mail.yahoo.com/
<em>>>>>>>================================================
<em>>>>>>>BRLUG - The Baton Rouge Linux User Group
<em>>>>>>>Visit http://www.brlug.net for more information.
<em>>>>>>>Send email to [EMAIL PROTECTED] to change
<em>>>>>>>your subscription information.
<em>>>>>>>================================================
<em>>>>>>>
<em>>>>>>>================================================
<em>>>>>>>BRLUG - The Baton Rouge Linux User Group
<em>>>>>>>Visit http://www.brlug.net for more information.
<em>>>>>>>Send email to [EMAIL PROTECTED] to change
<em>>>>>>>your subscription information.
<em>>>>>>>================================================
<em>>>>>>>
<em>>>>>>>
<em>>>>>>>
<em>>>>>>>
<em>>>>>>================================================
<em>>>>>>BRLUG - The Baton Rouge Linux User Group
<em>>>>>>Visit http://www.brlug.net for more information.
<em>>>>>>Send email to [EMAIL PROTECTED] to change
<em>>>>>>your subscription information.
<em>>>>>>================================================
<em>>>>>>
<em>>>>>>
<em>>>>>>
<em>>>>>>
<em>>>>>>
<em>>>>>--
<em>>>>>Dustin Puryear <[EMAIL PROTECTED]>
<em>>>>>http://members.telocity.com/~dpuryear
<em>>>>>In the beginning the Universe was created.
<em>>>>>This has been widely regarded as a bad move. -
<em>>>>>Douglas Adams
<em>>>>>
<em>>>>>================================================
<em>>>>>BRLUG - The Baton Rouge Linux User Group
<em>>>>>Visit http://www.brlug.net for more information.
<em>>>>>Send email to [EMAIL PROTECTED] to change
<em>>>>>your subscription information.
<em>>>>>================================================
<em>>>>>
<em>>>>>
<em>>>>
<em>>>>
<em>>>>
<em>>>>
<em>>>>
<em>>>
<em>>>
<em>> 
<em>> 
<em>> 
<em>> 
<p>
-- 
Dustin Puryear <[EMAIL PROTECTED]>
http://members.telocity.com/~dpuryear
In the beginning the Universe was created.
This has been widely regarded as a bad move. - Douglas Adams
================================================
BRLUG - The Baton Rouge Linux User Group
Visit http://www.brlug.net for more information.
Send email to [EMAIL PROTECTED] to change
your subscription information.
================================================
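The thread above argues the same point from two sides: a distro should not ship telnetd, wu-ftpd or the Berkeley r-tools enabled, and the user of such a default install is left to "disable services and run hardening scripts". The script below is an added example, not code from the thread or from any distribution: it audits a 2001-style inetd.conf for exactly the services named in the discussion and writes out a hardened copy with those entries commented out. It assumes only the standard inetd.conf field layout (service, socket type, protocol, wait flag, user, server, args); the function names and the RISKY_SERVICES list are my own choices, and the sample config is constructed for the demo. Note that it only covers inetd-managed services; a standalone daemon such as lpd, which the reply also mentions, has to be checked separately.

```shell
#!/bin/sh
# Added example, not from the thread above: audit a 2001-style inetd.conf for
# the cleartext/legacy services the discussion says a distro should not ship
# enabled (telnet, ftp, the Berkeley r-tools, printer), and emit a hardened copy
# with those entries commented out. Assumes only the standard inetd.conf field
# layout: service socket proto wait user server args...

# Services the thread recommends disabling or tunnelling through ssh.
RISKY_SERVICES="telnet ftp shell login exec printer"

# is_risky NAME: succeed if NAME is in RISKY_SERVICES.
is_risky() {
    for r in $RISKY_SERVICES; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

# strip_leading: remove leading whitespace from stdin.
strip_leading() { sed 's/^[[:space:]]*//'; }

# audit_inetd: reads inetd.conf text on stdin and prints
# "ENABLED <service> <server>" for every enabled risky entry.
# Returns 0 if none are enabled, 1 otherwise.
# Lines starting with '#' are disabled entries and are skipped.
audit_inetd() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s\n' "$line" | strip_leading)
        case $line in
            ''|\#*) continue ;;
        esac
        set -- $line
        svc=$1
        if [ $# -ge 6 ]; then shift 5; server=$*; else server='?'; fi
        if is_risky "$svc"; then
            echo "ENABLED $svc $server"
            found=1
        fi
    done
    return $found
}

# count_enabled: number of enabled risky entries in the config on stdin.
count_enabled() { audit_inetd | wc -l | tr -d ' '; }

# harden_inetd: copy stdin to stdout, commenting out enabled risky entries.
# Comments, blank lines and benign services pass through unchanged.
harden_inetd() {
    while IFS= read -r line || [ -n "$line" ]; do
        stripped=$(printf '%s\n' "$line" | strip_leading)
        set -- $stripped
        if [ -n "$stripped" ] && is_risky "${1:-}"; then
            printf '#%s\n' "$line"
        else
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample inetd.conf, modelled on a default install of the period;
# not taken from any real system.
SAMPLE_INETD=$(cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
)

# Demo: report what the default config exposes, then print the hardened copy.
printf '%s\n' "$SAMPLE_INETD" | audit_inetd || echo "--- risky services enabled; hardened config: ---"
printf '%s\n' "$SAMPLE_INETD" | harden_inetd
```

On the sample, the audit reports ftp, telnet, shell and login as enabled (exec is already commented out, finger is not on the list), and the hardened copy passes a second audit cleanly. On a real box the same functions would be run as `audit_inetd < /etc/inetd.conf` and `harden_inetd < /etc/inetd.conf > inetd.conf.new`, followed by a restart of inetd; the script deliberately never edits the live file in place.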

<ul>
<li><strong>Next message:</strong> Dustin Puryear: "Re: [brluglist] Fw: Steve 
Gibson's July/2001 News from GRC.COM ..."
<li><strong>Previous message:</strong> John Hebert: "Re: [brluglist] Fw: Steve 
Gibson's July/2001 News from GRC.COM ..."
<li><strong>In reply to:</strong> john beamon: "Re: [brluglist] Fw: Steve 
Gibson's July/2001 News from GRC.COM ..."
<li><strong>Next in thread:</strong> Jerald Sheets: "Re: [brluglist] Fw: Steve 
Gibson's July/2001 News from GRC.COM ..."
<li><strong>Reply:</strong> Jerald Sheets: "Re: [brluglist] Fw: Steve Gibson's 
July/2001 News from GRC.COM ..."
</ul>

<small>
<em>
This archive was generated by hypermail 2.1.2 
: <em>Thu Sep 06 2001 - 11:10:54 CDT</em>
</em>
</small>
</body>
</html>
