[BLU] Re: [BLU] RE: [REDHAT] Dell knocks Linux off the desktop (fwd)

[david at thekramers.net (David Kramer)]

On Wed, 8 Aug 2001, Derek Martin wrote:

> On Wed, Aug 08, 2001 at 08:44:16PM -0400, Scott Ehrlich wrote:
>
> Today I have been forced to submit to a reduction in the Internet
> service I am afforded, precisely because people don't regard their
> systems as needing to be secured.  AT&T now filters all requests to
> port 80 across their entire network.  So despite the fact that I have
> made every effort to keep *MY* system secure, and don't even use the
> software or OS affected by the plague of the day, I suffer a loss of
> service at the hands of people who chose to run services without
> regard to their responsibility to keep them secure.

Funny, mine was not changed.  Maybe they're doing it area by area.  Too
bad DSL sucks.  Not many options.

> Now I know that some people will be quick to respond to my little rant
> above by pointing out that MediaOne, and subsequently AT&T, have
> always had a no server clause in their ToS.  Which is fine and dandy,
> except that it has always been tolerated provided you do not pose a
> threat or abuse your bandwidth, and I used the service knowing that.

This is not the case.  Their MediaOne's policy for the past few years has
been that it is OK to run servers as long as you don't ask for support
related to the servers, and when you call support you are using a Windows
machine, and the servers are not used for any commercial purposes, and do
not tax the localnet too much.  Several years ago it was much more
restrictive.

> I shouldn't end this without thanking Microsoft.  If it were not for
> their shoddy software, none of this would be possible.  They have
> repetedly ignored security issues in order to satisfy requests for
> features from their "customers" (which I'm now convinced really means
> their business partners that want to sell you stuff, and pay MS for
> the privilege to get in your face).  And, for a company that touts
> themselves as hiring only the best and the brightest, they seem to be
> remarkably unable to hire programmers that understand the concept of
> bounds checking.

OK, let's have a fair, factual debate.  Two things here:

The lack of security MODEL in most versions of Windows was a
well-thought-out design decision, not shoddy programming.  That is what
the majority of IIS/IE exploits have relied upon.  Not buffer overflow.
The software bends over backwards and begs to run downloaded executables
in the name of doing what [teh software thinks] the user wants without
having to know how to do it.

Now, if you track the CERT UNIX security advisories and Red Hat's security
list, you will see a few buffer overflow exploits A MONTH listed for
various Linux distributions.  Who'se got shoddy software?

>
> And no, I have not forgotten that Linux software (and Unix for that
> matter) can be vulnerable too.  But I also know that the Linux
> community is generally MUCH, MUCH better about responding quickly and
> responsibly to security issues than are MS and their users, and much
> more likely to design security into their programs than MS.

Holes are patched much faster, but is the average Linux home user with a
cablemodem or DSL really more diligent about applying them?  I think not.

-------------------------------------------------------------------
DDDD   David Kramer                   http://thekramers.net
DK KD
DKK D  Football is not a contact sport; it is a collision sport.
DK KD  Dancing is a contact sport.              --Vince Lombardi
DDDD

-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).