----- Original Message -----
From: "Dan Bartley" <[EMAIL PROTECTED]>
To: "Tim Greer" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, July 04, 2003 12:58 PM
Subject: RE: Ten least secure programs

> One more time. I'll admit to being sucked in one last time. :-( This
> really will be my last word on this thread, label that however makes you
> feel better about it.

I have no feelings about it either way. If someone not agreeing with you upsets you this much, it's probably better you leave the topic alone anyway.

> I can only assume you live in a bubble of self involvement.

Sure, why not, I don't agree with you and you think highly of yourself, so it's just illogical to you. Good thing you're mature enough to try and belittle people for not agreeing with you and your logic, to illustrate how much of a bigger person than I.

> You outright
> said in earlier posts that you have no security issues,

I said I do not have security issues with the programs I code.

> that you have no
> need for security tools,

I did not say this. Quote where I said there's no need for anyone, or where I said that I personally have no need. As for the need, it depends on the type of tool. I said that I have no need for anti-virus tools... this bothers you? I use platforms that don't have the ability to have viruses, or not very many over years anyway, and I don't open executables and run them like a fool. Why would I need an anti-virus tool? IDS, why? This can be useful, but only for a specific purpose. There's no harm in using one. Firewalls, I use them, but not to mask an underlying problem, such as you seem to suggest is the solution. If you choose to construe that as me making irrational and arrogant claims out of insanity because I think everything's perfect, then feel free.

> that you have fixed or selected software where
> no security issues exist and do not require security prevention.

That is correct for many aspects of software I run and how I run it. That is not a claim I made for all services I run and some need to be watched or updated more than others. It all depends.
But yes, I have never had or seen any problems or reports for Qmail, nor djbdns, I configure and run them properly and they do not require any concern as other services inevitably do. If there's an issue one day, I'll update or find out how and why it's an issue and see if there's anything I can do to prevent it in the future. Unless you care to explain exactly how your solution of an antivirus, firewall and IDS will help prevent a problem with a service such as this on a web server that requires the ability for anyone to send me email or for me to send out, or resolve my domain to do this and other type of accesses. The point is, they do not. The point is, these solutions you think are solutions, are not solutions. They are not worthless and they have a use, but you don't just throw software at a problem because of poor choices of the software you use--well, maybe you do, but I don't. I know, how egotistical of me to have the nerve to say that I use software that has absolutely no history of security issues over several years of it being very popular on thousands of heavily used web services and the gall to actually say that the more control you have over your system the more control you have, and thus better security--provided you know what you're doing. Oh, what was I thinking, trying to explain this to the great, uh, you.

> Perhaps
> you want to clarify what you really meant as opposed to what you
> actually said?

Or perhaps you can actually consider the idea of just actually reading what I said instead? Or does telling you twice actually matter?

> Which part of you have solved all security issues did I
> misinterpret?

I'd first like to know exactly where you get the idea that I ever said what you just claimed. Grow up and stop trying to act like someone realizing the ability of more control means that they are claiming that they've managed to somehow come to the self realization that they are perfect and have the solution to every security issue.
I never said any such thing, stop acting like a child and be a man.

> I am not interested in bashing Linux or any other OS users.

Yes you are, or people that don't agree with you anyway, no matter how valid the points are--you prefer to take them personally and attack people with untrue claims, such as you did above. This is helpful?

> I am against
> arrogant admins

Do you exclude yourself and your stubborn standpoint in that list? Do your own rules not apply to you?

> or users (of any OS) who feel they have all the answers
> and dispense advice based on that assumption.

I agree, and you should stop.

> Unfortunately for the
> growth potential of a promising OS, *some* of the more vocal Linux users
> tend to be very immature, arrogant and closed to learning new things.

I didn't realize you were a Linux user, then? This is true of many platforms and users, not just Linux.

> Sadly, this has caused Linux (most flavors) to remain a struggling
> platform.

You're just being a jerk now... not that this seems new in this thread, but get real. Your bias is pathetic. Apparently Linux is struggling... that's a good one. You're like any other self-proclaimed person that thinks they know what they are talking about, when they don't (painfully obvious). I'm not saying this to come off like a troll, like you are, but simply because it's blatantly obvious. Why do I say this? Simply because I never did anything but compare two and mention the platforms. I am more of a *BSD user than anything, and I use Windows a lot (for home stuff--I'm using it now, as a matter of fact, and I like it (for this purpose)). Yet, because I mention it, you, like any other fool that can't make a valid point in his own favor, just assumes that the other person is some Linux nut who mindlessly bashes MS. Are your feelings hurt because you got yourself a worthless MSCE and feel jipped? Is that it? I can't blame you.

> I would like to see it be otherwise, it has tremendous
> potential for specific areas.

Potential... a more popular and better performing platform for web servers over Windows... well, you're right, I guess Linux has potential... maybe one day we'll be hearing more about this mysterious OS... you biased oaf!

> What planet are you from?

I don't recall, it's been too long to remember. The fact is, I don't agree with your uneducated and egotistical and defensive position, so you are just a wreck when trying to deal with it. Grow---up...

> You did not know that IBM and HP make some of
> the most widely used and secure UNIX flavors?

You said IBM and HP have come out best in the last year. I said they are brand names, not OS'es... if you want to mention an OS, version, dist, mention it. It's like someone saying "I program computers"... what the hell does that mean? "I work in IT, I do IT". Huh? Say what you want to say... name specific things and exactly what "came out best" compared. Where are these versions and your statistics you keep going on about? Let's see them, biased boy!

> Or are you just grasping
> for a bashing implement by pretending to be a master of semantics?

I could never be like you... you've got this 'down'. I would never try.

> Hey! I've got an idea

Finally... using it, eh?

> (based on your apparent logic pattern).

You mean "sense"... but I'm sure it's senseless by the time your mind processed the information.

> It might
> rain somewhere one day. Just never go outside, then you don't need a
> raincoat.

If you really think that makes sense. So, apparently because I don't recommend wearing a raincoat 24 hours a day, inside, outside, no matter what the region you live in has weather like or the forecast, etc., even when you're sleeping or showering, you should put on your raincoat, hat, galoshes, etc., I'm apparently being too extreme in my comments that "If you don't need to, don't just put a raincoat on anyway".. you really think this equates to meaning that I am recommending people take an extreme to the other degree?
You have been posting insanely ludicrous solutions that don't solve anything, and I recommend the right tool for the right problem only or avoiding the problem to not need the tool, or using the tool for the right reasons only, and you come up with this response? I bet you really think you are making a valid point too.

> You clearly limit the options of whoever it is you are consulting for
> with that kind of approach. I do not recommend anyone here take that
> lead.

No, I am just actually qualified, unlike you, and don't recommend throwing software at a problem, without actually solving that problem. And yes, we all realize you don't recommend taking anyone's approach that you don't like. Poor you.

> Yes, the original subject of this thread.

And you should maybe try sticking to that original subject.

> Take note that I have made
> suggestions, repeatedly, in every post geared directly toward that
> original subject.

No, you suggested non issues, that didn't relate to the topic and just wanted to let everyone know how special your mother told you that you were today. I really don't care, or care what your little problem is. The facts are that you did not participate in the discussion in any productive manner. Instead, you wanted to just blurt out what you thought was the solution, because you lack the skills and education to know what you're talking about. Perhaps you don't like me for pointing out that fact, but I really can't care less. Lest someone follow your advice and get a false sense of security and end up in a big mess.

> Listing 10 specific applications to avoid is
> ridiculous and unproductive.

I'm sure it is, and I'm so very happy to see that you opted to take that mentality and run with it.

> It is an exercise in both futility and
> arrogance.

Again, refer to above.
Personally, I'd like to see reasonable, rational and sensible discussions, not like a nut trying to just mask the problem and accuse anyone that doesn't agree with their methods of thinking they have the 1 perfect solution for everything.

Person 1: I wrote a program, and it's secure. There's no functions in it that could open a potential exploit.
Person 2: Liar, all programs have exploits.
Person 1: (Gives very easily understood examples of the differences).
Person 2: So, you think you can secure any program and OS to never be insecure.
Person 1: When did I say that? I use some software (lists software) that has never had any issues. Maybe some will be found one day in those, but the program I spoke of doesn't have functions that would ever be potentially exploitable.
Person 2: I'm the best in the world, if you don't agree with me, you're a big baby! (insert accusations that Person 1 claimed to solve all the problems for daring to say that some programs are actually more or less secure compared to each other).

> Instead I have tried to make suggestions on an attitude to
> approach these matters with, so options are not limited and forward
> thinking is embraced.

You have not. You ran over the same rehashed, non solution as any other person that has no skills in this field would blurt out. But, good thing you claimed there's stats about how the OS you like less than the one you like personally, is the least secure--even though you obviously meant when in the hands of an unskilled person (which is a problem with any OS (or kernel)), and even though you never did show those stats. Hmmmmmmmmmmm. Good job.

> It concerns me to think that young and creative
> minds here would get advice that, in essence, says, "This is the only
> way to do it, any other way and you are wrong"

That would concern me too, sort of like how it concerns me that someone wants to throw firewalls, IDS and anti-virus on a problem, instead of simply running more secure software that aren't vulnerable to viruses, need to be publicly accessible, etc... again, not that these don't have a purpose, but a pathetic way to try and defend or justify a poor choice of software to run in the first place. Are you keeping up?

> I do not recommend that any security or IT people take the attitude that
> they have it all figured out.

Nor do I... and, in fact, I'd have to question the qualifications of someone that won't listen to everyone else, not to mention if they assume that someone saying that a program has no history of security issues is better than a program that has major ones all the time, somehow equates to that person thinking that they have it "all figured out", simply because it opposes their own views on how it's actually logical to run the less secure program. I'll give you time to evolve and figure out what I just said.

> I recommend that they keep their options
> open, consider the possibilities, be proactive, and provide solutions
> that allow a business to function in today's interactive world in a way
> the *business* wants.

I agree... and yes, if that means that the company wants to run insecure programs and services, that yes, you actually do what you even said, and you can throw anti-virus software to try and prevent that poor choice of an email program from being infected, for example. Apparently the fact that someone that knows better than to have to resort to that, and uses software without any vulnerability history is somehow not open minded enough?
Did I ever say that you shouldn't be prepared or able to deal with whatever software and services a company wants to run that you have no choice in the matter? No, in fact I said in another post that this is why people should be able to secure other less secure platforms, since it keeps you in a job for one thing, and that you can do everything you can to secure it, with what you have, for another thing. However, this discussion was about software being insecure or not. We are *all* quite aware that management decisions may prevent them from running the best software, but that wasn't what this discussion was about.

> I always thought the correct work ethic was to
> provide the service to the customer, not force the customer to do it "my
> way or the highway"

And who ever said it wasn't? Stop trying to make excuses, seriously... this is foolish. This discussion was about software, what ones are more insecure than the other. We never had this topic discussing the policies of how to deal with management or client choices. You can try and make excuses to justify your view, but what it came down to (and what really happened), was that you had poor ideas of how to deal with a problem, rather than solving it, you masked it and the problem remained. This is a flaw in logic and you refuse to budge on your view. So be it, though you should try and not make a fool out of yourself and act like anyone that says there's a better alternative is somehow trying to force clients to use their favorite software, or as if they are victimizing anyone.

> They are, after all, paying me to provide what they
> ask for and need. I hope my creativity does not become so stagnant that
> I ever have to say, "There is only one way to do any of this"

No one ever said this, this is the impression you alone have.

> And to help you out Mr. Greer. "Duh! That is obvious!" Yes it is, isn't
> it?

Yes, hence "Duh".... and I believe you are the chap who requires the assistance in getting a clue.
Refer to my long-winded response now... are you keeping up?

> Bears being said anyway, particularly for those in an early
> learning curve. Too bad that approach seems to be outside your thinking
> sphere.

Okay, and I said "Duh (obviously)" to something and you now claim that this concept is somehow beyond my reach because I said it was so, when you did too? You're not very good at this 'debate' thing, are you? So, one of the few things I agree with you about, you try and accuse me of not grasping the item that you agreed on? Wow, that's super smart. You're very cool, don't let anyone tell you otherwise.

> As for the poster who asked for things to be cited regarding the
> compromise and flaw rankings, it has been in the media, in trade
> reports, on web sites, in security newsletters.

So, you can provide a link to these stats then,.... riiiiiight???? What's preventing you from showing us? Come on then... and again, I'm not talking about lack of skills being the cause, but the software, kernel, OS, etc. you claim is statistically inferior. We're waiting....

> I read these things, I
> research and keep current.

Too bad you don't listen for that to matter.

> Google it yourself, don't ask me to do all
> the work for you.

Hey, that's a great way to actually avoid the issue and back up what you yourself claimed. Nicely played... I don't think I'll buy it though. Besides, if I had you do my work for me, I'd be in another line of work or broke.

> Please don't take the old and tired approach that if
> it is negative about MS, IBM or whoever it is completely true, but if it
> is negative about Linux, it's Linux bashing and lies. Linux deserves
> better than that.

Don't worry, I won't and didn't and don't plan to... that's your job, just the opposing extreme. I never claimed Linux didn't have problems. I did state that you can better secure it and exampled why. Apparently that's arguable anyway, for you, even though you have the source code to do anything you want.
Hey, if you don't have the skills, and you obviously do not or you'd immediately know the advantages to that, then don't assume that it's not relevant or not a valid point. The simple fact you argued it, is what the problem is, partly anyway.

> That attitude didn't work for MS or IBM, it isn't
> going to work for Linux either.

No, it's not, and I wish you'd realize that and stop.

> Also, if anyone is going to try to make swipes on semantics or someone's
> interpretation of statements, don't turn around and do it yourself in
> the same sentence. That gives such an air of desperation and closed
> mindedness.

Then stop it.

> Perhaps wrongly, I assumed the security basics list was all encompassing
> where it relates to security basics.

It is, but how is you talking about off topic aspects in an 'Insecure programs list' changing that fact?

> I did not view it as belonging to a
> select few based on their personal view of what constitutes a computer
> expert and what they view as the only correct options.

How friggin' ironic are you? Are you a comedian? Now because you can't deal with other people's opposing views, you want to whine about how those people think the list somehow belongs to them? Is that what you feel when you argue here? Hmm? Is that your view and motivating process to be acting so ridiculously arrogant? Stop whining already! As for what qualifies as a computer expert, I'd imagine that would be actually knowing what you are doing. If those types offend you, then I feel pity for the list you feel comfortable posting to.

> I don't know,
> seems to me the world is just a little more diverse than that.

You'd think, but not for lack of your efforts. No, I'm not going to bow to you, so don't wait on it.

> Best Regards,

I'm sure.

> Dan Bartley

Indeed. Yew havf yerd'seldf a goewd d'ay dar' Dayn.

--
Regards,
Tim Greer [EMAIL PROTECTED]
Server administration, security, programming, consulting.

-----Original Message-----
From: Tim Greer [mailto:[EMAIL PROTECTED]
Sent: Friday, July 04, 2003 14:32
To: Dan Bartley; [EMAIL PROTECTED]
Subject: Re: Ten least secure programs

----- Original Message -----
From: "Dan Bartley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 03, 2003 6:25 PM
Subject: RE: Ten least secure programs

> Your comments appeared to have a clear slant to them. They also were
> contrary to the statistics.

No, only someone that's hard up to bash Linux users would assume this. Nothing was contrary to what _you_ claim. This is getting nowhere.