You mean Linux vs BSD :) --JMS

----- Original Message -----
From: "Dustin Puryear" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 03, 2001 3:48 PM
Subject: Re: [brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM ...

> All good points, but let me remark on your comment "Can it be locked
> tighter than Win98...Yes." What does that mean anyway? It is near
> impossible to remotely compromise a default install of Windows 9x unless
> the user a) shares his %systemroot% with write access or b) runs a
> trojan. Almost every default install of Linux installs at least some
> services, such as lpd, that can often be exploited.
>
> So in this case Windows 9x users have to actually actively weaken
> Windows 9x network security by installing a program that is remotely
> exploitable, while most Linux users have to disable services and run
> hardening scripts.
>
> And yes, we are comparing apples to oranges in many ways, but I think
> the original point was that vendors should set up their systems to
> install in a secure configuration, especially when selling to home users
> that don't have the time or desire to work at securing their machines.
>
> Don't get me wrong now. Once a Windows 9x user runs a trojan the game is
> over, but the same can be said of the Apple OS (pre-OS X) and other
> consumer grade operating systems. So is Microsoft more at fault simply
> because it has more customers? Why aren't we arguing about Apple vs Linux?
>
> Regards, Dustin
>
>
> john beamon wrote:
>
> > I'll bite here. "Yes; there's no excuse for selling a system that's
> > insecure by default." That's been in print since the RSA patents expired
> > last September and ssh technology became so much more widespread. Red Hat
> > released version 7 the weekend following the expiration of that patent,
> > and it installed openssh by default in every prefab install option.
> > That...was a good move.
> >
> > A friend of mine installed Win2K Advanced Server at home and put it on his
> > cable modem. He found out later that Win2K installed ftp, anonymous ftp,
> > by default. Anonymous user upload was also turned on by default.
> > Basically, complete strangers port-scanned his @home net, found an ftp
> > server, tried an upload with their fingers crossed, and found themselves a
> > warez box. That...is just wrong.
> >
> > Red Hat does not install ftpd by default, which is good. When it does
> > install it, anonymous-ftp is an option you have to select intentionally,
> > which is good. But, for all the tweaking RH did to shape that
> > /usr/local/wu-ftpd tarball into /etc and /usr/sbin, they left "real user"
> > access turned on. A real user, any user, can log in and browse all over
> > the box. They can retrieve anything from any world-readable folder, /etc
> > for example, and start running crack on your /etc/shadow file. That,
> > imho, is broken, especially when there was already so much tweaking done
> > during the rpm build.
> >
> > Now that the ssh patent situation is less restrictive, there's no reason
> > at all that any distro should do the following, imho:
> >
> > * allow an installation to continue beyond "root pw" without REQUIRING an
> > unprivileged user.
> >
> > * install telnetd or wu-ftpd at all. Admins who need a real ftpd can go
> > grab wu-ftpd or proftpd or ncftpd and configure it to be anonymous-only.
> > A user who really *needs* to see the contents of /etc can get sudo or the
> > root pw and ssh in, but /etc just shouldn't be visible by ftp!
> >
> > * install the Berkeley r-tools without installing (or at least strongly
> > recommending) ssh to tunnel them through.
> >
> > There are plenty more, and that's by no means authoritative, but it gives
> > you the idea I have in mind. There's no real reason to allow a user to
> > browse around without the sysadmin providing them either filesystem
> > permissions or a sudo account. Is Linux more insecure out-of-box than
> > Win98? Yes. Can it be locked up tighter than Win98 in about ten minutes?
> > Yes. The automated security setups in the RH 7.1 install and the recent
> > Mandrake installs go a long way toward solving this problem for people who
> > take them seriously.
> >
> > -j
> >
> > On Tue, 3 Jul 2001, Dustin Puryear wrote:
> >
> >> Date: Tue, 03 Jul 2001 13:57:25 -0500
> >> From: Dustin Puryear <[EMAIL PROTECTED]>
> >> Reply-To: [EMAIL PROTECTED]
> >> To: [EMAIL PROTECTED]
> >> Subject: Re: [brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM
> >> ...
> >>
> >> Well, I don't see this as a Microsoft-thing. Like I said earlier, raw
> >> sockets have been available for a long time just about everywhere. And
> >> there is little doubt that, ignoring trojans, a base RH 6.2 or even RH 7
> >> install is much more hackable than a base Windows NT or definitely a
> >> Windows 9x box. So can't it be said that UNIX and Linux vendors should
> >> be held just as responsible?
> >>
> >> Regards, Dustin
> >>
> >> John Hebert wrote:
> >>
> >>> Dustin,
> >>>
> >>> IMHO, this is exactly why Steve Gibson is in a huff.
> >>> He's basically saying that M$ irresponsibility
> >>> concerning security in XP is going to cause a huge
> >>> increase in DDOS attacks.
> >>>
> >>> This is going to be seen as another point of
> >>> competition between OSs, because your typical home
> >>> user will be pretty upset when they find out their
> >>> machine has been hacked. This is not an apocalyptic
> >>> scenario, it will instead cause some good changes, in
> >>> that lots of people will start to learn about security
> >>> for the first time. I'm looking forward to seeing the
> >>> M$ propaganda campaign to convince the user it is his
> >>> fault.
> >>>
> >>> I say let M$ innovate. When the Internet starts to
> >>> come to a crawl, we will either make hackers into
> >>> terrorists or blame Microsoft. Either one is
> >>> interesting with far reaching implications.
> >>>
> >>> John
> >>>
> >>>
> >>> --- Dustin Puryear <[EMAIL PROTECTED]> wrote:
> >>>
> >>>> john beamon wrote:
> >>>>
> >>>>> I don't look to make Linux any "easier" for new users. I look for new
> >>>>> users who will at least recognize problems and devote a few minutes a
> >>>>> week to staying on top of their updates.
> >>>>
> >>>> Well, here is a fundamental difference in opinion on what users should
> >>>> and should not need to do. I don't feel a computer should be like a car
> >>>> where users need extensive training to use them. Rather, a computer
> >>>> should be like a TV where it can be turned on and just work.
> >>>>
> >>>> Users will not "devote a few minutes a week" to installing updates.
> >>>> Hell, who has the time? Users should just do their jobs and use
> >>>> computers like they use any other work-related tool. Vendors and
> >>>> administrators have the responsibility of properly configuring and
> >>>> maintaining systems.
> >>>>
> >>>> As far as home users, vendors should properly configure their products
> >>>> with reasonable security. Home users may be required to do more
> >>>> maintenance work than a business user, but only a little more. It should
> >>>> not be a daily or weekly task to check a vendor's website, download
> >>>> patches, back up the system, install patches, check patches, ad nauseam.
> >>>>
> >>>> Regards, Dustin
> >>>>
> >>>>
> >>>>> -j
> >>>>>
> >>>>> On Tue, 3 Jul 2001, Ricky Salmon wrote:
> >>>>>
> >>>>>> Date: Tue, 3 Jul 2001 09:31:33 -0500
> >>>>>> From: Ricky Salmon <[EMAIL PROTECTED]>
> >>>>>> Reply-To: [EMAIL PROTECTED]
> >>>>>> To: [EMAIL PROTECTED]
> >>>>>> Subject: RE: [brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM
> >>>>>> ...
> >>>>>>
> >>>>>> Well, to give M$ a little credit (duck), XP is supposed to have a fair
> >>>>>> amount of security by default.
> >>>>>>
> >>>>>> But, there's always that relationship between Security and Usability (is
> >>>>>> that a word?). I'm sure some developers/admins will love the fact that
> >>>>>> they finally get to use Raw Sockets, but that in turn decreases some
> >>>>>> amount of security. As people continue to add these new features, you
> >>>>>> can't always have an "Idiot Proofing" mechanism that works well... It's
> >>>>>> a nice double edged sword...
> >>>>>>
> >>>>>> As for current windows machines, a million and one trojans already exist.
> >>>>>>
> >>>>>> So my question is, is it the responsibility of the Vendor to make sure
> >>>>>> the users know how to use a computer, or is it the responsibility of the
> >>>>>> user to know how to use a computer?
> >>>>>>
> >>>>>> As much as I love that certain vendor (sarcasm), their main focus is to
> >>>>>> put out more productive products with a fair amount of security. There
> >>>>>> aren't enough resources in the world to make sure that every Joe Blow
> >>>>>> isn't leaving themselves open...
> >>>>>>
> >>>>>> My 2 cents...
> >>>>>>
> >>>>>> Ricky
> >>>>>>
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Hebert
> >>>>>> Sent: Tuesday, July 03, 2001 9:02 AM
> >>>>>> To: [EMAIL PROTECTED]
> >>>>>> Subject: Re: [brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM
> >>>>>> ...
> >>>>>>
> >>>>>>
> >>>>>> --- Dustin Puryear <[EMAIL PROTECTED]> wrote:
> >>>>>>
> >>>>>>> Hmm. Is this about the raw socket deal with Windows XP? Raw sockets have
> >>>>>>> been available in the UNIX world for a while, so I guess that means UNIX
> >>>>>>> vendors are no better?
> >>>>>>
> >>>>>> From my understanding of Gibson's writings, he says that raw sockets are
> >>>>>> a problem in Windows XP because most people use M$ Windows operating
> >>>>>> systems (well, duh) AND M$ doesn't seem to have its act together when it
> >>>>>> comes to network security (hmmm, he's got a point). So, distributing M$
> >>>>>> Windows XP with raw sockets for home users who don't properly secure
> >>>>>> their machines will only give DDOS script kiddies more platforms to
> >>>>>> attack from.
> >>>>>>
> >>>>>> :P
> >>>>>>
> >>>>>> John
> >>>>>>
> >>>>>> ================================================
> >>>>>> BRLUG - The Baton Rouge Linux User Group
> >>>>>> Visit http://www.brlug.net for more information.
> >>>>>> Send email to [EMAIL PROTECTED] to change
> >>>>>> your subscription information.
> >>>>>> ================================================
> >>>>>
> >>>>
> >>>
> >>
> >
>
> --
> Dustin Puryear <[EMAIL PROTECTED]>
> http://members.telocity.com/~dpuryear
> In the beginning the Universe was created.
> This has been widely regarded as a bad move. - Douglas Adams
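Added example, not code from the thread or from any of its posters: a POSIX sh audit that flags, in constructed inetd.conf and wu-ftpd ftpaccess snippets, the defaults Beamon objects to above (telnet, ftp and r-services left enabled, anonymous upload permitted, "real" users allowed to log in over ftp). The sample configs and the simplified parsing of the `upload` and `class` directives are assumptions.

```shell
#!/bin/sh
# Added audit example for the defaults criticised in the thread: legacy
# plaintext services (telnet, ftp, r-tools) enabled in inetd.conf, anonymous
# upload and "real user" logins permitted by wu-ftpd's ftpaccess. The two
# config snippets below are constructed samples, not copied from any host,
# and the ftpaccess parsing assumes the plain directive forms shown
# ("upload <root> <glob> <yes|no> ..." and "class <name> <typelist> ...").

SAMPLE_INETD='ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd'

SAMPLE_FTPACCESS='class   all   real,guest,anonymous  *
upload  /home/ftp  /incoming  yes  ftp  ftp  0600  nodirs
upload  /home/ftp  *          no'

# List enabled (uncommented) inetd services that ssh/scp should replace.
legacy_services() {
    printf '%s\n' "$1" |
        awk '$1 !~ /^#/ && $1 ~ /^(telnet|ftp|shell|login|exec)$/ { print $1 }'
}

# List anonymous-ftp directories where wu-ftpd permits uploads (the "warez
# box" condition): field 4 of an "upload" directive is yes/no.
anon_upload_dirs() {
    printf '%s\n' "$1" | awk '$1 == "upload" && $4 == "yes" { print $2 $3 }'
}

# Succeed (exit 0) when some class admits "real" users, i.e. any system
# account can log in over ftp and browse world-readable paths such as /etc.
real_user_ftp_allowed() {
    printf '%s\n' "$1" |
        awk '$1 == "class" && $3 ~ /(^|,)real(,|$)/ { found = 1 }
             END { exit found ? 0 : 1 }'
}

# Stand-alone report over the constructed samples.
audit_report() {
    svcs=$(legacy_services "$SAMPLE_INETD")
    [ -n "$svcs" ] && printf 'enabled legacy service: %s\n' $svcs
    dirs=$(anon_upload_dirs "$SAMPLE_FTPACCESS")
    [ -n "$dirs" ] && printf 'anonymous upload allowed in: %s\n' "$dirs"
    real_user_ftp_allowed "$SAMPLE_FTPACCESS" && echo 'real-user ftp logins allowed'
    return 0
}

audit_report
```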
This archive was generated by hypermail 2.1.2 : Thu Sep 06 2001 - 11:10:54 CDT
