Linux security sucks too?
Faust:
Woo, old thread back to life, scary... like Frankenstein!!!
a lot of those security alerts are "possible exploits." Take these Debian bugs for example:
[21 Sep 2003] DSA-382 ssh - possible remote vulnerability (new revision)
[18 Sep 2003] DSA-386 libmailtools-perl - input validation bug
[17 Sep 2003] DSA-383 ssh-krb5 - possible remote vulnerability
[16 Sep 2003] DSA-382 ssh - possible remote vulnerability
Note the "possibles." With open source, or better, possibles can be fixed *BEFORE* they are exploited. With non-free programs you don't know there's an exploit until some fucking bastard in a tiny country you've never heard of is using it to buy kiddy porn with your credit card, and that bug won't be fixed until the vendor sees a commercial benefit to doing so - think about it, Microsoft is a company, they are interested in money not software. Software is only of use if it gets them money, which is nice to most people but not the be-all and end-all to those of us with ethics. If an exploit is not popular enough to piss off enough customers, why spend money on fixing it? In fact why not just spend that money on a newer Office suite to make *MORE* money, because Windows users will not spend $$$ on a new upgrade cycle for "bug fixes." (Well, not all of them are that stupid I guess... although I guess Windows 98 etc. is a point. ;) ) In fact, why not just ban users from even publishing those bugs (which the new EULAs are covering... you cannot publish benchmarks of .NET code without MS approval) and have a nice empty exploit report list to give consumers the opinion that you have none?
Also look at the "perl" exploit... ah, perl? Unless you're running CGIs with it, that bug is only exploitable by local users - not remotely. With the massive amount of software in, say, Debian, also note that those exploits aren't just "Linux" exploits. They also cover MySQL, Apache, sendmail, wu-ftpd etc. How much bigger do you think the MS bug report database would be if they, like GNU/Linux vendors, covered all the bugs in all the software that most commonly runs on their platform? If Windows, like Debian, were distributed with 9000+ separate software packages all "made to work with Windows" by Microsoft, how much longer would those MS bug reports be?
M51DPS:
Just a quick poll, how many people have OpenSSH active? How long did it take you to upgrade? Are you aware that the MSBlaster Worm affected people who didn't upgrade months after the patch was released? Or what about how many people don't want to apply patches because it causes more problems? I have this theory that every OS has some bugs, and that maybe some OS are put into the spotlight because a certain evil corporation wants them to look bad. Anyone had a glimpse of a list of Mac OS X security updates? As long as it is, I'm not afraid to apply them and I do it as soon as possible.
Stryker:
quote:Originally posted by M51DPS:
Just a quick poll, how many people have OpenSSH active? How long did it take you to upgrade?
--- End quote ---
I have OpenSSH active, I didn't upgrade it. I probably won't. I don't have anything important that isn't backed up, and I'm on dialup so people will probably use me alone. It's not like I go handing out my IP address to everyone.
flap:
Why bother running sshd if you're on dial-up? Or if it's only for your internal network, why not block it (and everything else) at the firewall?
mobrien_12:
I patched openssh within the same day as the flaw was announced. OpenSSH is one of the few services that I leave open to a relatively large number of IP addresses, and I learned long ago that if you choose to have an open service you must commit to patching it regularly.
I might have waited longer (within a week), but
1) My Linux boxes are in a "war zone" (numerous probes every day, systems other than mine on the subnet are compromised on a regular basis, and the network admins refuse to firewall the network).
2) The OpenSSH hole was one of the few OSS flaws that was being exploited before the programmers found it.
I patched MSRPC within a couple of days.
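The two questions running through this thread ("how many people have OpenSSH active, and how long did it take you to upgrade?") come down to knowing which of your own machines still run an old sshd. Below is an added example, not code from any poster, that parses the version out of OpenSSH server banners and flags hosts below a chosen baseline. The hostnames and banners in INVENTORY are constructed for the example, and BASELINE is a placeholder: substitute the version named in the advisory you are patching against.

```python
"""Added example: flag hosts whose OpenSSH banner is older than a patched
baseline, so an admin can see which machines still need the upgrade."""
import re
from typing import Dict, List, Optional, Tuple

# Matches the version part of an SSH server banner, for example
# "SSH-2.0-OpenSSH_3.7.1p2 Debian 1:3.7.1p2-1". The third number and the
# portable "pN" suffix are optional in real banners.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")

Version = Tuple[int, int, int, int]


def parse_openssh_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch, portable) from a banner, or None if the
    banner is not from OpenSSH. Missing components count as 0, so 3.7p1
    becomes (3, 7, 0, 1) and sorts below 3.7.1p2 as it should."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable or 0))


def needs_upgrade(banner: str, baseline: Version) -> Optional[bool]:
    """True if the banner is OpenSSH older than baseline, False if it is at
    or above it, None if the banner could not be parsed (non-OpenSSH server
    or garbled banner), which should be checked by hand rather than ignored."""
    version = parse_openssh_version(banner)
    if version is None:
        return None
    return version < baseline


# Constructed sample inventory (hostname -> banner as a scanner records it).
# Hosts and banners are made up for this example.
INVENTORY: Dict[str, str] = {
    "web1": "SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9",
    "web2": "SSH-2.0-OpenSSH_3.7.1p2 Debian 1:3.7.1p2-1",
    "db1": "SSH-2.0-OpenSSH_3.7p1",
    "old": "SSH-1.99-OpenSSH_3.4p1",
    "nas": "SSH-2.0-dropbear_0.41",
}

# Placeholder baseline: replace with the version your vendor's advisory names.
BASELINE: Version = (3, 7, 1, 2)


def report(inventory: Dict[str, str], baseline: Version) -> Tuple[List[str], List[str], List[str]]:
    """Split hosts into (needs_upgrade, current, unknown) lists, each sorted."""
    stale: List[str] = []
    current: List[str] = []
    unknown: List[str] = []
    for host, banner in sorted(inventory.items()):
        result = needs_upgrade(banner, baseline)
        if result is None:
            unknown.append(host)
        elif result:
            stale.append(host)
        else:
            current.append(host)
    return stale, current, unknown


if __name__ == "__main__":
    stale, current, unknown = report(INVENTORY, BASELINE)
    print("needs upgrade:", stale)
    print("current:", current)
    print("not OpenSSH / unparsed (check by hand):", unknown)
```

Banners are what a scanner sees, not what is installed: a distribution that backports a fix without bumping the upstream version (Debian's DSA updates do this) will still report the old number, so treat the "needs upgrade" list as a starting point and confirm against the package version on the host.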