Ol' gatesy is gettin worried huh ?

 
 
Lawrence D'Oliveiro
      10-29-2004
In article <92ngd.23932$(E-Mail Removed)>,
Nathan Mercer <(E-Mail Removed)> wrote:

>thing wrote:
>> Matthew Poole wrote:
>>
>>> In article <(E-Mail Removed)>, (E-Mail Removed) wrote:
>>>
>>>> http://www.reuters.co.uk/newsArticle...storyID=663243
>>>> 7&se
>>>>
>>>> ction=news
>>>
>>>
>>>
>>> I loved the comment about Windows having fewer security
>>> vulnerabilities than Linux. Which planet's rarified atmosphere does
>>> the man live in? Flaws with IE, given MS's insistence that IE cannot
>>> be separated from Windows, are Windows flaws. And I've lost count of
>>> the number of moderately or highly critical flaws in IE that've come
>>> out of Secunia this year.
>>> Linux has had its share, to be sure, but they're not usually highly
>>> critical remote code execution flaws. Or if they are, they're in
>>> shared libraries that are optional.
>>>

>>
>> This does a good bunk of what he is saying,
>>
>> http://www.theregister.co.uk/securit...dows_vs_linux/

>
>Drivel!


Explain.
 
thing
      10-29-2004
Lawrence D'Oliveiro wrote:
> In article <92ngd.23932$(E-Mail Removed)>,
> Nathan Mercer <(E-Mail Removed)> wrote:
>
>
>>thing wrote:
>>
>>>Matthew Poole wrote:
>>>
>>>
>>>>In article <(E-Mail Removed)>, (E-Mail Removed) wrote:
>>>>
>>>>
>>>>>http://www.reuters.co.uk/newsArticle...storyID=663243
>>>>>7&se
>>>>>
>>>>>ction=news
>>>>
>>>>
>>>>
>>>>I loved the comment about Windows having fewer security
>>>>vulnerabilities than Linux. Which planet's rarified atmosphere does
>>>>the man live in? Flaws with IE, given MS's insistence that IE cannot
>>>>be separated from Windows, are Windows flaws. And I've lost count of
>>>>the number of moderately or highly critical flaws in IE that've come
>>>>out of Secunia this year.
>>>>Linux has had its share, to be sure, but they're not usually highly
>>>>critical remote code execution flaws. Or if they are, they're in
>>>>shared libraries that are optional.
>>>>
>>>
>>>This does a good bunk of what he is saying,
>>>
>>>http://www.theregister.co.uk/securit...dows_vs_linux/

>>
>>Drivel!

>
>
> Explain.


As a MS employee what did you expect from Nathan?

Trouble is Nathan, MS has a history of being highly selective in
publishing "testing" results, paying for "independent" reports and
cherry picking dates from selected criteria.

Take this back to your masters for me,

MS is losing credibility, but now it's got to the stage people who matter
like CIOs and Government agencies can see the hollowness of your claims
and even at times outright lies. Less and less they believe...

You are failing in your FUD. If you bring in IP challenges all you will
do is get people's backs up at all levels. You will sow the seeds of
your own destruction, instead of taking the world with you you are
intent on crushing it, it won't work. The world is not the USA, while you
may have IP in the US (and that is being seen more and more as a
disaster), the 3rd World will not. Even if European Politicians are
stupid enough to allow US style IP, the 3rd world will not.

Too many Countries see the results of US IP meaning they cannot have
drugs at prices they can afford. The US trades in farming produce in its
terms, trapping many third world countries in poverty because they
cannot compete fairly. Many of these Governments see OSS as one of the
keys to bring their country out of poverty, do you really think they
will allow the US to chain them into perpetual misery? like it has done
with food, minerals and drugs?

You may not see it Nathan in your ivory tower but many people are sick
of being treated badly and are sick of watching others being treated
badly, so stay in MS land earning your nice salary by squashing people
and innovation or step out and get a life.

regards

Thing

thing
      10-29-2004
steve wrote:
> Troglodyte wrote:
>
>
>>http://www.reuters.co.uk

>
> newsArticle.jhtml?type=internetNews&storyID=663243 7&section=news
>
> Rely on Reuters to publish Microsoft ads as news.
>
> They used to be a credible news agency.......but over the past 4 years they
> have been shown to pervert the news to support their political and economic
> agenda.
>
> One need only read their coverage of events in Venezuela over the past 3
> years to discern the clear pattern at play.
>
> US uber alles.
>


Most US news agencies are totally reliant on advertising, since 9/11
they are so afraid of a consumer backlash causing a deserting of their
services/programming hence a collapse in advertising revenue that they
are now only highly pro-US in stance. Forget US news for a balanced
view. My concern is the BBC might go that way too....

regards

Thing

 
Matthew Poole
      10-29-2004
In article <92ngd.23932$(E-Mail Removed)>, Nathan Mercer <(E-Mail Removed)> wrote:
>thing wrote:

*SNIP*
>Drivel!
>

*SNIP*

My response to this, Nathan:
http://www.p00le.net/wvl-yr.png

I didn't add in any transparency, since your favourite browser still
hasn't learned that trick!

--
Matthew Poole Auckland, New Zealand
"Veni, vidi, velcro...
I came, I saw, I stuck around"

My real e-mail is mattATp00leDOTnet
 
Patrick Dunford
      10-29-2004
In article <i5ygd.23995$(E-Mail Removed)> in nz.comp on Sat, 30
Oct 2004 09:53:12 +1300, thing <(E-Mail Removed)> says...
> steve wrote:
> > Troglodyte wrote:
> >
> >
> >>http://www.reuters.co.uk

> >
> > newsArticle.jhtml?type=internetNews&storyID=663243 7&section=news
> >
> > Rely on Reuters to publish Microsoft ads as news.
> >
> > They used to be a credible news agency.......but over the past 4 years they
> > have been shown to pervert the news to support their political and economic
> > agenda.
> >
> > One need only read their coverage of events in Venezuela over the past 3
> > years to discern the clear pattern at play.
> >
> > US uber alles.
> >

>
> Most US news agencies are totally reliant on advertising, since 9/11
> they are so afraid of a consumer backlash causing a deserting of their
> services/programming hence a collapse in advertising revenue that they
> are now only highly pro-US in stance. Forget US news for a balanced
> view. My concern is the BBC might go that way too....


Oh come on, you expect us to take your leftie biased tosh as fact, Steve
the conspiracy theorist and capitalism hater? What kind of world do you
live in?
 
EMB
      10-30-2004
Matthew Poole wrote:

> My response to this, Nathan:
> http://www.p00le.net/wvl-yr.png


Fsck that's funny, the sad thing is that it's true and most of the
pro-MS brigade won't acknowledge that.


--
EMB
 
Brendan
      10-30-2004
On Sat, 30 Oct 2004 11:46:04 +1300, Patrick Dunford wrote:

> Oh come on, you expect us to take your leftie biased tosh as fact, Steve
> the conspiracy theorist and capitalism hater? What kind of world do you
> live in?


**** off Patrick. Capitalism is a pathological ideology.

--

.... Brendan

"'He says gods like to see an atheist around. Gives them something to aim at.'" -- Terry Pratchett, _Small Gods_

Note: All my comments are copyright 30/10/2004 11:27:50 p.m. and are opinion only where not otherwise stated and always "to the best of my recollection". www.computerman.orcon.net.nz.

************************************************** **********************
* THE BELOW ADVERT IS NOT MY WORK AND IS APPENDED AGAINST MY WISHES. *
* NEWSFEEDS.COM'S CLAIM OF 100,000 GROUPS IS BOGUS AS MANY OF THEM *
* ARE ILLEGITIMATE AND DELETED BY MOST OTHERS. NEWSFEEDS.COM CANNOT *
*BE TRUSTED. THEY USE YOUR DISCUSSION AS A VEHICLE FOR SPAMMING USENET.*
************************************************** **********************


Nathan Mercer
      10-31-2004
X-No-archive: yes

Lawrence D'Oliveiro wrote:
>>>>I loved the comment about Windows having fewer security
>>>>vulnerabilities than Linux. Which planet's rarified atmosphere does
>>>>the man live in? Flaws with IE, given MS's insistence that IE cannot
>>>>be separated from Windows, are Windows flaws. And I've lost count of
>>>>the number of moderately or highly critical flaws in IE that've come
>>>>out of Secunia this year.
>>>>Linux has had its share, to be sure, but they're not usually highly
>>>>critical remote code execution flaws. Or if they are, they're in
>>>>shared libraries that are optional.
>>>>
>>>
>>>This does a good bunk of what he is saying,
>>>
>>>http://www.theregister.co.uk/securit...dows_vs_linux/

>>
>>Drivel!

>
> Explain.


Well, Nicholas Petreley is not exactly known to be subjective for a
start, and this is supposedly an objective report based on facts?!

The facts most of his arguments are based on - have a number of flat out
inaccuracies. Here are just a few of them...

One of the first claims made is that CERT reports more severe
vulnerabilities in Windows than Linux. This is a clear twisting and
subversion of the CERT data.

The CERT severity metric takes into account things like market
penetration and risk to the overall internet infrastructure, both areas
where Microsoft products are more crucial to the internet as a whole
than nearly any other vendor, than maybe Cisco. Consequently, identical
vulnerabilities in Windows will be rated more severe than
vulnerabilities in, say Debian. Further, CERT uses this metric to
prioritise their response, and things that fall below a certain severity
threshold simply won't be reported on the CERT web site due to lack of
cycles.

"From the CERT Web site:

Metric
The metric value is a number between 0 and 180 that assigns an
approximate severity to the vulnerability. This number considers several
factors, including:
Is information about the vulnerability widely available or known?
Is the vulnerability being exploited in the incidents reported to US-CERT?
Is the Internet Infrastructure at risk because of this vulnerability?
How many systems on the Internet are at risk from this vulnerability?
What is the impact of exploiting the vulnerability?
How easy is it to exploit the vulnerability?
What are the preconditions required to exploit the vulnerability?

Because the questions are answered with approximate values that may
differ significantly from one site to another, users should not rely too
heavily on the metric for prioritizing vulnerabilities. However, it may
be useful for separating the very serious vulnerabilities from the large
number of less severe vulnerabilities described in the database.
Typically, vulnerabilities with a metric greater than 40 have been
candidates for a CERT advisory, and we will continue to use this metric
for US-CERT Technical Alerts. The questions are not all weighted
equally, and the resulting score is not linear (a vulnerability with a
metric of 40 is not twice as severe as one with a metric of 20)."

It is claimed as a fact that "When it comes to web servers, the biggest
target is Apache, the Internet's server of choice. Attacks on Apache are
nevertheless far fewer in number, and cause less damage."
The reality is just way different. Check out the Zone-H stats "Todays
Verified Attacks" just about any day of the week and you will almost
always see that Linux Web site defacements are higher than Windows by a
ratio of almost 3:1.

He waffles on about how bad IIS is, brings up the Code Red worm BO which
is fair enough. But what isn't fair is that he had to go back 4 months
or so to get 40 vulns for RH and a whole year for Windows Server 2003.
MSFT and their customers knew IIS4/5 was bad, so put it through the
TrustWorthy Computing ringer, and designed the thing from the ground up
and rewrote it to be significantly more secure. IIS6 is built into
Windows Server 2003, and it is widely acknowledged to be the most secure
version of IIS ever. Regardless IIS5 can be made to be secure, just
like earlier versions of Apache can be - it's just that you have to jump
through hoops, and it is too easy for people to get the configuration
wrong and then get 0wned.
If he's going to be fair and base argument on facts we would be
comparing IIS4/5 with dodgy old versions of Apache too - I don't think
you want to go there right? There has been 1 vuln with IIS6 IIRC
throughout its life, I'm damn sure Apache can't claim the same,
especially when you look at a real work workload like an Application
Server, not just a "static web httpd"

Once again he is comparing Windows old stuff with Linux new stuff. Sure
IE is built into the Windows platform and can't be removed. Fact is tho
that XPSP2/Server 2003 SP1 brings the browser security to a whole new
level. Most of the recent IE vulns don't apply to XPSP2 and Server 2003
with IE lockdown. Likewise a bunch of them are mitigated by running as
a user. Not rocket science there

His assertion that Linux servers are ideal for headless non-local
administration is exactly the same for Windows Server 2003. Windows
Server 2003 locks down the browser, and it certainly is not recommended
to run a browser locally on the Server logged in as root. Same for Linux.

Look at Mozilla FireFox, there has been a bunch of vulns just recently
going through the RC and PR releases that needed updates. We have seen
a significant rise in vulnerability reports in Mozilla and the entire
Mozilla suite. Especially as the much publicised migration of users
from IE to Mozilla on the basis of what was originally believed to be a
product suite less vulnerable to attack. Expect more - attackers are
clearly targeting the increasing usage of Mozilla.

The codswallop titled "Patches and Vulnerabilities Affecting Microsoft
Windows Server 2003" is a laugh - all the admins I know leave the IE
settings on the server alone, and certainly don't surf untrusted
websites while logged in as administrator. The attack vectors that he
states are mitigated by running as an unprivileged user under Linux are
exactly the same as for Windows Server 2003 too. Albeit slightly harder
to achieve under Windows, but this is an admin training/education issue
rather than an inherent fault. I really don't think Microsoft promotes
the "local familiar Windows desktop as the prime advantage to Windows
Server 2003" Anyone who is serious about server computing will set up
remote administration, automated monitoring etc. This is not unique to Linux

There's probably more inaccuracies, that's a start to get the ball
rolling. If some of these fundamental things are wrong, what else can
be wrong too?

Nice rant. Full of holes. Linux has its own set of challenges, and
Windows isn't so bad after all.

Insert head back into sand...
 
Reply With Quote
 
thing
Guest
Posts: n/a
 
      10-31-2004
Nathan Mercer wrote:
> X-No-archive: yes
>
> Lawrence D'Oliveiro wrote:
>
>>>>> I loved the comment about Windows having fewer security
>>>>> vulnerabilities than Linux. Which planet's rarified atmosphere
>>>>> does the man live in? Flaws with IE, given MS's insistence that IE
>>>>> cannot be separated from Windows, are Windows flaws. And I've lost
>>>>> count of the number of moderately or highly critical flaws in IE
>>>>> that've come out of Secunia this year.
>>>>> Linux has had its share, to be sure, but they're not usually highly
>>>>> critical remote code execution flaws. Or if they are, they're in
>>>>> shared libraries that are optional.
>>>>>
>>>>
>>>> This does a good bunk of what he is saying,
>>>>
>>>> http://www.theregister.co.uk/securit...dows_vs_linux/
>>>
>>>
>>> Drivel!

>>
>>
>> Explain.

>
>
> Well, Nicholas Petreley is not exactly known to be subjective for a
> start, and this is supposedly an objective report based on facts?!


He is biased because he does not accept MS's drivel? and MS is renowned
for its unbiased nature? Who started the latest advertising campaign Nathan?

Who usually gets selected data from so called but in reality bought and
paid for analysts? Or twists their data, or releases selective snippets?
sometimes against the analysts wishes?

Linux maybe? don't think so.....

Credibility Nathan........

> The facts most of his arguments are based on - have a number of flat out
> inaccuracies. Here are just a few of them...
>
> One of the first claims made is that CERT reports more severe
> vulnerabilities in Windows than Linux. This is a clear twisting and
> subversion of the CERT data.


Not from what I have read and others have written, lies, damn lies and
statistics as they say.

> The CERT severity metric takes into account things like market
> penetration and risk to the overall internet infrastructure, both areas
> where Microsoft products are more crucial to the internet as a whole
> than nearly any other vendor, than maybe Cisco. Consequently, identical
> vulnerabilities in Windows will be rated more severe than
> vulnerabilities in, say Debian. Further, CERT uses this metric to
> prioritise their response, and things that fall below a certain severity
> threshold simply won't be reported on the CERT web site due to lack of
> cycles.
>
> "From the CERT Web site:
>
> Metric
> The metric value is a number between 0 and 180 that assigns an
> approximate severity to the vulnerability. This number considers several
> factors, including:
> Is information about the vulnerability widely available or known?
> Is the vulnerability being exploited in the incidents reported to US-CERT?
> Is the Internet Infrastructure at risk because of this vulnerability?
> How many systems on the Internet are at risk from this vulnerability?
> What is the impact of exploiting the vulnerability?
> How easy is it to exploit the vulnerability?
> What are the preconditions required to exploit the vulnerability?
>
> Because the questions are answered with approximate values that may
> differ significantly from one site to another, users should not rely too
> heavily on the metric for prioritizing vulnerabilities. However, it may
> be useful for separating the very serious vulnerabilities from the large
> number of less severe vulnerabilities described in the database.
> Typically, vulnerabilities with a metric greater than 40 have been
> candidates for a CERT advisory, and we will continue to use this metric
> for US-CERT Technical Alerts. The questions are not all weighted
> equally, and the resulting score is not linear (a vulnerability with a
> metric of 40 is not twice as severe as one with a metric of 20)."
>
> It is claimed as a fact that "When it comes to web servers, the biggest
> target is Apache, the Internet's server of choice. Attacks on Apache are
> nevertheless far fewer in number, and cause less damage."
> The reality is just way different. Check out the Zone-H stats "Todays
> Verified Attacks" just about any day of the week and you will almost
> always see that Linux Web site defacements are higher than Windows by a
> ratio of almost 3:1.


If I look at Zone-H's verified attacks for today, it shows 56.5% Windows
v 36.8% Linux...

Pulling a MS Nathan? being selective in our statistics are we?

> He waffles on about how bad IIS is, brings up the Code Red worm BO which
> is fair enough. But what isn't fair is that he had to go back 4 months
> or so to get 40 vulns for RH and a whole year for Windows Server 2003.


MS has been renowned for taking sample periods from public data to show
Linux is weaker, yet moving that sample period by as little as 25% shows
a different result.

> MSFT and their customers knew IIS4/5 was bad, so put it through the
> TrustWorthy Computing ringer, and designed the thing from the ground up
> and rewrote it to be significantly more secure. IIS6 is built into
> Windows Server 2003, and it is widely acknowledged to be the most secure
> version of IIS ever.


Someone once told me this, while mentioning a country's top submariner,
"it's like spotting the tallest amongst midgets, big deal".

> Regardless IIS5 can be made to be secure, just
> like earlier versions of Apache can be - it's just that you have to jump
> through hoops, and it is too easy for people to get the configuration
> wrong and then get 0wned.
> If he's going to be fair and base argument on facts we would be
> comparing IIS4/5 with dodgy old versions of Apache too -


Let's go there, let's look at how many exploits and holes there are in say
5 years of apache and 5 years of IIS, still want to go there Nathan?

> I don't think
> you want to go there right? There has been 1 vuln with IIS6 IIRC
> throughout its life, I'm damn sure Apache can't claim the same,
> especially when you look at a real work workload like an Application
> Server, not just a "static web httpd"


Apache still has the biggest active site numbers, give up trying to
compare apples with oranges.

>
> Once again he is comparing Windows old stuff with Linux new stuff. Sure
> IE is built into the Windows platform and can't be removed. Fact is tho
> that XPSP2/Server 2003 SP1 brings the browser security to a whole new
> level. Most of the recent IE vulns don't apply to XPSP2 and Server 2003
> with IE lockdown. Likewise a bunch of them are mitigated by running as
> a user. Not rocket science there
>
> His assertion that Linux servers are ideal for headless non-local
> administration is exactly the same for Windows Server 2003. Windows
> Server 2003 locks down the browser, and it certainly is not recommended
> to run a browser locally on the Server logged in as root. Same for Linux.


Yes a bit pointless.

> Look at Mozilla FireFox, there has been a bunch of vulns just recently
> going through the RC and PR releases that needed updates. We have seen
> a significant rise in vulnerability reports in Mozilla and the entire
> Mozilla suite. Especially as the much publicised migration of users
> from IE to Mozilla on the basis of what was originally believed to be a
> product suite less vulnerable to attack. Expect more - attackers are
> clearly targeting the increasing usage of Mozilla.


That may well be, but at present running Mozilla/Firefox etc on NTx
gives users a breathing space of safety.

Running Mozilla/Firefox on Linux means that when exploits do start to
arrive for these platforms they will be far more limited in effect.

>
> The codswallop titled "Patches and Vulnerabilities Affecting Microsoft
> Windows Server 2003" is a laugh - all the admins I know leave the IE
> settings on the server alone, and certainly don't surf untrusted
> websites while logged in as administrator. The attack vectors that he
> states are mitigated by running as an unprivileged user under Linux are
> exactly the same as for Windows Server 2003 too. Albeit slightly harder
> to achieve under Windows, but this is an admin training/education issue
> rather than an inherent fault.


Didn't Gates say win2kx was easier to set up and use than Linux?

> I really don't think Microsoft promotes
> the "local familiar Windows desktop as the prime advantage to Windows
> Server 2003" Anyone who is serious about server computing will set up
> remote administration, automated monitoring etc. This is not unique to
> Linux
>
> There's probably more inaccuracies, that's a start to get the ball
> rolling. If some of these fundamental things are wrong, what else can
> be wrong too?
>
> Nice rant. Full of holes. Linux has its own set of challenges, and
> Windows isn't so bad after all.
>
> Insert head back into sand...


Well we have round 3 from Novell,

http://news.zdnet.co.uk/software/lin...9171756,00.htm

"...Novell's Hogan also questioned Ballmer's statement that the reports
cited are independent, giving an example where Microsoft was permitted
to fine-tune a set-up, while Linux was run off an emulator..."

Credibility Nathan.

It's MS's to lose not Linux to take it away.

regards

Thing

NOSPAM@NOSPAM.invalid.com
      10-31-2004
On Mon, 01 Nov 2004 09:15:27 +1300, thing wrote:

> If I look at Zone-H's verified attacks for today, it shows 56.5% Windows
> v 36.8% Linux...


And then you also have to factor in the fact that *nix based websites are
the majority and Windows based websites are a minority.

And then the above statistics look even worse.


Divine

--
43 - for those who require slightly more than the answer to life, the universe
and everything.

 