Linux-Advocacy Digest #172, Volume #26 Mon, 17 Apr 00 16:13:11 EDT
Contents:
Re: Mandrake is listening! It's "Da Bomb"! (SamIam)
Re: simply being open source is no guarantee of security. (mlw)
Re: Become a Windows Registry Expert! ("Tim Mayer")
Re: MS caught breaking wind ("aCiD fEiNd")
Re: Rumors ... ("Erik Funkenbusch")
Re: Become a Windows Registry Expert! (George Graves)
----------------------------------------------------------------------------
From: SamIam <[EMAIL PROTECTED]>
Subject: Re: Mandrake is listening! It's "Da Bomb"!
Date: Mon, 17 Apr 2000 13:55:32 -0500
I'm also a happy Mandrake 7.0 user. I've been using Mandrake since
6.0. I've tried many other GPL distros but none have even come close to
Mandrake. I see a lot of people make references to SuSe but I tried the
free version and I didn't see what all the hubbub's about. I guess
SuSe's great off the shelf but I'm highly satisfied with my GPL version
of Mandrake 7.0.
The Cat wrote:
>
> I've just installed Mandrake 7.0 and it appears that they are
> listening to the Windows community as to what issues we have with
> Linux and they are addressing them.
>
> So here is a mini-review from a Winvocate's point of view.
>
> Boot the CD and if you can't install this puppy in 30 minutes or less,
> and that's actually reading everything, you should go back to computer
> school :)
>
> Mandrake offers a nice gui install that is pretty much automated but
> allows you complete control over everything. This is in contrast to
> Corel which makes almost every decision for you. Good for newbies
> (generally) but could be a major problem if things go wrong.
>
> One thing I liked was the "just do it" option when setting up file
> systems. For the first time I actually have my file systems laid out
> on different physical/logical partitions correctly on my hard drive.
> Previously I have always had just a / mount point and a swap partition
> only because I didn't really know how to set things up more
> efficiently. Excuse the terminology but you get the point.
>
> I still dual boot (via boot magic) so I appreciated being given the
> option of using the root partition instead of clobbering my mbr.
>
> Ok so now I'm installed, nothing really new here since every other
> distribution installed ok for me on the same system in the past, so
> what's really new here?
>
> EVERYTHING WAD!!!!!!!!!!!!!!!!!!!!!!!!
>
> (Works as designed)
>
> I got fsking sound!!!! My SBlive works right from the get-go!!!!!
> I started kde mixer and didn't get the dreaded mixer not opened
> message. Was I ever surprised:)
>
> This is a biggie for me.
>
> IMWheel is right in there also.
>
> Guess what?
>
> Wine is already setup and configured for the most part!!!!
>
> And yet another surprise, Agent runs just about perfectly under it!!!
>
> wine /mnt/hda5_DOS/agent/agent.exe and I was up and running!!
>
> In fact although I haven't figured out how to auto-launch attachments
> and URLs yet, Agent actually runs FASTER under wine than native
> Windows and it has not crashed once in 3 or 4 days of use.
> Previous experience had Agent running but very unstable no matter what
> version of Wine or distribution I used.
> Even under Win98SE the latest version of Agent goes out to lunch every
> now and then although it always recovers if you leave it alone. Hasn't
> done it yet under Wine.
>
> Want more?
>
> How about xfs installed as default. Yep the TrueTypes are coming. I
> just visited Donovan's excellent page and will be "borrowing" my
> Windows fonts. Good bye to ugly Netscape.
>
> How about a ton of nice Themes and the manager installed for kde?
>
> Sure you can grab them off the net, but it's nice to get them in the
> box.
>
> All paths work, unlike RedHat which always seems to screw this up.
> All your drives are already setup with icons on the desktop and are
> auto mounted. Same with CDrom.
>
> Here's a beauty: If you select set up modem during install it sets up
> kppp with your id, password, DNS etc and you are ready to go. Worldnet
> is a bas****d because of CHAP and it worked right from the first click
> for me. No file editing needed.
>
> Tons of programs are in the menus and THEY ALL WORK when you click on
> them. Every single one.
>
> Update icon right on desktop and it works. Imwheel had a root exploit
> bug and it found it and did all my updating automatically.
>
> I could go on and on but I think you get the point. Mandrake has
> finally convinced me that Linux can provide an easy to use quality
> operating system and for the $6.00 the Magazine with the free CD
> (actually 2 of them as Storm Linux was also included) this has got to
> be the bargain of the century.
>
> Ok so what did I find wrong?
>
> First when you are given the selection of setup modem/networking it is
> an either/or decision box. I would advise setting up the modem here
> and networking later as I did it the other way around the first time
> and I had problems.
>
> SoundBlaster Live sometimes goes silent and I have to start the mixer
> to revive it. Seems to be a known issue. No biggie though, I'm happy
> it even works :)
>
> Canon scanner still no workie. With the amount of scanning I do I can
> boot to Windows.
>
> I'm using an IBM Proprinter x24e and had to select Epson 9 pin to make
> it work. I'm looking to buy an inexpensive PS laser printer soon
> anyway. I gave the Canon BJ4400 to my wife. Damn thing is an ink
> waster extreme anyway.
>
> The latest version of Pan (newsreader) doesn't seem to work too well
> for me. It hangs all the time. I'm happy that Agent works so I'll use
> that until Pan works a little better which shouldn't be too long
> considering how fast it has come along.
>
> Apparently there is some bug in sendmail but I don't use that program
> so it doesn't affect me.
>
> In conclusion, I certainly don't wish to start a distribution war but
> if you are a Winvocate, and have had less than spectacular results
> with other versions of Linux in the past, give Mandrake 7.0 a try and
> see how it works for you. I think you will be pleasantly surprised at
> what a properly set up Linux system can do.
>
> I'm convinced and I am also excited that I can finally stop sending my
> paycheck to Mr. Gates.
>
> TheCat
>
> "Agent under Wine and powered by Mandrake 7.0"
------------------------------
From: mlw <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: simply being open source is no guarantee of security.
Date: Mon, 17 Apr 2000 14:59:39 -0400
This is all well and good, but, in light of recent Microsoft news,
(Microsoft is the quintessential closed source vendor) one might not
think much about closed source, nor should they.
You make a big deal about security flaws being found by the bad guys.
Well, that is true. Many of the exploits are quite subtle and require a
certain kind of thinking to spot them. However, when confronted with a
security breach, many more than the one or two engineers in a closed
source vendor, will be trying to figure out how the bad guy got in. As
we see on a regular basis, once discovered, security flaws get fixed
very fast.
So rather than enter a bug in a bug tracking software, where then a
manager assigns the bug to an engineer, who then manages his time and
attempts to get to it in a reasonable amount of time. In open source,
anyone can try to figure it out, and there is a lot of ego competition
to fixing the problem.
The only thing I would say open source provides, is a way for obvious
security breaches to be found by audit, and a way to have many minds
working on proven security breaches found by hackers.
Microsoft's famous "easter eggs" while cute and playful, are a sad
commentary about the willingness and ability to hide extensive amounts
of code and data within an OS and/or application. Should anyone sit back
and think about it, no one really knows what Microsoft software has
hidden in it, nor does any accountable group in Microsoft, know
everything that is in any particular Microsoft product. The whole dvwssr.dll
incident proves this.
Open source is not a panacea, and the article posted wants to imply that
open source advocates are zealots, clearly the author was not drafting
this article from an impartial position. However, open source will not
have hidden code. Open source software will usually have fewer security
problems over time. Security issues in open source have been proven to
be fixed faster and more completely than closed source counterparts.
Drestin Black wrote:
>
> From: http://www.securityfocus.com/commentary/19
> Wide Open Source
> Is Open Source really more secure than closed? Elias Levy says there's a
> little security in obscurity.
> By Elias Levy April 16, 2000 11:59 PM PST
>
> One of the great rallying cries from the Open Source community is the
> assertion that Open Source Software (OSS) is, by its very nature, less
> likely to contain security vulnerabilities, including back doors, than
> closed source software. The reality is far more complex and nuanced.
>
> Advocates derive their dogmatic faith in the implicit security of Open
> Source code from the concept of "peer review," a cornerstone of the
> scientific process in which published papers and theories are scrutinized by
> experts other than the authors. The more peers that review the work, the
> less likely it is that it will contain errors, and the more likely it is to
> become accepted.
>
> Open Source apostles believe that releasing the source code for a piece of
> software subjects it to the same kind of peer review as a quantum physics
> theory published in a scientific journal. Other programmers, the theory
> goes, will review the code for security vulnerabilities, reveal and fix
> them, and thus the number of new vulnerabilities introduced and discovered
> in the software will decrease over time when compared to similar closed
> source software.
>
> It's a nice theory, and in the ideal Open Source world, it would even be
> true. But in the real world, there are a variety of factors that affect how
> secure Open Source Software really is.
>
> Sure, the source code is available. But is anyone reading it?
>
> If Open Source were the panacea some think it is, then every security hole
> described, fixed and announced to the public would come from people
> analyzing the source code for security vulnerabilities, such as the folks at
> OpenBSD, the Linux Auditing Project, or the developers or users of the
> application.
>
> But there have been plenty of security vulnerabilities in Open Source
> Software that were discovered, not by peer review, but by black hats. Some
> security holes aren't discovered by the good guys until an attacker's tools
> are found on a compromised site, network traffic captured during an
> intrusion turns up signs of the exploit, or knowledge of the bug finally
> bubbles up from the underground.
>
> Why is this? When the security company Trusted Information Systems (TIS)
> began making the source code of their Gauntlet firewall available to their
> customers many years ago, they believed that their clients would check for
> themselves how secure the product was. What they found instead was that very
> few people outside of TIS ever sent in feedback, bug reports or
> vulnerabilities. Nobody, it seems, is reading the source.
>
> The fact is, most open source users run the software, but don't personally
> read the code. They just assume that someone else will do the auditing for
> them, and too often, it's the bad guys.
>
> Even if people are reviewing the code, that doesn't mean they're qualified
> to do so.
>
> In the scientific world, peer review works because the people doing the
> reviewing possess a comparable, or higher, technical caliber and level of
> authority on the subject matter than the author.
>
> It is generally true that the more people reviewing a piece of code, the
> less likely it is the code will have a security flaw. But a single
> well-trained reviewer who understands security and what the code is trying
> to accomplish will be more effective than a hundred people who just recently
> learned how to program.
>
> It is easy to hide vulnerabilities in complex, little understood and
> undocumented source code.
>
> Old versions of the Sendmail mail transport agent implemented a DEBUG SMTP
> command that allowed the connecting user to specify a set of commands
> instead of an email address to receive the message. This was one of the
> vulnerabilities exploited by the notorious Morris Internet worm.
>
> Sendmail is one of the oldest examples of open source software, yet this
> vulnerability, and many others, lay unfixed a long time. For years Sendmail
> was plagued by security problems, because this monolithic program was very
> large, complicated, and little understood but for a few.
>
> Vulnerabilities can be a lot more subtle than the Sendmail DEBUG command.
> How many people really understand the ins and outs of a kernel based NFS
> server? Are we sure it's not leaking file handles in some instances? Ssh
> 1.2.27 is over seventy-one thousand lines of code (client and server). Are
> we sure a subtle flaw does not weaken its key strength to only 40-bits?
>
> There is no strong guarantee that source code and binaries of an application
> have any real relationship.
>
> All the benefits of source code peer review are irrelevant if you can not be
> certain that a given binary application is the result of the reviewed source
> code.
>
> Ken Thompson made this very clear during his 1983 Turing Award lecture to
> the ACM, in which he revealed a shocking, and subtle, software subversion
> technique that's still illustrative seventeen years later.
>
> Thompson modified the UNIX C compiler to recognize when the login program
> was being compiled, and to insert a back door in the resulting binary code
> such that it would allow him to login as any user using a "magic" password.
>
> Anyone reviewing the compiler source code could have found the back door,
> except that Thompson then modified the compiler so that whenever it compiled
> itself, it would insert both the code that inserts the login back door, as
> well as code that modifies the compiler. With this new binary he removed the
> modifications he had made and recompiled again.
>
> He now had a trojaned compiler and clean source code. Anyone using his
> compiler to compile either the login program, or the compiler, would
> propagate his back doors.
>
> The reason his attack worked is because the compiler has a bootstrapping
> problem. You need a compiler to compile the compiler. You must obtain a
> binary copy of the compiler before you can use it to translate the compiler
> source code into a binary. There was no guarantee that the binary compiler
> you were using was really related to the source code of the same.
>
> Most applications do not have this bootstrapping problem. But how many users
> of open source software compile all of their applications from source?
>
> A great number of open source users install precompiled software
> distributions such as those from RedHat or Debian from CD-ROMs or FTP sites
> without thinking twice whether the binary applications have any real
> relationship to their source code.
>
> While some of the binaries are cryptographically signed to verify the
> identity of the packager, they make no other guarantees. Until the day comes
> when a trusted distributor of binary open source software can issue a strong
> cryptographic guarantee that a particular binary is the result of a given
> source, any security expectations one may have about the source can't be
> transferred to the binary.
>
> Open Source makes it easy for the bad guys to find vulnerabilities.
>
> Whatever potential Open Source has to make it easy for the good guys to
> proactively find security vulnerabilities, also goes to the bad guys.
>
> It is true that a black hat can find vulnerabilities in a binary-only
> application, and that they can attempt to steal the source code to the
> application from its closed source. But in the same amount of time they can
> do that, they can audit ten different open source applications for
> vulnerabilities. A bad guy that can operate a hex editor can probably manage
> to grep source code for 'strcpy'.
>
> Security through obscurity is not something you should depend on, but it can
> be an effective deterrent if the attacker can find an easier target.
>
> So does all this mean Open Source Software is no better than closed source
> software when it comes to security vulnerabilities? No. Open Source Software
> certainly does have the potential to be more secure than its closed source
> counterpart.
>
> But make no mistake, simply being open source is no guarantee of security.
> ===============
>
> Elias Levy is CTO of SecurityFocus.com, and the long-time moderator of
> BUGTRAQ, one of the most read security mailing lists on the Internet. He's
> served as a computer security consultant and security engineer, a UNIX
> software developer, network engineer and system administrator.
--
Mohawk Software
Windows 9x, Windows NT, UNIX, Linux. Applications, drivers, support.
Visit http://www.mohawksoft.com
"We've got a blind date with destiny, and it looks like she ordered the
lobster"
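
As an added illustration (not part of the original posts or of Levy's article), the toy model below replays the compiler back door the quoted article describes and shows why rebuilding the compiler from reviewed source with the shipped compiler proves nothing, while a two-stage rebuild started from an unrelated compiler exposes the mismatch. It goes one step beyond the article by including that second check; all names and strings are constructed, binaries are modelled as text, and the check assumes deterministic builds and a second compiler that does not carry the same trojan.

```python
import hashlib

# Constructed stand-ins: "source" and "binary" are plain strings in this model.
LOGIN_SRC = "login: accept(user, pw) if hash(pw) == stored[user]"
COMPILER_SRC = "cc: emit code that does exactly what the source says"
BACKDOOR = " or pw == MAGIC"                      # extra behaviour in login
PROPAGATE = " ; re-insert both changes when compiling cc or login"

def translate(src):
    """Faithful code generation: the binary does what the source says."""
    return "BIN{" + src + "}"

def load(compiler_binary):
    """'Run' a compiler binary: return the source-to-binary function it computes."""
    if compiler_binary.startswith("OTHER"):       # unrelated vendor's compiler
        return lambda src: "OBJ{" + src + "}"     # different code generator
    if PROPAGATE not in compiler_binary:
        return translate
    def trojaned(src):
        if src == LOGIN_SRC:
            return translate(src + BACKDOOR)
        if src == COMPILER_SRC:
            return translate(src + PROPAGATE)     # survives a clean-source rebuild
        return translate(src)
    return trojaned

def digest(binary):
    return hashlib.sha256(binary.encode()).hexdigest()

CLEAN_CC = translate(COMPILER_SRC)                # what the reviewed source should yield
TROJANED_CC = translate(COMPILER_SRC + PROPAGATE) # shipped binary, source looks clean
OTHER_CC = "OTHER-CC (constructed second compiler)"

def self_rebuild_matches(shipped_cc):
    """Rebuild cc from reviewed source using the shipped cc itself."""
    return digest(load(shipped_cc)(COMPILER_SRC)) == digest(shipped_cc)

def independent_rebuild_matches(shipped_cc, other_cc):
    """Build cc with an unrelated compiler (stage 1), rebuild cc with that
    result (stage 2), and compare stage 2 against the shipped binary."""
    stage1 = load(other_cc)(COMPILER_SRC)   # differs in bytes, same behaviour
    stage2 = load(stage1)(COMPILER_SRC)     # now produced by cc's own codegen
    return digest(stage2) == digest(shipped_cc)

def login_is_backdoored(cc_binary):
    return BACKDOOR in load(cc_binary)(LOGIN_SRC)

if __name__ == "__main__":
    for name, cc in (("clean", CLEAN_CC), ("trojaned", TROJANED_CC)):
        print(name,
              "self-rebuild match:", self_rebuild_matches(cc),
              "| independent match:", independent_rebuild_matches(cc, OTHER_CC),
              "| login backdoored:", login_is_backdoored(cc))
```
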
------------------------------
From: "Tim Mayer" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.os2.advocacy,comp.os.ms-windows.nt.advocacy,comp.sys.mac.advocacy
Subject: Re: Become a Windows Registry Expert!
Date: Mon, 17 Apr 2000 14:48:07 -0400
<jansens_at_ibm_dot_net (Karel Jansens)> wrote in message
news:L9BY9tzSDwrQ-pn2-J1EkYcdddkEJ@localhost...
> "Tim Mayer" <[EMAIL PROTECTED]> wrote:
>
> >
> > I'm tempted to draw this conclusion as well. Once you've learned a
> > particular interface, no matter how complicated, it becomes comfortable. As
> > an example, look at WordPerfect and how comfortable people became with its
> > cryptic interface.
> >
> Waddayamean? There's nothing more natural than hitting [F7 - N - Y] to
> end an application, or [SHIFT+F7 - 7] to print a document. Toddlers
> learn this in kindergarten, chimpanzees instinctively push their
> fingers in similar patterns, bacteria have been found with those key
> combinations hard-coded into their DNA.
>
> WordPerfect's user interface is modeled after the universe itself.
>
Sorry! I forgot to update my research regarding the correlation between
human and fruit fly genetic information published by Celera and the
key-combinations developed by WordPerfect. I always wondered why I
instinctively felt the need to hit [F7 - N - Y] every time I ran
WordPerfect. ;-)
Tim
------------------------------
From: "aCiD fEiNd" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.development.system,comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy,comp.os.linux.networking,comp.os.linux.security,comp.os.ms-windows.networking.tcp-ip,alt.conspiracy.area51
Subject: Re: MS caught breaking wind
Date: Mon, 17 Apr 2000 20:10:52 +0100
Reply-To: "aCiD fEiNd" <[EMAIL PROTECTED]>
he he he he he
------------------------------
From: "Erik Funkenbusch" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: Rumors ...
Date: Mon, 17 Apr 2000 15:12:00 -0500
abraxas <[EMAIL PROTECTED]> wrote in message
news:8df47s$2q07$[EMAIL PROTECTED]...
> In comp.os.linux.advocacy Erik Funkenbusch <[EMAIL PROTECTED]> wrote:
>
> > 1) The findings of law claim that neither Microsoft nor its OEMs believe
> > that any other OS could viably be shipped by the OEMs in the "foreseeable
> > future", yet many of those same OEMs are shipping Linux in both server and
> > desktop configurations.
>
> > 2) The findings of fact claim that Microsoft deliberately embedded the
> > browser into the shell for the sole reason of thwarting Netscape, yet
> > Microsoft has memos going back to 1993 talking about their plans to
> > integrate internet functionality into the OS and include an integrated WAIS
> > engine. That was almost a year before Netscape even existed as a company.
>
> Ohhh. They have memos.
>
> I see.
>
> Well that just proves everything.
Considering that the DOJ based a large part of their case on internal memos,
I guess it does.
------------------------------
From: George Graves <[EMAIL PROTECTED]>
Crossposted-To: comp.sys.mac.advocacy,comp.os.os2.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: Become a Windows Registry Expert!
Date: Mon, 17 Apr 2000 20:07:40 GMT
In article <[EMAIL PROTECTED]>, Mayor
<[EMAIL PROTECTED]> wrote:
>In article <gmgravesii-
>[EMAIL PROTECTED]>, George Graves
><[EMAIL PROTECTED]> wrote:
>>In article <[EMAIL PROTECTED]>,
>>[EMAIL PROTECTED] (C Lund) wrote:
>>
>>>In article <gmgravesii-
>[EMAIL PROTECTED]>,
>>>George Graves <[EMAIL PROTECTED]> wrote:
>>>
>>>> >But all is
>>>> >not lost, I think with OS X the Mac will finally crawl
>>>> >out from under the rock a bit.
>
>>>> A BIT! It should leave that Windows crap so far back in the
>>>>dust, that M$ will be struggling for years playing catch-up
>>>>and copying OSX features and look-and-feel.
>>>
>>>Hrmff..
>>>
>>>"Windows2002" will sport a new and "innovative" GUI that
>>>coincidentally resembles the Aqua interface. Underneath
>>>this "groundbreaking" new interface, the same old WindowsX
>>>will be lurking. The result will be yet another kludgy, ugly
>>>OS from Microsoft, and the Wintrolls will be all over
>>>CSMA telling us how much better it is than the lousy ol' Mac
>>>because it supports the floppy drive or some such thing.
>>>
>>>OS X will probably leave Microsoft in the dust, but don't
>>>think for a second the Wintrolls will admit it.
>>
>>Don't worry, I won't. I have learned that the only thing that
>>Apple could ever do to please Wintrolls who post on CSMA is to
>>roll over, belly-up and die. With Apple gone, they wouldn't
>>have that little nagging voice in their head that keeps
>>saying "did I choose the wrong platform?"
>
>So you think that no other platform would exist without Apple?
>How does Apple provide needed sustenance for Sun, SGI or any of
>the several OSs that run on Intel HW?
Frankly, I laugh when I hear the Mac called a "niche computer". SGI, Sun
and any of the several OSs that run on Intel HW, now THOSE are "niche
computers" with market shares so low, they don't even cause a blip on
the radar.
>>Because with no Apple, there would be only ONE platform and
>>the Wintrolls could sleep secure in their beds with no nasty
>>Apple confusing them with that pesky Macintosh.
>
>Who's confused by Macintosh, George? I was considering a Sun or
>SGI along with the PC when I bought my computer. Apple wasn't
>even in the running.
Now, those ARE "niche computers."
>And you might have a point about no one knowing that anything
>but Windows and Mac existing if it weren't for the fact that you
>can get Linux at Wal-Mart these days.
To run what on? A server? WordPerfect, GIMP? And you talk about there
being no software or hardware for the Mac?
--
George Graves
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.advocacy) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Advocacy Digest
******************************