Simple question about Windows .......

Mathew P. · External Since: Feb 27, 2006 Posts: 277

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2006-09-29, Hadron Quark spake thusly:
> Richard Rasker <spamtrap.DeleteThis@linetec.nl> writes:
>
>> Op Thu, 28 Sep 2006 17:57:11 -0500, schreef Erik Funkenbusch:
>>
>>> On 28 Sep 2006 15:27:25 GMT, Peter Hayes wrote:
>>>
>>>>> You're inability to follow Eriks explanation is frightening. And your
>>>>> last paragrpah made no sense. Maybe you're talking about something
>>>>> else?
>>>>
>>>> I'm talking about Erik's comment, quoted at the top of this post, that "
>>>> Hell, a few years back, there were these streams of very complicated
>>>> hoaxes going around that asked users to delete various files from their
>>>> hard drive, because they were claimed to be viruses." And I responded
>>>> that if viruses didn't exist these "delete virus msvc60.dll" or whatever
>>>> spoof e-mails wouldn't exist because nobody would believe them, or even
>>>> understand them. Now what's simpler than that?
>>>
>>> The point was simply that complexity is no deterrent.
>>
>> In my experience, it absolutely is. When users call me with networking
>> problems, I often have to make them enter CLI commands to quickly figure
>> out what's wrong (as I have no remote access an more due to the networking
>> trouble).
>> And boy oh boy, you should see it. It's more often than not like training
>> a dog to jump through hoops, requiring endless patience, several attempts
>> at every command, often rephrased in different ways. And with every
>> error
>
> Shh. We are assured by the regulars here that CLI is obvious to all but
> the most "retarded" users.

Cite your source. Message containing exact quotation, please.

> But most Linus users will have to use them at some time : a brief glance
> at the thousands of "how tos" to get sound, opengl, video, multiple
> desktops etc working will show you. All it needs is one hack of a
> "howto" script which is run using sudo or its equivalent and *bang*.

Yes, so you say. In one form or another, over and over. You have, of course,
taken a brief glance at thousands of "How-to's".

For a "linus" user like yourself, who has adamantly insisted he uses and likes
linux, you have gone to great troubles to pick as many nits as you can. It
started with Nvidia card drivers not working (something flatfish made much
todo about in some older threads). Then it was soundcards not working (which
was a bogus claim). When that soundcard claim fell through the floorboards,
it became a new soundcard claim; Linux can't *find* my soundcard, also a
bogus claim (and both claims made by flatfish in older threads in the reverse
order). Then you moved on to the 'sudo will bugger you with your pants on and
date your mother' rant, which you are *still* fixated on, for no apparent
reason (that I can detect anyway). It is absolutely moronic to continue on this
sudo tangent. Good god, man, give it a friggin rest. As a sidenote, I don't
recall flatfish ever sporting a woody about that particular phantom menace.

Now for the bogus d'jour (drumroll): OpenGl, Video, Muliple Desktops, and a
linux feature called "etc." All ready to self-detonate. What exactly _do_ you
*like* about linux, and would you please share with us sometime, that you
found a way to actually *use* Linux for something other than employment with
underwriters labratory?

And what the hell is a howto script? For that matter, what would a hack of
a script be? What do you think scripts are?

This is rediculous. You are just getting more rediculous and transparent
all the time. You're acting like Homer Simpson with a computer.

> Script kiddies like scripts.

Duh. You think?

Here's to hoping you get back on track.

Mathew

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFFHkjXlkJ5K/IU2ToRAk8FAKC54+rAZUZFtiKDLguXbVT6wo98FgCgl1vB
YqSwgV83gVoTkqvvjwJh32g=
=5x3A
-----END PGP SIGNATURE-----

--
"Always do the right thing: It will delight / Aluminum Foil Deflector Beanies
some and astound the rest" - Mark Twain / Psychotronic protection, low prices

Sinister Midget · External Since: Jun 17, 2006 Posts: 746

On 2006-09-30, Erik Funkenbusch <erik RemoveThis @despam-funkenbusch.com> posted something concerning:

> On average, the user will *NOT* stop and read them. Even if you vary what
> they say, they'll just try and figure out the quickest way to make it go
> away without comprehending what it is trying to tell them.
>
> "This action will destroy youc computer. Are you sure you want to do
> this?" [[Destroy Computer]] [[Figure out how to fix it]]
>
> At least 50% of the time they'll click Destroy Computer. People just don't
> read that stuff, they just randomly click, unless there's a clear
> affirmative. They'll even click yes to something like this:
>
> "This action will give you a painful enema. Do you wish to continue?"
> [[Yes]] [[No]]
>
> Frankly, I think the whole sudo/uac thing is a red herring anyways. I
> don't think either OSX/Ubuntu's approach or Microsoft's will solve anything
> in the long run.

It must be a really sad existence if you believe most people are so
stupid that they won't at least look at the surface of things before
moving on. I'd agree with you that most Windummies* might. But not most
ordinary people.

What I'd bet is most people skip reading the 67.000 pages of licensing
and warnings. Just as MS wants them to do (which is why it's that
long). But if it's a sentence or two, my money is on them usually
reading it the first couple of times from one vendor. After that they
may trust that they're not about to be sodomized and skip the reading
of anything over 30 words.

* Identifiable by their complete and irrational devotion to getting
reamed annally. So much so that they have themselves conditioned to
believe it's a pleasurable experience, not a painful one, just
because a rich guy's company is the one doing it.

--
Windows: When you haven't been abused enough by the IRS.

Erik Funkenbusch · External Since: May 27, 2005 Posts: 2403

On Sat, 30 Sep 2006 11:49:58 GMT, Sinister Midget wrote:

> It must be a really sad existence if you believe most people are so
> stupid that they won't at least look at the surface of things before
> moving on. I'd agree with you that most Windummies* might. But not most
> ordinary people.

It's not a matter of intelligence. It's a matter of apathy. We're talking
about the same kinds of people that drive around for months, maybe years
with their "check engine" light on, at least until the car stops running.

Most people have conditioned themselves to believe that they won't
understand anything those dialogs tell them, anyways. And, in most cases,
they're right.

Most people don't even know what "administrator privileges" are, or what
that entails. A dialog that says something like "A program needs you to
enter your password to continue", it doesn't say why, or give them any
information to make a judgement. You're just expected to "know" what
requires a password and what doesn't. Most users won't know this, and will
comply with anything that's asked of them.

The fact of the matter is, end users don't care about the why's, they only
care about making the dialogs go away so they can continue with what they
were doing.

This is not an easy problem to solve. None of the existing solutions are
ideal, and many of them give a false sense of security. NONE of them deal
with the situation of trojaned files, or "adware" or other files that users
deliberately install as part of some other program.

Peter Hayes · External Since: Oct 10, 2005 Posts: 202

In <1xa86we74cuy9.dlg RemoveThis @funkenbusch.com> Erik Funkenbusch wrote:
> On 30 Sep 2006 08:12:30 GMT, Peter Hayes wrote:
>
>>> That's because you're running an administrator account. It reasons
>>> that if you are a member of the administrator group, then what's the
>>> difference between typing in a password and clicking "ok"? Just
>>> more opportunity for your password to get hijacked by a clever
>>> trojan if you condition people to type their password all the time.

One answer is to make the user select entries from drop down boxes in
the manner of my online banking. That neatly stops keyboard loggers and
screengrabs.

>> Nice spin, Erik, but it also means the user becomes conditioned to
>> clicking boxes without really taking in what the dialogue says, like
>> <next> <next> <next> on an installer. The answer is to randomly vary
>> what the box says so the user learns to stop and read them.
>
> On average, the user will *NOT* stop and read them. Even if you vary
> what they say, they'll just try and figure out the quickest way to
> make it go away without comprehending what it is trying to tell them.
>
> "This action will destroy youc computer. Are you sure you want to do
> this?" [[Destroy Computer]] [[Figure out how to fix it]]
>
> At least 50% of the time they'll click Destroy Computer. People just
> don't read that stuff, they just randomly click, unless there's a
> clear affirmative. They'll even click yes to something like this:
>
> "This action will give you a painful enema. Do you wish to continue?"
> [[Yes]] [[No]]

Wasn't it WinZip that some years ago varied the placing of the "Yes" and
"No" boxes as a form of nagware? A few "no" boxes clicked and the user
sits up and takes notice.

But if he user won't read the dialogue there's no real improvement in
Vista over XP in this regard.

> Frankly, I think the whole sudo/uac thing is a red herring anyways. I
> don't think either OSX/Ubuntu's approach or Microsoft's will solve
> anything in the long run.
>
>> It also means that the user installing Vista is the administrator,
>> unlike Linux where the install procedure makes the user enter a root
>> password, then insists the user create an account for their day to
>> day use.
>
> You misunderstand. In Vista, being an administrator is basically the
> same as being in the wheel group. You don't have admin privs unless
> you explicitly approve them.

With one mouse click.

Whoever installs Vista is automatically root and can authenticate
anything with one mouse click.

And there's no mechanism in the Vista installation process to force the
user to create a regular user account and log them into it. That's a
fundamental flaw with Vista.

> Just like with Ubuntu. The only
> difference is that Ubuntu/MacOS require you to type your password
> again, while Vista requires you to click Ok, but it does so in a very
> jarring manner to make you realize that something is requesting admin
> privs.

And once it turns into muscle memory they'll reflexively click "yes" to
"This trojan is from an untrusted source. Do you wish to continue."

--

Peter

Tom Shelton · External Since: Aug 30, 2005 Posts: 55

Mathew P. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2006-09-29, Richard Rasker spake thusly:
> > Op Thu, 28 Sep 2006 17:51:29 -0500, schreef Erik Funkenbusch:
> >
> >> On Thu, 28 Sep 2006 16:42:50 +0200, Richard Rasker wrote:
>
> --------------------8<-----------------
>
> >>> And why is that? No, not because Windows is the dominant OS, but
> >>> because it's largely trivial to infect a Windows machine, even with lots
> >>> of "defenses" in place. One wrong click, and you're buggered, period.
> >>> Linux isn't built like that. And because making things difficult *does*
> >>> deter most people from doing it.
>
> I tend to be verbose. But at it's most basic, and bottom line level,
> this is *very* well said and sums up several key concepts at once:
>
> 1) It's trivial to crack and own a windows system.
>
> 2) It's trivial to infect a windows system with malicious software.
>
> 3) It's trivial to harvest valuable personal information from a Windows
> system. See numbers 1 & 2.
>
> 4) Windows software makes social engineering pointless. "One wrong
> click and you're buggered", pretty much sums that up.
>
> 5) Windows defense software in all it's many and varied forms is impotent.
>
> 6) Making things that are potentially disasterous, difficult to do, *is*
> effective. Period.
>
> 7) That Linux is designed to be secure with one through 6 in mind, is a
> *fact*. That Linux is hardened, and with SElinux, armored against attack,
> is a *fact*.
>
> Cool

That windows isn't, is a *fact* .
>
> >> Bullshit. Linux has been largely immune because of it's relative obscurity
> >> and higher than average technical ability of its users. MacOS has been
> >> largely immune because the tools don't exist for hacking systems on PPC as
> >> much as they do on x86. I predict we'll see a few major attacks on MacOS
> >> in the next 2 years.
>
> Why? because Apple dumped their Motorola contract, and went with the intel
> household?
>
> Vulnerability to attack isn't about the chip(s). It's about access. Physical
> access to the hardware, and/or remote access to the software systems like the
> OS.
>
> Windows leaves it's johnson flapping in the breeze as it were. It would
> do so on *any* platform, which isn't true of *nix systems. The problem
> isn't intel's johnson, it's windows. This _should_ piss off intel, AMD,
> and all the other x86 boys. It dosen't seem to, or if it does, they
> aren't letting on.
>
> Good follow up Richard.
>
> Regards,
>
> Mathew

Funny you have such a high oppion of the invulnerability of Linux
servers... Did you read on netcraft about the recent problems at
hostgator? No? They are a hosting service. They had their servers
compromised, and then were rooted by a local exploit in a common
application used by hosting services (cPanel). The attackers then
redirected all hits to pages that took advantage of the recent IE
hole... Sure, the point was to infect windows systems - but guess what
OS those hijacked servers were running?

--
Tom Shelton

Gregory Shearman · External Since: Jun 30, 2004 Posts: 492

Hadron Quark wrote:

> Gregory Shearman <ZekeGregory RemoveThis @netscape.net> writes:
>
>> Hadron Quark wrote:
>>
>>> JDS <jeffrey RemoveThis @invalid.address> writes:
>>>
>>>> On Thu, 28 Sep 2006 13:51:11 +0200, Hadron Quark wrote:
>>>>
>>>>> You can be sure as hell that *if* Linux ever gets more than 2% of the
>>>>> desktop share then the virus writers will turn their gaze towards it.
>>>>
>>>> How about the server market share? Most of the websites on the WWW
>>>> run on Apache on Linux. That's a pretty big market share. Where are the
>>>> viruses for those systems?
>>>
>>> They are hacked on a routine basis.
>>
>> Routine?
>>
>> How about you define what you mean about "routine" and supply evidence to
>> support your claims.
>
> Greg, you seem competent enough.
>
> Let me turn this around:
>
> Are web servers running apache and Linux hacked? Yes or no.

Answer my question please.

How do you define "routine" and supply evidence of your claims.

> Its the denial that freaks me out.

I've denied nothing.

--
Regards,

Gregory.
"Ding-a-ding-dang,My Dang-a-long ling-long"

Gregory Shearman · External Since: Jun 30, 2004 Posts: 492

Hadron Quark wrote:

> Gregory Shearman <ZekeGregory.DeleteThis@netscape.net> writes:
>
>> Peter Köhlmann wrote:
>>
>>> Hadron Quark wrote:
>>>
>>>> Erik Funkenbusch <erik.DeleteThis@despam-funkenbusch.com> writes:
>>>>
>>> < snip >
>>>
>>>>> Of course, that's not taking into account that such viruses or trojans
>>>>> can try to exploit any known local privilege elevation vulnerability
>>>>> as well.
>>>>
>>>>
>>>> The nutjobs are forgetting that magic word "sudo" which accompanies
>>>> just every single "How to get Linux Working howto" out there.
>>>>
>>>
>>> Interesting. Tell us more about this "magical" sudo
>>> Whenever I try to use it on a SuSE box, I fail so miserably without
>>> setting it up (having to resort to root, naturally)
>>
>> Hmmm.... Gentoo requires the user to be part of the "wheel" group to be
>> able to "sudo".
>>
>> Presumably, you give such power only to TRUSTED users and only for
>> SPECIFIC purposes.
>>
>> I personally prefer the old
>>
>> $ su -c "<command>"
>
> "sudo" might not exist everywhere of course. But its not rocket science
> to see the point I am making. And lots of patches and upgrades need root
> access to install.

sudo can be anywhere I want it to be. I don't need it.

> The rest is how Erik explained : just convince the user they need to
> exec this stuff and *bam*.

If the user can't execute it on the /home partition or the /tmp partition
then how in hell can they execute it?

If they have administrative control and are "convinced" to run this stuff
then they deserve anything they get.

You can easily do a rm command that will hose your system.... if you have
admin access.

> Don't deny it. It just makes you look like you refuse to see the truth.

What truth is that? Administrators can do damage to their system by
installing malware?

--
Regards,

Gregory.
"Ding-a-ding-dang,My Dang-a-long ling-long"

Erik Funkenbusch · External Since: May 27, 2005 Posts: 2403

On Sat, 30 Sep 2006 23:38:54 +1000, Gregory Shearman wrote:

>> The rest is how Erik explained : just convince the user they need to
>> exec this stuff and *bam*.
>
> If the user can't execute it on the /home partition or the /tmp partition
> then how in hell can they execute it?

If you don't make /home executable, then that means the users cannot
install any personal apps without elevating their privileges. That might
be ok, but then again, it might not.

> If they have administrative control and are "convinced" to run this stuff
> then they deserve anything they get.

That kind of attitude is part of the problem.

> You can easily do a rm command that will hose your system.... if you have
> admin access.

Indeed.

Mathew P. · External Since: Feb 27, 2006 Posts: 277

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2006-09-30, Gregory Shearman spake thusly:
> Hadron Quark wrote:
>
>> Gregory Shearman <ZekeGregory.DeleteThis@netscape.net> writes:
>>
>>> Peter Köhlmann wrote:
>>>
>>>> Hadron Quark wrote:
>>>>
>>>>> Erik Funkenbusch <erik.DeleteThis@despam-funkenbusch.com> writes:
>>>>>
>>>> < snip >
>>>>
>>>>>> Of course, that's not taking into account that such viruses or trojans
>>>>>> can try to exploit any known local privilege elevation vulnerability
>>>>>> as well.
>>>>>
>>>>>
>>>>> The nutjobs are forgetting that magic word "sudo" which accompanies
>>>>> just every single "How to get Linux Working howto" out there.
>>>>>
>>>>
>>>> Interesting. Tell us more about this "magical" sudo
>>>> Whenever I try to use it on a SuSE box, I fail so miserably without
>>>> setting it up (having to resort to root, naturally)
>>>
>>> Hmmm.... Gentoo requires the user to be part of the "wheel" group to be
>>> able to "sudo".
>>>
>>> Presumably, you give such power only to TRUSTED users and only for
>>> SPECIFIC purposes.
>>>
>>> I personally prefer the old
>>>
>>> $ su -c "<command>"
>>
>> "sudo" might not exist everywhere of course. But its not rocket science
>> to see the point I am making. And lots of patches and upgrades need root
>> access to install.

Yes, it is. It takes rocket science to even follow whatever train of thought
you have rolling around in your head on the subject.

At the risk of being redundant, give it a rest. Get some new material.

In seven years of using _Linux_ , I have _never_ *needed* sudo. If you have use
for a command line super user acess tool, you are going to know what the
hell you are doing. Otherwise, you won't even know what super user access is,
and you certainly will never *need* it. Ever. I used it once in Darwin to hack
a *single line* of Safari code, because I chose to, I was dicking around for
fun; I didn't _need to_ use it at all.

Howto guides are for people who are interested enough to learn *HOW TO* . THE
CAUSUAL USER ISN'T GOING TO BE INTERESTED IN LEARNING ABOUT GOING DEEPER INTO
THE OS AND THEY _DON'T NEED TO. EVER._

Unless they want to, in which case a howto will help them learn how to do it
without self destructing. Which is what howto guides are for, you clueless twit.

> sudo can be anywhere I want it to be. I don't need it.
>
>> The rest is how Erik explained : just convince the user they need to
>> exec this stuff and *bam*.
>
> If the user can't execute it on the /home partition or the /tmp partition
> then how in hell can they execute it?
>
> If they have administrative control and are "convinced" to run this stuff
> then they deserve anything they get.
>
> You can easily do a rm command that will hose your system.... if you have
> admin access.

RM will not easily hose your system without explicitly telling it to do so
with command line switches and proper syntax.

In other words, you can't screw yourself unless you are determined to learn
to be a contortionist. You want to intentionally RM yourself into oblivion,
knock yourself out. Just don't blame it on RM.

Gee, those cryptic command line instructions you are always braying on about
actually do have an important and appropriate useage wich includes <GASP>
protection of system integrity.

Twit.

Mathew

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFFHvGYlkJ5K/IU2ToRAr06AJ4yGbGtZavzHaECc8ZgHdUo3Cj2wACbBmWO
G9k1zPq55K0dRRlEMJ7/8V4=
=f/Ab
-----END PGP SIGNATURE-----

--
"Always do the right thing: It will delight / Aluminum Foil Deflector Beanies
some and astound the rest" - Mark Twain / Psychotronic protection, low prices

Gregory Shearman · External Since: Jun 30, 2004 Posts: 492

Hadron Quark wrote:

>>> And, sudo still gets around everything does it not? If there is a build
>>> script which compiles & installs and is advertised to the user as
>>> legitimate he must
>>
>> Oh FFS... sudo rm -rf /
>>
>
> Sorry? You are supporting me? .....

Not in a million years.

Administrator access can cause damage to your system if you don't know what
you are doing.

>> ..will take care of most things...
>>
>>> "sudo sh ./myscript" or something.
>>
>> If a user can do this then they are an ADMINISTRATOR, not a user.
>
> All home users tend to be administrators. Welcome back to the real world
> of home and small business computing.

I've a number of users at my home... only one administrator... me.

The "real" world?

Some people use their computers and have someone remotely administer their
machine via ssh.

> And heres something else - people dont want o to disable exec. Why? I'll
> leave it as an exercise in common sense.

Sense isn't all that common.

I don't like typing my root password whenever I "su" a command, but I do it
because it is necessary for good system security.

--
Regards,

Gregory.
"Ding-a-ding-dang,My Dang-a-long ling-long"

Tom Shelton · External Since: Aug 30, 2005 Posts: 55

Peter Hayes wrote:
> In <1159683139.861911.323720 DeleteThis @m73g2000cwd.googlegroups.com> Tom Shelton
> wrote:
> >
> > Mathew P. wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> On 2006-09-29, Richard Rasker spake thusly:
> >> > Op Thu, 28 Sep 2006 17:51:29 -0500, schreef Erik Funkenbusch:
> >> >
> >> >> On Thu, 28 Sep 2006 16:42:50 +0200, Richard Rasker wrote:
> >>
> >> --------------------8<-----------------
> >>
> >> >>> And why is that? No, not because Windows is the dominant OS, but
> >> >>> because it's largely trivial to infect a Windows machine, even
> >> >>> with lots of "defenses" in place. One wrong click, and you're
> >> >>> buggered, period. Linux isn't built like that. And because making
> >> >>> things difficult *does* deter most people from doing it.
> >>
> >> I tend to be verbose. But at it's most basic, and bottom line level,
> >> this is *very* well said and sums up several key concepts at once:
> >>
> >> 1) It's trivial to crack and own a windows system.
> >>
> >> 2) It's trivial to infect a windows system with malicious software.
> >>
> >> 3) It's trivial to harvest valuable personal information from a
> >> Windows
> >> system. See numbers 1 & 2.
> >>
> >> 4) Windows software makes social engineering pointless. "One wrong
> >> click and you're buggered", pretty much sums that up.
> >>
> >> 5) Windows defense software in all it's many and varied forms is
> >> impotent.
> >>
> >> 6) Making things that are potentially disasterous, difficult to do, *
> >> is*
> >> effective. Period.
> >>
> >> 7) That Linux is designed to be secure with one through 6 in mind, is
> >> a
> >> *fact*. That Linux is hardened, and with SElinux, armored against
> >> attack, is a *fact*.
> >>
> >> Cool

That windows isn't, is a *fact* .
> >>
> >> >> Bullshit. Linux has been largely immune because of it's relative
> >> >> obscurity and higher than average technical ability of its users.
> >> >> MacOS has been largely immune because the tools don't exist for
> >> >> hacking systems on PPC as much as they do on x86. I predict we'll
> >> >> see a few major attacks on MacOS in the next 2 years.
> >>
> >> Why? because Apple dumped their Motorola contract, and went with the
> >> intel household?
> >>
> >> Vulnerability to attack isn't about the chip(s). It's about access.
> >> Physical access to the hardware, and/or remote access to the software
> >> systems like the OS.
> >>
> >> Windows leaves it's johnson flapping in the breeze as it were. It
> >> would do so on *any* platform, which isn't true of *nix systems. The
> >> problem isn't intel's johnson, it's windows. This _should_ piss off
> >> intel, AMD, and all the other x86 boys. It dosen't seem to, or if it
> >> does, they aren't letting on.
> >>
> >> Good follow up Richard.
> >>
> >> Regards,
> >>
> >> Mathew
> >
> > Funny you have such a high oppion of the invulnerability of Linux
> > servers... Did you read on netcraft about the recent problems at
> > hostgator? No? They are a hosting service. They had their servers
> > compromised, and then were rooted by a local exploit in a common
> > application used by hosting services (cPanel). The attackers then
> > redirected all hits to pages that took advantage of the recent IE
> > hole... Sure, the point was to infect windows systems - but guess
> > what OS those hijacked servers were running?
>
> So? You just said the attack came through a local exploit in a common
> application used by hosting services (cPanel).

Since it is a LOCAL exploit, it means that the attackers had to gain
access to the system.... That means that the system was compromised in
some form. There are several ways that could have happend - maybe it
was someone that already had a shell account. Or maybe, someone was
able to "social engineer" someone elses password (apparently this is
common). Maybe they were just plain able to crack the system. But, in
the end the system was compromised. It had to be for the privledge
escalation attack to even work.

> There lies the
> vulnerability, not in the OS. Many Windows exploits occur directly
> through IE, and IE is part of the OS, Gates stood up in court and said
> so. Spot the difference.

Not really. I see lots of instances of people here blaming MS for
holes in 3rd party applications and services - why should we cut Linux
any more slack? Oh yeah, it's that double standard thing. Run a
service with root privledges, and it is a potential vector for a
privledge escalation.

--
Tom Shelton

Mathew P. · External Since: Feb 27, 2006 Posts: 277

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2006-09-29, Richard Rasker spake thusly:
> Op Thu, 28 Sep 2006 17:51:29 -0500, schreef Erik Funkenbusch:
>
>> On Thu, 28 Sep 2006 16:42:50 +0200, Richard Rasker wrote:

--------------------8<-----------------

>>> And why is that? No, not because Windows is the dominant OS, but
>>> because it's largely trivial to infect a Windows machine, even with lots
>>> of "defenses" in place. One wrong click, and you're buggered, period.
>>> Linux isn't built like that. And because making things difficult *does*
>>> deter most people from doing it.

I tend to be verbose. But at it's most basic, and bottom line level,
this is *very* well said and sums up several key concepts at once:

1) It's trivial to crack and own a windows system.

2) It's trivial to infect a windows system with malicious software.

3) It's trivial to harvest valuable personal information from a Windows
system. See numbers 1 & 2.

4) Windows software makes social engineering pointless. "One wrong
click and you're buggered", pretty much sums that up.

5) Windows defense software in all it's many and varied forms is impotent.

6) Making things that are potentially disasterous, difficult to do, *is*
effective. Period.

7) That Linux is designed to be secure with one through 6 in mind, is a
*fact*. That Linux is hardened, and with SElinux, armored against attack,
is a *fact*.

Cool

That windows isn't, is a *fact* .

>> Bullshit. Linux has been largely immune because of it's relative obscurity
>> and higher than average technical ability of its users. MacOS has been
>> largely immune because the tools don't exist for hacking systems on PPC as
>> much as they do on x86. I predict we'll see a few major attacks on MacOS
>> in the next 2 years.

Why? because Apple dumped their Motorola contract, and went with the intel
household?

Vulnerability to attack isn't about the chip(s). It's about access. Physical
access to the hardware, and/or remote access to the software systems like the
OS.

Windows leaves it's johnson flapping in the breeze as it were. It would
do so on *any* platform, which isn't true of *nix systems. The problem
isn't intel's johnson, it's windows. This _should_ piss off intel, AMD,
and all the other x86 boys. It dosen't seem to, or if it does, they
aren't letting on.

Good follow up Richard.

Regards,

Mathew

-----------------------8<---------------------

- ---
"Always do the right thing: It will delight / Aluminum Foil Deflector Beanies
some and astound the rest" - Mark Twain / Psychotronic protection, low prices

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFFH1YmlkJ5K/IU2ToRAl5fAJ9M9hc3wvAeWxNLU3I16VOOEnO14ACfUOas
/54Xjfca4R3Cgqa7NB8GOEQ=
=MvT5
-----END PGP SIGNATURE-----

Peter Hayes · External Since: Oct 10, 2005 Posts: 202

In <1159683139.861911.323720.DeleteThis@m73g2000cwd.googlegroups.com> Tom Shelton
wrote:
>
> Mathew P. wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 2006-09-29, Richard Rasker spake thusly:
>> > Op Thu, 28 Sep 2006 17:51:29 -0500, schreef Erik Funkenbusch:
>> >
>> >> On Thu, 28 Sep 2006 16:42:50 +0200, Richard Rasker wrote:
>>
>> --------------------8<-----------------
>>
>> >>> And why is that? No, not because Windows is the dominant OS, but
>> >>> because it's largely trivial to infect a Windows machine, even
>> >>> with lots of "defenses" in place. One wrong click, and you're
>> >>> buggered, period. Linux isn't built like that. And because making
>> >>> things difficult *does* deter most people from doing it.
>>
>> I tend to be verbose. But at it's most basic, and bottom line level,
>> this is *very* well said and sums up several key concepts at once:
>>
>> 1) It's trivial to crack and own a windows system.
>>
>> 2) It's trivial to infect a windows system with malicious software.
>>
>> 3) It's trivial to harvest valuable personal information from a
>> Windows
>> system. See numbers 1 & 2.
>>
>> 4) Windows software makes social engineering pointless. "One wrong
>> click and you're buggered", pretty much sums that up.
>>
>> 5) Windows defense software in all it's many and varied forms is
>> impotent.
>>
>> 6) Making things that are potentially disasterous, difficult to do, *
>> is*
>> effective. Period.
>>
>> 7) That Linux is designed to be secure with one through 6 in mind, is
>> a
>> *fact*. That Linux is hardened, and with SElinux, armored against
>> attack, is a *fact*.
>>
>> Cool

That windows isn't, is a *fact* .
>>
>> >> Bullshit. Linux has been largely immune because of it's relative
>> >> obscurity and higher than average technical ability of its users.
>> >> MacOS has been largely immune because the tools don't exist for
>> >> hacking systems on PPC as much as they do on x86. I predict we'll
>> >> see a few major attacks on MacOS in the next 2 years.
>>
>> Why? because Apple dumped their Motorola contract, and went with the
>> intel household?
>>
>> Vulnerability to attack isn't about the chip(s). It's about access.
>> Physical access to the hardware, and/or remote access to the software
>> systems like the OS.
>>
>> Windows leaves it's johnson flapping in the breeze as it were. It
>> would do so on *any* platform, which isn't true of *nix systems. The
>> problem isn't intel's johnson, it's windows. This _should_ piss off
>> intel, AMD, and all the other x86 boys. It dosen't seem to, or if it
>> does, they aren't letting on.
>>
>> Good follow up Richard.
>>
>> Regards,
>>
>> Mathew
>
> Funny you have such a high oppion of the invulnerability of Linux
> servers... Did you read on netcraft about the recent problems at
> hostgator? No? They are a hosting service. They had their servers
> compromised, and then were rooted by a local exploit in a common
> application used by hosting services (cPanel). The attackers then
> redirected all hits to pages that took advantage of the recent IE
> hole... Sure, the point was to infect windows systems - but guess
> what OS those hijacked servers were running?

So? You just said the attack came through a local exploit in a common
application used by hosting services (cPanel). There lies the
vulnerability, not in the OS. Many Windows exploits occur directly
through IE, and IE is part of the OS, Gates stood up in court and said
so. Spot the difference.

--

Peter

SierraTangoFoxtrotUniform · External Since: Oct 01, 2006 Posts: 4

Mathew P. wrote:
>
> I tend to be verbose.

"...full of sound and fury..." is more accurate.

> 1) It's trivial to crack and own a windows system.
>
> 2) It's trivial to infect a windows system with malicious software.
>
> 3) It's trivial to harvest valuable personal information from a
> Windows system. See numbers 1 & 2.

Since 1-3 are trivial, I look forward to having all my Windows machines
cracked and owned by midnight today. A simple hard drive overwrite will be
sufficient proof.

--
"I always pushing Linux. Because is better for people, I want friends to do
computer without bugs. Bugs like viruses, trojans, spyware. Windows crashes
or freezes or at first slow but then very slow. Linux is much better." -
Au79, a typical linux user

Peter KÃ¶hlmann · External Since: Jun 27, 2005 Posts: 1500

Tom Shelton wrote:

>
> Peter Hayes wrote:
>> In <1159683139.861911.323720.DeleteThis@m73g2000cwd.googlegroups.com> Tom Shelton
>> wrote:
>> >
>> > Mathew P. wrote:
>> >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> Hash: SHA1
>> >>
>> >> On 2006-09-29, Richard Rasker spake thusly:
>> >> > Op Thu, 28 Sep 2006 17:51:29 -0500, schreef Erik Funkenbusch:
>> >> >
>> >> >> On Thu, 28 Sep 2006 16:42:50 +0200, Richard Rasker wrote:
>> >>
>> >> --------------------8<-----------------
>> >>
>> >> >>> And why is that? No, not because Windows is the dominant OS, but
>> >> >>> because it's largely trivial to infect a Windows machine, even
>> >> >>> with lots of "defenses" in place. One wrong click, and you're
>> >> >>> buggered, period. Linux isn't built like that. And because making
>> >> >>> things difficult *does* deter most people from doing it.
>> >>
>> >> I tend to be verbose. But at it's most basic, and bottom line level,
>> >> this is *very* well said and sums up several key concepts at once:
>> >>
>> >> 1) It's trivial to crack and own a windows system.
>> >>
>> >> 2) It's trivial to infect a windows system with malicious software.
>> >>
>> >> 3) It's trivial to harvest valuable personal information from a
>> >> Windows
>> >> system. See numbers 1 & 2.
>> >>
>> >> 4) Windows software makes social engineering pointless. "One wrong
>> >> click and you're buggered", pretty much sums that up.
>> >>
>> >> 5) Windows defense software in all it's many and varied forms is
>> >> impotent.
>> >>
>> >> 6) Making things that are potentially disasterous, difficult to do, *
>> >> is*
>> >> effective. Period.
>> >>
>> >> 7) That Linux is designed to be secure with one through 6 in mind, is
>> >> a
>> >> *fact*. That Linux is hardened, and with SElinux, armored against
>> >> attack, is a *fact*.
>> >>
>> >> Cool

That windows isn't, is a *fact* .
>> >>
>> >> >> Bullshit. Linux has been largely immune because of it's relative
>> >> >> obscurity and higher than average technical ability of its users.
>> >> >> MacOS has been largely immune because the tools don't exist for
>> >> >> hacking systems on PPC as much as they do on x86. I predict we'll
>> >> >> see a few major attacks on MacOS in the next 2 years.
>> >>
>> >> Why? because Apple dumped their Motorola contract, and went with the
>> >> intel household?
>> >>
>> >> Vulnerability to attack isn't about the chip(s). It's about access.
>> >> Physical access to the hardware, and/or remote access to the software
>> >> systems like the OS.
>> >>
>> >> Windows leaves it's johnson flapping in the breeze as it were. It
>> >> would do so on *any* platform, which isn't true of *nix systems. The
>> >> problem isn't intel's johnson, it's windows. This _should_ piss off
>> >> intel, AMD, and all the other x86 boys. It dosen't seem to, or if it
< snip >

>> There lies the
>> vulnerability, not in the OS. Many Windows exploits occur directly
>> through IE, and IE is part of the OS, Gates stood up in court and said
>> so. Spot the difference.
>
> Not really.

Yes really. Billy Boy vowed under oath that IE is part of the OS
Do you know better than him? Why?

> I see lots of instances of people here blaming MS for
> holes in 3rd party applications and services - why should we cut Linux
> any more slack?

Actually, nobody blames MS for non-MS bugs. MS gets blamed for its own
problems, of which there are more than enough for years to come

You would do well if you could bolster this apparant lie with some MSg-IDs.
Say, 5 to 6 different posters balimg MS like you claimed for non-MS apps

> Oh yeah, it's that double standard thing. Run a
> service with root privledges, and it is a potential vector for a
> privledge escalation.
>

Actually, you talk bollocks.
That service did not provide root for the attackers.
There seemed to be a bug which enabled attackers who already had an acount
(therefore LOCAL exploit) to gain root
This is a problem of the application, not the OS, as it also runs on BSD

--
Longhorn error#4711: TCPA / NGSCP VIOLATION: Microsoft optical mouse
detected penguin patterns on mousepad. Partition scan in progress
to remove offending incompatible products. Reactivate your MS software

Richard Rasker · External Since: Jul 27, 2005 Posts: 199

Op Sat, 30 Sep 2006 23:12:19 -0700, schreef Tom Shelton:

>
> Mathew P. wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 2006-09-29, Richard Rasker spake thusly:
>> > Op Thu, 28 Sep 2006 17:51:29 -0500, schreef Erik Funkenbusch:
>> >
>> >> On Thu, 28 Sep 2006 16:42:50 +0200, Richard Rasker wrote:
>>
>> --------------------8<-----------------
>>
>> >>> And why is that? No, not because Windows is the dominant OS, but
>> >>> because it's largely trivial to infect a Windows machine, even with lots
>> >>> of "defenses" in place. One wrong click, and you're buggered, period.
>> >>> Linux isn't built like that. And because making things difficult *does*
>> >>> deter most people from doing it.
>>
>> I tend to be verbose. But at it's most basic, and bottom line level,
>> this is *very* well said and sums up several key concepts at once:
>>
>> 1) It's trivial to crack and own a windows system.
>>
>> 2) It's trivial to infect a windows system with malicious software.
>>
>> 3) It's trivial to harvest valuable personal information from a Windows
>> system. See numbers 1 & 2.
>>
>> 4) Windows software makes social engineering pointless. "One wrong
>> click and you're buggered", pretty much sums that up.
>>
>> 5) Windows defense software in all it's many and varied forms is impotent.
>>
>> 6) Making things that are potentially disasterous, difficult to do, *is*
>> effective. Period.
>>
>> 7) That Linux is designed to be secure with one through 6 in mind, is a
>> *fact*. That Linux is hardened, and with SElinux, armored against attack,
>> is a *fact*.
>>
>> Cool

That windows isn't, is a *fact* .
>>
>> >> Bullshit. Linux has been largely immune because of it's relative obscurity
>> >> and higher than average technical ability of its users. MacOS has been
>> >> largely immune because the tools don't exist for hacking systems on PPC as
>> >> much as they do on x86. I predict we'll see a few major attacks on MacOS
>> >> in the next 2 years.
>>
>> Why? because Apple dumped their Motorola contract, and went with the intel
>> household?
>>
>> Vulnerability to attack isn't about the chip(s). It's about access. Physical
>> access to the hardware, and/or remote access to the software systems like the
>> OS.
>>
>> Windows leaves it's johnson flapping in the breeze as it were. It would
>> do so on *any* platform, which isn't true of *nix systems. The problem
>> isn't intel's johnson, it's windows. This _should_ piss off intel, AMD,
>> and all the other x86 boys. It dosen't seem to, or if it does, they
>> aren't letting on.
>>
>> Good follow up Richard.
>>
>> Regards,
>>
>> Mathew
>
> Funny you have such a high oppion of the invulnerability of Linux
> servers...

No-one mentioned servers in this thread until you did just now. Quite
contrary, it's mostly home users falling victim to the "one-click-mayhem"
I mentioned.
Also, no-one mentioned the word "invulnerable". Yes, we're quite convinced
that Linux is much, much more secure than Windows in any respect, but it's
not invulnerable - nor will it ever be.

So effectively, in one sentence, you've laid several words in our mouths
we haven't spoken at all. Nice job.

> Did you read on netcraft about the recent problems at hostgator? No?
> They are a hosting service. They had their servers compromised, and
> then were rooted by a local exploit in a common application used by
> hosting services (cPanel). The attackers then redirected all hits to
> pages that took advantage of the recent IE hole... Sure, the point was
> to infect windows systems - but guess what OS those hijacked servers
> were running?

Not Windows, as Linux and BSD are far more cost effective for web hosting.

In rebuttal:
1: Linux is not invulnerable, merely light years ahead of Windows
security-wise.
2: cPanel is an application, not an OS.
3: The exploit was local, not remote, as with most Windows exploits.
4: This is a relatively small incident in comparison to Windows exploits.
5: The ultimate target was, indeed ... Windows - because it's so easy to
infect reams over reams of those boxes.

Richard Rasker

--
Linetec Translation and Technology Services

http://www.linetec.nl/

Oliver Wong · External Since: Apr 27, 2006 Posts: 1398

"Mathew P." <Mathew RemoveThis @COLA.com> wrote in message
news:eb0Tg.13276$2G1.10666@trnddc07...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2006-09-28, Oliver Wong spake thusly:
>>
>> But if they delete all my
>> files, then I've lost everything since the previous backup (which for
>> most
>> users I'd assume was "never").
>
> I back up my home userspace to dvd at least once a month. (which reminds
> me,
> I haven't done it yet for this month.) It's painless. Fire up K3B and have
> a
> cup of coffee.

I'm one of those users who doesn't backup their data. Unfortunately, my
"userspace" is on the order of 400GB. I do video editing and music
composition (which involves lossless video and audio files, which can be
quite big), and complex vector graphics (where some polygons are smaller
than a single pixel when displayed at 1600x1200, for example).

If it were convenient, I'd also like to backup my save games, but games
typically store all their data in their executable directory (and not
nescessarily in a standard way). To backup the entire "Games" folder might
add another 200GB or so.

- Oliver