Re: Is open source more secure? [was Re: Moving to Linux]

[Shlomi Fish]

Hi!

Just wanted to note that I fully agree with everything Amos Shapira said on 
this message. Hear, hear!

Regards,

Shlomi Fish

On Saturday 14 May 2005 03:33, Amos Shapira wrote:
 On 5/13/05, Yedidyah Bar-David [EMAIL PROTECTED] wrote:
  common as a server. So the crackers develop means to break linux
  servers. If/When linux is very common on the desktop, you'll start
  seeing the same there.

 Same flawed FUD used by the MS camp. Apache is the most common
 web server in the world and still it is cracked much less than IIS.
 Same situation (server, public net) still different results.


-
Shlomi Fish  [EMAIL PROTECTED]
Homepage:http://www.shlomifish.org/

Tcl is LISP on drugs. Using strings instead of S-expressions for closures
is Evil with one of those gigantic E's you can find at the beginning of 
paragraphs.

=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]

Re: Is open source more secure? [was Re: Moving to Linux]

[Uri Bruck]

Shlomi Fish wrote:

It's bread and circuses in English, AFAIR. Comes from Latin, if I know.
Right and Right.
http://www.bartleby.com/61/39/B0463950.html

--
Thanks,
Uri
http://translation.israel.net
=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]

Re: Is open source more secure? [was Re: Moving to Linux]

[Yedidyah Bar-David]

On Sat, May 14, 2005 at 10:33:42AM +1000, Amos Shapira wrote:
 On 5/13/05, Yedidyah Bar-David [EMAIL PROTECTED] wrote:
  common as a server. So the crackers develop means to break linux
  servers. If/When linux is very common on the desktop, you'll start
  seeing the same there.
 
 Same flawed FUD used by the MS camp. Apache is the most common
 web server in the world and still it is cracked much less than IIS.
 Same situation (server, public net) still different results.
 
  To get to even more philosophical ideas - I must say I do not accuse MS
  for behaving the way it behaves. I accuse the users. Users want Bread
 
 I *DO* accuse MS. They kept reasoning that people want convenience
 and that they must compromise security to give it to them.

I never intended to imply that in order to give convenience you have
to compromise security. What I wanted to say is that MS gives people
what they want. Most people do not care much about security, so MS
does not invest in it. Of course doing both is possible, as you showed.

Or maybe I should say, people do not care _enough_ about security. They
(most of them) would not consider moving off Windows only because it's
not (less?) secure. I also guess that most people say to themselves that
Windows can't be _that_ bad, or else less and less people would use it.
A billion flies can't be wrong. Eat shit!.

All of this, BTW, refers to a few years ago. Recent years changed
both the understanding of the average users and their options. But I
am not sure that we are close to World Domination (tm). I am
personally waiting for this since 1997, when Byte first had the item
Linux in a Gray Flannel Suit. Oh was I excited! 
-- 
Didi


=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]

Re: Is open source more secure? [was Re: Moving to Linux]

[Amos Shapira]

On 5/14/05, Yedidyah Bar-David [EMAIL PROTECTED] wrote:
 On Sat, May 14, 2005 at 10:33:42AM +1000, Amos Shapira wrote:
  On 5/13/05, Yedidyah Bar-David [EMAIL PROTECTED] wrote:
   common as a server. So the crackers develop means to break linux
   servers. If/When linux is very common on the desktop, you'll start
   seeing the same there.
 
  Same flawed FUD used by the MS camp. Apache is the most common
  web server in the world and still it is cracked much less than IIS.
  Same situation (server, public net) still different results.
 
   To get to even more philosophical ideas - I must say I do not accuse MS
   for behaving the way it behaves. I accuse the users. Users want Bread
 
  I *DO* accuse MS. They kept reasoning that people want convenience
  and that they must compromise security to give it to them.
 
 I never intended to imply that in order to give convenience you have
 to compromise security. What I wanted to say is that MS gives people

I was stressing the point that it is MS's fault (as opposed to your I
do not accuseMS quoted above). They made the decisions to
provide insecure software. What could their users do about MS's
software?

 what they want. Most people do not care much about security, so MS
 does not invest in it. Of course doing both is possible, as you showed.

So what's wrong with what users did? They eat what MS feeds them.

--Amos

To unsubscribe, 
send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]

Re: Is open source more secure? [was Re: Moving to Linux]

[Yedidyah Bar-David]

On Sat, May 14, 2005 at 09:10:59PM +1000, Amos Shapira wrote:
 On 5/14/05, Yedidyah Bar-David [EMAIL PROTECTED] wrote:
  On Sat, May 14, 2005 at 10:33:42AM +1000, Amos Shapira wrote:
   On 5/13/05, Yedidyah Bar-David [EMAIL PROTECTED] wrote:
common as a server. So the crackers develop means to break linux
servers. If/When linux is very common on the desktop, you'll start
seeing the same there.
  
   Same flawed FUD used by the MS camp. Apache is the most common
   web server in the world and still it is cracked much less than IIS.
   Same situation (server, public net) still different results.
  
To get to even more philosophical ideas - I must say I do not accuse MS
for behaving the way it behaves. I accuse the users. Users want Bread
  
   I *DO* accuse MS. They kept reasoning that people want convenience
   and that they must compromise security to give it to them.
  
  I never intended to imply that in order to give convenience you have
  to compromise security. What I wanted to say is that MS gives people
 
 I was stressing the point that it is MS's fault (as opposed to your I
 do not accuseMS quoted above). They made the decisions to
 provide insecure software. What could their users do about MS's
 software?
 
  what they want. Most people do not care much about security, so MS
  does not invest in it. Of course doing both is possible, as you showed.
 
 So what's wrong with what users did? They eat what MS feeds them.

Microsoft is a company. It makes money. That's its goal. There are good
companies, there are bad ones. This one is bad. So what? Noone forces
people to be customers. Of course MS puts a very strong pressure on
people to be. So strong most of them do not even realize they have a
choice. I do not claim I am happy about the situation. But I do not
think MS could have arrived to where it is today if most of the people
in the world would behave and think like we (without defining what
exactly is we) do.
-- 
Didi


=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]

Re: Is open source more secure? [was Re: Moving to Linux]

[Michael Vasiliev]

On Friday May 13 2005 15:42, Shlomi Fish wrote:
   Actually, a default install of Fedora took several months to break
   into. As opposed to less than 20 minutes for Windows.
 
  Could you please provide the source for that claim?  I remember an
  anecdotial honeypots research in recent years done to test that. But
  there they actually have made the installation less secure than the
  default (bad passowrds, extra services available).

 I heard of the 20 minutes of Windows from two different sources. I found
 the Linux one on LWN.net IIRC. (or Slashdot?)

 BTW, the Fedora system wasn't updated with timely updates, which makes it
 even more impressive.

OK, this is just not true. The fact that windows boxes mooning the whole Net 
get hacked in number of minutes represent only the sole fact that hackers 
love the windows boxes more. Why? Let's look on that from cracker's point of 
view:

1) Majority of windows users are bereft of gorm. They don't have anything to 
protect them. They don't patch up vulnerabilities on regular basis. Thus, 
writing automatic tools to scan, try a number of latest win exploits, if 
successful, upload zombie software and patch the hole, rinse, repeat whole 
network segments actually pays up in gold. There are people earning their 
living off that. As of linux users, you can expect a clue from someone who 
managed to eventually install it. 

2) As previously said, there are far more windows boxes than linux ones. 
Moreover, there are more windows workstations than linux ones. Servers are 
generally harder to crack, as they are set up by a professional. See #1.

3) One can live for years on a windows box. Only thing one have to worry about 
is the plain old format c:; reinstall windows. Be a good guy, make yourself 
a silent backdoor, clean up the viruses and spyware, patch up the holes in 
time, perform the maintenance tasks and don't slow up the games too much. As 
long as user feels no discomfort, the cracker is safe. As of linux, the 
system administrator actually pays attention at what's running and bandwidth 
usage.

4) Statistically speaking, windows workstations has less uptime than linux 
ones. So, they change IPs more. Do I have to mention why this is good?

There is almost no difference in how the default install of windows or 
non-hardened linux is hard to break. Any default install is weak, even with 
latest updates, and cannot withstand brainstorming by a team of crackers. The 
interesting experiment of a default install caught in a sweep of automatic 
cracking software only shows that spammers and DDOS coordinators still have 
the money to pay for zombies by the thousand, and not by quality. Only way to 
get thousands is to mass-crack windows workstations. Who has the time to do 
it manually?
Setting a honeypot is much like throwing a theoretical hook to a random 
location in the ocean. There is a tiny chance to catch a small fish, 
infinitesimally small chance to catch a big one, and a big chance of having 
your hook caught in someone else's fishing net.

-- 
Sincerely Yours,
Michael Vasiliev

...this does not mean that some of us should not want, in a rather
dispassionate sort of way, to put a bullet through csh's head.
Larry Wall in [EMAIL PROTECTED]

=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]

Re: Is open source more secure? [was Re: Moving to Linux]

[Omer Zak]

On Fri, 2005-05-13 at 10:18 +0300, Ori Idan wrote:
 I think this is an academic debate if GNU/Linux is more secured or not.
 
 For the simple people, let us look at the facts:
 
 1. When was the last time any of this list members has seen a virus in
 his GNU/Linux desktop? (I guess the answer is never)
 
 2. When was the last time you had a spyware in your desktop? (again the
 answer is never)

Another criterion is the level of severity of publicized vulnerabilities
in MS-Windows based vs. Free Software based operating systems and
applications.

The non-quantified gut feeling is that the typical case is that a
MS-Windows/IE vulnerability is a critical one, which allows a malicious
hacker to take over your PC and turn it into a zombie at one step.  This
can happen even if you do not make the mistake of authorizing malicious
software to be installed.

The typical serious Linux/FireFox vulnerability still requires some
additional vulnerabilities and/or operator mistakes to cause a break-in.

This reminds me of recent news about Symbian OS based viruses.  It turns
out that so far, in every case, in order for a virus to actually spread,
the Symbian OS based cellular phone user needs to explicitly permit the
receipt of a message and/or installation of software on his cellular
phone.  So the stories about Symbian OS viruses look to me thus far like
a spin by their competitors.
   --- Omer
-- 
MS-Windows is the Pal-Kal of the PC world.
My own blog is at http://www.livejournal.com/users/tddpirate/

My opinions, as expressed in this E-mail message, are mine alone.
They do not represent the official policy of any organization with which
I may be affiliated in any way.
WARNING TO SPAMMERS:  at http://www.zak.co.il/spamwarning.html


=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]

Re: Is open source more secure? [was Re: Moving to Linux]

[Yedidyah Bar-David]

On Fri, May 13, 2005 at 10:18:49AM +0300, Ori Idan wrote:
 I think this is an academic debate if GNU/Linux is more secured or not.
 
 For the simple people, let us look at the facts:
 
 1. When was the last time any of this list members has seen a virus in
 his GNU/Linux desktop? (I guess the answer is never)
 
 2. When was the last time you had a spyware in your desktop? (again the
 answer is never)
 
 So the end result is: GNU/LINUX IS MORE SECURED.

No, the end result is that the members of this list are more
security-aware than the average. Much more so. I'd make a wild guess -
even if all of the members here used XP/MS Office regularly, they would
still have much much less virii/spywares than the average. OTOH, if 80%
of the world's computer users used Linux, you'd see more viruses and
spyware in Linux. Maybe not as much, maybe with less average damage, but
while I agree to your conclusion, I do not agree to the reasoning.

This reminds me of Paul Graham's articles, in which he claims that LISP
programmers are better. But why is it so (whether or not you agree to
the conclusion)? There are at least two opposite reasons: 1. Because
programmers that learned LISP become better 2. Because good programmers
prefer LISP when they come to know it.

Just to prove my point - everyone here will agree that putting a default
install of most major distros open in the net without some kind of
firewall or hardening will very quickly make it broken into (I know
about exceptions, no need to remind me). Why?  Because linux is very
common as a server. So the crackers develop means to break linux
servers. If/When linux is very common on the desktop, you'll start
seeing the same there.

To get to even more philosophical ideas - I must say I do not accuse MS
for behaving the way it behaves. I accuse the users. Users want Bread
and fun (LECHEM VESHA`ASHU`IM). Users do not want freedom. They do
not want security. Nor power, nor robustness. They want a lot of
software, that doesn't require them to read anything or to think in
order to use it (note I did not use the shorter term easy to use, I
know it won't pass some tests). So that's what MS sells to them. It's
not that I agree to all of MS's policies - but I think this is the root
cause.
-- 
Didi


=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]

Re: Is open source more secure? [was Re: Moving to Linux]

[Shlomi Fish]

On Friday 13 May 2005 12:05, you wrote:
 On Fri, May 13, 2005 at 10:18:49AM +0300, Ori Idan wrote:
  I think this is an academic debate if GNU/Linux is more secured or not.
 
  For the simple people, let us look at the facts:
 
  1. When was the last time any of this list members has seen a virus in
  his GNU/Linux desktop? (I guess the answer is never)
 
  2. When was the last time you had a spyware in your desktop? (again the
  answer is never)
 
  So the end result is: GNU/LINUX IS MORE SECURED.

 No, the end result is that the members of this list are more
 security-aware than the average. Much more so. I'd make a wild guess -
 even if all of the members here used XP/MS Office regularly, they would
 still have much much less virii/spywares than the average. OTOH, if 80%
 of the world's computer users used Linux, you'd see more viruses and
 spyware in Linux. Maybe not as much, maybe with less average damage, but
 while I agree to your conclusion, I do not agree to the reasoning.


Possibly.

 This reminds me of Paul Graham's articles, in which he claims that LISP
 programmers are better. But why is it so (whether or not you agree to
 the conclusion)? There are at least two opposite reasons: 1. Because
 programmers that learned LISP become better 2. Because good programmers
 prefer LISP when they come to know it.

No. 1 is true, naturally. No. 2 is not true - I know LISP but I prefer Perl. 
Other like Python, etc. The reasons I don't prefer LISP are:

1. The standards of Common LISP and Scheme don't define anything practical.
2. LISP is at the moment incredibly verbose.
3. As Larry Wall noted, all LISP code comes in parenthesis and so it all looks 
the same. (Perl is the exact opposite in this regard).
4. I cannot make heads nor tails of serious LISP code. Many LISPers create so 
many macros and use them along with regular LISP code, so you keep having to 
refer to the previous definitions, and make a lot of research to get you 
started.

SICP Scheme is easy and fun. But serious LISP code can take too much time to 
understand. OTOH, recently I had little problem reading the source code of 
other Perl programmers, and extending it or fixing bugs. (likewise for 
Python). 


 Just to prove my point - everyone here will agree that putting a default
 install of most major distros open in the net without some kind of
 firewall or hardening will very quickly make it broken into (I know
 about exceptions, no need to remind me). Why?  Because linux is very
 common as a server. So the crackers develop means to break linux
 servers. If/When linux is very common on the desktop, you'll start
 seeing the same there.

Actually, a default install of Fedora took several months to break into. As 
opposed to less than 20 minutes for Windows.


 To get to even more philosophical ideas - I must say I do not accuse MS
 for behaving the way it behaves. I accuse the users. Users want Bread
 and fun (LECHEM VESHA`ASHU`IM). 

It's bread and circuses in English, AFAIR. Comes from Latin, if I know.

 Users do not want freedom. They do 
 not want security. Nor power, nor robustness. They want a lot of
 software, that doesn't require them to read anything or to think in
 order to use it (note I did not use the shorter term easy to use, I
 know it won't pass some tests). So that's what MS sells to them. It's
 not that I agree to all of MS's policies - but I think this is the root
 cause.

From my experience mundane users want computers and software that just 
works. Gets the job done, has no bugs, that has all the necessary features, 
that does things the way you're used to. Somewhat like a toaster. I believe 
Linux does that much better than Windows. The main problem of Linux right now 
is compatiblity with Windows formats and protocols. But it's getting better.

Regards,

Shlomi Fish

-
Shlomi Fish  [EMAIL PROTECTED]
Homepage:http://www.shlomifish.org/

Tcl is LISP on drugs. Using strings instead of S-expressions for closures
is Evil with one of those gigantic E's you can find at the beginning of 
paragraphs.

To unsubscribe, 
send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]

Re: Is open source more secure? [was Re: Moving to Linux]

[Tzafrir Cohen]

On Fri, May 13, 2005 at 12:05:45PM +0300, Yedidyah Bar-David wrote:
 On Fri, May 13, 2005 at 10:18:49AM +0300, Ori Idan wrote:
  I think this is an academic debate if GNU/Linux is more secured or not.
  
  For the simple people, let us look at the facts:
  
  1. When was the last time any of this list members has seen a virus in
  his GNU/Linux desktop? (I guess the answer is never)

Actually you should compare Linux here to Mac, due to a more similar
market share.

 Just to prove my point - everyone here will agree that putting a default
 install of most major distros open in the net without some kind of
 firewall or hardening will very quickly make it broken into (I know
 about exceptions, no need to remind me). 

The default installation of most major distros (not Debian, though) does
include a firewall and does remove most unnecessary services. Has been
in the recent two years or so.

-- 
Tzafrir Cohen | [EMAIL PROTECTED] | VIM is
http://tzafrir.org.il |   | a Mutt's  
[EMAIL PROTECTED] |   |  best
ICQ# 16849755 |   | friend

=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]

Re: Is open source more secure? [was Re: Moving to Linux]

[Tzafrir Cohen]

On Fri, May 13, 2005 at 02:20:26PM +0300, Shlomi Fish wrote:
 On Friday 13 May 2005 12:05, Didi wrote:

The reasons I don't prefer LISP are:

[snip]

We're here for windows vs. linux religous wars. Hackers-il is for
languages religious wars. This thread is long enough as it is.

  Just to prove my point - everyone here will agree that putting a default
  install of most major distros open in the net without some kind of
  firewall or hardening will very quickly make it broken into (I know
  about exceptions, no need to remind me). Why?  Because linux is very
  common as a server. So the crackers develop means to break linux
  servers. If/When linux is very common on the desktop, you'll start
  seeing the same there.
 
 Actually, a default install of Fedora took several months to break into. As 
 opposed to less than 20 minutes for Windows.

Could you please provide the source for that claim?  I remember an
anecdotial honeypots research in recent years done to test that. But
there they actually have made the installation less secure than the
default (bad passowrds, extra services available). 

Too lazy to dig out a link, though.

-- 
Tzafrir Cohen | [EMAIL PROTECTED] | VIM is
http://tzafrir.org.il |   | a Mutt's  
[EMAIL PROTECTED] |   |  best
ICQ# 16849755 |   | friend

=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]

Re: Is open source more secure? [was Re: Moving to Linux]

[Shlomi Fish]

On Friday 13 May 2005 15:01, Tzafrir Cohen wrote:
 On Fri, May 13, 2005 at 02:20:26PM +0300, Shlomi Fish wrote:
  On Friday 13 May 2005 12:05, Didi wrote:
 
 The reasons I don't prefer LISP are:

 [snip]

 We're here for windows vs. linux religous wars. Hackers-il is for
 languages religious wars. This thread is long enough as it is.


Hmmm... yes. Well, feel free to reply to me in private, or to transfer the 
reply to Hackers-IL.

   Just to prove my point - everyone here will agree that putting a
   default install of most major distros open in the net without some kind
   of firewall or hardening will very quickly make it broken into (I know
   about exceptions, no need to remind me). Why?  Because linux is very
   common as a server. So the crackers develop means to break linux
   servers. If/When linux is very common on the desktop, you'll start
   seeing the same there.
 
  Actually, a default install of Fedora took several months to break into.
  As opposed to less than 20 minutes for Windows.

 Could you please provide the source for that claim?  I remember an
 anecdotial honeypots research in recent years done to test that. But
 there they actually have made the installation less secure than the
 default (bad passowrds, extra services available).


I heard of the 20 minutes of Windows from two different sources. I found the 
Linux one on LWN.net IIRC. (or Slashdot?)

BTW, the Fedora system wasn't updated with timely updates, which makes it even 
more impressive.

Regards,

Shlomi Fish

-
Shlomi Fish  [EMAIL PROTECTED]
Homepage:http://www.shlomifish.org/

Tcl is LISP on drugs. Using strings instead of S-expressions for closures
is Evil with one of those gigantic E's you can find at the beginning of 
paragraphs.

=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]

Re: Is open source more secure? [was Re: Moving to Linux]

[Amos Shapira]

On 5/13/05, Ori Idan [EMAIL PROTECTED] wrote:
 I think this is an academic debate if GNU/Linux is more secured or not.
 
 For the simple people, let us look at the facts:
 
 1. When was the last time any of this list members has seen a virus in
 his GNU/Linux desktop? (I guess the answer is never)
 
 2. When was the last time you had a spyware in your desktop? (again the
 answer is never)
 
 So the end result is: GNU/LINUX IS MORE SECURED.

It's a bit like concluding that pickles are dangerous to your health -
after all 100% of people who have eaten pickles eventually die.

--Amos

To unsubscribe, 
send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]

Re: Is open source more secure? [was Re: Moving to Linux]

[Amos Shapira]

On 5/13/05, Yedidyah Bar-David [EMAIL PROTECTED] wrote:
 common as a server. So the crackers develop means to break linux
 servers. If/When linux is very common on the desktop, you'll start
 seeing the same there.

Same flawed FUD used by the MS camp. Apache is the most common
web server in the world and still it is cracked much less than IIS.
Same situation (server, public net) still different results.

 To get to even more philosophical ideas - I must say I do not accuse MS
 for behaving the way it behaves. I accuse the users. Users want Bread

I *DO* accuse MS. They kept reasoning that people want convenience
and that they must compromise security to give it to them.
Well:
1. See OS X.
2. See the linux desktops - they are coming close and nobody thinks
of giving up security. (my conclusion - you don't have to give up security
in order to give convenience, not like MS did).
3. I've just heard yesterday that MS announced that Longhorn will make
viruses and malware a thing of the past. If they can do it in Longhorn then
why couldn't they do it before?

 and fun (LECHEM VESHA`ASHU`IM). Users do not want freedom. They do
 not want security. Nor power, nor robustness. They want a lot of
 software, that doesn't require them to read anything or to think in
 order to use it (note I did not use the shorter term easy to use, I
 know it won't pass some tests). So that's what MS sells to them. It's
 not that I agree to all of MS's policies - but I think this is the root
 cause.

Again - you imply there is a correlation between conveneience is opposite
of secure, you seem to have just been convinced by MS's flawed reasoning.
I do not agree with you and ask you to re-think it.

 --
 Didi

--Amos

To unsubscribe, 
send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]