Linux-Advocacy Digest #175, Volume #26 Mon, 17 Apr 00 19:13:09 EDT
Contents:
DCOM versus CORBA, some history (Robert Morelli)
Re: Become a Windows Registry Expert! (dcorn)
Re: Become a Windows Registry Expert! (dcorn)
Re: Become a Windows Registry Expert! (Marty)
Re: Solaris (was Re: Windows 2000 etc.) (Bart Oldeman)
Re: simply being open source is no guarantee of security. ("Chad Myers")
Re: Become a Windows Registry Expert! ("Tim Mayer")
Re: simply being open source is no guarantee of security. (Charlie Ebert)
Re: simply being open source is no guarantee of security. (Tesla Coil)
Re: Backdoors in Windows 2000 or server software? (Rob S. Wolfram)
----------------------------------------------------------------------------
From: Robert Morelli <[EMAIL PROTECTED]>
Subject: DCOM versus CORBA, some history
Date: Mon, 17 Apr 2000 04:05:09 -0400
Reply-To: [EMAIL PROTECTED]
This post is partly a response to a current thread about Microsoft's putative
advantage in the enterprise. The issue centers around Microsoft's CORBA
counterpart, DCOM, and their proposed supporting XML technology as a stand
in for lack of Java support. The first misconception is that Microsoft's
DCOM has no counterpart outside Windows. That is obviously false. The
second misconception is that DCOM is an extension of CORBA. This is also
false. DCOM is not an example of "embrace and extend"; it's simply an
example of incompatibility with open standards.
There's some interesting history behind this. When MS was first
promoting DCOM back in 1995, there was an obvious question why they were flouting
the open CORBA standard, and deliberately introducing incompatibilities and hassles
for their customers. At a convention, an MS representative started his presentation
by reading the definition of "standard" from a dictionary. He then slammed the
dictionary shut and announced that Webster's definition of standard "was dead." The
"new definition," he explained, was that "de facto is de standard," and "de facto is
Windows." I can't think of any single incident that better sums up Microsoft's
combination of arrogance, contempt, and brutishness. If you accept this kind of
disrespect and go on supporting MS and advocating for them, I think you need to go
to a doctor and get your balls examined.
The term 'hubris' (excessive arrogance) is appropriate here. The ancient Greeks
believed that hubris invokes nemesis, a form of divine retribution. In fact, it was
about the time of the "de facto is de standard" statement that the internet started
to explode, Java appeared, and the Linux threat started to really rear its head. In
2000, the very issue of CORBA compliance is coming back to haunt MS. In fact,
Microsoft's position is now considerably weakened. First, their proposed XML
technology is fairly crude, it doesn't even lock people into Microsoft technology,
and what it accomplishes can be easily duplicated by other technologies. In fact, it
is just an attempt to salvage a deteriorating situation in which they are in danger
of gradually losing touch with an emerging, rich set of e-commerce and connectivity
standards. Second, Microsoft is no longer in a position to dictate standards. Their
proposal was universally rejected out of hand by the rest of the industry.
I won't say it's divine retribution. Rather, there's a balance in human nature that
gets upset by something like Microsoft's arrogance. To be sure, a certain subset of
the population will always follow. It's probably in fact controlled hormonally --
roughly speaking the people who are happy accepting the dominance of the Microsofts
of the world, are the people whose balls don't work too well. That, at least, is how
it works in a lot of other mammals, where the analogue of supporting Microsoft would
be the sort of submission that can be turned on and off like a switch by blocking and
unblocking testosterone receptors (among others). But fortunately, there's another
more resilient part of the population that doesn't take crap as happily. That's the
part of humanity we're more proud of and which we like to hold up as its "indomitable
spirit." That's the part of human nature that will always oppose and ultimately
prevail against the Microsofts of the world, no matter how poor the odds may at first
seem. That's what we're now witnessing with the renewed affirmation of human freedom
that the open source movement represents. And it's also what we're seeing in the
gradual destruction of Microsoft's power that's being undertaken from many directions
at once.
------------------------------
From: dcorn <[EMAIL PROTECTED]>
Crossposted-To:
comp.os.ms-windows.nt.advocacy,comp.sys.mac.advocacy,comp.os.os2.advocacy
Subject: Re: Become a Windows Registry Expert!
Date: Mon, 17 Apr 2000 17:04:37 -0400
Bob Lyday wrote:
> Marty wrote:
> > >
> > In fairness, I've never had the registry corrupted on my Win95 partition. By
> > the same token, I use Win95 once a week, if that, whereas I'm in OS/2 for the
> > remainder of the time.
> >
> Win 95 here runs pretty good for about a month and then it needs
> a reinstall. Damn that is stupid!
> --
> Bob
> "None of us makes it through life without being shown, politely,
> what an ass he is," Kurt Vonnegut, "Mother Night".
> Remove ".diespammersdie" to reply.
That's strange - for many it works for months, even years. What are you doing
wrong?
------------------------------
From: dcorn <[EMAIL PROTECTED]>
Crossposted-To:
comp.sys.mac.advocacy,comp.os.os2.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: Become a Windows Registry Expert!
Date: Mon, 17 Apr 2000 17:06:18 -0400
Jim Polaski wrote:
> In article <[EMAIL PROTECTED]>,
> Eric Bennett <[EMAIL PROTECTED]> wrote:
>
> > A couple days ago, I got one of those highly entertaining mailings from
> > a company doing Windows seminars. This one is about "Managing,
> > Supporting, and Troubleshooting the Windows Registry". Now, obviously
> > these folks are heavily biased. But, their material is probably no
> > worse than other stuff that gets posted here, and in any event I found
> > it quite entertaining. Here are some excerpts, with editorial comments
> > [in brackets].
> ><
>
> Massive Snippage---
>
> --------
>
> Now, wasn't it said the other day that Win 2k has some 2800 items in the
> Registry?
>
> Sounds simple to manage to me.....and so many of the Wintellian trolls
> here claim NT to be so simple and vastly superior, why should anyone
> need such a course to figure out and manage the Registry? Don't they all
> claim that Windows has "caught up to and surpassed the Mac" in terms of
> ease of use, administration?
>
> Where is that flying 85) LB pig......
Why do you need to go to a course to 'manage' the NT registry? I don't.
And there are courses in how to use the Mac, too - the local community
college has several of them, including "Introduction to the Macintosh" or
somesuch. Just because a course is out there doesn't mean people need it.
------------------------------
From: Marty <[EMAIL PROTECTED]>
Crossposted-To:
comp.sys.mac.advocacy,comp.os.os2.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: Become a Windows Registry Expert!
Date: Mon, 17 Apr 2000 22:26:59 GMT
George Graves wrote:
>
> In article <[EMAIL PROTECTED]>, Marty <[EMAIL PROTECTED]>
> wrote:
>
> >George Graves wrote:
> >>
> >> Don't worry, I won't. I have learned that the only thing that Apple
> >> could ever do to please Wintrolls who post on CSMA is to roll over,
> >> belly-up and die. With Apple gone, they wouldn't have that little
> >> nagging voice in their head that keeps saying "did I choose the wrong
> >> platform?" Because with no Apple, there would be only ONE platform and
> >> the Wintrolls could sleep secure in their beds with no nasty Apple
> >> confusing them with that pesky Macintosh.
> >
> >A common misconception. PC owners are becoming increasingly aware that
> >there are alternatives to MS based products, thus there are far more than
> >"one" platform available.
>
> With what, pray tell, to run on them?
It's called "software" I think.
------------------------------
From: Bart Oldeman <[EMAIL PROTECTED]>
Subject: Re: Solaris (was Re: Windows 2000 etc.)
Reply-To: [EMAIL PROTECTED]
Date: Mon, 17 Apr 2000 21:59:55 GMT
[restricted to one newsgroup]
On Mon, 17 Apr 2000, Mike Marion wrote:
> Bart Oldeman wrote:
>
> > host% ls --color
> > ls: illegal option -- -
> > usage: ls -1RaAdCxmnlogrtucpFbqisfL [files]
> > host% tar xzvf foo.tar.gz
> > tar: z: unknown option
> > Usage: tar {txruc}[vfbFXhiBEelmopwnq[0-7]] [-k size] [tapefile]
> > [blocksize] [exclude-file] [-I include-file] files ...
> > host% locate file
> > locate: Command not found
>
> 1. the color flag is something that's more of a Linux thing IIRC.
It's also a GNU thing.
> 2. the z flag to tar is a gnutar thing. Pure tar doesn't know it.
> 3. locate is there as fastfind.
I couldn't find fastfind (machines running
"SunOS 5.7 Generic October 1998").
> Just because the commands aren't identical to your standard Linux install
> doesn't mean they're wrong.
Not wrong, just unfriendly. I mean, what's the point for Sun for keeping
csh if tcsh is available and using UNIX tar if GNU tar is there (and
all are "backwards" compatible, as far as I know).
> > Tab doesn't work either.
>
> Yeah, but Esc does...
But not by default. You have to do "set filec" first.
> Remember, this is one of the things about Unices that most of us like: The
> ability to customize all of this stuff so that we can use the keys we want.
True if you are root. But if you're on a 10 MB quota you can't just
install all GNU utilities next to your normal work (this of course has
everything to do with a friendly admin).
(not that i'm in that situation anymore).
> Just because their default doesn't match what you like doesn't mean it's a bad
> default.
> BTW, personally I hate the color coded ls output.. I like a black background (or
> a transparent Eterm) and the dark blue default is hard to read... gee I guess
> that default sucks because I don't like it. :)
But it's not a default on most linuxes either. Just a capability.
> P.S. I use both Linux and Solaris every day. I like both of them, but don't
> think that either one has a "better" default. I setup my system the way _I_
> like it... which is what I like about Unix. I can make both Linux and Solaris
> look and feel almost identical.
I know this now, you know this. I have also used HP-UX which was set up in
such a way that arrow keys and Tab "worked". Then you're suddenly
confronted with Solaris where this isn't the case. Well, at least it's a
learning experience, in
a) setting your .login in such a way that you get tcsh or bash by default.
b) trying to convince your sysadmin to install tcsh or bash if they are
not there ;-)
Bart
------------------------------
From: "Chad Myers" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: simply being open source is no guarantee of security.
Date: Mon, 17 Apr 2000 17:32:58 -0500
"Donovan Rebbechi" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> >move than other OSes. They are finding bugs easily without the source.
>
> This would seem to lend strength to the point that "security by obscurity"
> does not work.
No, just the opposite. That it does work, and it's not that hard to find holes
in it if there are flaws, which seems to be one of the Open Source clan's biggest
gripes ("We can't find holes easily because we don't have source code!")
It's no less secure, really, than Open Source, and it's about as easy to find
bugs when they do exist.
Are you saying that Open Source is perfect and never has holes?
> >memory properly or doing bounds checks for input, thus resulting in buffer
> >overruns. These are fairly easy to test and diagnose without the source.
>
> Exactly. But some are also much easier to fix with the source.
And some aren't, as illustrated in this article. What's your point?
> >Or even the good guys inserting backdoors into the login process or
> >the cc compiler.
>
> The good guys don't do this unless they're really dumb.
but it happens nonetheless.
> >Perhaps Open Source would be more useful if it were actually reviewed by
> >boards with authority? If an authority for certifying peer reviewers of
> >source code were set up, perhaps the dream that the Open Source advocates
> >promote would become a reality?
>
> This is the kind of thing that OpenBSD shoots at. They have an audit team
> that actually do audit code all the time. It seems to pay off, because
> OpenBSD has an exceptional security track record.
Of course, there's nothing really preventing, say, Microsoft from hiring
an audit team. One of the purported advantages of Open Source was that ANYONE
could review the source, not just some privileged group of few. However, since
that doesn't appear to be of much help, they're going back to a group of few,
which Microsoft has and uses frequently (they submitted Win2K source to several
audit firms for security and other flaw review). So, what advantage does
Open Source have here? Pretty much nothing.
> >SendMail continues to be plagued by remotely exploitable bugs.
>
> Not entirely true. The bug reports have faded somewhat in the last few
> years. Still, it's a bit of a mess ( ie very complex piece of software
> that usually is run as root ).
Exactly my point. Open Source sounds good on paper (kinda like Communism)
but it's not effective in practice.
-Chad
------------------------------
From: "Tim Mayer" <[EMAIL PROTECTED]>
Crossposted-To:
comp.os.ms-windows.nt.advocacy,comp.sys.mac.advocacy,comp.os.os2.advocacy
Subject: Re: Become a Windows Registry Expert!
Date: Mon, 17 Apr 2000 22:44:05 GMT
<jansens_at_ibm_dot_net (Karel Jansens)> wrote in message
news:L9BY9tzSDwrQ-pn2-dmqWWCKWdZTk@localhost...
> "Tim Mayer" <[EMAIL PROTECTED]> wrote:
>
> > > Waddayamean? There's nothing more natural than hitting [F7 - N - Y] to
> > > end an application, or [SHIFT+F7 - 7] to print a document. Toddlers
> > > learn this in kindergarten, chimpanzees instinctively push their
> > > fingers in similar patterns, bacteria have been found with those key
> > > combinations hard-coded into their DNA.
> > >
> > > WordPerfect's user interface is modeled after the universe itself.
> > >
> >
> > Sorry! I forgot to update my research regarding the correlation between
> > human and fruit fly genetic information published by Celera and the
> > key-combinations developed by WordPerfect. I always wondered why I
> > instinctively felt the need to hit [F7 - N - Y] every time I ran
> > WordPerfect. ;-)
> >
>
> Apostate! Begone with thee!
>
> (Seriously: you don't like WordPerfect? I see it as one of the most
> capable wp's in the field today. The old interface was indeed somewhat
> - clunky, but once learned, it stays with you forever. And these days
> you can choose your own interface with WordPerfect or, indeed, make a
> new one)
I like WordPerfect, and even both recognize and accept that PerfectOffice
is every bit as good as MS Office (based on a Gartner Group report). Now
that it's bundled with Corel PerfectLinux, I like it even more.
Tim
------------------------------
From: Charlie Ebert <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: simply being open source is no guarantee of security.
Date: Mon, 17 Apr 2000 22:52:19 GMT
Chad Myers wrote:
> "Donovan Rebbechi" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
>
> > >move than other OSes. They are finding bugs easily without the source.
> >
> > This would seem to lend strength to the point that "security by obscurity"
> > does not work.
>
> No, just the opposite. That it does work, and it's not that hard to find holes
> in it if there are flaws, which seems to be one of the Open Source clan's biggest
> gripes ("We can't find holes easily because we don't have source code!")
>
> It's no less secure, really, than Open Source, and it's about as easy to find
> bugs when they do exist.
>
> Are you saying that Open Source is perfect and never has holes?
>
> > >memory properly or doing bounds checks for input, thus resulting in buffer
> > >overruns. These are fairly easy to test and diagnose without the source.
> >
> > Exactly. But some are also much easier to fix with the source.
>
> And some aren't, as illustrated in this article. What's your point?
>
> > >Or even the good guys inserting backdoors into the login process or
> > >the cc compiler.
> >
> > The good guys don't do this unless they're really dumb.
>
> but it happens nonetheless.
>
> > >Perhaps Open Source would be more useful if it were actually reviewed by
> > >boards with authority? If an authority for certifying peer reviewers of
> > >source code were set up, perhaps the dream that the Open Source advocates
> > >promote would become a reality?
> >
> > This is the kind of thing that OpenBSD shoots at. They have an audit team
> > that actually do audit code all the time. It seems to pay off, because
> > OpenBSD has an exceptional security track record.
>
> Of course, there's nothing really preventing, say, Microsoft from hiring
> an audit team. One of the purported advantages of Open Source was that ANYONE
> could review the source, not just some privileged group of few. However, since
> that doesn't appear to be of much help, they're going back to a group of few,
> which Microsoft has and uses frequently (they submitted Win2K source to several
> audit firms for security and other flaw review). So, what advantage does
> Open Source have here? Pretty much nothing.
>
> > >SendMail continues to be plagued by remotely exploitable bugs.
> >
> > Not entirely true. The bug reports have faded somewhat in the last few
> > years. Still, it's a bit of a mess ( ie very complex piece of software
> > that usually is run as root ).
>
> Exactly my point. Open Source sounds good on paper (kinda like Communism)
> but it's not effective in practice.
>
> -Chad
Sticking your head up your ass again Chad?
Charlie
------------------------------
From: Tesla Coil <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: simply being open source is no guarantee of security.
Date: Mon, 17 Apr 2000 17:04:04 -0500
On 17 Apr 2000, Chad Myers replied to Dresdin Black:
>> Sure, the source code is available. But is anyone reading it?
>
> It seems there are more watchdog groups eyeing Microsoft's
> every move than other OSes. They are finding bugs easily
> without the source. Because, most common bugs are usually
> in hashing passwords, or not allocating memory properly or
> doing bounds checks for input, thus resulting in buffer overruns.
> These are fairly easy to test and diagnose without the source.
>
>> The fact is, most open source users run the software, but don't
>> personally read the code. They just assume that someone else
>> will do the auditing for them, and too often, it's the bad guys.
Open source is a disadvantage to security because it just
makes it easier for bad guys to find exploits, but it's too
inconvenient for good guys to examine. Besides, the most
common holes are easily found without reference to source.
The mere possibility that MS code at all resembles the
logic of its advocates is reason enough for me to avoid it.
------------------------------
From: [EMAIL PROTECTED] (Rob S. Wolfram)
Crossposted-To:
comp.os.ms-windows.nt.advocacy,comp.os.os2.advocacy,comp.sys.mac.advocacy
Subject: Re: Backdoors in Windows 2000 or server software?
Date: 17 Apr 2000 22:35:11 GMT
Reply-To: [EMAIL PROTECTED]
[lines reordered]
Drestin Black <[EMAIL PROTECTED]> wrote:
>"Rob S. Wolfram" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> Drestin Black <[EMAIL PROTECTED]> wrote:
>> >This is entirely untrue - There IS NO BACKDOOR IN FRONTPAGE
>>
>> Oh? I take it you have a source license for Frontpage which enables you
>> to verify that?
>The string found in that DLL in that version of FP98 for those types of
>servers is not a backdoor.
>
>Specific enough?
No, just correct (I assume because of all hearsay. There's no way I can
verify it myself). Your previous statement was not.
Does backing out on your previous statement also mean that you agree
with me that close sourced software is inherently less secure than open
source software because you cannot verify the absence of a backdoor
while with open source you can, and you cannot verify the correct
implementation of security algorithms, while with open source, you can?
/me wonders....
Rob (happily using *backdoor free* software).
--
Rob S. Wolfram <[EMAIL PROTECTED]> PGP 0x07606049 GPG 0xD61A655D
"I think there is a world market for maybe five computers."
-- Thomas Watson, Chairman of IBM, 1943
------------------------------