On Fri, 19 Sep 2003 12:54:13 +1200
Christopher Sawtell <[EMAIL PROTECTED]> wrote:
> On Fri, 19 Sep 2003 11:49, you wrote:
> > On Fri, Sep 19, 2003 at 11:27:33AM +1200, Christopher Sawtell wrote:
> > > You don't, you pass laws which forbid the sale of insecure boxes to
> > > consumers, AND pass the liability of costs back to the manufacturer of
> > > Granny's insecure o/s.
> >
> > Who determines that the operating system and all of the installed
> > software is secure?
>
> > How do they determine this?
> Of course we all know that it's impossible to prove a negative, but even an
> attempt to improve the effectiveness of the quality control would be appreciated
> by us all. How? In exactly the same way as the virus and worm writers discover
> the holes. It would be sensible to offer real prizes to the virus writers.
> The cost would be minuscule compared to the cost of the clean up operations.
> But if that were to happen the whole anti-virus industry would become redundant,
> so it won't happen. There are too many billions involved.
>
> Theo de Raadt and his helpers have made a (nearly) secure o/s. I say
> 'nearly' above because, as I understand it, it is impossible to make a totally
> secure o/s on the x86 architecture, because there is no possibility at the
> hardware level, of preventing buffer overflows, or bit patterns in the stack
> area of memory being executed, or the text area of a program being written over.
> That's my understanding of the x86 architecture, I'd love to be corrected.
> x86 was a wonderful little micro and did great things 20 years ago, but imho
> it cannot safely support what it is being asked to do today and should be declared
> 'Deprecated'.
>
> There is absolutely no reason why William Gates III and his helpers cannot
> spend a mere bagatelle of their umpteen billions to at least attempt to
> emulate the OpenBSD ideal.
>
> > Who assumes liability for free operating systems like Linux, HURD and
> > {Free,Net,Open}BSD?
> That's the rub for us isn't it? Some sort of fidelity fund I suppose.
>
The thing is that all OSes and software that sits on top of them have
flaws. OpenSSH just had one or two.
All of the recent MS problems could have been fixed if users had patched
when MS released the fixes, well ahead of the ensuing attacks. That is a
two-headed issue - the fscked MS patch system AND (perhaps more
importantly) a user issue. I posted a link in recent times to an article
about the patching system.
I dare say there are plenty of Linux/BSD machines out there with
unpatched OpenSSH, sendmail, and probably plenty of other programs, and
without adequate firewalling because they connect direct to the net via
a modem (analog, cable, DSL, whatever).
Anyway, you all know what I think of MS, but don't blame them entirely
for users failing to patch their machines.
> --
> Sincerely etc.,
> Christopher Sawtell
>
--
Nick Rout <[EMAIL PROTECTED]>