At 02:32 PM 5/6/2003 -0500, you wrote:
> > Windows 2003 accepts logins via the serial port for administrative control
> > if this is what you mean? Also, you can control a lot of NT and Win2k
> > functions via telnet/SSH and scripts albeit not as well as you can a UNIX
> > system.
>
>No, what I mean is that the windows server installs a GUI, like it or 
>not.  If the GUI has holes, you are stuck firewalling them.  If an 
>intruder gets in behind your firewall, those holes are open.  Because 
>Microsoft likes backdoors such as windows update, this issue will not go 
>away.

I thought you wanted to only focus on what the average desktop user 
actually uses? If so, how many desktop users do not run X?

> > Unfortunately, from my experience a very large number of users log in as
> > root on their desktops. Under NT a lot of users give themselves
> > Administrator privileges and then run dangerous code. Same issue here. The
> > major problem in most situations is not so much the code as user education.
>
>Oh come on, users will be educated.  Most installs walk the user through 
>it and I'm sure you tell people why they should not do that.  Is it 
>possible to run Outlook or IE as anything but Admin?

Um, yes. :)

> > > Extrapolating from a few DoS vulnerabilities in one or two projects is 
> > > more hazardous than extrapolating from Microsoft's record of root 
> > > exploits and internet destabilizing worms.
>
> >
> > Good thing that wasn't done here. Anyway, my point was that most open
> > source code has not had the benefit of a world of active eyeballs. And a
> > lot of code that is commonly used still hasn't had the rigorous testing
> > that is needed. Finally, the bad state of documentation of a lot of open
> > source contributes to problems, security-related and otherwise. (A recent
> > issue with Courier-MTA (a server application, I know) and a fellow LUG user
> > brings that to mind.) That being said, I personally do prefer open source
> > to closed source.
> >
>
>That was done here.  A little bug in Ximian had you asking lots of strange 
>questions.  I've had fun hyperboling them and hope I'm not putting words 
>into your mouth.

No, I simply used the Evolution vulnerability as a starting point. There is 
a difference between basing an entire argument on one issue and simply 
using that one issue to broach the subject. :) And I don't think that 
discussing Linux desktop security issues means that I am asking "strange 
questions," but rather pursuing an entirely valid line of questioning.

>You seem to be worried that the free software world, particularly on the 
>desktop, is doomed to the same poor security that Windoze has suffered 
>when you said, "It appears to me that the Linux desktop is quickly finding 
>itself in the same position as the Windows desktop when it comes to 
>security."  In this message you assert, "the problem here is simply the 
>abundance of complicated and non-audited code. That problem is just 
>as big in the open source world as in the closed source world."
>
>Once again, I say bull.  The vast choice of software available will keep 
>this from being a problem until the code matures, even if we discount the 
>benefits of more developers and peer review and distribution 
>models.  Let's imagine that someone makes a terrible KDE worm that works 
>by email.  It won't bother people who use other mail software such as 
>Mozilla, Gnome, Mutt, Pine, Balsa and half a dozen trees.  Of course we 
>should not discount the other factors at work.  The complexity you cite 
>affects monoliths like Microsoft more than it affects free software which 
>is well modularized.  How do you eat an elephant?  One bite at a time and 
>ants do it best.

I have worked with open source software and trust me, it's not all very 
well written or modularized. Some is but a lot of it isn't. As a side note, 
if a worm hits KDE-based email clients then we are going to be in a world 
of hurt.

>You also seemed to blame the users for Microsoft security concerns and 
>implied that it would happen the same way in the free software world when 
>you said, "Microsoft has done well recently in issuing patches for 
>vulnerabilities and bugs, but users typically don't apply them. Is the 
>same going to be true for Linux users?"  I pointed out that updating was 
>much easier and more efficient under free software and that not even 
>Microsoft can keep up using their methods.  In this message you pointed to 
>sloppy habits some people had carted from the windows world, and I pointed 
>out that people will use the right methods if they are available.

I don't entirely blame users. However, educating users is a great way to 
reduce your vulnerability to attacks, active or passive, in any network. 
Also, there is a certain expectation that most desktop users will keep 
their machines updated. If that isn't the case then open source loses much 
of its cachet. That is, the fact that open source can be quickly updated 
against a new vulnerability doesn't mean much if nobody applies the patch.

As far as updating being easier and more efficient under open source I am 
not sure that is always true. up2date is no better than Windows Update, and 
recompiling from source definitely is not easier.

>Then you asked us to compare the failure of Linux desktop security to that 
>of Windows, "can we now compare the failure of the Linux desktop with
>the failure of the Windows desktop in terms of security as an apples to 
>apples comparison?"  That I did.  I said that there had not been a free 
>software desktop failure yet, just a few DoS attacks out on the bleeding 
>edge.  There are plenty of well tested tools in the free software world 
>that can be used, whereas older software in the Windoze world is always 
>full of holes.  Has it gotten any better in doze land?  I'm not going to 
>say it's impossible to break into a free computer, but I will say that we 
>will never see them abused like Microsoft computers have been.

I wish only fringe software was the cause, but unfortunately it's not. 
Rather, core software used by Linux desktops continues to have 
vulnerabilities. Just a quick scan showed significant problems for this 
week (http://www.linuxsecurity.com/vuln-newsletter.html), including 
sendmail, balsa, pptp, kdebase, mgetty, lprng, micq, zlib, man, and xinetd. 
Most of these are root exploits and not simply DoS attacks.

All of these will probably be running at some point on many desktops.

Again, I like and use open source whenever I can. However, I recognize that 
currently most open source software on the desktop has the potential to be 
more secure, but that isn't necessarily the case at this point. There are 
of course exceptions.

>Free software documentation problems pale in comparison to closed source 
>problems.

I would disagree and I think a lot of others have problems with the current 
state of open source documentation:

http://linuxnewbies.editthispage.com/tips/20000126
http://www.devx.com/opensource/Article/11839
http://www.vivtek.com/open_source.html
and so on...


---
Dustin Puryear <[EMAIL PROTECTED]>
Puryear Information Technology
Windows, UNIX, and IT Consulting
http://www.puryear-it.com
