He was out last weekend. Should be out again the weekend after next...

is that when you visit the sauna or the gym?

or just when your blood alcohol level goes over a certain number?

JM

Funniest joke you've ever made, Jon. Well done!

That was supposed to be a joke? He hit the nail right on the head. It's usually when I go to the bathhouse...

Insert obvious gay bathouse joke here.

lol insert LOL

60 Security patches on an already (basically) secure OS?

Far be it from me to lecture you on anything computer related, but I would wonder how typicaly your experience is. All of my friends who have used Linux have nothing but praise for it.

I do know that the ability to mess up your OS is nothing unique to Linux. Plenty of people accomplish that all the time with Windows.

The sooner people get away from the assumption that Linux and MacOS code is secure, the better you will all be. Linux and MacOS are just not actively targetted.

There are more security patches for commonly used Linux apps than Windows apps. Linux and its common applications are developed under less rigorous security practices with people who are not necessarily qualified.

Again, I don't challenge your 1337-nees, but this is what I have been told by Comp Sci friends of mine of why Linux is more secure:

-Linux does not run as root by default, and is more suited towards use as non-root
-it is naturally more difficult to install programs in Linux. For you to run a virus you would have to willingly download a malicious program, install it via the command line, and enter in your root password as required
-being open source, the code is viewed much more often and vulnerabilities are much more likely to be discovered.

This is true enough, but with the dozens of local privledge-escalation exploits in Linux it's really nothing more than safeguard against people's stupidity of running evil programs.

This is the case for malware, not necessarily with viruses. Viruses tend to exploit vulnerabilities -- you open an OpenOffice doc with macros, for instance, and it uses a privledge escalation vulnerability to toast your hardrive. Even then, it doesn't need a privledge escalation vulnerability. By far, the most valuable stuff on your computer is your data...which is accessible by your user account, not just root. You download a file, you type ./install and...pow, there goes your documents.

This is a largely discredited theory that was nice in theory, but impractical in the real world. It turns out in real software, that is usually pretty complicated, there are very few people who understand the code well enough to contribute to it, let alone inspect it for security issues.

In commercial software, there are regularly used tools such as static analysis and MS' stack overflow tools that cannot be afforded by most OSS projects. There's also the psychological fact that reviewing code for security problem sucks. It doesn't have the immediate reward that hacking out code does, very few people do it -- especially very few people qualified to do it.

In most commercial software now, as part of their jobs, there are several rounds of security inspections that are mandatory before code is committed.

In brief, OSS is around the 1980s of commercial software in terms of software engineering practices. Read this research paper for a lot more detail on this.

Under my current Windows system, I have the latest patches for Windows XP, use the latest version of firefox, use a 2-way firewall, run as a non-root user for ordinary usage, use anti-virus and anti-spyware programs. I've never had a malware problem running my Windows security like this, snf I've never had to run 60 security patches in a month. Does this mean that marketshare issues aside I am as secure using Windows I am when I use Linux?

How difficult is it for a virus once introduce into Linux to be able to escalate to root without a password, all while running itself automatically without any intervention from the user?

Yes, but without the ability to install profitable malware such as adware and keyloggers, the incentive to attack a system is greatly reduced. Would I be able to open up an infencted Open Office Document, have the virus escalate to root, and then install adware then would pop up ads on my system on a regular interval? Would it be able to do this without me ever giving the malware permission? If so, how difficult would be to create such malware?

Also, keep in mind Broswer exploits is one of the most common methods of malware distribution. It seems like it'd be a lot harder to do a drive by download in Linux.


I backup all data that I would really miss if something happened to my computer. I'm a lot more concerned with someon messing up my OS- or even worse my greatest fear is the threat of a keylogger on my system being used to steal my bank account information.

Well let's compare IE vs. Firefox. Firefox is a rare case of an open source product which has gained enough marketshare that someone would be able to make a good amount of money if someone made some good malware for it. And yet,



When you compare known unpatched vulnerabilites, IE does far worse. I don't even if know that list contains a more recent exploit which makes address bar spoofing much easier...

As difficult as it is under windows.

Yes, that's possible with vulnerabilities that have been discovered in OpenOffice and the Linux kernel.

If you've got a vulnerability, it's the same difficulty. That's the whole point. There are many vulnerabilities for Linux and many common Linux apps -- more so than with Windows -- but they are not exploited because the market is so small.

Reinstallation of an OS is trivial compared to losing valuable data.

Well I know for a fact that the chart is inaccurate.

There are all kinds of known unpatched security issues with Mozilla. Do a query for "security": https://bugzilla.mozilla.org/buglist...ntent=security

Notice some really old ones like the ability to spoof the security bar identifying you're on a secure site.

What we're now entering is the field of psychology: it's far more likely that the kind of people who bother exploiting software are the kind that are less a fan of Microsoft and more a fan of open source software. Mozilla has a policy identical to MS in that high severity security bugs are not visible by the public -- the really important bugs are actually not visible in bugzilla except to core Mozilla folk. The psychology of thse folk is usually such that they'll make the MS bugs public and will leave the Mozilla bugs private -- they're usually out to make a point against MS but wouldn't want to harm the "friendly OSS" partner...

Shi, your friends are correct. Asher is just nuts.

Shi's friends exhibit the common opinions by the commoner Linux zealot, just like your opinions, Aggie, exhibit the common opinions of artsy Mac fans who don't understand the technology they use but feel fit to comment on it.

I noticed you avoided the many articles posted recently by security experts from around the world saying the exact same things I am right now. You ignore them because they're contrary to your nonsense, and they're contrary to your nonsense because you have no idea what you're talking about, much like every Philosophy major I've ever met. You guys have a knack for studying how to say vacuous things with big words, and getting your ass handed to you in the harsh empirical world.

This is the third time I've asked this -- still waiting, Aggie. Silence speaks volumes.