PCWorld Forums


Mac Trojan Infections Exceed Half Million, Expert Says

#41 waldojim

  • Elite
  • Group: Members
  • Posts: 15,189
  • Joined: 29-October 08
  • Location:Texas

Posted 10 April 2012 - 08:45 PM

deepsand, on 10 April 2012 - 07:51 PM, said:

Linux is indeed a Unix derivative.

No, it is not.
Linux is a clone of, not derived from, Unix.

The difference here is quite vast. Namely that there is absolutely no shared code, apart from what Unix has TAKEN from Linux.
"There is a cult of ignorance in the United States, and there always has been. The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'" -- Isaac Asimov
1

#42 Excalibur

  • Advanced Member
  • Group: Members
  • Posts: 118
  • Joined: 27-June 11

Posted 10 April 2012 - 08:48 PM

Clients are expendable, available in quantities that dwarf those of servers, and are easily had. They are the low hanging fruit that obviate the need for the use of servers for anything other than command and control.
1

#43 linuxrants7xpg

  • Expert
  • Group: Members
  • Posts: 1,866
  • Joined: 11-May 11
  • Location:Phoenix, AZ

Posted 10 April 2012 - 08:50 PM

Excalibur, on 10 April 2012 - 08:48 PM, said:

Clients are expendable, available in quantities that dwarf those of servers, and are easily had. They are the low hanging fruit that obviate the need for the use of servers for anything other than command and control.


All that says is that the servers are harder to get, not that there's no reason to get one. That's not security through obscurity. That's security through security.
------------------------------------------------------------------------------------------
http://www.linuxrants.com
http://twitter.com/linuxrants
http://facebook.com/linuxrants
Google+

"42.7 percent of all statistics are made up on the spot."
— Steven Wright

"Dawn: When men of reason go to bed."
— Ambrose Bierce


------------------------------------------------------------------------------------------
0

#44 Excalibur

Posted 10 April 2012 - 08:54 PM

linuxrants7xpg, on 10 April 2012 - 08:18 PM, said:

deepsand, on 10 April 2012 - 07:51 PM, said:

You're the one who raised the issue of security through obscurity, implying that the converse was the equal or better.


I called it what it is, he/she brought it up. My personal opinion, yes I think open source is better than security through obscurity.

No, I did not raise the issue of security through obscurity.

And, it is not physically possible that transparency re. source code be inherently the more secure. How such code is maintained with regards to vulnerabilities is not dependent on whether or not it is public information.
1

#45 Excalibur

Posted 10 April 2012 - 08:57 PM

linuxrants7xpg, on 10 April 2012 - 08:50 PM, said:

Excalibur, on 10 April 2012 - 08:48 PM, said:

Clients are expendable, available in quantities that dwarf those of servers, and are easily had. They are the low hanging fruit that obviate the need for the use of servers for anything other than command and control.


All that says is that the servers are harder to get, not that there's no reason to get one. That's not security through obscurity. That's security through security.

There is no need for such servers.

Bot-nets are run as business enterprises. Seeking to compromise the servers of other enterprises entails additional costs and risks without a commensurate benefit.
1

#46 linuxrants7xpg

Posted 10 April 2012 - 08:58 PM

Excalibur, on 10 April 2012 - 08:54 PM, said:

No, I did not raise the issue of security through obscurity.


Yea, you did. You claimed (and I quote), "Open source simply makes it easier for would be miscreants to identify and exploit vulnerabilities." That implies that closed source makes it harder for would be miscreants. That's really not the case. Open source also allows for non-miscreants to find and fix vulnerabilities long before they're exploited. That code is subjected to scrutiny the world over, not just by a couple people in the QA department. No, Open Source makes for a more secure system.

Excalibur, on 10 April 2012 - 08:54 PM, said:

And, it is not physically possible that transparency re. source code be inherently the more secure. How such code is maintained with regards to vulnerabilities is not dependent on whether or not it is public information.


It's not only physically possible, it's fact.
0

#47 linuxrants7xpg

Posted 10 April 2012 - 09:02 PM

Excalibur, on 10 April 2012 - 08:57 PM, said:

There is no need for such servers.

Bot-nets are run as business enterprises. Seeking to compromise the servers of other enterprises entails additional costs and risks without a commensurate benefit.


NEED??

Again, this is NOT security through obscurity. If it's easier to get a desktop, that doesn't mean that the server was "obscure". It just means it's harder to get. There's a reason it's harder to get. It's more secure.
0

#48 Excalibur

Posted 10 April 2012 - 09:11 PM

linuxrants7xpg, on 10 April 2012 - 08:58 PM, said:

Excalibur, on 10 April 2012 - 08:54 PM, said:

No, I did not raise the issue of security through obscurity.


Yea, you did. You claimed (and I quote), "Open source simply makes it easier for would be miscreants to identify and exploit vulnerabilities." That implies that closed source makes it harder for would be miscreants. That's really not the case. Open source also allows for non-miscreants to find and fix vulnerabilities long before they're exploited. That code is subjected to scrutiny the world over, not just by a couple people in the QA department. No, Open Source makes for a more secure system.


Excalibur, on 10 April 2012 - 08:54 PM, said:

And, it is not physically possible that transparency re. source code be inherently the more secure. How such code is maintained with regards to vulnerabilities is not dependent on whether or not it is public information.


It's not only physically possible, it's fact.

The statement "Open source simply makes it easier for would be miscreants to identify and exploit vulnerabilities." is a physically indisputable fact. And, saying that does not speak to any other characteristic relating to source code and how it is maintained.

And, since it is less physically secure than is open source code, it cannot be inherently more secure.

Conflating the nature of the code and how it is maintained is to ignore a distinction with an important difference.
0

#49 Excalibur

Posted 10 April 2012 - 10:48 PM

linuxrants7xpg, on 10 April 2012 - 09:02 PM, said:

Excalibur, on 10 April 2012 - 08:57 PM, said:

There is no need for such servers.

Bot-nets are run as business enterprises. Seeking to compromise the servers of other enterprises entails additional costs and risks without a commensurate benefit.


NEED??

Again, this is NOT security through obscurity. If it's easier to get a desktop, that doesn't mean that the server was "obscure". It just means it's harder to get. There's a reason it's harder to get. It's more secure.

My statement re. machines being obscured was regarding Linux clients, not servers of any kind. There simply aren't enough of them to make them worth looking for.
0

#50 linuxrants7xpg

Posted 10 April 2012 - 11:01 PM

Excalibur, on 10 April 2012 - 09:11 PM, said:


The statement "Open source simply makes it easier for would be miscreants to identify and exploit vulnerabilities." is a physically indisputable fact. And, saying that does not speak to any other characteristic relating to source code and how it is maintained.

And, since it is less physically secure than is open source code, it cannot be inherently more secure.

Conflating the nature of the code and how it is maintained is to ignore a distinction with an important difference.


Yea, physically indisputable fact? I dispute that. As to the rest, ignored.
0

#51 linuxrants7xpg

Posted 10 April 2012 - 11:13 PM

Excalibur, on 10 April 2012 - 10:48 PM, said:

My statement re. machines being obscured was regarding Linux clients, not servers of any kind. There simply aren't enough of them to make them worth looking for.


Also false. No matter how you try to redirect this, you're still wrong. A desktop Linux user uses the same OS as millions of servers on the Internet. Client or server, it's the same. A vulnerability discovered at the server level would affect desktop users as well. Due to that fact, desktop Linux users enjoy less "obscurity" than other OSs like OSX. And judging by what I saw on NetCraft's survey, there's more than enough Linux systems to make the platform desirable. That, is indisputable fact.
0

#52 Excalibur

Posted 10 April 2012 - 11:20 PM

linuxrants7xpg, on 10 April 2012 - 11:01 PM, said:

Excalibur, on 10 April 2012 - 09:11 PM, said:



The statement "Open source simply makes it easier for would be miscreants to identify and exploit vulnerabilities." is a physically indisputable fact. And, saying that does not speak to any other characteristic relating to source code and how it is maintained.

And, since it is less physically secure than is open source code, it cannot be inherently more secure.

Conflating the nature of the code and how it is maintained is to ignore a distinction with an important difference.


Yea, physically indisputable fact? I dispute that. As to the rest, ignored.

How can you dispute the fact that that which is physically held as a secret is more secure than that which is made publicly available?
0

#53 Excalibur

Posted 10 April 2012 - 11:24 PM

linuxrants7xpg, on 10 April 2012 - 11:13 PM, said:

Excalibur, on 10 April 2012 - 10:48 PM, said:

My statement re. machines being obscured was regarding Linux clients, not servers of any kind. There simply aren't enough of them to make them worth looking for.


Also false. No matter how you try to redirect this, you're still wrong. A desktop Linux user uses the same OS as millions of servers on the Internet. Client or server, it's the same. A vulnerability discovered at the server level would affect desktop users as well. Due to that fact, desktop Linux users enjoy less "obscurity" than other OSs like OSX. And judging by what I saw on NetCraft's survey, there's more than enough Linux systems to make the platform desirable. That, is indisputable fact.

It was my statement; so, please do not presume to tell me what I meant.

I was not speaking of anything other than the minuscule number of Linux clients to be had.
0

#54 YellowEagle

  • Advanced Member
  • Group: Members
  • Posts: 238
  • Joined: 24-February 08

Posted 11 April 2012 - 12:19 AM

RickDobbelmannqbtt, on 09 April 2012 - 11:36 PM, said:

Open source will ALWAYS be the safest operating system in regards to security. You run in to trouble when your code is closed source. M$, Apple, Google App Market..

With Apple, Google, and M$ you have to wait for their programmers or AV companies to come up with a fix. With Open Source everyone can look at the code, not to mention the Linux kernel is updated daily.

Switched to Linux when Ubuntu 10.04 was in beta and have never looked back. I will never ever ever in a million years ever go back to Micro$oft. Linux offers so much more. Think about it, Windows is still using the old kernel based on Windows NT.

When it comes to Apple, all OSX is is a Graphical User Interface and a set of apps stacked on top of a 100% free open source operating system called darwin. That's right, your MAC is OPEN SOURCE!!!! Unfortunately the software they stack on top of Darwin is closed source. You can build the OS yourself. In fact, when using the terminal (command prompt) in osx and linux, most of the commands are the same.

There is no reason to pay for software or an operating system, ever!


Do you use ClamAV? If not, why not?
0

#55 waldojim

Posted 11 April 2012 - 12:53 AM

Excalibur, on 10 April 2012 - 09:11 PM, said:

The statement "Open source simply makes it easier for would be miscreants to identify and exploit vulnerabilities." is a physically indisputable fact. And, saying that does not speak to any other characteristic relating to source code and how it is maintained.

And, since it is less physically secure than is open source code, it cannot be inherently more secure.

Conflating the nature of the code and how it is maintained is to ignore a distinction with an important difference.

I would like to make mention of a recent heavy hitter here. First, a source.
Now the opening quote:

Quote

Linux developers have issued a critical update for the open-source OS after researchers uncovered a vulnerability in its kernel that puts most versions built in the past eight years at risk of complete takeover.

Read the rest if you will. Here is the Reader's Digest version:

There was a security hole in the Linux kernel itself. This hole allowed for root level access on any machine running a Linux kernel released during that EIGHT YEAR time span. This is not a small problem, nor a simple regression.

The LINUX COMMUNITY found the hole and determined there was a serious problem. Then they fixed it. NOT EVEN ONCE has there been a known attack using that vulnerability. So the question is, was the community protected by the community? OR are the crackers too lazy to read the code for 8 years?

You decide how you want to view this. The way I see it, the Community stumbled upon something, and took care of it. This isn't like the MICROSOFT 8 year long vulnerability that was not only exploited, but actually KNOWN to them for that entire run!
0

#56 waldojim

Posted 11 April 2012 - 12:56 AM

Excalibur, on 10 April 2012 - 11:20 PM, said:

How can you dispute the fact that that which is physically held as a secret is more secure than that which is made publicly available?

How about, because that code isn't exactly a secret? It never is.

Think about the number of people who acquired the Windows 2000 source code (before launch) if you really need proof.
0

#57 Excalibur

Posted 11 April 2012 - 01:14 AM

waldojim, on 11 April 2012 - 12:53 AM, said:

Excalibur, on 10 April 2012 - 09:11 PM, said:

The statement "Open source simply makes it easier for would be miscreants to identify and exploit vulnerabilities." is a physically indisputable fact. And, saying that does not speak to any other characteristic relating to source code and how it is maintained.

And, since it is less physically secure than is open source code, it cannot be inherently more secure.

Conflating the nature of the code and how it is maintained is to ignore a distinction with an important difference.

I would like to make mention of a recent heavy hitter here. First, a source.
Now the opening quote:

Quote

Linux developers have issued a critical update for the open-source OS after researchers uncovered a vulnerability in its kernel that puts most versions built in the past eight years at risk of complete takeover.

Read the rest if you will. Here is the Reader's Digest version:

There was a security hole in the Linux kernel itself. This hole allowed for root level access on any machine running a Linux kernel released during that EIGHT YEAR time span. This is not a small problem, nor a simple regression.

The LINUX COMMUNITY found the hole and determined there was a serious problem. Then they fixed it. NOT EVEN ONCE has there been a known attack using that vulnerability. So the question is, was the community protected by the community? OR are the crackers too lazy to read the code for 8 years?

You decide how you want to view this. The way I see it, the Community stumbled upon something, and took care of it. This isn't like the MICROSOFT 8 year long vulnerability that was not only exploited, but actually KNOWN to them for that entire run!

Functionally there is no difference between not detecting something for eight years and then acting immediately, and detecting it and not acting for eight years. In both cases the vulnerability existed for eight years.

And, how any vendor responds to a particular incident is of no material bearing on whether or not easy access to source code enables earlier detection of potential exploits by both those with good intentions and bad.
0

#58 Excalibur

Posted 11 April 2012 - 01:17 AM

waldojim, on 11 April 2012 - 12:56 AM, said:

Excalibur, on 10 April 2012 - 11:20 PM, said:

How can you dispute the fact that that which is physically held as a secret is more secure than that which is made publicly available?

How about, because that code isn't exactly a secret? It never is.

Think about the number of people who acquired the Windows 2000 source code (before launch) if you really need proof.

That it is held in secret by a group does not render it less secret than were it made publicly available.
0

#59 waldojim

Posted 11 April 2012 - 01:54 AM

Excalibur, on 11 April 2012 - 01:14 AM, said:

Functionally there is no difference between not detecting something for eight years and then acting immediately, and detecting it and not acting for eight years. In both cases the vulnerability existed for eight years.

And, how any vendor responds to a particular incident is of no material bearing on whether or not easy access to source code enables earlier detection of potential exploits by both those with good intentions and bad.

I can't view it that way. Vulnerabilities will exist. There are no ands, ifs, or buts about it. The fact is, the Linux community spotted the mistake, and fixed it immediately. Only, it took them 8 years to find it. Microsoft knew about theirs, and took 8 years to fix it. Microsoft's was also heavily exploited. The reason the Linux hole wasn't exploited, I would imagine, is how obscure the problem was. If it took 8 years for a coder familiar with the code to spot that problem, imagine how long that would take someone who is NOT familiar with it.

And YES, how the vendor/community responds, is most certainly material to this matter. If a hole is patched immediately upon identification, then the hole is useless. If a hole is left wide open for 8 years for all to exploit, then it remains a constant threat. There is a massive difference here.
0

#60 waldojim

Posted 11 April 2012 - 01:54 AM

Excalibur, on 11 April 2012 - 01:17 AM, said:

waldojim, on 11 April 2012 - 12:56 AM, said:

Excalibur, on 10 April 2012 - 11:20 PM, said:

How can you dispute the fact that that which is physically held as a secret is more secure than that which is made publicly available?

How about, because that code isn't exactly a secret? It never is.

Think about the number of people who acquired the Windows 2000 source code (before launch) if you really need proof.

That it is held in secret by a group does not render it less secret than were it made publicly available.

Your secret is no longer secret once the public is aware. Lesson learned as a child.
0
