Re: Testing security of SM 1.x and 2.x
Dennis McCunney a exprimé avec précision : > On 4/2/2010 4:30 PM, * JeffM: >> Paul wrote: >>> I also don't see why every one is so worried about viruses, zombies, etc. >>> >> When you use an OS that has you always running as root >> (e.g. the standard version of Puppy), >> drive-by infections and the ability of any user to bork the OS >> are constant worries. >> >> The logical solution is to get an OS that has proper user levels. >> There has been a Puplet with this feature since November 2009. > Puppy gets away with it because it's an explicitly single-user system. > There *aren't* other users to bork the OS. If Puppy was a shared > system, that would be an issue, but if you expect others besides you to > ever use the box, Puppy isn't what you run. > (I've seen discussions on the Puppy forum who want to set up the system > so others like family members can use it. That's not a simple task.) > And the likelihood of "drive by infections" is minimal, considering that > it's a Linux system, and by default uses SeaMonkey 1.1X as the > browser/email client. > If you think about it, MS-DOS, and Windows up to Vista used the "the > logged on user is administrator with all powers" approach. Vista caused > much wailing and gnashing of teeth because it defaulted to a "power > user" profile and required "run as admin" settings for many things > people were used to doing, but it's arguably what Windows should have > done to begin with. > I run Puppy, as well as Ubuntu 9.10 on an old Fujitsu Lifebook p2110 > with an 867mhz Crusoe processor, 256MB RAM, and a 40GB UDMA 4 HD. I got > Puppy because I was looking for a distro that would actually run > acceptably on limited hardware. Puppy does, more or less. I originally > installed Xubuntu along with Puppy, but it was snail slow. Wiping the > partition, reformatting as ext4, and installing Ubuntu from the > MinimalCD to get a bare bones command line instalaltion, then grabbing > Xfce4 and other preferred packages with apt-get produced a system that > isn't as sprightly as Puppy, but is usable if I'm patient. > I have static builds of SM 1.1.19 and 2.04, and Opera 10.10 installed > under Puppy, as well as Google Chrome 5.0 Beta, Firefox 3.6 and a few > other things like Midori and Dillo installed. To the extent I browse > from the Puppy box, I use SM 1.1.19. FF 3.6 is my preferred browser on > my desktop, bit it's just too bag and slow on the Puppy box (it takes > over 30 seconds just to load, and is sluggish once up.) SeaMonkey 2.04 > isn't much better. Unfortunately, current versions of Mozilla products > just aren't suitable for lower end kit. They need more horsepowwer than > the box is likely to have. > Puppy tends to get installed on lower end hardware that things like Red > Hat, SuSE and Ubuntu are simply too much for. (My Puppy box is about in > the middle of what is run in Puppy land. There are machines with 200mhz > CPUs and 64MB RAM successfully running versions of Puppy. Try that with > most distros, and see how far you get.) > I started using *nix in the 80's with AT&T System V Release 2, and have > used a variety of flavors since. Puppy's "All root, all the time" > approach took considerable adjustment, and I'd like to run a multi-user > version. (Puppy forum member Pizzasgood's puplet is based on the 4.21 > release, and reproducing his work in the current 4.31 release would be a > challenge.) So I grit my teeth, and run s root, but security isn't my > big concern when I do so. > __ > Dennis Hi, nice to see you here as well. There is nothing I can add to this. Béèm -- [URL=http://users.kbc.skynet.be/fi001005] *Belgische Ardennen - Ardennes Belge [/URL] ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: Testing security of SM 1.x and 2.x
On 4/2/2010 4:30 PM, * JeffM: > Paul wrote: >> I also don't see why every one is so worried about viruses, zombies, etc. >> > When you use an OS that has you always running as root > (e.g. the standard version of Puppy), > drive-by infections and the ability of any user to bork the OS > are constant worries. > > The logical solution is to get an OS that has proper user levels. > There has been a Puplet with this feature since November 2009. Puppy gets away with it because it's an explicitly single-user system. There *aren't* other users to bork the OS. If Puppy was a shared system, that would be an issue, but if you expect others besides you to ever use the box, Puppy isn't what you run. (I've seen discussions on the Puppy forum who want to set up the system so others like family members can use it. That's not a simple task.) And the likelihood of "drive by infections" is minimal, considering that it's a Linux system, and by default uses SeaMonkey 1.1X as the browser/email client. If you think about it, MS-DOS, and Windows up to Vista used the "the logged on user is administrator with all powers" approach. Vista caused much wailing and gnashing of teeth because it defaulted to a "power user" profile and required "run as admin" settings for many things people were used to doing, but it's arguably what Windows should have done to begin with. I run Puppy, as well as Ubuntu 9.10 on an old Fujitsu Lifebook p2110 with an 867mhz Crusoe processor, 256MB RAM, and a 40GB UDMA 4 HD. I got Puppy because I was looking for a distro that would actually run acceptably on limited hardware. Puppy does, more or less. I originally installed Xubuntu along with Puppy, but it was snail slow. Wiping the partition, reformatting as ext4, and installing Ubuntu from the MinimalCD to get a bare bones command line instalaltion, then grabbing Xfce4 and other preferred packages with apt-get produced a system that isn't as sprightly as Puppy, but is usable if I'm patient. I have static builds of SM 1.1.19 and 2.04, and Opera 10.10 installed under Puppy, as well as Google Chrome 5.0 Beta, Firefox 3.6 and a few other things like Midori and Dillo installed. To the extent I browse from the Puppy box, I use SM 1.1.19. FF 3.6 is my preferred browser on my desktop, bit it's just too bag and slow on the Puppy box (it takes over 30 seconds just to load, and is sluggish once up.) SeaMonkey 2.04 isn't much better. Unfortunately, current versions of Mozilla products just aren't suitable for lower end kit. They need more horsepowwer than the box is likely to have. Puppy tends to get installed on lower end hardware that things like Red Hat, SuSE and Ubuntu are simply too much for. (My Puppy box is about in the middle of what is run in Puppy land. There are machines with 200mhz CPUs and 64MB RAM successfully running versions of Puppy. Try that with most distros, and see how far you get.) I started using *nix in the 80's with AT&T System V Release 2, and have used a variety of flavors since. Puppy's "All root, all the time" approach took considerable adjustment, and I'd like to run a multi-user version. (Puppy forum member Pizzasgood's puplet is based on the 4.21 release, and reproducing his work in the current 4.31 release would be a challenge.) So I grit my teeth, and run s root, but security isn't my big concern when I do so. __ Dennis ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: Testing security of SM 1.x and 2.x
Paul wrote: >I also don't see why every one is so worried about viruses, zombies, etc. > When you use an OS that has you always running as root (e.g. the standard version of Puppy), drive-by infections and the ability of any user to bork the OS are constant worries. The logical solution is to get an OS that has proper user levels. There has been a Puplet with this feature since November 2009. ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: Testing security of SM 1.x and 2.x
Paul a émis l'idée suivante : > Bernard Mercier wrote: >> Dans son message précédent, Paul a écrit : >>> Bernard Mercier wrote: I have discussion in the puppy linux forum about SM security. A forum member claims that the developers say: *even the devs are saying it is not secure enough.* I did a test with this link: http://bcheck.scanit.be/bcheck/ on my SM 2.0.. SM 2.0.3 passed all tests ok. Is this a valid test link? Are there others? What is your opinion? >> >>> SM 1117 passed all tests. >>> "Congratulations! The test has found no vulnerabilities in your browser!" >> Yes, but as Robert Kaiser pointed out in a reply to me, those tests aren't >> really meaningful. > I agree. I also don't see why every one is so worried about > viruses, zombies, etc. Personally I am not worried. I run linux as root (puppy linux) and wine for several years already and never had an issue. But I was engaged in a discussion about this in the puppy linux forum. Hence my post. -- [URL=http://users.kbc.skynet.be/fi001005] *Belgische Ardennen - Ardennes Belge [/URL] ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: Testing security of SM 1.x and 2.x
Bernard Mercier wrote: Dans son message précédent, Paul a écrit : Bernard Mercier wrote: I have discussion in the puppy linux forum about SM security. A forum member claims that the developers say: *even the devs are saying it is not secure enough.* I did a test with this link: http://bcheck.scanit.be/bcheck/ on my SM 2.0.. SM 2.0.3 passed all tests ok. Is this a valid test link? Are there others? What is your opinion? SM 1117 passed all tests. "Congratulations! The test has found no vulnerabilities in your browser!" Yes, but as Robert Kaiser pointed out in a reply to me, those tests aren't really meaningful. I agree. I also don't see why every one is so worried about viruses, zombies, etc. ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: Testing security of SM 1.x and 2.x
Dans son message précédent, Paul a écrit : > Bernard Mercier wrote: >> I have discussion in the puppy linux forum about SM security. >> A forum member claims that the developers say: *even the devs are saying it >> is not secure enough.* >> >> I did a test with this link: http://bcheck.scanit.be/bcheck/ on my SM 2.0.. >> SM 2.0.3 passed all tests ok. >> >> Is this a valid test link? >> Are there others? >> What is your opinion? > SM 1117 passed all tests. > "Congratulations! The test has found no vulnerabilities in your browser!" Yes, but as Robert Kaiser pointed out in a reply to me, those tests aren't really meaningful. -- [URL=http://users.kbc.skynet.be/fi001005] *Belgische Ardennen - Ardennes Belge [/URL] ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: Testing security of SM 1.x and 2.x
JeffM avait énoncé : > Bernard Mercier wrote: >> I have discussion in the puppy linux forum about SM security. >> > You use *Puppy* and you're worried about *security*?? > http://google.com/search?q=cache:gp3jKi0UjncJ:www.linux.com/archive/feature/137880+*-*-not-meant-*-*-*-*-*-*-*.*-*-*+inc+Unix.permissions+running-*-*-root-*+Single.User-Mode+*-*-*-destroy-*-*-*-*-*-*-*-.*.*-*-*-*-*-*-*-*.*-*-*-.*-*.*-*.*-*-*-*.*-*-*-*-*+sudo+writable-*+inc+turkey+*.*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-separate-*-accounts.*-*-*-*-*-*-*-*+inc+*-*-*-*-*-touted-*-*-*-*-*-*-*+*-root-*-account+*-shares-*-*-*-*-Win95+*-*-*-*-*.*-*-*-*-convinced-*-*-*+inc+*-*-*-*-puzzling+Grafpup.a-*-*-*+*-Barnum-*-*&strip=1 > http://tinyurl.com/Puppy-AsSecureAsWin9x > http://www.linux.com/archive/feature/137880 > At least say you're using the multi-user puplet. > http://google.com/search?q=%22+puppy-4.2.1-MULTIUSER-r3.iso If you would have read my initial post, you would have seen I am not the one fearing security. Mostly it are newbies. I run puppy for several years as root, and the only security issue is myself doing the wrong things. So be happy with puppy. ;-) -- [URL=http://users.kbc.skynet.be/fi001005] *Belgische Ardennen - Ardennes Belge [/URL] ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: Testing security of SM 1.x and 2.x
Robert Kaiser a formulé ce donderdag : > Bernard Mercier wrote: >> Would you have another link to site which test browsers? > I don't think there can be any site that reliably tests browser > security. Only long-going deep-level investigation and comparison of > what vulnerabilities are reported publicly and how vendors react can > tell the story of security. No automated test can do that. > Robert Kaiser OK thanks for the update. -- [URL=http://users.kbc.skynet.be/fi001005] *Belgische Ardennen - Ardennes Belge [/URL] ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: Testing security of SM 1.x and 2.x
Bernard Mercier wrote: I have discussion in the puppy linux forum about SM security. A forum member claims that the developers say: *even the devs are saying it is not secure enough.* I did a test with this link: http://bcheck.scanit.be/bcheck/ on my SM 2.0.. SM 2.0.3 passed all tests ok. Is this a valid test link? Are there others? What is your opinion? SM 1117 passed all tests. "Congratulations! The test has found no vulnerabilities in your browser!" ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: Testing security of SM 1.x and 2.x
Bernard Mercier wrote: Would you have another link to site which test browsers? I don't think there can be any site that reliably tests browser security. Only long-going deep-level investigation and comparison of what vulnerabilities are reported publicly and how vendors react can tell the story of security. No automated test can do that. Robert Kaiser ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: Testing security of SM 1.x and 2.x
Bernard Mercier wrote: >I have discussion in the puppy linux forum about SM security. > You use *Puppy* and you're worried about *security*?? http://google.com/search?q=cache:gp3jKi0UjncJ:www.linux.com/archive/feature/137880+*-*-not-meant-*-*-*-*-*-*-*.*-*-*+inc+Unix.permissions+running-*-*-root-*+Single.User-Mode+*-*-*-destroy-*-*-*-*-*-*-*-.*.*-*-*-*-*-*-*-*.*-*-*-.*-*.*-*.*-*-*-*.*-*-*-*-*+sudo+writable-*+inc+turkey+*.*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-separate-*-accounts.*-*-*-*-*-*-*-*+inc+*-*-*-*-*-touted-*-*-*-*-*-*-*+*-root-*-account+*-shares-*-*-*-*-Win95+*-*-*-*-*.*-*-*-*-convinced-*-*-*+inc+*-*-*-*-puzzling+Grafpup.a-*-*-*+*-Barnum-*-*&strip=1 http://tinyurl.com/Puppy-AsSecureAsWin9x http://www.linux.com/archive/feature/137880 At least say you're using the multi-user puplet. http://google.com/search?q=%22+puppy-4.2.1-MULTIUSER-r3.iso ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: Testing security of SM 1.x and 2.x
Robert Kaiser a exposé le 31/03/2010 : > Bernard Mercier wrote: >> I have discussion in the puppy linux forum about SM security. >> A forum member claims that the developers say: *even the devs are saying it >> is not secure enough.* >> >> I did a test with this link: http://bcheck.scanit.be/bcheck/ on my SM 2.0.. >> SM 2.0.3 passed all tests ok. >> >> Is this a valid test link? >> Are there others? >> What is your opinion? > Not sure of how much value that test is, but I can tell you there are no > known/published security vulnerabilities affecting SeaMonkey 2.0.4 at > this point (there are some affecting 2.0.3 which are fixed in 2.0.4), > but there are a number affecting every 1.x release, including 1.1.19. > The most current 2.0 release is as secure as it can get for a browser or > mail client right now, to our knowledge. > Robert Kaiser Thank you for your reply. Would you have another link to site which test browsers? -- [URL=http://users.kbc.skynet.be/fi001005] *Belgische Ardennen - Ardennes Belge [/URL] ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: Testing security of SM 1.x and 2.x
Bernard Mercier wrote: I have discussion in the puppy linux forum about SM security. A forum member claims that the developers say: *even the devs are saying it is not secure enough.* I did a test with this link: http://bcheck.scanit.be/bcheck/ on my SM 2.0.. SM 2.0.3 passed all tests ok. Is this a valid test link? Are there others? What is your opinion? Not sure of how much value that test is, but I can tell you there are no known/published security vulnerabilities affecting SeaMonkey 2.0.4 at this point (there are some affecting 2.0.3 which are fixed in 2.0.4), but there are a number affecting every 1.x release, including 1.1.19. The most current 2.0 release is as secure as it can get for a browser or mail client right now, to our knowledge. Robert Kaiser ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: Testing security of SM 1.x and 2.x
Bernard Mercier a écrit : > I have discussion in the puppy linux forum about SM security. > A forum member claims that the developers say: *even the devs are saying it > is not secure enough.* > I did a test with this link: http://bcheck.scanit.be/bcheck/ on my SM 2.0.. > SM 2.0.3 passed all tests ok. > Is this a valid test link? > Are there others? > What is your opinion? The person was merely speaking about the End Of Life of SM 1.x -- [URL=http://users.kbc.skynet.be/fi001005] *Belgische Ardennen - Ardennes Belge [/URL] ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Testing security of SM 1.x and 2.x
I have discussion in the puppy linux forum about SM security. A forum member claims that the developers say: *even the devs are saying it is not secure enough.* I did a test with this link: http://bcheck.scanit.be/bcheck/ on my SM 2.0.. SM 2.0.3 passed all tests ok. Is this a valid test link? Are there others? What is your opinion? -- [URL=http://users.kbc.skynet.be/fi001005] *Belgische Ardennen - Ardennes Belge [/URL] ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey