Linux-Advocacy Digest #453, Volume #26           Thu, 11 May 00 09:13:05 EDT

Contents:
  Re: German Govt says Microsoft a security risk (mlw)
  Re: Linux Setup (DeAnn Iwan)
  Re: Why only Microsoft should be allowed to create software (Peter Ammon)
  Re: Browsers and e-mail (Fredrik Sandstrom)
  Re: How to properly process e-mail ([EMAIL PROTECTED])
  Re: Microsoft: STAY THE FUCK OFF THE NET!!! ([EMAIL PROTECTED])
  Re: simply being open source is no guarantee of security. (abraxas)
  Not so fast... (Jeff Szarka)
  Re: A pox on the penguin? (Linux Virus Epidemic) (John Culleton)
  Re: How to properly process e-mail (Seán Ó Donnchadha)

----------------------------------------------------------------------------

From: mlw <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.misc
Subject: Re: German Govt says Microsoft a security risk
Date: Thu, 11 May 2000 07:58:50 -0400

Salvador Peralta wrote:
> 
> I don't represent Scientology.  You called it frightening, and I am
> asking what you know about it.  As for German government, I believe that
> they are promoting intolerance in this stance.  Their position on M$ has
> nothing to do with the product, and everything to do with paranoid
> intolerance of an alternative world view.  Given the history of the
> country, that is one government that I do not like seeing actively
> promoting intolerance.
> 

When you look at what happened in Germany in WWII, you will see a very
common human reaction to hard times. Slaughter of who you think is your
enemy is quite common. Look what the whites did to the Indians of this
land. Look at what the Turks did to the Armenians, look at history in
general. The German people are no more to blame for their actions than
the countless other peoples and nations which have had similar
atrocities. Fire up enough people, and one can do historic amounts of
evil in the name of god, mother, and/or nation.

As for "scientology," who cares? All religions that attempt to bring in
recruits are evil. My upbringing is that you find what you believe as
you live. I have no right telling anyone what they should believe. Why
should I be bombarded by religious zealots telling me I should believe
in some hokey 2000 year old religion about some guy who got nailed to a
dead tree? 

Be it an old religion, or a new one, it does not matter. If they attempt
to extend their influence, they are dangerous. Human beings are very
irrational in their actions when it comes to pleasing a deity through
the commands of a religion. True believers of any religion are, by very
definition, irrational.



> Christopher Browne wrote:
> >
> > Centuries ago, Nostradamus foresaw a time when Salvador Peralta would say:
> > >What do you know about Scientology, Chris?
> >
> > Nothing that particularly fits this newsgroup.
> >
> > Do you represent Scientology in some manner?  Your approach of subtly
> > implicating that the German government has no right to make any dictums,
> > based on their "intolerance," is a most _wonderful_ way of causing people
> > to associate the present government with that at the time of WWII without
> > ever actually mentioning any of the "key words" that would cause anyone
> > to forcibly conclude a "Godwinning" (or "Godlosing") of the thread.
> >
> > You merely _implied_ some association between the present German
> > government and the Nazis, as opposed to coming out and saying that
> > anti-Scientology legislation indicates that they _are_ Nazis.
> >
> > I'm happy to see the thread end, and don't care to "win" any argument
> > here, so I'll call a spade a spade; you did a _good_ job of implying
> > the current government to be just another fascist government without
> > actually coming out and saying it.
> >
> > Point: Salvador Peralta.
> >
> > >My PoV is that it world government, especially the German government,
> > >should be tolerant of diversity.  What I know of Scientology deals less
> > >with religion and religiosity than it does with organizational
> > >principles.
> > >
> > >Government should never actively promote intolerance
> >
> > Never?
> >
> > Ah.  So governments should not promote intolerance towards child
> > molestation?  They should be tolerant towards wife beating?
> >
> > I think not... It is quite clear that there _are_ things that governments
> > should be _quite_ intolerant about.
> >
> > It seems reasonable for governments to be intolerant about those that
> > commit serious crimes.  That's pretty much what "prosecution" is about,
> > namely an indication that the government won't tolerate the crime.
> >
> > >Christopher Browne wrote:
> > >>
> > >> Centuries ago, Nostradamus foresaw a time when Salvador Peralta would say:
> > >> >Unfortunately, the article had nothing to do with m$ being a security
> > >> >risk from the software standpoint and everything to do with m$
> > >> >incorporating some of scientology's philosophies into their corporate
> > >> >model.  The German government has already given us enough intolerance
> > >> >for the next 2 centuries, IMHO.  Let's not applaud them for giving us
> > >> >more.
> > >>
> > >> Unfortunately, anything I can see of Scientology's behaviour seems to
> > >> me to be Rather Frightening.
> > >>
> > >> It is not at all obvious that being unwilling to tolerate Scientology
> > >> connections represents a move towards evil.
> > --
> > Rules of the Evil Overlord #155. "If I know of any heroes in the land,
> > I will not under any circumstance kill their mentors, teachers, and/or
> > best friends." <http://www.eviloverlord.com/>
> > [EMAIL PROTECTED] - - <http://www.hex.net/~cbbrowne/lsf.html>
> 
> --
> Salvador Peralta
> [EMAIL PROTECTED]
> http://www.la-online.com

-- 
Mohawk Software
Windows 9x, Windows NT, UNIX, Linux. Applications, drivers, support. 
Visit http://www.mohawksoft.com
"We've got a blind date with destiny, and it looks like she ordered the
lobster"

------------------------------

From: DeAnn Iwan <[EMAIL PROTECTED]>
Subject: Re: Linux Setup
Date: Thu, 11 May 2000 08:01:23 -0400


      There are two primary possibilities:  a hardware problem with the
cdrom and a cdrom interface that is unusual.  Most cdroms sold today are
ATAPI interface, the default kernel will handle these.  Some cdroms
require special servers (drivers).  These can be loaded as modules. 
Some things to try:  find out what kind of interface/server the cdrom
requires (the manufacturer's dot.com may have this info), find out what
server Suse recommends for this cdrom, contact Suse for help (if you
have an official distribution).

John Tankersley wrote:
> 
> Hello,
> My name is John Tankersley. I am seeking some help from anyone that has any
> advice or information. I am trying to install SuSE Linux 6.4 on a new
> machine.  I booted the machine with the first cd installed. The machine
> started reading the cd.  I checked the Language and Country to be installed.
> Next step was to start loading base system.  The unit does not recognize the
> cdrom player. I believe it is a Plextor unit.  I went into the BIOS setup
> and checked for the boot sequence.  I set it to boot A then C.  Saved it.
> Then retried to install base system.  Unit still does not recognize cdrom
> player.
> What should I be looking for? I was told that some of the older machines
> need a module installed to recognize the cdplayer. I am not sure if the bios
> is upgradable.  Thanks for any help.
> 
> John Tankersley
> [EMAIL PROTECTED]


------------------------------

From: Peter Ammon <[EMAIL PROTECTED]>
Crossposted-To: comp.sys.mac.advocacy,comp.os.ms-windows.nt.advocacy,comp.os.os2.advocacy
Subject: Re: Why only Microsoft should be allowed to create software
Date: Thu, 11 May 2000 08:08:03 -0400
Reply-To: [EMAIL PROTECTED]



Erik Funkenbusch wrote:
> 
> 
> That still doesn't indicate that MS's ONLY reason for the message was to
> drive them out of the market.  That's the message I'm responding to, the
> fact that driving them out of the market is not the only possible reason for
> it.


That's true.  Microsoft's other reasons for implementing the error
message were to get people who are using DR-DOS to call Microsoft, so
they can estimate the threat that DR-DOS poses to MS-DOS, and also to
have a ready excuse for their own buggy software.

Microsoft Vice President Brad Silverberg writes in an e-mail, "What the
guy is supposed to do is feel uncomfortable and when he has bugs,
suspect the problem is DR-DOS and then go and buy MS-DOS..."  The fact
that MS-DOS might not fix the bugs isn't relevant, since the user would
have already bought it.

-Peter

------------------------------

From: [EMAIL PROTECTED] (Fredrik Sandstrom)
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: Browsers and e-mail
Reply-To: [EMAIL PROTECTED]
Date: Thu, 11 May 2000 14:42:31 +0300

In article <KsmS4.15584$[EMAIL PROTECTED]>, Christopher Browne wrote:
>-- 
>Real Programmers are surprised when the odometers in their cars don't
>turn from 99999 to A0000.

Lisp Programmers are surprised that it is not implicitly coerced to a
bignum.


-- 
- Fredrik Sandstrom   [EMAIL PROTECTED]   http://infa.abo.fi/~fredrik -
               Computer Science at Abo Akademi University              --

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: How to properly process e-mail
Date: Thu, 11 May 2000 12:14:13 GMT

In article <8fdb70$t4g$[EMAIL PROTECTED]>,
  "Christopher Smith" <[EMAIL PROTECTED]> wrote:
>
> "Leslie Mikesell" <[EMAIL PROTECTED]> wrote in message
> news:8fd8so$23rj$[EMAIL PROTECTED]...
> > In article <8fd6v2$sbo$[EMAIL PROTECTED]>,
> > Christopher Smith <[EMAIL PROTECTED]> wrote:
> > >
> > >> >>
> > >> >>Does that mean that even there you can't tell the difference
> > >> >>between a gif and a script before executing it?
> > >> >>
> > >> >
> > >> >Huh? How do you get that from what I said?
> > >>
> > >> I didn't, which is why I am still asking questions.  Is the
> > >> difference between an image and a script obvious in preview mode
> > >> or not?  That is, can you tell if 'open' is dangerous?
> > >
> > >Yes.  Different icon, different file extension.
> >
> > So how does that tell you what is going to happen?
>
> If you "open" something that can execute code, it's very dangerous.
>
>

Exactly.  Which begs the question, what exactly is the point of this
feature?  Sendmail has been able to pipe email through programs for
decades.  That has many useful applications, such as the vacation
program and email filters.  But what possible reason could there be
for executing code from an email client?  Has there been an overwhelming
need for people to run untested programs from their mail reader?  Can
anyone ever remember being sent unsolicited software that was actually
useful?  Is that the preferred environment for launching programs in
the pc world?  Is this MS's attempt at a vacation program?  Let's
see... I wonder if the person I'm sending email to is on vacation.
I know, I'll write a program that will be executed on his system and
look around for evidence that he's logged on.  Of course, he'll have
to be there to launch the program in the first place, so that'll be a
pretty good indication that he's there.  Perhaps I lack imagination.
Give me one good application for that particular feature other than
annoying the hapless user who isn't up on every potential extension
and what it does.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy,alt.fan.bill-gates
Subject: Re: Microsoft: STAY THE FUCK OFF THE NET!!!
Date: Thu, 11 May 2000 12:20:34 GMT

  [EMAIL PROTECTED] (Leslie Mikesell) wrote:
> Certainly not without knowing what program is going to run.  The
> result of that is 100% predictable.  What basis could you possibly
> use to determine that code received in email is safe?  Three
> copies of the virus in my mailbox came from the company treasurer
> who wouldn't be expected to send anything damaging.  And I
> suspect that at least some of those were from his attempt
> to save and then open the attachment as a file.  So, how are
> you supposed to figure out what it is when every time you
> touch it, it executes?
>
yup, there's a point. M$ assumes their users are so dumb they won't ever
do anything else with their files than what M$ intended to - you can't
even look at the files without creating a notepad icon on your desktop
first & dragging the files to it, or changing its association. so the
innocent user has no choice but starting the virus, if SHe wants to know
what it is.

helge



------------------------------

From: [EMAIL PROTECTED] (abraxas)
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: simply being open source is no guarantee of security.
Date: 11 May 2000 12:35:39 GMT

In comp.os.linux.advocacy Charlie Ebert <[EMAIL PROTECTED]> wrote:
> Chad Myers wrote:
>> 
>> "Donal K. Fellows" <[EMAIL PROTECTED]> wrote in message
>> news:8dn2rt$adr$[EMAIL PROTECTED]...
>> > In article <8dh73f$v45$[EMAIL PROTECTED]>,
>> > Truckasaurus  <[EMAIL PROTECTED]> wrote:
>> > > "Making source code available to costumers"
>> >
>> > But what do they do with it?  Print it out (on a screen printer) and
>> > turn it into clothing?  :^)
>> >
>> > (Sure, I'm making fun of a spelling mistake.  But it was such a fun
>> > one to make that I couldn't help myself...)
>> 
>> However, it is a rather poignant faux pas. Linux is similar to the
>> emperor's clothing =)
>> 
>> You can see everything, but it still leaves you out in the cold =)
>>

Somehow it isn't surprising that you don't understand linux OR that
story.  :)




=====yttrx


------------------------------

From: Jeff Szarka <[EMAIL PROTECTED]>
Subject: Not so fast...
Date: Thu, 11 May 2000 12:37:05 GMT

As one would expect, there are many people in this group who refuse to
believe any sort of viruses or trojans could be created for Linux.
While it is true that the current fad of .vbs based viruses only
targets Windows, there are a number of ways a virus writer could
target Linux. 

1)      Infect source code, redistribute.
This would be very easy to do and there would be little way for a user
to detect an RPM file is infected with modified code. If you could gain
access to the FTP mirrors you could infect huge numbers of people.
Just how many users read all the source code in a program? (If any)
There would be no way to detect a modified RPM package to my
knowledge. Such a virus could install a back door, do mass mailings
(by reading mail client configurations) or destroy data. The
apache.org hacking showed not only can it be done but it can be done
to the makers of apache, that I would venture to guess runs 99.9% of
most Linux software projects web sites.

2)      User stupidity
"Hey Bob, run this .pl file, it'll fix a bug. Don't worry... it's a
patch from Linus. See how fast open source is to fix bugs..." 

"Hey Bob, here's an updated driver for your sound card. Don't worry...
it's safe to run..."

"Hey Bob, I got the new version of your favorite program. The mirror
sites are packed, I'll send it to you."

Etc. Maybe Bob will even get sent happy99.exe, Linux edition. 

3)      Lack of Linux virus scanners
If outbreaks did occur they would be impossible to detect without
customized programs. (Which could lead you right back to point #2)

4)      Distribution
The more distributions the more people who have access to code that
can be sent out to thousands of users. The larger name distributions
most likely would be safe (although we've seen that's not entirely
true already. See point #5) but smaller, most customized,
distributions could easily introduce back doors. (Which could lead to
outbreaks of new viruses) 

5)      Distribution Bloat
The sheer size of the code included with Linux opens the door for back
doors and other problems to slip by. (Which has already happened)

6)      User zealotry
A virus could spread simply because everyone running Linux thinks
they're safe. I'm sure many don't give a second thought about the
possibility of a virus outbreak. How many people blindly trust RPM's
to be safe? Lots.

7)      Pre-emptive strikes against security problems in open source
software
Why report the bug or fix it when you can exploit it first? 

8)      Lack of software upgrades
A mixed blessing but if something works it's not always updated. Many
security exploits are executed on systems running older software
because they're known to be open to an attack. 

9)      Developers bringing bugs with them.
You can argue that UNIX developers are less prone to introducing bugs
since traditionally UNIX has been a market for high reliability / high
security applications but what happens if Windows developers jump on
the Linux bandwagon? They'll bring their bugs with them. How many
Win32 apps have we seen store their passwords in plain text in an .ini
file? How many have buffer overflow exploits? 

10)     Possible influx of desktop users
Aka, targets. Aka, people who run happy99.exe

These faults are not unique to Linux but do prove the point that Linux
(and every other OS ever made) is open to viruses.  A recent CNN
article said Linux is safe because it is open source and promotes
competition. The above points, in some cases, take advantage of the
open source code. History also disputes this claim. There have been
glaring bugs in the past, which by this argument should have been
impossible. 


Something to think about before everyone climbs up into their ivory
towers and pretends it can't happen here.

------------------------------

Subject: Re: A pox on the penguin? (Linux Virus Epidemic)
From: John Culleton <[EMAIL PROTECTED]>
Date: Thu, 11 May 2000 05:46:12 -0700

OK, let's return to the original question.  Is it possible to hurt
a Linux system through a mail bomb type of attachment to email?
Is it possible for an ordinary user (not root) to destroy the
system from a terminal? I think we can all concede that any
system can be destroyed from the console and any system can be
destroyed by one with superuser privileges.

A part of the problem here is that Linux source code is available
to anyone. If you have a plan of the castle it is easier to
attack it. But I would like to see/hear about a successful attack
strategy through terminal access, ftp, mail, whatever that does
not involve prior knowledge of the root password. (Attacks that
ferret out the root password through some strategy are valid.)

John Culleton

* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


------------------------------

From: Seán Ó Donnchadha <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: How to properly process e-mail
Date: Thu, 11 May 2000 09:07:14 -0400

[EMAIL PROTECTED] (Rob S. Wolfram) wrote:

>
>Sorry, I disagree. Email attachments should *NOT* be executed by your
>MUA, period. If you get executable content via e-mail you should take
>the necessary steps to be able to execute it (i.e. save to disk and
>spawn it from the shell).
>

What's the major conceptual difference between (a) double-clicking and
issuing a confirmation and (b) saving to disk and launching from the
shell? Is it only that the former is "too easy"? Is that really the
reason behind all the vicious bashing?

>
>Nearly all MUA's available in Windows will execute email-content
>directly, possibly after issuing a security warning (remember
>Happy99.exe or ExplorerZip.exe?). The only Unix MUA I know that does
>this is dtmail.
>

Don't forget about obscure little things like Netscape Communicator
and Lotus Notes.

>
>But the latter does demonstrate that it's not an OS problem, it's an
>application problem.
>

I think it's a philosophical issue. Should mailers provide an easy way
to launch attachments, or shouldn't they?
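
The question running through this thread (can a mail reader tell an image from a script before "open" does anything?), worked as an added example that is not part of any poster's message: a triage function that inspects each attachment's file name and leading bytes and marks anything executable, double-extended or mislabelled as save-only. The extension list, the magic-byte table, the verdict names and the sample message are constructed assumptions.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions a desktop shell hands to an interpreter or loader (assumed list).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".js", ".pl", ".sh"}
IMAGE_EXTS = {".gif", ".png", ".jpg", ".jpeg"}

# Leading bytes -> content family; deliberately small, extend as needed.
MAGIC = [
    (b"GIF87a", "image"), (b"GIF89a", "image"),
    (b"\x89PNG\r\n\x1a\n", "image"), (b"\xff\xd8\xff", "image"),
    (b"MZ", "executable"), (b"\x7fELF", "executable"), (b"#!", "executable"),
]

def sniff(data):
    """Classify content by its first bytes, ignoring name and declared type."""
    for magic, family in MAGIC:
        if data.startswith(magic):
            return family
    return "unknown"

def triage(raw_message):
    """Return [(filename, verdict, reasons)] for every attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        stem, ext = os.path.splitext(name.lower())
        family = sniff(data)
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension " + ext)
        if os.path.splitext(stem)[1]:
            reasons.append("double extension")
        if family == "executable":
            reasons.append("content starts with an executable header")
        if ext in IMAGE_EXTS and family != "image":
            reasons.append("named as an image but content is not one")
        # Anything flagged may be written to disk but never launched by the MUA.
        results.append((name, "save-only" if reasons else "viewable", reasons))
    return results

def build_sample():
    """Constructed message with three inert attachments."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("see attachments")
    m.add_attachment(b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
                     maintype="image", subtype="gif", filename="holiday.gif")
    m.add_attachment(b'MsgBox "constructed"\r\n', maintype="application",
                     subtype="octet-stream", filename="notes.txt.vbs")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 16,
                     maintype="image", subtype="gif", filename="picture.gif")
    return m.as_bytes()

if __name__ == "__main__":
    for name, verdict, reasons in triage(build_sample()):
        print(f"{name:16} {verdict:10} {'; '.join(reasons)}")
```

The third sample attachment shows why icon and extension alone do not settle it: the name and declared type say GIF, the leading bytes say otherwise.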

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.advocacy) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Advocacy Digest
******************************
