Know what you're doing

[Linuxgirl]

It seems like a decent product, at least it works well on a clean system.
It's nice to see MS at least trying to cope with their leaky old systems
but too many posts here are from people who should never be testing a beta.

Don't install this thing unless you're reasonably proficient with the
Windoze OS and you have read through at least some of the posts here.

or get Linux.

 

[Andrew Z Carpenter [MVP]]

It seems like a decent product, at least it works well on a clean system.
It's nice to see MS at least trying to cope with their leaky old systems
but too many posts here are from people who should never be testing a
beta.

Don't install this thing unless you're reasonably proficient with the
Windoze OS and you have read through at least some of the posts here.

or get Linux.

OK.. think about that for a minute. You are addressing an audience that
in your own words "should never be testing a beta" and are not "reasonably
proficient with the Windoze [sic] OS".

Then, in the next breath you are saying they should get Linux.

Could you explain to me in what way Linux is suitable for that audience?

 

[Linuxgirl]

It seems like a decent product, at least it works well on a clean system.
It's nice to see MS at least trying to cope with their leaky old systems
but too many posts here are from people who should never be testing a
beta.

Don't install this thing unless you're reasonably proficient with the
Windoze OS and you have read through at least some of the posts here.

or get Linux.

OK.. think about that for a minute. You are addressing an audience that
in your own words "should never be testing a beta" and are not "reasonably
proficient with the Windoze [sic] OS".

Then, in the next breath you are saying they should get Linux.

Could you explain to me in what way Linux is suitable for that audience?

Read it again. I did not say they should get Linux. I said they should know
what they're doing before loading a beta.

You will notice that I also said it worked well for me ( on my XP Pro
system ).

I said "or" get Linux which doesn't have all the problems Windows has with
security.

I see the "MVP" and I would guess that you believe there is no alternative
to Windows.

 

[Andrew Z Carpenter [MVP]]

Read it again. I did not say they should get Linux. I said
they should know what they're doing before loading a beta.

You will notice that I also said it worked well for me ( on
my XP Pro system ).

I said "or" get Linux which doesn't have all the problems
Windows has with security.

I see the "MVP" and I would guess that you believe there is
no alternative to Windows.

This is an age old argument, one to which there is no real
answer. Sure Windows can be made more secure. Yes, there
is still work to do. But the biggest problem is educating the
users to know how to practice safe computing. And that is
something that is completely independent of operating system.

Sure there are alternatives to Windows. I've just not met
one yet that 'mom & pop' can use.

 

[Bill Sanderson]

I said "or" get Linux which doesn't have all the problems Windows has with
security.

If you truly believe the above statement, you have some more to learn about
Linux, I'm afraid. You could split hairs and weasel on the "all" but the
fact is that every OS available has significant security issues out of the
box and the real issue is how well they are being addressed by the
particular vendor you choose--and that goes just as much for a specific
Linux distribution as it does for Windows.

And I'll admit to being an MVP as well, just so I don't appear to be
concealing anything!

 

[Linuxgirl]

If you truly believe the above statement, you have some more to learn
about
Linux, I'm afraid. You could split hairs and weasel on the "all" but the
fact is that every OS available has significant security issues out of the
box and the real issue is how well they are being addressed by the
particular vendor you choose--and that goes just as much for a specific
Linux distribution as it does for Windows.

I'll admit that all OSs have some security problems but having used various
Linux systems since 96, Windows since 3.0 and various Macs, it's hands down
that windows has always had the most security problems. Granted, the main
reason is that it is the most targeted but it is also because their
products were usually unfinished and poorly tested when released.

I ran MSA on my XP systems and it came up blank. My other systems, including
this one are also clean but the most time keeping them that way is spent on
Windoze.

Mae

 

[Max Burke]

Linuxgirl scribbled:

snip....

I said "or" get Linux which doesn't have all the problems Windows has
with security.

FYI:

<quote>
Using 'advanced static analysis': "cd drivers; grep copy_from_user -r ./* |
grep -v sizeof", I discovered 4 exploitable vulnerabilities in a matter of
15 minutes. More vulnerabilities were found in 2.6 than in 2.4. It's a
pretty sad state of affairs for Linux security when someone can find 4
exploitable vulnerabilities in a matter of minutes. Since there was no point
in sending more vulnerability reports when the first hadn't even been
responded to, I'm including all four of them in this mail, as well as a POC
for the poolsize bug. The other bugs can have POCs written for just as
trivially. The poolsize bug requires uid 0, but not any root capabilities.

The scsi and serial bugs depend on the permissions of their respective
devices, and thus can possibly be exploited as non-root. The scsi bug in
particular has a couple different attack vectors that I haven't even
bothered to investigate. Some of these bugs have gone unfixed for several
years.

The PaX team discovered the mlockall DoS. It has been fixed in PaX for 2
years. I have attached their mail and exploit code.

I'd really like to know what's being done about this pitiful trend of Linux
security, where it's 10x as easy to find a vulnerability in the kernel than
it is in any app on the system, where isec releases at least one critical
vulnerability for each kernel version. I don't see that the 2.6 development
model is doing anything to help this (as the
spectrum of these vulnerabilities demonstrate), by throwing experimental
code into the kernel and claiming it to be "stable". Hopefully now these
vulnerabilities will be fixed in a timely manner.
http://neworder.box.sk/explread.php?newsid=13050
<end quote>

http://www.partyvibe.com/flavour/linux/security.htm
http://www.linuxsecurity.com/content/blogcategory/0/76/
http://lists.debian.org/debian-security-announce/debian-security-announce-2005/threads.html
http://neworder.box.sk/subject.php?subject=Exploits ->%20Linux

The only thing worse than the millions of Windows user that are unaware of
the need to protect their computers from attack on the internet, are the
millions of Linux users that believe they're immune from attack because
they're running Linux.....

HTH & GL.

And yes I DO use several distro's of Linux, just not as my 'production' OS.
They're simply not up to the useability standard I require for an everyday
OS.

The average Windows user would not be able to 'cope' with the Linux learning
curve or requirements (especially it's security requirements) neither should
they have to, when they can use and secure Windows far more easily that they
could Linux.

 

[Bill Sanderson]

I went looking for some stats to back up my opinion, and found some agreeing
with me, but they were pretty old. I don't think this has changed, though.
I've seen some very carefully measured comparative studies (which I can't
find to cite now!) that as I recall made Windows come out with around 60-70%
as many vulnerabilities as Linux. There are lots of complexities to such
analyses, but the presenter I was listening to was bending over backwards to
do things carefully, I thought.