[opensuse] The new openSUSE community representative
Hi all ! I hope you read those recent news: openSUSE Welcomes Zonker - The New Community Manager http://news.opensuse.org/2008/02/04/welcome-zonker/ http://zonker.opensuse.org/ It's great to have a new community representative on team ! I'm sure, that it will help ensure future success of this great project ! However, I would like to change to wording from "manager", because it is impossible to manage community, into something more appropriate, such as: "representative" or "leader". Congratulations Zonker ! -- -Alexey Eremenko "Technologov" -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Alexey Eremenko wrote:
Hi all !
I hope you read those recent news: openSUSE Welcomes Zonker - The New Community Manager http://news.opensuse.org/2008/02/04/welcome-zonker/ http://zonker.opensuse.org/
It's great to have a new community representative on team ! I'm sure, that it will help ensure future success of this great project !
However, I would like to change to wording from "manager", because it is impossible to manage community, into something more appropriate, such as: "representative" or "leader".
Cat herder? ;-) -- Use OpenOffice.org http://www.openoffice.org
James Knott:
Alexey Eremenko wrote:
However, I would like to change to wording from "manager", because it is impossible to manage community, into something more appropriate, such as: "representative" or "leader".
Cat herder? ;-)
Horse whisperer?
James Knott wrote:
Alexey Eremenko wrote:
Hi all !
I hope you read those recent news: openSUSE Welcomes Zonker - The New Community Manager http://news.opensuse.org/2008/02/04/welcome-zonker/ http://zonker.opensuse.org/
It's great to have a new community representative on team ! I'm sure, that it will help ensure future success of this great project !
However, I would like to change to wording from "manager", because it is impossible to manage community, into something more appropriate, such as: "representative" or "leader".
Cat herder? ;-)
James, you're BAD! ;) Fred -- A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?
Wolfgang Woehl
James Knott:
Alexey Eremenko wrote:
However, I would like to change to wording from "manager", because it is impossible to manage community, into something more appropriate, such as: "representative" or "leader".
Cat herder? ;-)
Horse whisperer?
Guys, a title always gives somebody wrong connotations. Please look on what he has to say and what he will do and judge him on that. He's a manager, he'll be part of the community, gets paid by Novell - and I expect that he helps to bridge between the two of them in a much better way than I do (since I have other tasks to do). Please give him a warm welcome and work with him! Andreas -- Andreas Jaeger, Director Platform / openSUSE, aj@suse.de SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) Maxfeldstr. 5, 90409 Nürnberg, Germany GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
Hi Andreas
Andreas Jaeger wrote:
Wolfgang Woehl writes:
James Knott:
Alexey Eremenko wrote:
However, I would like to change to wording from "manager", because it is impossible to manage community, into something more appropriate, such as: "representative" or "leader".
Cat herder? ;-)
Horse whisperer?
Guys, a title always gives somebody wrong connotations. Please look on what he has to say and what he will do and judge him on that. He's a manager, he'll be part of the community, gets paid by Novell - and I
His title says more about Novell's intentions than about the holder of the title. I hope you are aware that names are important carriers of messages. What does it mean when you say "he is a manager" ? Does that describe his rank in the enterprise, influencing his salary ? Or does it mean he has to direct members of the community ?
expect that he helps to bridge between the two of them in a much better way than I do (since I have other tasks to do). Please give him a warm welcome and work with him!
Great to think that Novell could be investing in bridging the gap between famously detached big corporations and the users ? Is he going to participate here too ? Or is he there purely to optimise the output of the developers who are working for free.
Kind regards Philippe
Andreas Jaeger wrote:
Cat herder? ;-)
Horse whisperer?
Guys, a title always gives somebody wrong connotations. Please look on what he has to say and what he will do and judge him on that. He's a manager, he'll be part of the community, gets paid by Novell - and I expect that he helps to bridge between the two of them in a much better way than I do (since I have other tasks to do). Please give him a warm welcome and work with him!
Perhaps "Zonker" might feel inclined to introduce himself to the list? Wrt use of "manager" in the English language - it means nothing and everything. See also "pointyhaired". /Per Jessen, Zürich
Per Jessen wrote:
Andreas Jaeger wrote:
Cat herder? ;-)
Horse whisperer?
Guys, a title always gives somebody wrong connotations. Please look on what he has to say and what he will do and judge him on that. He's a manager, he'll be part of the community, gets paid by Novell - and I expect that he helps to bridge between the two of them in a much better way than I do (since I have other tasks to do). Please give him a warm welcome and work with him!
Perhaps "Zonker" might feel inclined to introduce himself to the list?
Wrt use of "manager" in the English language - it means nothing and everything. See also "pointyhaired".
If I recall correctly (but my memory is slipping nowadays), a WalMart store in the US advertised not too long ago a vacancy as the store's Assets Manager - which in reality turned out to be the job of collecting the trolleys left by shoppers around the area and bringing them back to the store. Ciao. -- Past experience, if not forgotten, is a guide for the future.
Basil Chupin wrote:
Assets Manager - which in reality turned out to be the job of collecting the trolleys left by shoppers around the area and bringing them back to the store.
in France "Technicien de surface", what can be seen as a translation for asset manager, means the people that clean the ground at night... necessary, but not the same management thing we need (hope zonker don't do this outside his own home :-)) jdd -- http://www.dodin.net
Hi Alexey, and all,
It's great to have a new community representative on team ! I'm sure, that it will help ensure future success of this great project !
Thanks!
However, I would like to change to wording from "manager", because it is impossible to manage community, into something more appropriate, such as: "representative" or "leader".
You are correct, of course -- I don't expect to "manage" the community in the sense of giving orders to community members or anything like that. The title is meant to reflect my role in "managing" relations between Novell and the openSUSE project, and between Novell/openSUSE and the larger open source community. This was a topic of some discussion before I started -- and we settled on "manager" in part because it seemed to be a standard title with several different projects.
Congratulations Zonker !
Thanks again, much appreciated! Best, Zonker -- Joe 'Zonker' Brockmeier openSUSE Community Manager jzb@zonker.net | zonker@opensuse.org http://zonker.opensuse.org/ | http://www.dissociatedpress.net/
On Monday 04 February 2008 3:45:41 pm James Knott wrote:
Cat herder? ;-)
It came up during the discussion, though not seriously. ;-) -- Joe 'Zonker' Brockmeier openSUSE Community Manager jzb@zonker.net | zonker@opensuse.org http://zonker.opensuse.org/ | http://www.dissociatedpress.net/
Hi Philippe, On Tuesday 05 February 2008 5:35:41 am Philippe Landau wrote:
His title says more about Novell's intentions than about the holder of the title.
Actually, the job was originally to be called "Chief Evangelist," if you look at the original job postings. However, we discussed the title and thought that the "community manager" title was more appropriate and sort of standard within the industry. There's a good post here about what a community manager does: http://www.web-strategist.com/blog/2006/11/16/what-a-community-manager-does/ That's not a perfect description of my role, but it certainly is close to the mark. I think Novell's intentions are to improve relations with the community, and help openSUSE grow as a project. If they were looking for a more traditional manager type, I don't think I would have been the first choice for the job.
I hope you are aware that names are important carriers of messages.
You're right. It was hoped that the community manager title was entrenched enough -- look at other community managers like Jono Bacon, for example -- that people would understand what we intended.
Great to think that Novell could be investing in bridging the gap between famously detached big corporations and the users ? Is he going to participate here too ?
Yes. I have been describing my job as part community advocate and ombudsman. I want to be able to get feedback from the community at large and go back to Novell, the openSUSE board, and openSUSE developers, to help articulate the community's needs for openSUSE and also articulate the community's wishes with respect to the direction of the project. That's not my entire role, but it is a very, very large part of it.
Or is he there purely to optimise the output of the developers who are working for free.
No. I do want to make sure that the project is efficient in terms of allowing contributors to get useful work done in areas where they're interested in contributing, my job is *not* to serve as a taskmaster. Best, Zonker -- Joe 'Zonker' Brockmeier openSUSE Community Manager jzb@zonker.net | zonker@opensuse.org http://zonker.opensuse.org/ | http://www.dissociatedpress.net/
On Tuesday 05 February 2008 6:26:29 am Per Jessen wrote:
Perhaps "Zonker" might feel inclined to introduce himself to the list?
Hi! Please pardon my tardiness here -- there are a lot of channels of communication within openSUSE, and I'm just getting started. I do plan to be actively participating on the lists. Also, feel free to shoot me an email directly if you wish to have a discussion about something off-list. (zonker@opensuse.org or jzb@zonker.net)
Wrt use of "manager" in the English language - it means nothing and everything. See also "pointyhaired".
:-) -- Joe 'Zonker' Brockmeier openSUSE Community Manager jzb@zonker.net | zonker@opensuse.org http://zonker.opensuse.org/ | http://www.dissociatedpress.net/
Joe 'Zonker' Brockmeier wrote:
On Tuesday 05 February 2008 6:26:29 am Per Jessen wrote:
Perhaps "Zonker" might feel inclined to introduce himself to the list?
Hi!
Please pardon my tardiness here -- there are a lot of channels of communication within openSUSE, and I'm just getting started. I do plan to be actively participating on the lists. Also, feel free to shoot me an email directly if you wish to have a discussion about something off-list. (zonker@opensuse.org or jzb@zonker.net)
Wrt use of "manager" in the English language - it means nothing and everything. See also "pointyhaired".
:-)
http://dilbert.com/comics/dilbert/archive/images/dilbert20183360080205.gif ;-) -- Use OpenOffice.org http://www.openoffice.org
Thanks for your reply, Joe Zonker :-) There are higher-ups that don't have the courage/permission to talk about such sensitive questions on the list. What does Zonker mean ?
Joe 'Zonker' Brockmeier wrote:
Joe 'Zonker' Brockmeier openSUSE Community Manager
Maybe the Germans liked it because they like authority figures they can look up to and titles having that effect. To me it is a constant reminder that you are meant to be at the top.
His title says more about Novell's intentions than about the holder of the title.
Actually, the job was originally to be called "Chief Evangelist," if you look at the original job postings. However, we discussed the title and thought that the "community manager" title was more appropriate and sort of standard within the industry.
Interesting you should refer to the "industry". "Industry" and "Community" are not easily reconciled especially in this age of Corporatism ruling entire states and working for a Corporation focused on profits for the rich.
There's a good post here about what a community manager does: http://www.web-strategist.com/blog/2006/11/16/what-a-community-manager-does/ That's not a perfect description of my role, but it certainly is close to the mark.
I think Novell's intentions are to improve relations with the community, and help openSUSE grow as a project. If they were looking for a more traditional manager type, I don't think I would have been the first choice for the job.
OK :-)
I hope you are aware that names are important carriers of messages.
You're right. It was hoped that the community manager title was entrenched enough -- look at other community managers like Jono Bacon, for example -- that people would understand what we intended.
Canonical/Ubuntu is a perfect example for the deception tying enthusiastic masses to commercial projects. Make-believe and hype are built up cult-like so as to extract blind loyalty, free marketing and contributions. http://justwars.com/linux/ubuntu/
I hope that isn't your role model ...
Great to think that Novell could be investing in bridging the gap between famously detached big corporations and the users ? Is he going to participate here too ?
Yes. I have been describing my job as part community advocate and ombudsman. I want to be able to get feedback from the community at large and go back to Novell, the openSUSE board, and openSUSE developers, to help articulate the community's needs for openSUSE and also articulate the community's wishes with respect to the direction of the project.
Excellent. Though "the community's wishes" could point to "consensus"-rule, which seems democratic but is "socialist"/dictatorial, as opposed to "wishes from the community", where individual interests are balanced not submerged.
That's not my entire role, but it is a very, very large part of it.
Great. May i point you to a problem i am observing here, a disconnect and break in communication ? I don't know how interested OpenSuse is in fixing bugs. When i had difficulty searching for bugs, nobody replied. Most users seem to have given up filing bug reports because developers seem disinterested except in the cases where they are working on something already. Even Novell's own employees seem to prefer Non-OSS work-arounds than filing bug reports. (See for example "Monitor resolution").
Or is he there purely to optimise the output of the developers who are working for free.
No. I do want to make sure that the project is efficient in terms of allowing contributors to get useful work done in areas where they're interested in contributing, my job is *not* to serve as a taskmaster.
Looking forward to your success, Joe :-)
Kind regards Philippe
Joe 'Zonker' Brockmeier wrote:
Hi Alexey, and all,
It's great to have a new community representative on team ! I'm sure, that it will help ensure future success of this great project !
Thanks!
However, I would like to change to wording from "manager", because it is impossible to manage community, into something more appropriate, such as: "representative" or "leader".
You are correct, of course -- I don't expect to "manage" the community in the sense of giving orders to community members or anything like that.
The title is meant to reflect my role in "managing" relations between Novell and the openSUSE project, and between Novell/openSUSE and the larger open source community.
This was a topic of some discussion before I started -- and we settled on "manager" in part because it seemed to be a standard title with several different projects.
Bring back SuSE distributions to the retail stores.
Hi, On Tuesday, February 05, 2008 at 17:07:40, Philippe Landau wrote:
Joe 'Zonker' Brockmeier openSUSE Community Manager Maybe the Germans liked it because they like authority figures they can look up to and titles having that effect.
Dude where have you been the last 60 years? f'up to opensuse-offtopic Henne -- Henne Vogelsang, openSUSE. Everybody has a plan, until they get hit. - Mike Tyson
Philippe Landau wrote:
Joe 'Zonker' Brockmeier wrote:
Joe 'Zonker' Brockmeier openSUSE Community Manager Maybe the Germans liked it because they like authority figures they can look up to and titles having that effect. To me it is a constant reminder that you are meant to be at the top.
Philippe, it's silly to get hung up on the meaning of a title. A _manager_ is merely (or at most) someone who _manages_ something. Check out this list http://www.dict.cc/?s=manage /Per Jessen, Zürich
James Knott wrote:
Alexey Eremenko wrote:
Hi all !
I hope you read those recent news: openSUSE Welcomes Zonker - The New Community Manager http://news.opensuse.org/2008/02/04/welcome-zonker/ http://zonker.opensuse.org/
Zonker... you don't wear a football helmet wherever you go, do you? :-D
It's great to have a new community representative on team ! I'm sure, that it will help ensure future success of this great project !
However, I would like to change to wording from "manager", because it is impossible to manage community, into something more appropriate, such as: "representative" or "leader".
Cat herder? ;-)
On Tue, Feb 05, 2008 at 05:40:53PM -0500, Doug McGarrett wrote:
If Novell will sell SuSE with some legal drivers which are now left out,
What do you mean by this? thanks, greg k-h
On Tuesday 05 February 2008 09:35, Joe 'Zonker' Brockmeier wrote:
On Tuesday 05 February 2008 6:26:29 am Per Jessen wrote:
Perhaps "Zonker" might feel inclined to introduce himself to the list?
Hi!
Please pardon my tardiness here -- there are a lot of channels of communication within openSUSE, and I'm just getting started. I do plan to be actively participating on the lists. Also, feel free to shoot me an email directly if you wish to have a discussion about something off-list. (zonker@opensuse.org or jzb@zonker.net)
/snip/
:-)
-- Joe 'Zonker' Brockmeier openSUSE Community Manager jzb@zonker.net | zonker@opensuse.org http://zonker.opensuse.org/ | http://www.dissociatedpress.net/
Well, Zonker, I think that the consensus here on the list is that Novell should make boxed editions with manuals available for purchase, and for best effect, (IMHO) should make them available at the same time as the on-line release--before everyone finds out how crappy the release really is. I see that there was some discussion about reliability vs. bleeding edge, and I don't know what the consensus of that was, but I'm running 9.3, if that tells you anything. (And I have 10.0, which I bought.) If Novell will sell SuSE with some legal drivers which are now left out,and sell it thru Staples and/or bookstores, it would really help to spread the product around, which I assume they would like to do. And might even make some money-- who's paying for all this freeware, anyway? BTW, I'm not in favor of .pdf "manuals." I don't really want to burn a ream of printer paper and a half cup of toner just to have the manual in my lap in my armchair. That strikes me as awfully inefficient, not to mention expensive. It will be interesting to see what effect you have on Novell, and I wish you the best of luck with that endeavor. --doug Blessed are the peacemakers ... for they shall be shot at from both sides. --A.M. Greeley
The Tuesday 2008-02-05 at 14:33 -0800, Greg KH wrote:
On Tue, Feb 05, 2008 at 05:40:53PM -0500, Doug McGarrett wrote:
If Novell will sell SuSE with some legal drivers which are now left out,
What do you mean by this?
I guess he means proprietary software/drivers/whatever for multimedia, for instance, like movies DVDs, paying whomever has the license. Or the nvidia/ati drivers. Time ago the boxed version did include proprietary software that was not included in the ftp version. -- Cheers, Carlos E. R.
James Knott wrote:
Joe 'Zonker' Brockmeier wrote:
On Tuesday 05 February 2008 6:26:29 am Per Jessen wrote:
Perhaps "Zonker" might feel inclined to introduce himself to the list?
Hi! Please pardon my tardiness here -- there are a lot of channels of communication within openSUSE, and I'm just getting started. I do plan to be actively participating on the lists. Also, feel free to shoot me an email directly if you wish to have a discussion about something off-list. (zonker@opensuse.org or jzb@zonker.net)
Wrt use of "manager" in the English language - it means nothing and everything. See also "pointyhaired".
:-)
http://dilbert.com/comics/dilbert/archive/images/dilbert20183360080205.gif
;-)
James, You beat me to it! :-) Ciao. -- Past experience, if not forgotten, is a guide for the future.
On Wed, Feb 06, 2008 at 01:42:26AM +0100, Carlos E. R. wrote:
The Tuesday 2008-02-05 at 14:33 -0800, Greg KH wrote:
On Tue, Feb 05, 2008 at 05:40:53PM -0500, Doug McGarrett wrote:
If Novell will sell SuSE with some legal drivers which are now left out,
What do you mean by this?
I guess he means proprietary software/drivers/whatever for multimedia, for instance, like movies DVDs, paying whomever has the license. Or the nvidia/ati drivers.
It is Novell's public position that closed source Linux kernel drivers violate the license of the copyright holders of the Linux kernel. And as such, will not distribute them. So in a box or not, that is not something that Novell could do. thanks, greg k-h
Doug McGarrett wrote:
On Tuesday 05 February 2008 09:35, Joe 'Zonker' Brockmeier wrote:
On Tuesday 05 February 2008 6:26:29 am Per Jessen wrote:
Perhaps "Zonker" might feel inclined to introduce himself to the list? Hi!
Please pardon my tardiness here -- there are a lot of channels of communication within openSUSE, and I'm just getting started. I do plan to be actively participating on the lists. Also, feel free to shoot me an email directly if you wish to have a discussion about something off-list. (zonker@opensuse.org or jzb@zonker.net)
/snip/
:-)
-- Joe 'Zonker' Brockmeier openSUSE Community Manager jzb@zonker.net | zonker@opensuse.org http://zonker.opensuse.org/ | http://www.dissociatedpress.net/
Well, Zonker, I think that the consensus here on the list is that Novell should make boxed editions with manuals available for purchase, and for best effect, (IMHO) should make them available at the same time as the on-line release--before everyone finds out how crappy the release really is. I see that there was some discussion about reliability vs. bleeding edge, and I don't know what the consensus of that was, but I'm running 9.3, if that tells you anything. (And I have 10.0, which I bought.) If Novell will sell SuSE with some legal drivers which are now left out,and sell it thru Staples and/or bookstores, it would really help to spread the product around, which I assume they would like to do. And might even make some money-- who's paying for all this freeware, anyway?
BTW, I'm not in favor of .pdf "manuals." I don't really want to burn a ream of printer paper and a half cup of toner just to have the manual in my lap in my armchair. That strikes me as awfully inefficient, not to mention expensive.
For a mere fraction of what you would pay for the manuals I believe you could take the pdf to a print shop and have a copy printed.
It will be interesting to see what effect you have on Novell, and I wish you the best of luck with that endeavor.
--doug
Blessed are the peacemakers ... for they shall be shot at from both sides. --A.M. Greeley
-- kr
On Tuesday 05 February 2008 11:07:40 am Philippe Landau wrote:
Thanks for your reply, Joe Zonker :-)
Not a problem.
What does Zonker mean ?
It's just a nickname, it doesn't have a literal meaning.
Interesting you should refer to the "industry". "Industry" and "Community" are not easily reconciled
It may not be easy to find a good balance between community and "industry," but that's part of my job.
May i point you to a problem i am observing here, a disconnect and break in communication ?
Sure.
I don't know how interested OpenSuse is in fixing bugs. When i had difficulty searching for bugs, nobody replied. Most users seem to have given up filing bug reports because developers seem disinterested except in the cases where they are working on something already. Even Novell's own employees seem to prefer Non-OSS work-arounds than filing bug reports. (See for example "Monitor resolution").
Can you point me to something in bugzilla? I'm not quite sure what you're referring to here.
Looking forward to your success, Joe :-)
Thank you, I appreciate that. Best, Zonker -- Joe 'Zonker' Brockmeier openSUSE Community Manager jzb@zonker.net | zonker@opensuse.org http://zonker.opensuse.org/ | http://www.dissociatedpress.net/
On 06/02/2008 at 12:34:05, in message <47A9A93D.4000208@cybsft.com>, "K.R. Foley" wrote:
BTW, I'm not in favor of .pdf "manuals." I don't really want to burn a ream of printer paper and a half cup of toner just to have the manual in my lap in my armchair. That strikes me as awfully inefficient, not to mention expensive.
For a mere fraction of what you would pay for the manuals I believe you could take the pdf to a print shop and have a copy printed.
That's fine but remember there are those of us using OpenSuSE that rely on this PDF. Removing it entirely would be worse. You may object to having to print out the manual, but be thankful that you have it at all! Think of those out there who actually see any kind of electronic material as a privilege. So, yes, print away, but make sure the electronic copy stays available. Darragh -- Darragh Ó Héiligh OpenSuSE Technical Support Mentor Email + IM: doheiligh@novell.com Novell Communities Blog: http://www.novell.com/communities/blogs/doheiligh
Darragh O'Heiligh wrote:
On 06/02/2008 at 12:34:05, in message <47A9A93D.4000208@cybsft.com>, "K.R. Foley" wrote:
BTW, I'm not in favor of .pdf "manuals." I don't really want to burn a ream of printer paper and a half cup of toner just to have the manual in my lap in my armchair. That strikes me as awfully inefficient, not to mention expensive.
For a mere fraction of what you would pay for the manuals I believe you could take the pdf to a print shop and have a copy printed.
That's fine but remember there are those of us using OpenSuSE that rely on this PDF. Removing it entirely would be worse. You may object to having to print out the manual, but be thankful that you have it at all! Think of those out there who actually see any kind of electronic material as a privilege. So, yes, print away, but make sure the electronic copy stays available.
Darragh
Hi Darragh, I am not sure you understood the point I was trying to make. I too like being able to have electronic copies of manuals. In fact, I wish I could have an electronic copy of all of my many programming/reference books. It makes it much easier to carry them with you when you travel. The point I was trying to make is that for those who would prefer to have a printed copy, but don't want to print it themselves, they always have the option to get a copy printed and then they can have both. I wasn't suggesting that SuSE/Novell should print them. -- kr
The Wednesday 2008-02-06 at 13:18 -0000, Darragh O'Heiligh wrote:
That's fine but remember there are those of us using OpenSuSE that rely on this PDF. Removing it entirely would be worse. You may object to having to print out the manual, but be thankful that you have it at all! Think of those out there who actually see any kind of electronic material as a privilege. So, yes, print away, but make sure the electronic copy stays available.
I don't think anybody suggested removing the pdf :-? -- Cheers, Carlos E. R.
On Tuesday 05 February 2008 5:40:53 pm Doug McGarrett wrote:
Well, Zonker, I think that the consensus here on the list is that Novell should make boxed editions with manuals available for purchase, and for best effect, (IMHO) should make them available at the same time as the on-line release--before everyone finds out how crappy the release really is. I see that there was some discussion about reliability vs. bleeding edge, and I don't know what the consensus of that was, but I'm running 9.3, if that tells you anything. (And I have 10.0, which I bought.) If Novell will sell SuSE with some legal drivers which are now left out,and sell it thru Staples and/or bookstores, it would really help to spread the product around, which I assume they would like to do. And might even make some money-- who's paying for all this freeware, anyway?
A couple of thoughts on this... one, I am using 10.3 right now, and I don't find it to be "crappy" at all. I think some other people have covered some of the problems with selling boxed product later in another thread, but I can just add -- when I worked with Linux Mall, it was really difficult to do well selling boxed copies of distributions, because of the short release cycle and such. And that was when more people bought boxed copies due to sparse availability of broadband -- now, even though more people are using Linux, fewer people want to buy the box set.
BTW, I'm not in favor of .pdf "manuals." I don't really want to burn a ream of printer paper and a half cup of toner just to have the manual in my lap in my armchair. That strikes me as awfully inefficient, not to mention expensive.
I wonder if a good compromise might be for openSUSE to put the PDFs on a service like Lulu.com and allow people to buy the manual through Lulu. Since they operate on a print-on-demand system, that might be a good way to go.
It will be interesting to see what effect you have on Novell, and I wish you the best of luck with that endeavor.
Thanks!
Blessed are the peacemakers ... for they shall be shot at from both sides.
:-) Awesome sig. Best, Zonker -- Joe 'Zonker' Brockmeier openSUSE Community Manager jzb@zonker.net | zonker@opensuse.org http://zonker.opensuse.org/ | http://www.dissociatedpress.net/
On Wed, 2008-02-06 at 09:09 -0500, Joe 'Zonker' Brockmeier wrote:
I wonder if a good compromise might be for openSUSE to put the PDFs on a service like Lulu.com and allow people to buy the manual through Lulu. Since they operate on a print-on-demand system, that might be a good way to go.
Does lulu.com work economically all over the world? I recall this suggestion before on this list. Some liked the idea. Others located in various parts of the world were less enthusiastic. -- Roger Oberholtzer OPQ Systems / Ramböll RST Ramböll Sverige AB Kapellgränd 7 P.O. Box 4205 SE-102 65 Stockholm, Sweden Office: Int +46 8-615 60 20 Mobile: Int +46 70-815 1696
Joe 'Zonker' Brockmeier wrote:
On Tuesday 05 February 2008 5:40:53 pm Doug McGarrett wrote:
Well, Zonker, I think that the consensus here on the list is that Novell should make boxed editions with manuals available for purchase, and for best effect, (IMHO) should make them available at the same time as the on-line release--before everyone finds out how crappy the release really is. I see that there was some discussion about reliability vs. bleeding edge, and I don't know what the consensus of that was, but I'm running 9.3, if that tells you anything. (And I have 10.0, which I bought.) If Novell will sell SuSE with some legal drivers which are now left out, and sell it thru Staples and/or bookstores, it would really help to spread the product around, which I assume they would like to do. And might even make some money-- who's paying for all this freeware, anyway?
A couple of thoughts on this... one, I am using 10.3 right now, and I don't find it to be "crappy" at all.
Quality has definitely declined since 9.3. 10.0 and 10.1 have both been disappointments for me. Too much stuff that used to work flawlessly became problematic.
I think some other people have covered some of the problems with selling boxed product later in another thread, but I can just add -- when I worked with Linux Mall, it was really difficult to do well selling boxed copies of distributions, because of the short release cycle and such. And that was when more people bought boxed copies due to sparse availability of broadband -- now, even though more people are using Linux, fewer people want to buy the box set.
BTW, I'm not in favor of .pdf "manuals." I don't really want to burn a ream of printer paper and a half cup of toner just to have the manual in my lap in my armchair. That strikes me as awfully inefficient, not to mention expensive.
I wonder if a good compromise might be for openSUSE to put the PDFs on a service like Lulu.com and allow people to buy the manual through Lulu. Since they operate on a print-on-demand system, that might be a good way to go.
That's good *ONLY* if the users are AWARE of it. Don't depend on word-of-mouth, or "community knowledge", because a lot of new users never get that kind of information for a long time. There needs to be EXPLICIT instructions, placed perhaps in ~root, and DISPLAYED when the admin logs-in (at least for the first time) so that EVERYONE knows it exists. Burying facts like this someplace in the /share/docs hierarchy, and thinking new users will just magically find it there is a pipe dream.
It will be interesting to see what effect you have on Novell, and I wish you the best of luck with that endeavor.
Thanks!
Blessed are the peacemakers ... for they shall be shot at from both sides.
:-) Awesome sig.
Best,
Zonker
Roger Oberholtzer wrote:
On Wed, 2008-02-06 at 09:09 -0500, Joe 'Zonker' Brockmeier wrote:
I wonder if a good compromise might be for openSUSE to put the PDFs on a service like Lulu.com and allow people to buy the manual through Lulu. Since they operate on a print-on-demand system, that might be a good way to go.
Does lulu.com work economically all over the world? I recall this suggestion before on this list. Some liked the idea. Others located in various parts of the world were less enthusiastic.
this should be a good starting point as it's nearly free (for opensuse) jdd -- http://www.dodin.net
On 06/02/2008, Joe 'Zonker' Brockmeier
I wonder if a good compromise might be for openSUSE to put the PDFs on a service like Lulu.com and allow people to buy the manual through Lulu. Since they operate on a print-on-demand system, that might be a good way to go.
Certainly worth investigating. I too miss the manuals, the admin manual was always my reason for buying the box, consequently never bought one after it was dropped for 10.0. I still regularly refer to the 9.3 admin manual, but it is getting a little outdated now. As all of the hard documentation work is still done to create the manual it's a pity that it's not available in a particularly useful form, while it is possible to get a copy printed oneself in reality one never gets around to these things. The hard copy admin manual is great for when one is stuck without an internet connection and no documentation installed and needs to work out how to configure things like dhcpd. It is also fairly unique being written as a reference manual rather than a book. -- Benjamin Weber
* Benji Weber
On 06/02/2008, Joe 'Zonker' Brockmeier
wrote: I wonder if a good compromise might be for openSUSE to put the PDFs on a service like Lulu.com and allow people to buy the manual through Lulu. Since they operate on a print-on-demand system, that might be a good way to go.
Certainly worth investigating. I too miss the manuals, the admin manual was always my reason for buying the box, consequently never bought one after it was dropped for 10.0. I still regularly refer to the 9.3 admin manual, but it is getting a little outdated now.
I would subscribe to a service to receive the documentation for every release. I still have the manuals back to 8.1. -- Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://counter.li.org
On Wednesday 06 February 2008 9:14:39 am Roger Oberholtzer wrote:
Does lulu.com work economically all over the world? I recall this suggestion before on this list. Some liked the idea. Others located in various parts of the world were less enthusiastic.
I can't honestly say for sure -- they do have a page on international shipping, here: http://www.lulu.com/en/help/shipping_options_intl I'm not sure if the Lulu shipping prices are in line with other sources or not. Best, Zonker -- Joe 'Zonker' Brockmeier openSUSE Community Manager jzb@zonker.net | zonker@opensuse.org http://zonker.opensuse.org/ | http://www.dissociatedpress.net/
On Wednesday 06 February 2008 9:56:46 am Benji Weber wrote:
On 06/02/2008, Joe 'Zonker' Brockmeier
wrote: I wonder if a good compromise might be for openSUSE to put the PDFs on a service like Lulu.com and allow people to buy the manual through Lulu. Since they operate on a print-on-demand system, that might be a good way to go.
Certainly worth investigating. I too miss the manuals, the admin manual was always my reason for buying the box, consequently never bought one after it was dropped for 10.0. I still regularly refer to the 9.3 admin manual, but it is getting a little outdated now.
I will look into this. I would like to do what we can to provide manuals and printed docs for users who want hard copy. From my perspective I *usually* prefer electronic copy -- simply because I don't have *room* for any more printed manuals, and I have a really hard time tossing out old printed manuals / books. But, there are advantages to having printed docs -- and far be it from me to discourage anyone from reading the documentation! :-)
The hard copy admin manual is great for when one is stuck without an internet connection and no documentation installed and needs to work out how to configure things like dhcpd. It is also fairly unique being written as a reference manual rather than a book.
Oh, I know all about that sort of thing. Also, it's nice to be able to browse through the manual away from the computer... Best, Zonker -- Joe 'Zonker' Brockmeier openSUSE Community Manager jzb@zonker.net | zonker@opensuse.org http://zonker.opensuse.org/ | http://www.dissociatedpress.net/
Patrick Shanahan wrote:
* Benji Weber
[02-06-08 09:58]: On 06/02/2008, Joe 'Zonker' Brockmeier
wrote: I wonder if a good compromise might be for openSUSE to put the PDFs on a service like Lulu.com and allow people to buy the manual through Lulu. Since they operate on a print-on-demand system, that might be a good way to go.
Certainly worth investigating. I too miss the manuals, the admin manual was always my reason for buying the box, consequently never bought one after it was dropped for 10.0. I still regularly refer to the 9.3 admin manual, but it is getting a little outdated now.
I would subscribe to a service to receive the documentation for every release. I still have the manuals back to 8.1.
When I was at IBM, doing 3rd level OS/2 support, I'd occasionally print out a "Redbook". Even with double sided printing, some of them took a *LOT* of paper. I'd normally print them on a night queue to the printer that used 3 hole paper. I still have one of them here, "TCP/IP Implementation in an OS/2 Warp Environment". ;-) -- Use OpenOffice.org http://www.openoffice.org
James Knott wrote:
Patrick Shanahan wrote:
* Benji Weber
[02-06-08 09:58]: On 06/02/2008, Joe 'Zonker' Brockmeier
wrote: I wonder if a good compromise might be for openSUSE to put the PDFs on a service like Lulu.com and allow people to buy the manual through Lulu. Since they operate on a print-on-demand system, that might be a good way to go.
Certainly worth investigating. I too miss the manuals, the admin manual was always my reason for buying the box, consequently never bought one after it was dropped for 10.0. I still regularly refer to the 9.3 admin manual, but it is getting a little outdated now.
I would subscribe to a service to receive the documentation for every release. I still have the manuals back to 8.1.
When I was at IBM, doing 3rd level OS/2 support, I'd occasionally print out a "Redbook". Even with double sided printing, some of them took a *LOT* of paper. I'd normally print them on a night queue to the printer that used 3 hole paper. I still have one of them here, "TCP/IP Implementation in an OS/2 Warp Environment". ;-)
I forgot to mention, IBM has a lot of Linux Redbooks available here: http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=linux -- Use OpenOffice.org http://www.openoffice.org
Hi, On Wednesday 06 February 2008, Joe 'Zonker' Brockmeier wrote:
On Wednesday 06 February 2008 9:56:46 am Benji Weber wrote:
On 06/02/2008, Joe 'Zonker' Brockmeier
wrote: I wonder if a good compromise might be for openSUSE to put the PDFs on a service like Lulu.com and allow people to buy the manual through Lulu. Since they operate on a print-on-demand system, that might be a good way to go.
Certainly worth investigating. I too miss the manuals, the admin manual was always my reason for buying the box, consequently never bought one after it was dropped for 10.0. I still regularly refer to the 9.3 admin manual, but it is getting a little outdated now.
I will look into this. I would like to do what we can to provide manuals and printed docs for users who want hard copy.
You can contact Michael Löffler. I think he did also some polls but I assume they are probably outdated now.
[...]
Tom -- Thomas Schraitle SUSE LINUX GmbH Documentation Specialist Maxfeldstrasse 5 90409 Nuernberg http://en.opensuse.org/Documentation_Team http://developer.novell.com/wiki/index.php/Lessons_for_Lizards
Joe 'Zonker' Brockmeier wrote:
On Wednesday 06 February 2008 9:56:46 am Benji Weber wrote:
On 06/02/2008, Joe 'Zonker' Brockmeier
wrote: I wonder if a good compromise might be for openSUSE to put the PDFs on a service like Lulu.com and allow people to buy the manual through Lulu. Since they operate on a print-on-demand system, that might be a good way to go.
Certainly worth investigating. I too miss the manuals, the admin manual was always my reason for buying the box, consequently never bought one after it was dropped for 10.0. I still regularly refer to the 9.3 admin manual, but it is getting a little outdated now.
I will look into this. I would like to do what we can to provide manuals and printed docs for users who want hard copy.
From my perspective I *usually* prefer electronic copy -- simply because I don't have *room* for any more printed manuals, and I have a really hard time tossing out old printed manuals / books. But, there are advantages to having printed docs -- and far be it from me to discourage anyone from reading the documentation! :-)
For new users, they are essential. If you're not willing to do things for new users, then your user base is not going to expand significantly.
The hard copy admin manual is great for when one is stuck without an internet connection and no documentation installed and needs to work out how to configure things like dhcpd. It is also fairly unique being written as a reference manual rather than a book.
Oh, I know all about that sort of thing. Also, it's nice to be able to browse through the manual away from the computer...
Some people yes, some no. Don't mistake your personal preferences for universal preferences. It's impossible to browse the on-line and on-disk documentation during the middle of an installation.
Best,
Zonker
Joe 'Zonker' Brockmeier wrote:
Oh, I know all about that sort of thing. Also, it's nice to be able to browse through the manual away from the computer...
also think at a version for PDA's. Most of them can read pdf (I must say that my Zire 31 is very bad on this respect - just tried) and paperless reading should become more usable now, with high def devices. however, they need much smaller files, my zire can't even open a 6Mb file like the manual - could be spread on one file by chapter and maybe the page layout can be different jdd (just tried with my nokia E65, acrobat refuses to open the file - maybe too big)
On Tuesday 05 February 2008 5:27:38 pm Aaron Kulkis wrote:
Zonker... you don't wear a football helmet wherever you go, do you?
Nope. I wear a hat sometimes, but no football helmets. (B.D. is the Doonesbury character that always wore a football helmet... http://en.wikipedia.org/wiki/B.D._%28Doonesbury%29) Best, Zonker -- Joe 'Zonker' Brockmeier openSUSE Community Manager jzb@zonker.net | zonker@opensuse.org http://zonker.opensuse.org/ | http://www.dissociatedpress.net/
Aaron Kulkis wrote:
Joe 'Zonker' Brockmeier wrote:
A couple of thoughts on this... one, I am using 10.3 right now, and I don't find it to be "crappy" at all.
Quality has definitely declined since 9.3.
10.0 and 10.1 have both been disappointments for me. Too much stuff that used to work flawlessly became problematic.
I run suse on dozens of computers, and IMHO 10.3 is a big improvement on 9.3 in terms of performance, hardware support and look & feel. I agree that there was a huge problem with online update and software management in 10.1 (which drove me to use smart instead of zmd) but that problem improved a lot in 10.2, and is no longer an issue in 10.3 as zypper has replaced the problematic zmd. Not to say that any distro is perfect - There's always room for improvement and I have great hopes for SuSE 11 - Joe
On Wednesday 06 February 2008 3:36:50 pm Sloan wrote:
Not to say that any distro is perfect -
There's always room for improvement and I have great hopes for SuSE 11 -
Would this be a good time to mention that anyone interested in testing 11.0 can download the alphas and bang on those, to help ensure that we've found and squashed every bug possible? :-) (http://tinyurl.com/2dd2vm) Best, Zonker -- Joe 'Zonker' Brockmeier openSUSE Community Manager jzb@zonker.net | zonker@opensuse.org http://zonker.opensuse.org/ | http://www.dissociatedpress.net/
Joe 'Zonker' Brockmeier wrote:
On Wednesday 06 February 2008 3:36:50 pm Sloan wrote:
Not to say that any distro is perfect - There's always room for improvement and I have great hopes for SuSE 11 -
Would this be a good time to mention that anyone interested in testing 11.0 can download the alphas and bang on those, to help ensure that we've found and squashed every bug possible? :-) (http://tinyurl.com/2dd2vm)
I almost never click on a tinyurl as I don't know what it hides.
Kind regards Philippe
Philippe Landau wrote:
Joe 'Zonker' Brockmeier wrote:
On Wednesday 06 February 2008 3:36:50 pm Sloan wrote:
Not to say that any distro is perfect - There's always room for improvement and I have great hopes for SuSE 11 -
Would this be a good time to mention that anyone interested in testing 11.0 can download the alphas and bang on those, to help ensure that we've found and squashed every bug possible? :-) (http://tinyurl.com/2dd2vm)
I almost never click on a tinyurl as I don't know what it hides.
I'm a linux user, I click on anything I feel like, without fear of viruses or spyware ;) Joe
Ahoj Joe 'Zonker' Brockmeier wrote (shortened):
It's just a nickname, it doesn't have a literal meaning.
Be honest :) He is the guy that lost a lot of "Let's Make a Deal" games in Germany. The price for the loser ... a "Zonk" ... so he has many :) So be prepared to see: http://upload.wikimedia.org/wikipedia/commons/thumb/f/fa/Zonk.jpg/591px-Zonk... as his avatar and mascot :) SCNR :) Greetings, Marco -- Marco "daemon" Michna
Philippe Landau wrote:
Joe 'Zonker' Brockmeier wrote:
On Wednesday 06 February 2008 3:36:50 pm Sloan wrote:
Not to say that any distro is perfect - There's always room for improvement and I have great hopes for SuSE 11 -
Would this be a good time to mention that anyone interested in testing 11.0 can download the alphas and bang on those, to help ensure that we've found and squashed every bug possible? :-) (http://tinyurl.com/2dd2vm)
I almost never click on a tinyurl as I don't know what it hides.
Kind regards Philippe
But you certainly don't mind clicking the reply button. -- kr
On Wednesday 06 February 2008 12:56, Philippe Landau wrote:
...
I almost never click on a tinyurl as I don't know what it hides.
I usually prefer to know where I'm going to go, too, but as Joe says, there's really little to worry about on a Linux box. However, you can configure TinyURL to show you where it's going to redirect you before you go there: http://tinyurl.com/preview.php
Kind regards Philippe
Randall Schulz
Aaron Kulkis wrote:
Quality has definitely declined since 9.3.
And what you are doing to improve it then ? talking and whining is very easy...
10.0 and 10.1 have both been disappointments for me. Too much stuff that used to work flawlessly became problematic.
The sw management problem has been discussed to death, please read the mail archives before raising the annoying zmd thing again, that problem has been fixed. argh. -- “There is always some madness in love. But there is also always some reason in madness.” - Friedrich Nietzsche Cristian Rodríguez R. Platform/OpenSUSE - Core Services SUSE LINUX Products GmbH Research & Development http://www.opensuse.org/
Cristian, sounds like you're getting beat up. So here is a word from a different customer. I have been a 30 desktop 4 server SuSE customer since v7. I went to 8 but skipped 9. When I needed something new (New time zones in this case) I was in the area of 10.2 and found things had changed but mostly for the better. 10.3 is even better. Oh yea there are always things that could use better explanations (LDAP=MUSH) but for the most part all is well at the 10.2/10.3 levels. If I had to make any suggestions it would be that some of the end user desktop stuff like audio and video and various "standard" utilities in the Windoze world need major work by a smart guy to set things up. Did I just call me a smart guy? I still have not figured out IF I can upgrade systems from 10.2 to 10.3, nor can I figure out how to make a patch CD (or even if I can use it to apply fixes to all my hidden from the net computers). Not everyone can find the docs on the web like: Hacking openSUSE 10.2 HACKING OPENSUSE 10.2 Written by Jem Matzan Dec 10, 2006 at 05:25 PM This opened my eyes wide for how to make SuSE useable by some of our normal computer users. That document should be the basis for what could be done in SuSE to make it ready for normal users to make use of. I even run SuSE 10.3 on my personal home computer! For the first time I can say I can do most of what I need from Linux. With wine I have made several Windoze based apps available to SuSE but the vendors like Quicken keep making the programs harder to wine with. Quicken 2008 does not run at all in wine. (Does not run well on vista, but what does!). If I had more time I would work on more of my pet problems but for now SuSE is still not my company's Primary O/S. It does hold all of our major money making applications though! Tim Ertl V.P. MIS LMR Group 413-442-9000 x6211
-----Original Message----- From: Cristian Rodríguez [mailto:crrodriguez@suse.de] Sent: Wednesday, February 06, 2008 5:01 PM To: Aaron Kulkis Cc: Joe 'Zonker' Brockmeier; opensuse Subject: Re: [opensuse] The new openSUSE community representative
Aaron Kulkis wrote:
Quality has definitely declined since 9.3.
And what you are doing to improve it then ? talking and whining is very easy...
10.0 and 10.1 have both been disappointments for me. Too much stuff that used to work flawlessly became problematic.
The sw management problem has been discussed to death, please read the mail archives before raising the annoying zmd thing again, that problem has been fixed. argh. -- There is always some madness in love. But there is also always some reason in madness. - Friedrich Nietzsche Cristian Rodríguez R. Platform/OpenSUSE - Core Services SUSE LINUX Products GmbH Research & Development http://www.opensuse.org/
Sloan wrote:
Philippe Landau wrote:
Joe 'Zonker' Brockmeier wrote:
On Wednesday 06 February 2008 3:36:50 pm Sloan wrote:
Not to say that any distro is perfect - There's always room for improvement and I have great hopes for SuSE 11 -
Would this be a good time to mention that anyone interested in testing 11.0 can download the alphas and bang on those, to help ensure that we've found and squashed every bug possible? :-) (http://tinyurl.com/2dd2vm)
I almost never click on a tinyurl as I don't know what it hides.
I'm a linux user, I click on anything I feel like, without fear of viruses or spyware ;)
Same here.
Joe 'Zonker' Brockmeier wrote:
On Wednesday 06 February 2008 3:36:50 pm Sloan wrote:
Not to say that any distro is perfect -
There's always room for improvement and I have great hopes for SuSE 11 -
Would this be a good time to mention that anyone interested in testing 11.0 can download the alphas and bang on those, to help ensure that we've found and squashed every bug possible? :-)
I'll have a 2nd machine up and running again, so when that's working, I'll join in the fun.
Cristian Rodríguez wrote:
Aaron Kulkis wrote:
Quality has definitely declined since 9.3.
And what you are doing to improve it then ? talking and whining is very easy...
When I was in Iraq, getting mortared and rocketed every 12 to 72 hours, fixing SuSE's distro was extremely low on my list of priorities.
Joe 'Zonker' Brockmeier pecked at the keyboard and wrote:
On Wednesday 06 February 2008 3:36:50 pm Sloan wrote:
Not to say that any distro is perfect -
There's always room for improvement and I have great hopes for SuSE 11 -
Would this be a good time to mention that anyone interested in testing 11.0 can download the alphas and bang on those, to help ensure that we've found and squashed every bug possible? :-)
Best,
Zonker
Every day is a good day to mention it. I test every alpha, beta, RC and GM release and report every bug I find which are few. But I also only download the deltas to help reduce bandwidth requirements. -- Ken Schneider SuSe since Version 5.2, June 1998
On Wednesday 06 February 2008 09:09:49 am Joe 'Zonker' Brockmeier wrote: ......<snip>......
I think some other people have covered some of the problems with selling boxed product later in another thread, but I can just add -- when I worked with Linux Mall, it was really difficult to do well selling boxed copies of distributions, because of the short release cycle and such. And that was when more people bought boxed copies due to sparse availability of broadband -- now, even though more people are using Linux, fewer people want to buy the box set.
Because you are talking about experienced users. For the new users, the converts, who don't know, which is what we are really talking about here, print on the box, in big bold letters: "Free Upgrades for Life" Then they can download to their hearts content, after they know they can. Bob S
On Wednesday 06 February 2008 05:01:11 pm Cristian Rodríguez wrote:
Aaron Kulkis wrote:
Quality has definitely declined since 9.3.
And what you are doing to improve it then ? talking and whining is very easy...
10.0 and 10.1 have both been disappointments for me. Too much stuff that used to work flawlessly became problematic.
The sw management problem has been discussed to death, please read the mail archives before raising the annoying zmd thing again, that problem has been fixed. argh.
Ease off Cristian. The man was making a point. The ZMD thing WAS a screwup. Flawlessly indeed! Bob S
Aaron Kulkis wrote:
Bring back SuSE distributions to the retail stores.
Hear, hear. I picked up my first copy back in 1996 (or thereabouts) in Hugendubel in Munich. /Per Jessen, Zürich
Joe 'Zonker' Brockmeier wrote:
On Wednesday 06 February 2008 9:14:39 am Roger Oberholtzer wrote:
Does lulu.com work economically all over the world? I recall this suggestion before on this list. Some liked the idea. Others located in various parts of the world were less enthusiastic.
I can't honestly say for sure -- they do have a page on international shipping, here:
http://www.lulu.com/en/help/shipping_options_intl
I'm not sure if the Lulu shipping prices are in line with other sources or not.
They appear to be reasonable, but there's no mention of shipping to Switzerland :-( There's also a bit of a currency issue - at the very least, any such on-demand printer should be able to deal in EUR. /Per Jessen, Zürich
jdd wrote:
Joe 'Zonker' Brockmeier wrote:
Oh, I know all about that sort of thing. Also, it's nice to be able to browse through the manual away from the computer...
also think about a version for PDAs. Most of them can read pdf (I must say that my Zire 31 is very bad in this respect - just tried) and paperless reading should become more usable now, with high def devices.
however, they need much smaller files, my zire can't even open a 6Mb file like the manual - could be split into one file per chapter and maybe the page layout can be different
jdd (just tried with my nokia E65, acrobat refuses to open the file - maybe too big)
This is an excellent idea except for some issues, one of which you seem to have already discovered. Large PDFs usually cause problems on symbian mobile devices mainly because acrobat reader seems to try to load the whole document into "application memory". (HTML causes similar problems). Apart from the dedicated Linux e-Reader devices, Linux open source e-Reader software seems to be in short supply, but the real problem is settling on a reasonable format and pdf is not it. What would be good is to have something like Tomeraider (which is a good e-book based format for reference documents). Unfortunately, this is *not* free and *not* open source. The MobiPocket Reader is free but *not* open source, there are some free tools to create MobiPocket documents. (The MobiPocket reader works quite well and if you raid things like the Gutenberg Project, one can get an awful lot of free books). The MobiPocket desktop client is Windows only. Neither of these suffer from the memory issues with acrobat reader on a mobile device. People with s60 phones (such as E65) could try out qreader which is free. http://www.qreader.com/ There is also something called ReadManiac that I have not tried, which seems to generate books as Java midlets.... http://www.deep-shadows.com/hax/ReadManiac/ As an approach this is intriguing....
-- I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup
Per Jessen wrote:
Aaron Kulkis wrote:
Bring back SuSE distributions to the retail stores.
Hear, hear. I picked up my first copy back in 1996 (or thereabouts) in Hugendubel in Munich.
Even though I can download it, I prefer to have a retail version. I can look through the manuals BEFORE installation. I can give the disks WITH THE MANUALS to someone who might not otherwise be willing to try Linux, etc. And of course, I have no problem giving financial support for the continuation of high-quality SuSE products.
Per Jessen wrote:
Joe 'Zonker' Brockmeier wrote:
On Wednesday 06 February 2008 9:14:39 am Roger Oberholtzer wrote:
Does lulu.com work economically all over the world? I recall this suggestion before on this list. Some liked the idea. Others located in various parts of the world were less enthusiastic. I can't honestly say for sure -- they do have a page on international shipping, here:
http://www.lulu.com/en/help/shipping_options_intl
I'm not sure if the Lulu shipping prices are in line with other sources or not.
They appear to be reasonable, but there's no mention of shipping to Switzerland :-(
There's also a bit of a currency issue - at the very least, any such on-demand printer should be able to deal in EUR.
Credit cards usually handle that automagically. I've used ATMs in Norway, Russia, and Kuwait, and the currency conversion was always done correctly.
Aaron Kulkis:
Sloan wrote:
Philippe Landau wrote:
I almost never click on a tinyurl as i don't know what it hides.
I'm a linux user, I click on anything i feel like, without fear or viruses or spyware ;)
Same here.
Security by insignificance? I'd consider getting rid of that habit whenever it will be judged by interested parties that linux desktops now ranged in the significant amounts. Or your specific box gets to be judged significant. The notion that malware on linux was technically not feasible is highly irrational. I think experienced senior linux users shouldn't keep on spreading this deceptive mantra. You should know better. Malware is not entirely about root, remember? John Doe user accounts with dsl pipes, privacy breaches, Apps-can-do-all etc. You know the list. I think it'd be good long-term practice to rather gossip about sound and decent security awareness. On any desktop. Be good, Wolfgang
Wolfgang Woehl wrote:
Aaron Kulkis:
Sloan wrote:
Philippe Landau wrote:
I almost never click on a tinyurl as i don't know what it hides.
I'm a linux user, I click on anything i feel like, without fear or viruses or spyware ;)
Same here.
Security by insignificance? I'd consider getting rid of that habit whenever it will be judged by interested parties that linux desktops now ranged in the significant amounts. Or your specific box gets to be judged significant.
It always seems the "man in the street" assumes that microsoft suffers from such chronic security woes only because of the overwhelming popularity of ms windows, and doesn't consider that script kiddies are just taking the low hanging fruit, the easy target. I've been using unix too long to be scared by the "viruses are coming, be afraid" crowd. Sure, it's possible to exploit certain scenarios on linux and other unix-like systems, but by the nature of the design it's not as straightforward and simple as infecting a peecee operating system. Prudence and reasonable security measures are appropriate for linux users - blind paranoia is not. Joe
On Thursday 07 February 2008 10:55, Wolfgang Woehl wrote:
Aaron Kulkis:
Sloan wrote:
Philippe Landau wrote:
I almost never click on a tinyurl as i don't know what it hides.
I'm a linux user, I click on anything i feel like, without fear or viruses or spyware ;)
Same here.
Security by insignificance? I'd consider getting rid of that habit whenever it will be judged by interested parties that linux desktops now ranged in the significant amounts. Or your specific box gets to be judged significant.
I don't think that even comes close to characterizing Joe's statement. He knows what's possible when retrieving and interpreting HTML and JavaScript in his browser and has a reasonable belief that it cannot cause his system harm nor allow the establishment of a beachhead from which attacks may be launched against other systems
The notion that malware on linux was technically not feasible is highly irrational. I think experienced senior linux users shouldn't keep on spreading this deceptive mantra. You should know better.
No one says it's "technically not feasible." What we reasonably believe is that exploits are actively sought out by the user, security and developer community and, when found, expeditiously fixed by the developers. Thus we have far less exposure to malware exploits than do Windows users.
Malware is not entirely about root, remember? John Doe user accounts with dsl pipes, privacy breaches, Apps-can-do-all etc. You know the list.
We do know those things, and we also know that Linux software is far less susceptible.
I think it'd be good long-term practice to rather gossip about sound and decent security awareness. On any desktop.
Eh? Gossip?? The Linux user and developer community engages in an ongoing and serious discussion of security. There's a whole openSUSE list devoted to it, and that's just one forum specific to security on Linux systems and software.
Be good, Wolfgang
Make me. Randall Schulz
On Thursday 07 February 2008 19:55, Wolfgang Woehl wrote:
Security by insignificance? I'd consider getting rid of that habit whenever it will be judged by interested parties that linux desktops now ranged in the significant amounts. Or your specific box gets to be judged significant.
The notion that malware on linux was technically not feasible is highly irrational. I think experienced senior linux users shouldn't keep on spreading this deceptive mantra. You should know better.
Why is it irrational? I disagree with that statement. Unless you can of course show me an attachment that auto-executes under linux.
Malware is not entirely about root, remember? John Doe user accounts with dsl pipes, privacy breaches, Apps-can-do-all etc. You know the list.
No, it's not all about root. But it is about doing something stupid. There's no other way to describe it. First it has to be downloaded/saved. Then it has to be made executable. Then it has to be run. If all three things are done, then yes, you have a problem. But it's a three step process.
I think it'd be good long-term practice to rather gossip about sound and decent security awareness. On any desktop.
True.. But you are a whole lot safer with linux than Microsoft products. Mike -- Powered by SuSE 10.0 Kernel 2.6.13 X86_64 KDE 3.4 Kmail 1.8 8:22pm up 176 days 0:54, 5 users, load average: 2.03, 2.13, 2.21
On 07/02/2008, Mike
The notion that malware on linux was technically not feasible is highly irrational. I think experienced senior linux users shouldn't keep on spreading this deceptive mantra. You should know better.
Why is it irrational? I disagree with that statement. Unless you can of course show me an attachment that auto-executes under linux.
Malware is not entirely about root, remember? John Doe user accounts with dsl pipes, privacy breaches, Apps-can-do-all etc. You know the list.
No, it's not all about root. But it is about doing something stupid. There's no other way to describe it. First it has to be downloaded/saved. Then it has to be made executable. Then it has to be run. If all three things are done, then yes, you have a problem. But it's a three step process.
This is not the case. A browser running as a user can do anything the user is allowed to do. For example an exploit in the browser or image viewing library which can be exploited through malicious javascript or crafted image could potentially delete all your user files. It could be used to launch a denial of service attack or spam from your machine (no need for root for this). If combined with a local root exploit (which are not uncommon) it could potentially even get root and have full control over the system. Same applies to your mail client, irc client, and other such applications. This is why it is important to both keep the software up to date, and still not run untrusted code. If you completely ignore security by blindly visiting pages with possible malware on, or running all email attachments etc, even on openSUSE/GNU/Linux you are vulnerable. There are technologies which can help, like apparmor/selinux etc, but these are not yet user friendly enough for desktop users to use. If you have an ssh server listening on the internet and you watch your logs I would be surprised if you have not noticed brute force attacks. Precautions such as strong passwords and fail2ban are important even for home machines if you run sshd. GNU/Linux systems are no less exploitable than windows. In some respects they are more exploitable due to the more powerful tools they have installed. Windows tends to be fairly locked down by default now. The only reason you have a false sense of security now is that you are not a significant enough target for malware authors. When that changes if too many people have the same attitude then there will be a problem. -- Benjamin Weber
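Added example, not part of the message above or of the list archive: a Python sketch of the kind of check a tool such as fail2ban applies to the sshd brute-force attempts mentioned in that message, counting failed password attempts per source address inside a sliding time window. The log lines are constructed and use documentation address ranges; the function names, the threshold of 3, the 10-minute window and the assumed year are illustrative assumptions, and the message layout is the common OpenSSH "Failed password for ... from IP port N ssh2" syslog form.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input (not real logs). The 20:33:30 line carries a
# user name that itself contains " from <ip> port <n> ssh2", an attempt to
# make a log parser blame an innocent address.
SAMPLE_LOG = """\
Feb  7 20:31:01 host sshd[4021]: Failed password for root from 203.0.113.7 port 40112 ssh2
Feb  7 20:31:03 host sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 40115 ssh2
Feb  7 20:31:06 host sshd[4025]: Failed password for invalid user test from 203.0.113.7 port 40119 ssh2
Feb  7 20:31:40 host sshd[4030]: Accepted publickey for joe from 192.0.2.10 port 51000 ssh2
Feb  7 20:32:10 host sshd[4033]: Failed password for joe from 192.0.2.10 port 51010 ssh2
Feb  7 20:33:00 host sshd[4040]: Failed password for root from 203.0.113.7 port 40200 ssh2
Feb  7 20:33:30 host sshd[4044]: Failed password for invalid user a from 192.0.2.10 port 1 ssh2 from 203.0.113.7 port 40300 ssh2
Feb  7 20:50:00 host sshd[4101]: Failed password for root from 198.51.100.9 port 2222 ssh2
Feb  7 21:30:00 host sshd[4190]: Failed password for root from 198.51.100.9 port 2230 ssh2
"""

# The user field is matched greedily and the pattern is anchored at the end
# of the line, so the address taken is the one sshd wrote last, not one
# embedded in an attacker-chosen user name.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+(?: ssh\d?)?\s*$"
)


def parse_failure(line, year=2008):
    """Return (timestamp, user, ip) for a failed-password line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    try:
        ip = str(ipaddress.ip_address(m["ip"]))  # reject non-address junk
    except ValueError:
        return None
    # Syslog timestamps carry no year, so one is supplied (assumption).
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when, m["user"], ip


def find_offenders(lines, max_retry=3, window=timedelta(minutes=10), year=2008):
    """Map each address that reached max_retry failures within the window
    to the time of the failure that crossed the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        when, _user, ip = parsed
        attempts = recent[ip]
        attempts.append(when)
        while attempts and when - attempts[0] > window:
            attempts.popleft()  # forget failures older than the window
        if len(attempts) >= max_retry and ip not in flagged:
            flagged[ip] = when
    return flagged


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the failure threshold at {when}")
```

An address that makes a single mistyped login, or two failures far apart, stays below the threshold; what to do with a flagged address (a firewall rule, a hosts.deny entry) is left to the surrounding tooling.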
Benji Weber wrote:
This is not the case. A browser running as a user can do anything the user is allowed to do. For example an exploit in the browser or image viewing library which can be exploited through malicious javascript or crafted image could potentially delete all your user files. It could be used to launch a denial of service attack or spam from your machine (no need for root for this). If combined with a local root exploit (which are not uncommon) it could potentially even get root and have full control over the system. Same applies to your mail client, irc client, and other such applications.
You make it sound trivial but the fact is, a bad guy will have a hell of a lot of problems trying to get root remotely on a modern linux distro.
If you completely ignore security by blindly visiting pages with possible malware on, or running all email attachments etc, even on openSUSE/GNU/Linux you are vulnerable.
Please elaborate on the above statement - provide details, examples because it all sounds very vague and alarming but there are no specifics.
If you have an ssh server listening on the internet and you watch your logs I would be surprised if you have not noticed brute force attacks. Precautions such as strong passwords and fail2ban are important even for home machines if you run sshd.
Sure, all sorts of failed attempts to login every day, because I have ssh open, but tcp wrappers severely limits the list of IPs allowed to connect and the "allow_users" line in sshd_config severely limits the list of users allowed to connect. If that were not enough, sshd runs with privilege separation, so that if a bad guy managed to break sshd, he'd get only the rights of an unprivileged user.
GNU/Linux systems are no less exploitable than windows.
Well, that's an interesting belief, but it flies in the face of overwhelming empirical evidence.
The only reason you have a false sense of security now is that you are not a significant enough target for malware authors. When that changes if too many people have the same attitude then there will be a problem.
Right, the old "windows security problems are due solely to its overwhelming popularity" mindset often entertained by the proverbial random "man on the street". It's IMHO a naive viewpoint, since it completely ignores the architectural differences between peecee and unix operating systems. Joe
On Thursday 07 February 2008 12:34, Benji Weber wrote:
...
This is not the case. A browser running as a user can do anything the user is allowed to do.
A browser is just a browser. It can do only the things browsers do. It is not a compiler or a general-purpose computational agent. (JavaScript, while technically Turing-complete, is, when embedded in a browser, extremely limited in what it can do and that amounts to nothing outside the browser itself.)
For example an exploit in the browser or image viewing library which can be exploited through malicious javascript or crafted image could potentially delete all your user files.
Such things do exist. And as I said before, when found, they're fixed, and they're actively sought out by the community of developers and users. No software is free of bugs, but when you have a diligent work force that stays on top of the detection and removal of such defects, you're reasonably safe. (Assuming you apply the fixes as they're made available.)
It could be used to launch a denial of service attack or spam from your machine (no need for root for this). If combined with a local root exploit (which are not uncommon) it could potentially even get root and have full control over the system. Same applies to your mail client, irc client, and other such applications.
Not true. Mail clients can only do what mail clients do. Send and receive mail. IRC clients can only send and receive short text messages via IRC servers. "Other such applications" are likewise limited to doing what they do. Do you know of any attack servers included in any Linux distribution?
This is why it is important to both keep the software up to date, and still not run untrusted code. If you completely ignore security by blindly visiting pages with possible malware on, or running all email attachments etc, even on openSUSE/GNU/Linux you are vulnerable.
Running email attachments? No one is stupid enough to run a binary sent through email from an unknown user, and there's no way on any Linux mail client I know of to have that happen within the mail client itself (unlike Outlook, which can execute certain scripts attached to email messages.)
There are technologies which can help, like apparmor/selinux etc, but these are not yet user friendly enough for desktop users to use.
If you have an ssh server listening on the internet and you watch your logs I would be surprised if you have not noticed brute force attacks. Precautions such as strong passwords and fail2ban are important even for home machines if you run sshd.
Yes. We all do. Many times each week. And unless you're very stupid about how you choose passwords, it's nothing but a minor annoyance.
GNU/Linux systems are no less exploitable than windows. In some respects they are more exploitable due to the more powerful tools they have installed. Windows tends to be fairly locked down by default now.
GNU/Linux systems are FAR less exploitable than windows.
The only reason you have a false sense of security now is that you are not a significant enough target for malware authors. When that changes if too many people have the same attitude then there will be a problem.
What is an appropriate attitude? Either one's computer is connected to a network so its user can avail themselves of the resources of the Internet and, to listen to you, expose one's self to horrors around every corner, or it's not connected, and is then safe, though nearly worthless.
-- Benjamin Weber
Randall Schulz
On Wed, 2008-02-06 at 17:30 -0500, Aaron Kulkis wrote:
Cristian Rodríguez wrote:
Aaron Kulkis wrote:
Quality has definitely declined since 9.3.
And what you are doing to improve it then ? talking and whining is very easy...
When I was in Iraq, getting mortared and rocketed every 12 to 72 hours, fixing SuSE's distro was extremely low on my list of priorities.
Do I recall correctly that you asked for a boxed set to be sent to Iraq?
* Mike McMullin
On Wed, 2008-02-06 at 17:30 -0500, Aaron Kulkis wrote:
Cristian Rodríguez wrote:
Aaron Kulkis wrote: When I was in Iraq, getting mortared and rocketed every 12 to 72 hours, fixing SuSE's distro was extremely low on my list of priorities.
Do I recall correctly that you asked for a boxed set to be sent to Iraq?
That was when he posted the "whining" about openSUSE quality :^) He wasn't concerned in the '60s during the Korean Conflict either, of course there was no openSUSE/SuSE then.... But it's *always* better comparing apples to oranges.... -- Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://counter.li.org
Thursday, 7 February 2008 Randall R Schulz:
On Thursday 07 February 2008 12:34, Benji Weber wrote:
This is not the case. A browser running as a user can do anything the user is allowed to do.
A browser is just a browser. It can do only the things browsers do. It is not a compiler or a general-purpose computational agent.
Randall, for brevity's sake, it can do whatever an ELF LSB executable chooses to in your backyard. You are right, of course: The community has a top track record of finding and solving issues. Distros don't come with trojans and vicious firefox because of that. Great, and nowhere near the outlandish security issues Windows people have seen. So, given the amount of hard work security forums put into linux security, what was good again about repeating over and over "It's safe anyway"? What are you saying? Wolfgang
On Thursday 07 February 2008 14:07, Wolfgang Woehl wrote:
Thursday, 7 February 2008 Randall R Schulz:
On Thursday 07 February 2008 12:34, Benji Weber wrote:
This is not the case. A browser running as a user can do anything the user is allowed to do.
A browser is just a browser. It can do only the things browsers do. It is not a compiler or a general-purpose computational agent.
Randall, for brevity's sake, it can do whatever an ELF LSB executable chooses to in your backyard.
No, that is not so. Can you point me to a known exploit on Firefox (e.g.) that allows execution of arbitrary code? 'Cause that's what you're claiming.
You are right, of course: The community has a top track record of finding and solving issues. Distros don't come with trojans and vicious firefox because of that. Great, and nowhere near the outlandish security issues Windows people have seen.
So, given the amount of hard work security forums put into linux security, what was good again about repeating over and over "It's safe anyway"?
The question is, what's the good of repeating over and over again that Linux is as vulnerable as Windows (a near-absolute falsehood)?
What are you saying?
Let me see if I can phrase this another way: Linux is safe when used intelligently. Intelligent use includes using secure passwords and applying security upgrades when they're made available. Intelligent use excludes running binaries or scripts supplied by unknown individuals. If that's too complicated for someone, they shouldn't be using a computer at all.
Wolfgang
Randall Schulz
On Friday 08 February 2008, Randall R Schulz wrote:
On Thursday 07 February 2008 14:07, Wolfgang Woehl wrote:
Thursday, 7 February 2008 Randall R Schulz:
On Thursday 07 February 2008 12:34, Benji Weber wrote:
This is not the case. A browser running as a user can do anything the user is allowed to do.
A browser is just a browser. It can do only the things browsers do. It is not a compiler or a general-purpose computational agent.
Randall, for brevity's sake, it can do whatever an ELF LSB executable chooses to in your backyard.
No, that is not so. Can you point me to a known exploit on Firefox (e.g.) that allows execution of arbitrary code? 'Cause that's what you're claiming.
You are right, of course: The community has a top track record of finding and solving issues. Distros don't come with trojans and vicious firefox because of that. Great, and nowhere near the outlandish security issues Windows people have seen.
So, given the amount of hard work security forums put into linux security, what was good again about repeating over and over "It's safe anyway"?
The question is, what's the good of repeating over and over again that Linux is as vulnerable as Windows (a near-absolute falsehood)?
What are you saying?
Let me see if I can phrase this another way:
Linux is safe when used intelligently. Intelligent use includes using secure passwords and applying security upgrades when they're made available. Intelligent use excludes running binaries or scripts supplied by unknown individuals.
If that's too complicated for someone, they shouldn't be using a computer at all.
So, are Windows XP or Vista not safe then when used intelligently? --Tero Pesonen
On Thursday 07 February 2008 14:39, Tero Pesonen wrote:
...
Linux is safe when used intelligently. Intelligent use includes using secure passwords and applying security upgrades when they're made available. Intelligent use excludes running binaries or scripts supplied by unknown individuals.
If that's too complicated for someone, they shouldn't be using a computer at all.
So, are Windows XP or Vista not safe then when used intelligently?
I'd say they mostly are, but the definition for "used intelligently" would be quite a bit longer and more complicated.
--Tero Pesonen
Randall Schulz
Tero Pesonen wrote:
On Friday 08 February 2008, Randall R Schulz wrote:
Linux is safe when used intelligently. Intelligent use includes using secure passwords and applying security upgrades when they're made available. Intelligent use excludes running binaries or scripts supplied by unknown individuals.
If that's too complicated for someone, they shouldn't be using a computer at all.
So, are Windows XP or Vista not safe then when used intelligently?
IMHO using a microsoft operating system intelligently (is there an oxymoron here?) involves a number of additional restrictions and caveats, as well as extra costs, as compared to using linux intelligently, which is OTOH fairly straightforward. Joe
On Thursday 07 February 2008 02:39:30 pm Tero Pesonen wrote:
Linux is safe when used intelligently. Intelligent use includes using secure passwords and applying security upgrades when they're made available. Intelligent use excludes running binaries or scripts supplied by unknown individuals.
If that's too complicated for someone, they shouldn't be using a computer at all.
So, are Windows XP or Vista not safe then when used intelligently?
By design, no.
Thursday, 7 February 2008 Randall R Schulz:
On Thursday 07 February 2008 14:07, Wolfgang Woehl wrote:
Randall, for brevity's sake, it can do whatever an ELF LSB executable chooses to in your backyard.
No, that is not so. Can you point me to a known exploit on Firefox (e.g.) that allows execution of arbitrary code? 'Cause that's what you're claiming.
I'm saying any app could. Minus app-armored (or the likes) stuff. Why do you think app-armor came about in the first place?
The question is, what's the good of repeating over and over again that Linux is as vulnerable as Windows (a near-absolute falsehood)?
Randall? Almost no one is saying anything like that over and over. Quite the contrary. Which is what got me into this thread.
Linux is safe when used intelligently.
"I'm a linux user, I click on anything i feel like" sounds intelligent to you? Get out of here :)
If that's too complicated for someone, they shouldn't be using a computer at all.
True. But -- reality check -- not done. Actually I think we're not far apart in the assessment of linux security. Strong, responsive security communities, good upstream links, peer-review, all that. In that light it leaves me baffled though that people keep on downsizing this huge effort by saying "It's safe anyway". Wolfgang
Wolfgang Woehl wrote:
"I'm a linux user, I click on anything i feel like" sounds intelligent to you? Get out of here :)
I'm not overly concerned with sounding intelligent, but do please provide a link that you think would be dangerous for me, as a linux user, to click on. Please. If you can come up with anything meaningful, anything at all, I'll bow to your superior knowledge.
In that light it leaves me baffled though that people keep on downsizing this huge effort by saying "It's safe anyway".
I think you're creating a false "straw man" position and then attacking the straw man. Nobody has said "it's safe anyway", but they are saying "it's safer because..." Joe
On Friday 08 February 2008, Sloan wrote:
Tero Pesonen wrote:
On Friday 08 February 2008, Randall R Schulz wrote:
Linux is safe when used intelligently. Intelligent use includes using secure passwords and applying security upgrades when they're made available. Intelligent use excludes running binaries or scripts supplied by unknown individuals.
If that's too complicated for someone, they shouldn't be using a computer at all.
So, are Windows XP or Vista not safe then when used intelligently?
IMHO using a microsoft operating system intelligently (is there an oxymoron here?) involves a number of additional restrictions and caveats, as well as extra costs, as compared to using linux intelligently, which is OTOH fairly straightforward.
Joe
I don't think running Windows XP on a desktop securely is rocket science. My parents have pulled off such a feat -- they've never had any security issues, and of the people I know, they are the least computer literate. My brother is now on OS X, but not because of security issues. He just wanted a better computer with a better OS than what his XP-powered Wintel box was. Maybe securing a desktop Linux system is easier. However, as long as it is not difficult as such on the other side, security is not a selling point. I've talked about security and Linux to Windows users. What they say is: I do not need "better" or "more" security, since security is a non-issue to begin with. If, on the other hand, OpenOffice or MS Office became magically easier to use once run on Linux, then they might become interested. Money? Well someone who buys a branded PC typically already pays for security apps etc. which bring added costs. Putting Linux on that hardware at home won't make the money they already paid for the Windows OS and Norton etc. stuff to be returned. Windows machines are now so cheap that money seems no longer to be a motivator that would work in favour of "Linux at home." Even computer magazines no longer write about Linux being free. It seems irrelevant. They write about Linux as an equal "choice" on the desktop, and not as something that is geeky yet free. (as they used to.) That's what I've gathered. Tero Pesonen
On Thursday 07 February 2008 14:58, Wolfgang Woehl wrote:
Thursday, 7 February 2008 Randall R Schulz:
On Thursday 07 February 2008 14:07, Wolfgang Woehl wrote:
Randall, for brevity's sake, it can do whatever an ELF LSB executable chooses to in your backyard.
No, that is not so. Can you point me to a known exploit on Firefox (e.g.) that allows execution of arbitrary code? 'Cause that's what you're claiming.
I'm saying any app could. Minus app-armored (or the likes) stuff. ...
That is manifestly false. It takes an explicit vulnerability for this to happen. The classic one is unchecked overflow of a buffer allocated on the stack, making possible _in principle_ the crafting of an exploit that allows execution of arbitrary code. But a number of things have to happen just wrong to even allow the possibility of doing anything other than making the application crash outright.
... Why do you think app-armor came about in the first place?
And don't ask me why someone wants to invent a big complicated piece of software to try to secure programs after the fact. Security cannot come from outside and it cannot be achieved as an afterthought.
The question is, what's the good of repeating over and over again that Linux is as vulnerable as Windows (a near-absolute falsehood)?
Randall? Almost no one is saying anything like that over and over. Quite the contrary. Which is what got me into this thread.
Then you're not following this thread and the statements made herein and to which I was referring (I thought obviously enough).
Linux is safe when used intelligently.
"I'm a linux user, I click on anything i feel like" sounds intelligent to you? Get out of here :)
Again, you're not really following what's been said here. That was stated explicitly in reference to URLs in a browser, not any arbitrary piece of script or binary executable that someone might have managed to send you via email.
If that's too complicated for someone, they shouldn't be using a computer at all.
True. But -- reality check -- not done.
SEP!
Actually I think we're not far apart in the assessment of linux security. Strong, responsive security communities, good upstream links, peer-review, all that.
In that light it leaves me baffled though that people keep on downsizing this huge effort by saying "It's safe anyway".
Wolfgang
Randall Schulz
Freitag, 8. Februar 2008 Sloan:
Wolfgang Woehl wrote:
"I'm a linux user, I click on anything i feel like" sounds intelligent to you? Get out of here :)
I'm not overly concerned with sounding intelligent, but do please provide a link that you think would be dangerous for me, as a linux user, to click on. Please.
Sloan, I was referring to an attitude that is potentially dangerous. Not to current incidents, all right? Did you actually read this thread? Wolfgang
Wolfgang Woehl wrote:
Sloan, I was referring to an attitude that is potentially dangerous. Not to current incidents, all right? Did you actually read this thread?
Naturally I've been reading it. I've also commented on it, as a long time unix admin and desktop linux user. Regards, Joe
On Thursday 07 February 2008 16:30, Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Sloan:
Wolfgang Woehl wrote:
"I'm a linux user, I click on anything i feel like" sounds intelligent to you? Get out of here :)
I'm not overly concerned with sounding intelligent, but do please provide a link that you think would be dangerous for me, as a linux user, to click on. Please.
Sloan, I was referring to an attitude that is potentially dangerous. Not to current incidents, all right? Did you actually read this thread?
Joe is the person who originally said: -==--==--==--==--==--==--==--==--==--==--==--==--==--==--==- On Wednesday 06 February 2008 12:59, Sloan wrote:
Philippe Landau wrote:
...
I almost never click on a tinyurl as i don't know what it hides.
I'm a linux user, I click on anything i feel like, without fear or viruses or spyware ;)
Joe -==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-
Wolfgang
It is you who appear not to have read the full exchange. Randall Schulz
Freitag, 8. Februar 2008 Randall R Schulz:
That is manifestly false. It takes an explicit vulnerability for this to happen. The classic one is unchecked overflow of a buffer
Any given nasty application would need 1 system call to remove your homedir. Call that "unfair" or "vulnerability", whatever. How you would run into such a nasty app is another story. But isn't saying that you couldn't a bit over-optimistic? Wolfgang
On Thursday 07 February 2008 16:48, Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Randall R Schulz:
That is manifestly false. It takes an explicit vulnerability for this to happen. The classic one is unchecked overflow of a buffer
Any given nasty application would need 1 system call to remove your homedir. Call that "unfair" or "vulnerability", whatever.
You cannot be serious about this! Are you? A program is what it is, not a general-purpose execution agent for whomever launches it.
How you would run into such a nasty app is another story. But isn't saying that you couldn't a bit over-optimistic?
We're talking about _specific_ applications. Firefox, Thunderbird, KMail, not some nebulous, ominous, evil, random bit of executable code supplied by Dr. Evil and willingly executed by J. Random Naive User. Get real!
Wolfgang
Randall Schulz
Sloan wrote:
Wolfgang Woehl wrote:
Aaron Kulkis:
Sloan wrote:
Philippe Landau wrote:
I almost never click on a tinyurl as i don't know what it hides.
I'm a linux user, I click on anything i feel like, without fear or viruses or spyware ;)
Same here.
Security by insignificance? I'd consider getting rid of that habit whenever it will be judged by interested parties that linux desktops now ranged in the significant amounts. Or your specific box gets to be judged significant.
It always seems the "man in the street" assumes that microsoft suffers from such chronic security woes only because of the overwhelming popularity of ms windows, and doesn't consider that script kiddies are just taking the low hanging fruit, the easy target.
In actuality, MS Windows and other products suffer chronic security problems because MS deliberately places backdoors in their products. Ever notice how it sometimes takes MONTHS between when a windows security problem is first reported, and when the problem is finally admitted, right as they are releasing the patch? That's because sometimes it takes that long to not only close the backdoor which the crackers have discovered, but to ALSO *CREATE* A NEW BACKDOOR so that they can continue monitoring (and spying upon) the customer base.
I've been using unix too long to be scared by the "viruses are coming, be afraid" crowd. Sure, it's possible to exploit certain scenarios on linux and other unix-like systems, but by the nature of the design it's not as straightforward and simple as infecting a peecee operating system.
Yep. See above. Unix and Linux are written with the idea that multiple users will be logged in at the same time, that all of them are creative, but not infallible programmers, and the system must be resilient enough to prevent any user's faulty code from crashing or destroying the whole system. This is the basis of the *nix security model. Windows is written with the idea that everybody is perfect, and nothing bad or unexpected happens -- EVER. This is why Windows doesn't really have a security model.
Prudence and reasonable security measures are appropriate for linux users - blind paranoia is not.
Joe
Benji Weber wrote:
On 07/02/2008, Mike wrote:
The notion that malware on linux was technically not feasible is highly irrational. I think experienced senior linux users shouldn't keep on spreading this deceptive mantra. You should know better. Why is it irrational? I disagree with that statement. Unless you can of course show me an attachment that auto-executes under linux.
Malware is not entirely about root, remember? John Doe user accounts with dsl pipes, privacy breaches, Apps-can-do-all etc. You know the list. No, it's not all about root. But it is about doing something stupid. There's no other way to describe it. First it has to be downloaded/saved. Then it has to be made executable. Then it has to be run. If all three things are done, then yes, you have a problem. But it's a three step process.
This is not the case. A browser running as a user can do anything the user is allowed to do. For example an exploit in the browser or image viewing library which can be exploited through malicious javascript or crafted image could potentially delete all your user files. It could be used to launch a denial of service attack or spam from your machine (no need for root for this). If combined with a local root exploit (which are not uncommon) it could potentially even get root and have full control over the system. Same applies to your mail client, irc client, and other such applications.
This is why it is important to both keep the software up to date, and still not run untrusted code. If you completely ignore security by blindly visiting pages with possible malware on, or running all email attachments etc, even on openSUSE/GNU/Linux you are vulnerable.
There are technologies which can help, like apparmor/selinux etc, but these are not yet user friendly enough for desktop users to use.
If you have an ssh server listening on the internet and you watch your logs I would be surprised if you have not noticed brute force attacks. Precautions such as strong passwords and fail2ban are important even for home machines if you run sshd.
GNU/Linux systems are no less exploitable than windows. In some respects they are more exploitable due to the more powerful tools they have installed. Windows tends to be fairly locked down by default now.
The only reason you have a false sense of security now is that you are not a significant enough target for malware authors. When that changes if too many people have the same attitude then there will be a problem.
Worst-case scenario is loss of personal data, and/or run-away process which consumes resources (memory or disk space if not constrained by ulimit or quota) until there's a system crash. What you WON'T have to do is reinstall the whole system. You see...the whole Unix security model PRESUMED that a user might (either unintentionally or intentionally) write and/or execute a run-away process which could be destructive. Write-permissions (or lack of them) prevent the process from doing damage to anything other than the user's own personal files.
On Thursday 07 February 2008 04:48:00 pm Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Randall R Schulz:
That is manifestly false. It takes an explicit vulnerability for this to happen. The classic one is unchecked overflow of a buffer
Any given nasty application would need 1 system call to remove your homedir. Call that "unfair" or "vulnerability", whatever.
How you would run into such a nasty app is another story. But isn't saying that you couldn't a bit over-optimistic?
Okay: I've read enough of this tit-for-tat. Here's the fact: Any OS can be vulnerable to an attack. I've actually written a sample buffer overflow that gained me (or rather my code) root access from a non-privileged account right on my SUSE 9.3 system. (I got the code from the February 2005 issue of Linux Magazine.) The difference between Linux and the legacy OS's like Wintendo is that the buffer overflow would have a very difficult time spreading in the wild. IIRC, there was a virus released for *nix in '97 or '98 but it quickly perished.
Mike McMullin wrote:
On Wed, 2008-02-06 at 17:30 -0500, Aaron Kulkis wrote:
Cristian Rodríguez wrote:
Aaron Kulkis escribió:
Quality has definitely declined since 9.3. And what you are doing to improve it then ? talking and whining is very easy...
When I was in Iraq, getting mortared and rocketed every 12 to 72 hours, fixing SuSE's distro was extremely low on my list of priorities.
Do I recall correctly that you asked for a boxed set to be sent to Iraq?
No. Just before my mobilization began in April 2006, I had purchased 10.0 in the store. Then in August 2006, after we finished our pre-deployment training, we had a 4-day pass to go home and visit for a bit before getting deployed... which is when I found 10.1 on the shelf (put together by some outfit like Walnut Creek or something). I installed 10.1 in a tent in Kuwait (thank God we had electricity and air conditioning!)
Tero Pesonen wrote:
On Friday 08 February 2008, Randall R Schulz wrote:
On Thursday 07 February 2008 14:07, Wolfgang Woehl wrote:
If that's too complicated for someone, they shouldn't be using a computer at all.
So, are Windows XP or Vista not safe then when used intelligently?
YES. They are NOT SAFE even when used intelligently.
--Tero Pesonen
On Thursday 07 February 2008 05:23:28 pm Tero Pesonen wrote:
Money? Well some one who buys a branded PC typically already pays for security apps etc. which bring added costs. Putting Linux on that hardware at home won't make the money they already paid for the Windows OS and Norton etc. stuff to be returned.
Something is missing. Most of security applications are trials, so you have to shell out money. Then next year comes subscription and in few years it adds up to amount for a new computer. Windows security is rather expensive must have. The only reason that it doesn't look bad is that it doesn't come at once. Say XY Internet Security, if it costs only $40.- after 10 years it is $400.- and with 2 computers to protect it is enough for 3rd computer. Besides it uses computer resources so you need better computer ie. more money than for Linux box to have the same computational power for your tasks. -- Regards, Rajko. See http://en.opensuse.org/Portal
Rajko M. wrote:
Something is missing. Most of security applications are trials, so you have to shell out money. Then next year comes subscription and in few years it adds up to amount for a new computer. Windows security is rather expensive must have. The only reason that it doesn't look bad is that it doesn't come at once.
Free versions are available. Although I haven't needed it personally, lots of folks swear by AVG. My ISP is Comcast.net, so I have the McAfee suite available for my Windows boxes, at no additional charge. At work, we have a site license for Symantec AV. I'm sure the per-computer price for that is quite low. So yes, the subscription cost for AV is an issue for some -- but by no means for all Windows users. (My comments should not be seen as a preference for -- or an apology for -- Windows, by the way. I earn a good living writing software for it, but where I have a personal choice, I prefer to run with openSuSE.)
Randall R Schulz wrote:
There are technologies which can help, like apparmor/selinux etc, but these are not yet user friendly enough for desktop users to use.
If you have an ssh server listening on the internet and you watch your logs I would be surprised if you have not noticed brute force attacks. Precautions such as strong passwords and fail2ban are important even for home machines if you run sshd.
Yes. We all do. Many times each week. And unless you're very stupid about how you choose passwords, it's nothing but a minor annoyance.
One thing I haven't seen mentioned is using public key authentication. No amount of password guessing will get you into a system that doesn't use passwords for access. I have allowed only ssh and OpenVPN through my firewall and neither uses passwords. I've also got my WiFi outside of the firewall and it uses WPA2, in addition to requiring ssh or OpenVPN to reach my network. -- Use OpenOffice.org http://www.openoffice.org
Tero Pesonen wrote:
If that's too complicated for someone, they shouldn't be using a computer at all.
So, are Windows XP or Vista not safe then when used intelligently?
--Tero Pesonen
There are a number of flaws in the basic design of Windows that makes it more difficult to secure. One was a result of the "browser wars". When Netscape sued Microsoft for forced bundling of IE, Microsoft claimed that IE couldn't be removed because it was part of the OS. At that time, it was simply another app, like Netscape. However, with the next Windows version, IE was deeply embedded in the kernel, using many common files etc. The result of this, was a security breach in IE became a breach in the kernel. There are many other examples, from the technical perspective about why Windows is inherently less secure. Ever notice how many Windows apps require a user to run with admin rights? -- Use OpenOffice.org http://www.openoffice.org
James Knott wrote:
Tero Pesonen wrote:
If that's too complicated for someone, they shouldn't be using a computer at all.
So, are Windows XP or Vista not safe then when used intelligently?
--Tero Pesonen
There are a number of flaws in the basic design of Windows that makes it more difficult to secure. One was a result of the "browser wars". When Netscape sued Microsoft for forced bundling of IE, Microsoft claimed that IE couldn't be removed because it was part of the OS. At that time, it was simply another app, like Netscape. However, with the next Windows version, IE was deeply embedded in the kernel, using many common files etc. The result of this, was a security breach in IE became a breach in the kernel. There are many other examples, from the technical perspective about why Windows is inherently less secure. Ever notice how many Windows apps require a user to run with admin rights?
If you are using the Home Edition you have no other choice except to run it with Administrator rights. Ciao. -- Past experience, if not forgotten, is a guide for the future.
Wolfgang Woehl wrote:
Aaron Kulkis:
Sloan wrote:
Philippe Landau wrote:
I almost never click on a tinyurl as i don't know what it hides. I'm a linux user, I click on anything i feel like, without fear or viruses or spyware ;) Same here.
Security by insignificance? I'd consider getting rid of that habit whenever it will be judged by interested parties that linux desktops now ranged in the significant amounts. Or your specific box gets to be judged significant.
Linux being based on Unix incorporates the Unix security model. The Unix security model EXPECTS hostile code to be run on the system. The design is for a multi-user system, and even assuming that all users are both legitimate AND use the system in good faith, it assumes that not all programmers are perfect, and that accidents DO in fact happen. That's what all of the read/write/execute permissions are about. And THAT is what keeps me and my system safe.
The notion that malware on linux was technically not feasible is highly irrational. I think experienced senior linux users shouldn't keep on spreading this deceptive mantra. You should know better.
The primary threat is the buffer-overflow problem, which was demonstrated so devastatingly in 1987 by the Morris Worm. We learned our lesson then about the use of strcat() instead of strncat(), and other similarly unlimited writes into stack space (or other memory for that matter).
Malware is not entirely about root, remember? John Doe user accounts with dsl pipes, privacy breaches, Apps-can-do-all etc. You know the list.
All of which STILL execute within the chains of R/W/X permissions. That's WHAT THEY ARE THERE FOR.
I think it'd be good long-term practice to rather gossip about sound and decent security awareness. On any desktop.
You truly don't know what you're talking about. Go buy AND READ "The Design of the Unix Operating System" by Maurice J. Bach. I paid $80 or so for the 3rd edition in the 1980's. Used copies of the 4th edition are now available for the paltry sum of $15 or so.
Be good, Wolfgang
Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Sloan:
Wolfgang Woehl wrote:
"I'm a linux user, I click on anything i feel like" sounds intelligent to you? Get out of here :)
I'm not overly concerned with sounding intelligent, but do please provide a link that you think would be dangerous for me, as a linux user, to click on. Please.
Sloan, I was referring to an attitude that is potentially dangerous. Not to current incidents, all right? Did you actually read this thread?
Do you actually understand how silly you sound to anyone who actually understands the Unix and Linux security model?
Wolfgang
Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Randall R Schulz:
That is manifestly false. It takes an explicit vulnerability for this to happen. The classic one is unchecked overflow of a buffer
Any given nasty application would need 1 system call to remove your homedir. Call that "unfair" or "vulnerability", whatever.
And that's going to happen by browsing a web page how, exactly?
How you would run into such a nasty app is another story. But isn't saying that you couldn't a bit over-optimistic?
Not through a web browser, no.
Wolfgang
Kai Ponte wrote:
On Thursday 07 February 2008 04:48:00 pm Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Randall R Schulz:
That is manifestly false. It takes an explicit vulnerability for this to happen. The classic one is unchecked overflow of a buffer Any given nasty application would need 1 system call to remove your homedir. Call that "unfair" or "vulnerability", whatever.
How you would run into such a nasty app is another story. But isn't saying that you couldn't a bit over-optimistic?
Okay: I've read enough of this tit-for-tat.
Here's the fact: Any OS can be vulnerable to an attack. I've actually written a sample buffer overflow that gained me (or rather my code) root access from a non-privileged account right on my SUSE 9.3 system. (I got the code from the February 2005 issue of Linux Magazine.)
The difference between Linux and the legacy OS's like Wintendo is that the buffer overflow would have a very difficult time spreading in the wild. IIRC, there was a virus released for *nix in '97 or '98 but it quickly perished.
And as I recall, the virus writer used it to patch the very same vulnerability which allowed it to work in the first place.
Sloan wrote:
Wolfgang Woehl wrote:
"I'm a linux user, I click on anything i feel like" sounds intelligent to you? Get out of here :)
I'm not overly concerned with sounding intelligent, but do please provide a link that you think would be dangerous for me, as a linux user, to click on. Please.
I'll take that challenge, too. And I'm running unpatched 10.1
Wolfgang Woehl wrote:
Donnerstag, 7. Februar 2008 Randall R Schulz:
On Thursday 07 February 2008 14:07, Wolfgang Woehl wrote:
Randall, for brevity's sake, it can do whatever an ELF LSB executable chooses to in your backyard. No, that is not so. Can you point me to a known exploit on Firefox (e.g.) that allows execution of arbitrary code? 'Cause that's what you're claiming.
I'm saying any app could.
By what mechanism? Other than *very* *old*, uncorrected code with buffer-overflow vulnerabilities, due to calls to strcat(3) instead of strncat(3), and similar pitfalls which are now very well understood since the first use in the 1987 Morris Worm, you have to provide some hard documentation (i.e. code sections) to make your point here. These days, nobody writing code for Firefox is using strcat(). In fact, I would not be surprised if the dev team had a specific filter written to find any uses of strcat() so that they can be replaced with strncat(), and the same for other, similarly vulnerable buffer copying functions with their -n- sister functions.
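An added example, not part of the original message or of any project's code: the bounded concatenation mentioned above, written out in C. The count passed to strncat() is the number of characters to append, not the size of the destination, so the remaining room has to be computed first; `worst_case_end` and `bounded_append` are hypothetical names and the strings are constructed samples.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Offset one past the last byte that strncat(dst, src, n) writes when dst
 * already holds `used` characters and src is `srclen` characters long.
 * strncat copies at most n characters and then ALWAYS appends a NUL.
 */
size_t worst_case_end(size_t used, size_t srclen, size_t n)
{
    size_t copied = srclen < n ? srclen : n;
    return used + copied + 1;
}

/*
 * Append src to the string in dst, whose total capacity is dstsize bytes.
 * Returns 0 if all of src fit, -1 if it was truncated or if dst was not
 * NUL-terminated inside its buffer. Never writes past dst[dstsize - 1].
 */
int bounded_append(char *dst, size_t dstsize, const char *src)
{
    const char *end = memchr(dst, '\0', dstsize);
    if (end == NULL)
        return -1;                      /* unterminated: leave it untouched */

    size_t used = (size_t)(end - dst);
    size_t room = dstsize - used - 1;   /* free bytes, terminator excluded */

    strncat(dst, src, room);            /* at most room characters + 1 NUL */
    return strlen(src) <= room ? 0 : -1;
}

int main(void)
{
    char path[16] = "/home/user";                  /* constructed: 10 used */
    const char *suffix = "/Documents/notes.txt";   /* constructed: 20 chars */

    /* The common mistake is passing sizeof(path) as the count. */
    printf("strncat(path, suffix, sizeof path) could write up to offset %zu "
           "of a %zu-byte buffer\n",
           worst_case_end(strlen(path), strlen(suffix), sizeof path),
           sizeof path);

    int rc = bounded_append(path, sizeof path, suffix);
    printf("bounded_append returned %d, buffer now \"%s\"\n", rc, path);
    return 0;
}
```

The -1 return matters as much as the bound: a silently truncated path or command is its own class of bug, so callers should treat truncation as an error.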
Tero Pesonen wrote:
On Friday 08 February 2008, Sloan wrote:
Tero Pesonen wrote:
On Friday 08 February 2008, Randall R Schulz wrote:
Linux is safe when used intelligently. Intelligent use includes using secure passwords and applying security upgrades when they're made available. Intelligent use excludes running binaries or scripts supplied by unknown individuals.
If that's too complicated for someone, they shouldn't be using a computer at all. So, are Windows XP or Vista not safe then when used intelligently? IMHO using a microsoft operating system intelligently (is there an oxymoron here?) involves a number of additional restrictions and caveats, as well as extra costs, as compared to using linux intelligently, which is OTOH fairly straightforward.
Joe
I don't think running Windows XP on a desktop securely is rocket science. My parents have pulled off such a feat -- they've never had any security issues, and of the people I know, they are the least computer literate. My brother is now on OS X, but not because of security issues. He just wanted a better computer with a better OS than what his XP-powered Wintel box was.
Your parents are lucky. In Iraq, we had XP machines on a Department of Defence SECURE NETWORK which was completely cut off from the rest of the internet, and they STILL caught viruses.
Maybe securing a desktop Linux system is easier. However, as long as it is not difficult as such on the other side, security is not a selling point. I've talked about security and Linux to Windows users. What they say is: I do not need "better" or "more" security, since security is a non-issue to begin with. If, on the other hand, OpenOffice or MS Office became magically easier to use once run on Linux, then they might become interested.
Money? Well some one who buys a branded PC typically already pays for security apps etc. which bring added costs. Putting Linux on that hardware at home won't make the money they already paid for the Windows OS and Norton etc. stuff to be returned. Windows machines are now so cheap that money seems no longer to be a motivator that would work in favour of "Linux at home." Even computer magazines no longer write about Linux being free. It seems irrelevant. They write about Linux as an equal "choice" on the desktop, and not as something that is geeky yet free. (as they used to.)
We need to break the back of the mandatory bundling of Windows. Personally, I think computers sold retail should have line-item costs, with Windows as a separate cost from the hardware. It's just like payroll taxes deducted out of the paycheck -- what people don't have to explicitly fork over extra money for, they soon forget (if they were ever aware of it in the first place).
Wolfgang Woehl wrote:
In that light it leaves me baffled though that people keep on downsizing this huge effort by saying "It's safe anyway".
I think the bottom line, is that it's far easier to be secure by default in Linux than Windows. There are many security attacks in Windows which either don't exist or are much harder to exploit in Linux. -- Use OpenOffice.org http://www.openoffice.org
Tero Pesonen wrote:
On Friday 08 February 2008, Sloan wrote:
Tero Pesonen wrote:
On Friday 08 February 2008, Randall R Schulz wrote:
Linux is safe when used intelligently. Intelligent use includes using secure passwords and applying security upgrades when they're made available. Intelligent use excludes running binaries or scripts supplied by unknown individuals.
If that's too complicated for someone, they shouldn't be using a computer at all.
So, are Windows XP or Vista not safe then when used intelligently?
IMHO using a microsoft operating system intelligently (is there an oxymoron here?) involves a number of additional restrictions and caveats, as well as extra costs, as compared to using linux intelligently, which is OTOH fairly straightforward.
Joe
I don't think running Windows XP on a desktop securely is rocket science. My parents have pulled off such a feat -- they've never had any security issues, and of the people I know, they are the least computer literate. My brother is now on OS X, but not because of security issues. He just wanted a better computer with a better OS than what his XP-powered Wintel box was.
Do they run as admin or user? Do they have any applications that force them to run as admin?
Maybe securing a desktop Linux system is easier. However, as long as it is not difficult as such on the other side, security is not a selling point. I've talked about security and Linux to Windows users. What they say is: I do not need "better" or "more" security, since security is a non-issue to begin with. If, on the other hand, OpenOffice or MS Office became magically easier to use once run on Linux, then they might become interested.
There are a lot of fundamental flaws in Windows, that create security risks. One is the way IE is tied into the kernel, so that a user app runs in kernel space. The sole reason for this, was so that Microsoft could force IE bundling, as IE was now part of the OS. This goes completely against good software engineering principles and means that problems with the browser become problems with the OS.
That's what I've gathered.
"Security" in Windows comes from patching a sieve. -- Use OpenOffice.org http://www.openoffice.org
Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Randall R Schulz:
That is manifestly false. It takes an explicit vulnerability for this to happen. The classic one is unchecked overflow of a buffer
Any given nasty application would need 1 system call to remove your homedir. Call that "unfair" or "vulnerability", whatever.
How you would run into such a nasty app is another story. But isn't saying that you couldn't a bit over-optimistic?
Wolfgang
Given that /home is owned by root and mere mortals cannot make any changes there, how would that happen, from any app a user could run? If I run some malicious piece of software, the contents of my home directory may be at risk, along with other files I have write permissions for, but not much else. -- Use OpenOffice.org http://www.openoffice.org
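An added example, not from the thread: a simplified C model of the owner/group/other permission check argued about above, applied to constructed ownership and mode values. Removing a directory entry needs write and search permission on the parent directory, which is why a process running as the user can delete what is inside the home directory but cannot remove the entry /home/user itself or modify root-owned files. All names, uids and modes are assumptions for illustration; ACLs, capabilities, the sticky bit and MAC layers such as AppArmor are not modelled.

```c
#include <stdio.h>
#include <sys/types.h>

/* Constructed description of one filesystem object (not read from disk). */
struct node {
    const char *path;
    uid_t owner;
    gid_t group;
    mode_t mode;
};

/* Constructed sample layout: root uid 0, user uid 1000, group "users" 100. */
static const struct node HOME      = { "/home",                0,    0,   0755 };
static const struct node USER_HOME = { "/home/user",           1000, 100, 0755 };
static const struct node NOTES     = { "/home/user/notes.txt", 1000, 100, 0644 };
static const struct node PASSWD    = { "/etc/passwd",          0,    0,   0644 };

/*
 * Classic Unix check. Exactly ONE class is consulted: owner if the uid
 * matches, else group if the gid matches, else other. `want` is a mask of
 * 4 (read), 2 (write), 1 (execute/search).
 */
int class_allows(const struct node *n, uid_t uid, gid_t gid, unsigned want)
{
    unsigned bits;

    if (uid == 0)
        return 1;                       /* root bypasses read/write checks */
    if (uid == n->owner)
        bits = (n->mode >> 6) & 7;
    else if (gid == n->group)
        bits = (n->mode >> 3) & 7;
    else
        bits = n->mode & 7;
    return (bits & want) == want;
}

/* Changing a file's contents needs write permission on the file itself. */
int can_modify_file(const struct node *file, uid_t uid, gid_t gid)
{
    return class_allows(file, uid, gid, 2);
}

/* unlink()/rmdir() change the PARENT directory: write + search needed there. */
int can_remove_entry(const struct node *parent, uid_t uid, gid_t gid)
{
    return class_allows(parent, uid, gid, 2 | 1);
}

int main(void)
{
    uid_t uid = 1000;                   /* the process runs as the user */
    gid_t gid = 100;

    printf("remove entries inside %s: %s\n", USER_HOME.path,
           can_remove_entry(&USER_HOME, uid, gid) ? "allowed" : "denied");
    printf("remove the entry %s from %s: %s\n", USER_HOME.path, HOME.path,
           can_remove_entry(&HOME, uid, gid) ? "allowed" : "denied");
    printf("modify %s: %s\n", NOTES.path,
           can_modify_file(&NOTES, uid, gid) ? "allowed" : "denied");
    printf("modify %s: %s\n", PASSWD.path,
           can_modify_file(&PASSWD, uid, gid) ? "allowed" : "denied");
    return 0;
}
```

The model shows both halves of the argument: the system files are out of reach of a user-level process, while everything the user owns, which is usually the data that matters most, is not.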
On Friday 08 February 2008 07:21, James Knott wrote:
...
There are a lot of fundamental flaws in Windows, that create security risks. One is the way IE is tied into the kernel, so that a user app runs in kernel space.
Do you know this for a fact? If so, how do you know? Where did you learn it? It really is very hard to believe, since it is such a gross violation of the principles of operating system design. I find it hard to believe even Microsoft would commit such a technological travesty for the sake of thwarting a lawsuit or some regulations.
...
Randall Schulz
Randall R Schulz a écrit :
even Microsoft would commit such a technological travesty for the sake of thwarting a lawsuit or some regulations.
fact is many windows applications don't run at all if not used as administrator, and this opens all. I *have* a windows xp box, and I'm administrator on it (and never get a virus, because i'm very cautious, but friends of mine got plenty :-(( jdd -- http://www.dodin.net
Basil Chupin wrote:
James Knott wrote:
Tero Pesonen wrote:
If that's too complicated for someone, they shouldn't be using a computer at all.
So, are Windows XP or Vista not safe then when used intelligently?
--Tero Pesonen
There are a number of flaws in the basic design of Windows that make it more difficult to secure. One was a result of the "browser wars". When Netscape sued Microsoft for forced bundling of IE, Microsoft claimed that IE couldn't be removed because it was part of the OS. At that time, it was simply another app, like Netscape. However, with the next Windows version, IE was deeply embedded in the kernel, using many common files etc. The result of this, was a security breach in IE became a breach in the kernel. There are many other examples, from the technical perspective about why Windows is inherently less secure. Ever notice how many Windows apps require a user to run with admin rights?
If you are using the Home Edition you have no other choice except to run it with Administrator rights.
Is there no way to add another user? I try to convince my friends to create a user account, separate from the admin. It sounds like another security bomb is about to go off. -- Use OpenOffice.org http://www.openoffice.org
* jdd (jdd@dodin.org) [20080208 16:53]:
fact is many windows applications don't run at all if not used as administrator, and this opens all.
Most do run without elevated privileges and the few I've encountered access resources that require elevated privileges. OK, there are a few stupid apps that for instance want to write their .ini file in the installation directory but for those it helps to just adjust the privileges needed to also write to that file. Like with Linux where I do most of the work as normal user, I also do most work on Windows as non-admin user. And now where's the relevance to this ml's subject? Philipp
Philipp Thomas a écrit :
resources that require elevated privileges. OK, there are a few stupid apps that for instance want to write their .ini file in the installation directory
or use the install directory for their default save position (very often, even now) and one can't expect common user to fix this jdd -- http://www.dodin.net
On Friday 08 February 2008 07:52, jdd wrote:
Randall R Schulz a écrit :
even Microsoft would commit such a technological travesty for the sake of thwarting a lawsuit or some regulations.
fact is many windows applications don't run at all if not used as administrator, and this opens all.
Be that as it may, there is a huge difference between running an application (or all applications) with administrative privileges and being a part of the kernel. The former, while something we all know and agree is a bad idea, is not an engineering travesty (it's a security travesty). The latter most certainly is an egregious violation of OS design principles. And while I do think Linux is technologically superior to Windows in very many ways, I don't think MS OS engineers are foolish enough to put application code in the kernel.
...
jdd
Randall Schulz
Randall R Schulz wrote:
On Friday 08 February 2008 07:21, James Knott wrote:
...
There are a lot of fundamental flaws in Windows, that create security risks. One is the way IE is tied into the kernel, so that a user app runs in kernel space.
Do you know this for a fact? If so, how do you know? Where did you learn it?
It really is very hard to believe, since it is such a gross violation of the principles of operating system design. I find it hard to believe even Microsoft would commit such a technological travesty for the sake of thwarting a lawsuit or some regulations.
I have read about it in a couple of different sources, but don't have any handy at the moment. Read up on Netscape vs MS for the why. And does bad software design from Microsoft surprise you? There is certainly no technical reason for them to tie IE so closely to the operating system, yet that is precisely what they claimed. As for other such travesties, read up on Caldera vs Microsoft, which describes how Windows 3.x would test for DR-DOS and then fail with a bogus error message or how MS-CDEX would fail if it found it was running on OS/2, or how Microsoft used extortion against computer vendors (including IBM) who wanted to sell other operating systems, in addition to Windows. Or how when Borland investigated why their app performance was so poor, compared to MS apps, found MS was reserving certain hidden API for themselves, which delivered better performance. There are many reasons why MS has found itself on the losing end of lawsuits. -- Use OpenOffice.org http://www.openoffice.org
James Knott wrote:
Tero Pesonen wrote:
If that's too complicated for someone, they shouldn't be using a computer at all.
So, are Windows XP or Vista not safe then when used intelligently?
--Tero Pesonen
There are a number of flaws in the basic design of Windows that make it more difficult to secure. One was a result of the "browser wars". When Netscape sued Microsoft for forced bundling of IE, Microsoft claimed that IE couldn't be removed because it was part of the OS. At that time, it was simply another app, like Netscape. However, with the next Windows version, IE was deeply embedded in the kernel, using many common files etc. The result of this, was a security breach in IE became a breach in the kernel. There are many other examples, from the technical perspective about why Windows is inherently less secure. Ever notice how many Windows apps require a user to run with admin rights?
Windows NT as originally designed was secure but a combination of inputs from the sales team and the application group compromised what was a reasonably secure design extremely badly. (Essentially Microsoft bought the VMS design team from Digital, and NT originally owed a lot to VMS). The windows 9x/98/Me code stream was really Windows(4?)/MSDOS 7 with the GUI as a compulsory option. Many applications were designed to run on Windows 9x which did not have a security mechanism. One result was that there was additional requirement within many MFC applications that the application needed to be read/write (some types of editable data resources were embedded in the application). This immediately created a security issue (often compounded by issues with 3rd party drivers dropping temporary files in some very odd places). COM the basis of much of the system and application infrastructure originally had no intrinsic security mechanism. IE ActiveX controls are largely COM objects. Subverting a COM driver was a disturbingly easy thing to do. I believe this has since been addressed. Microsoft struggled for years to integrate the NT "Business" code stream with the 9x/Me "Home User" code stream and did not really succeed in any way until XP. On a another note, Novell introduced NDS for NT which effectively replaced the GINA component of NT with NDS based Netware and removed the domain services support (apparently Bill Gates went apoplectic when this happened). Therefore M$ introduced a whole set of checks into the server version of Office to ensure that it would only run with Domain Services support installed. (Domain Services had a much weaker security model than Novell Netware). This in itself created some interesting problems. Add to that the need to support workgroup peer to peer networking for Windows 16/32 bit systems with its truly dodgy security and you have a bit of a mess. Something that could have been quite good undermined by brush salesmen and sloppy program design. 
-- I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup
On Friday 08 February 2008 08:30, James Knott wrote:
Randall R Schulz wrote:
On Friday 08 February 2008 07:21, James Knott wrote:
...
There are a lot of fundamental flaws in Windows, that create security risks. One is the way IE is tied into the kernel, so that a user app runs in kernel space.
Do you know this for a fact? If so, how do you know? Where did you learn it?
It really is very hard to believe, since it is such a gross violation of the principles of operating system design. I find it hard to believe even Microsoft would commit such a technological travesty for the sake of thwarting a lawsuit or some regulations.
I have read about it in a couple of different sources, but don't have any handy at the moment. Read up on Netscape vs MS for the why. And does bad software design from Microsoft surprise you?
Bad design is everywhere, in every discipline. And I do not hold the belief that everything MS does is bad or of poor quality (though Outlook and Exchange are enough to earn them a special place in hell). Nor do I believe all or even most (or even many) of their engineers are unskilled. So yes, this is beyond the pale. No engineer would buy into it. They would have to be dragged kicking and screaming into such a horrible scheme.
There is certainly no technical reason for them to tie IE so closely to the operating system, yet that is precisely what they claimed. ...
Again, "tie closely to the OS" and "tied into the kernel" _are NOT the same thing_! You said IE code is in the kernel. I'm still not ready to believe that.
...
Randall Schulz
Randall R Schulz wrote:
On Friday 08 February 2008 07:52, jdd wrote:
Randall R Schulz a écrit :
even Microsoft would commit such a technological travesty for the sake of thwarting a lawsuit or some regulations.
fact is many windows applications don't run at all if not used as administrator, and this opens all.
Be that as it may, there is a huge difference between running an application (or all applications) with administrative privileges and being a part of the kernel. The former, while something we all know and agree is a bad idea, is not an engineering travesty (it's a security travesty). The latter most certainly is an egregious violation of OS design principles. And while I do think Linux is technologically superior to Windows in very many ways, I don't think MS OS engineers are foolish enough to put application code in the kernel.
Here's some Wikipedia stuff on it. My impression is that there are a lot of good employees at Microsoft who want to do the right thing, including the engineers, but they get overruled by Bill & Steve, if for competitive advantage. http://en.wikipedia.org/wiki/United_States_v._Microsoft -- Use OpenOffice.org http://www.openoffice.org
On Friday 08 February 2008 08:40, James Knott wrote:
...
Here's some Wikipedia stuff on it. My impression is that there are a lot of good employees at Microsoft who want to do the right thing, including the engineers, but they get overruled by Bill & Steve, if for competitive advantage.
The word "kernel" does not even appear on that page. I don't usually like to get in to debates on lexical semantics, but in this case, the claim was that IE was incorporated into the _kernel_, not "the operating system," and this means something specific. Randall Schulz
On Friday 08 February 2008 17:31, G T Smith wrote:
Windows NT as originally designed was secure but a combination of inputs from the sales team and the application group compromised what was a reasonably secure design extremely badly. (Essentially Microsoft bought the VMS design team from Digital, and NT originally owed a lot to VMS). The windows 9x/98/Me code stream was really Windows(4?)/MSDOS 7 with the GUI as a compulsory option.
According to several folks, including IBM, Windows NT (new Technology) was a rebrand of OS/2 v3.0 when IBM and Microsoft parted ways. One link is http://www.os2bbs.com/os2news/OS2History.html . I have a feeling that somewhere along the line, someone decided to combine VMS and OS/2 and see what happened. For years, all the incarnations of NT from 3.5 to 2000 had a directory under system called os2. I'd have to look at work, but I think the only file in that directory is os2.dll. I once deleted it just for fun, and the system ground to a halt. But I think that was NT4, and has since been fixed. Mike -- Powered by SuSE 10.0 Kernel 2.6.13 X86_64 KDE 3.4 Kmail 1.8 5:49pm up 176 days 22:22, 5 users, load average: 2.20, 2.19, 2.18
Randall R Schulz wrote:
I don't usually like to get in to debates on lexical semantics,
Please feel free, but please do so on the OT list :) Thanks, Dave
Mike wrote:
On Friday 08 February 2008 17:31, G T Smith wrote:
Windows NT as originally designed was secure but a combination of inputs from the sales team and the application group compromised what was a reasonably secure design extremely badly. (Essentially Microsoft bought the VMS design team from Digital, and NT originally owed a lot to VMS). The windows 9x/98/Me code stream was really Windows(4?)/MSDOS 7 with the GUI as a compulsory option.
According to several folks, including IBM, Windows NT (new Technology) was a rebrand of OS/2 v3.0 when IBM and Microsoft parted ways. One link is http://www.os2bbs.com/os2news/OS2History.html . I have a feeling that somewhere along the line, someone decided to combine VMS and OS/2 and see what happened.
For years, all the incarnations of NT from 3.5 to 2000 had a directory under system called os2. I'd have to look at work, but I think the only file in that directory is os2.dll. I once deleted it just for fun, and the system ground to a halt. But I think that was NT4, and has since been fixed.
Mike
Back in those days, NT etc. had an OS/2 subsystem, which could be used to run text mode 16 bit OS/2 apps. I even tried HyperAccess on it and while it would run, it did so poorly. NT had it, XP doesn't and I'm not sure about W2000. -- Use OpenOffice.org http://www.openoffice.org
On Friday 08 February 2008 09:05, Dave Howorth wrote:
Randall R Schulz wrote:
I don't usually like to get in to debates on lexical semantics,
Please feel free, but please do so on the OT list :)
I don't consider this exchange off-topic. RRS
On Friday 08 February 2008 18:11, James Knott wrote:
Mike wrote:
On Friday 08 February 2008 17:31, G T Smith wrote:
Windows NT as originally designed was secure but a combination of inputs from the sales team and the application group compromised what was a reasonably secure design extremely badly. (Essentially Microsoft bought the VMS design team from Digital, and NT originally owed a lot to VMS). The windows 9x/98/Me code stream was really Windows(4?)/MSDOS 7 with the GUI as a compulsory option.
According to several folks, including IBM, Windows NT (new Technology) was a rebrand of OS/2 v3.0 when IBM and Microsoft parted ways. One link is http://www.os2bbs.com/os2news/OS2History.html . I have a feeling that somewhere along the line, someone decided to combine VMS and OS/2 and see what happened.
For years, all the incarnations of NT from 3.5 to 2000 had a directory under system called os2. I'd have to look at work, but I think the only file in that directory is os2.dll. I once deleted it just for fun, and the system ground to a halt. But I think that was NT4, and has since been fixed.
Mike
Back in those days, NT etc. had an OS/2 subsystem, which could be used to run text mode 16 bit OS/2 apps. I even tried HyperAccess on it and while it would run, it did so poorly. NT had it, XP doesn't and I'm not sure about W2000.
I know it's on 2000, and just looked at XP which doesn't like you said. I guess they finally figured out how to write code to replace it. I remember running Win3.x programs on OS/2 and always having to update the .dll's after M$ changed the API. I did some further reading, and VMS is in there somewhere. The guy that M$ hired was from VMS and didn't think too much of OS/2. One thing I've noticed is that when there is an NTFS partition to be mounted, I see it as hpfs/ntfs. I liked hpfs because it worked. I don't remember defragging it. But once M$ started screwing with it, you had to do it. Not as often as FAT, but it still needs to be done. Either way, it's still a crappy OS. BSOD is the screen of the day. When it goes, it goes quickly. Mike -- Powered by SuSE 10.0 Kernel 2.6.13 X86_64 KDE 3.4 Kmail 1.8 6:13pm up 176 days 22:45, 5 users, load average: 2.07, 2.14, 2.15
Mike wrote:
On Friday 08 February 2008 17:31, G T Smith wrote:
Windows NT as originally designed was secure but a combination of inputs from the sales team and the application group compromised what was a reasonably secure design extremely badly. (Essentially Microsoft bought the VMS design team from Digital, and NT originally owed a lot to VMS). The windows 9x/98/Me code stream was really Windows(4?)/MSDOS 7 with the GUI as a compulsory option.
According to several folks, including IBM, Windows NT (new Technology) was a rebrand of OS/2 v3.0 when IBM and Microsoft parted ways. One link is http://www.os2bbs.com/os2news/OS2History.html . I have a feeling that somewhere along the line, someone decided to combine VMS and OS/2 and see what happened.
For years, all the incarnations of NT from 3.5 to 2000 had a directory under system called os2. I'd have to look at work, but I think the only file in that directory is os2.dll. I once deleted it just for fun, and the system ground to a halt. But I think that was NT4, and has since been fixed.
Mike
I remember OS/2 as a bit of a cripple when it first came out, (I was tasked with writing a GUI graphics editor to edit greyscale photographic images which proved to be a little difficult as the colour support API basically was not implemented when it was first released). However this link is a bit interesting on OS history... http://www.oshistory.net/metadot/index.pl From this it appears that NT 3.1 was an amalgam of VMS 5.4, Windows 3.0 and OS/2 2.1.1 SE Oddly SuSE appears not to have a history according to the Linux section :-) -- I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup
Mike wrote:
On Friday 08 February 2008 18:11, James Knott wrote:
Mike wrote:
On Friday 08 February 2008 17:31, G T Smith wrote:
Windows NT as originally designed was secure but a combination of inputs from the sales team and the application group compromised what was a reasonably secure design extremely badly. (Essentially Microsoft bought the VMS design team from Digital, and NT originally owed a lot to VMS). The windows 9x/98/Me code stream was really Windows(4?)/MSDOS 7 with the GUI as a compulsory option.
According to several folks, including IBM, Windows NT (new Technology) was a rebrand of OS/2 v3.0 when IBM and Microsoft parted ways. One link is http://www.os2bbs.com/os2news/OS2History.html . I have a feeling that somewhere along the line, someone decided to combine VMS and OS/2 and see what happened.
For years, all the incarnations of NT from 3.5 to 2000 had a directory under system called os2. I'd have to look at work, but I think the only file in that directory is os2.dll. I once deleted it just for fun, and the system ground to a halt. But I think that was NT4, and has since been fixed.
Mike
Back in those days, NT etc. had an OS/2 subsystem, which could be used to run text mode 16 bit OS/2 apps. I even tried HyperAccess on it and while it would run, it did so poorly. NT had it, XP doesn't and I'm not sure about W2000.
I know it's on 2000, and just looked at XP which doesn't like you said. I guess they finally figured out how to write code to replace it. I remember running Win3.x programs on OS/2 and always having to update the .dll's after M$ changed the API. I did some further reading, and VMS is in there somewhere. The guy that M$ hired was from VMS and didn't think too much of OS/2.
Those changing .DLL's were attempts by MS to prevent apps from running on OS/2 and in many cases also caused problems for Windows users, when one app was expecting an older DLL, only to find it had been replaced by a newer one.
One thing I've noticed is that when there is an NTFS partition to be mounted, I see it as hpfs/ntfs. I liked hpfs because it worked. I don't remember defragging it. But once M$ started screwing with it, you had to do it. Not as often as FAT, but it still needs to be done.
I suspect that sector ID number was intentional, to cause confusion.
Either way, it's still a crappy OS. BSOD is the screen of the day. When it goes, it goes quickly.
My work computer (XP) never does anything quickly. It takes five minutes from log in to almost usable desktop. -- Use OpenOffice.org http://www.openoffice.org
On Friday 08 February 2008 18:34, G T Smith wrote:
For years, all the incarnations of NT from 3.5 to 2000 had a directory under system called os2. I'd have to look at work, but I think the only file in that directory is os2.dll. I once deleted it just for fun, and the system ground to a halt. But I think that was NT4, and has since been fixed.
Mike
I remember OS/2 as a bit of a cripple when it first came out, (I was tasked with writing a GUI graphics editor to edit greyscale photographic images which proved to be a little difficult as the colour support API basically was not implemented when it was first released).
I didn't get to work with it until the 3.0 days. I'd been fighting with Win3.x and was so mad because it wouldn't multi-task. Well, it would, but if one program crashed it took out the entire thing. Once I started with OS/2 I could run a lot of programs at once and not worry about crashes.
However this link is a bit interesting on OS history...
http://www.oshistory.net/metadot/index.pl
From this it appears that NT 3.1 was an amalgam of VMS 5.4, Windows 3.0 and OS/2 2.1.1 SE
Well, there ya go. ;-) They probably took the worst of all three and put it together. I never ran the first incantation of NT, but did have the "privilege" of running NT 3.51. It would run for a while, and then die. About the only one I've used that's stable is 2000.
Oddly SuSE appears not to have a history according to the Linux section
Hmm. Interesting. I know that it started out from what I've heard as a derivative of Slackware. But I didn't start with it until 5.3 back in 1998. Mike -- Powered by SuSE 10.0 Kernel 2.6.13 X86_64 KDE 3.4 Kmail 1.8 6:40pm up 176 days 23:12, 5 users, load average: 2.09, 2.14, 2.15
James Knott wrote:
Wolfgang Woehl wrote:
In that light it leaves me baffled though that people keep on downsizing this huge effort by saying "It's safe anyway".
I think the bottom line, is that it's far easier to be secure by default in Linux than Windows. There are many security attacks in Windows which either don't exist or are much harder to exploit in Linux.
To more concisely summarize: To be safe on Windows, even the extremely cautious still suffer successful attacks all too frequently. (I know, because I've seen it happen even on US Department of Defence network which is very secure and completely isolated from the internet which we are using here). In contrast, with Linux, even a carefree lack of caution on the part of the user will rarely result in a successful attack on a properly configured machine -- that generally requires downright stupidity by the user (download virus.tar; tar xvf virus.tar; ./virus/virus).
James Knott wrote:
Tero Pesonen wrote:
On Friday 08 February 2008, Sloan wrote:
Tero Pesonen wrote:
On Friday 08 February 2008, Randall R Schulz wrote:
Linux is safe when used intelligently. Intelligent use includes using secure passwords and applying security upgrades when they're made available. Intelligent use excludes running binaries or scripts supplied by unknown individuals.
If that's too complicated for someone, they shouldn't be using a computer at all.
So, are Windows XP or Vista not safe then when used intelligently?
IMHO using a microsoft operating system intelligently (is there an oxymoron here?) involves a number of additional restrictions and caveats, as well as extra costs, as compared to using linux intelligently, which is OTOH fairly straightforward.
Joe
I don't think running Windows XP on a desktop securely is rocket science. My parents have pulled off such a feat -- they've never had any security issues, and of the people I know, they are the least computer literate. My brother is now on OS X, but not because of security issues. He just wanted a better computer with a better OS than what his XP-powered Wintel box was.
Do they run as admin or user? Do they have any applications that force them to run as admin?
Maybe securing a desktop Linux system is easier. However, as long as it is not difficult as such on the other side, security is not a selling point. I've talked about security and Linux to Windows users. What they say is: I do not need "better" or "more" security, since security is a non-issue to begin with. If, on the other hand, OpenOffice or MS Office became magically easier to use once run on Linux, then they might become interested.
There are a lot of fundamental flaws in Windows, that create security risks. One is the way IE is tied into the kernel, so that a user app runs in kernel space. The sole reason for this, was so that Microsoft could force IE bundling, as IE was now part of the OS. This goes completely against good software engineering principles and means that problems with the browser become problems with the OS.
That's what I've gathered.
"Security" in Windows comes from patching a sieve.
More specifically, replacing one section of permeable wire mesh with a new section of permeable wire mesh -- BY DESIGN. The many back-doors in Windows are *NOT* accidental.
Randall R Schulz wrote:
On Friday 08 February 2008 07:21, James Knott wrote:
...
There are a lot of fundamental flaws in Windows, that create security risks. One is the way IE is tied into the kernel, so that a user app runs in kernel space.
Do you know this for a fact? If so, how do you know? Where did you learn it?
Microsoft's testimony in court. They couldn't remove IE because it's WITHIN the kernel.
It really is very hard to believe, since it is such a gross violation of the principles of operating system design. I find it hard to believe even Microsoft would commit such a technological travesty for the sake of thwarting a lawsuit or some regulations.
Since when has MS had the user's interest in mind when locking them in to using MS products (therefore advancing sales of their "server" software against competitors) and spying on users (such as what web sites they are visiting) is profitable for them.
...
Randall Schulz
On Friday 08 February 2008 18:36, James Knott wrote:
I know it's on 2000, and just looked at XP which doesn't like you said. I guess they finally figured out how to write code to replace it. I remember running Win3.x programs on OS/2 and always having to update the .dll's after M$ changed the API. I did some further reading, and VMS is in there somewhere. The guy that M$ hired was from VMS and didn't think too much of OS/2.
Those changing .DLL's were attempts by MS to prevent apps from running on OS/2 and in many cases also caused problems for Windows users, when one app was expecting an older DLL, only to find it had been replaced by a newer one.
Yep.. I remember it well. I started saving them, and when a new one came out, I'd put it in the directory with the app.
One thing I've noticed is that when there is an NTFS partition to be mounted, I see it as hpfs/ntfs. I liked hpfs because it worked. I don't remember defragging it. But once M$ started screwing with it, you had to do it. Not as often as FAT, but it still needs to be done.
I suspect that sector ID number was intentional, to cause confusion.
Of course.. Isn't that their prime objective? Deceit and confusion?
Either way, it's still a crappy OS. BSOD is the screen of the day. When it goes, it goes quickly.
My work computer (XP) never does anything quickly. It takes five minutes from log in to almost usable desktop.
You're lucky. You've got XP. My work computer is still 2000. And slow is an understatement. Log in, go and get coffee, come back and watch it finish. And the coffee pot is at the other end of the building.. ;-) Mike -- Powered by SuSE 10.0 Kernel 2.6.13 X86_64 KDE 3.4 Kmail 1.8 6:52pm up 176 days 23:24, 5 users, load average: 2.04, 2.08, 2.12
Randall R Schulz wrote:
On Friday 08 February 2008 07:52, jdd wrote:
Randall R Schulz a écrit :
even Microsoft would commit such a technological travesty for the sake of thwarting a lawsuit or some regulations. fact is many windows applications don't run at all if not used as administrator, and this opens all.
Be that as it may, there is a huge difference between running an application (or all applications) with administrative privileges and being a part of the kernel. The former, while something we all know and agree is a bad idea, is not an engineering travesty (it's a security travesty). The latter most certainly is an egregious violation of OS design principles. And while I do think Linux is technologically superior to Windows in very many ways, I don't think MS OS engineers are foolish enough to put application code in the kernel.
That's what the whole IE-bundling lawsuit was about. Microsoft's argument was that they indeed do *ON PURPOSE* AS PART OF THEIR BUSINESS PLAN embed the IE code in the kernel. When some CS prof demonstrated an IE-less Windows system, MS almost immediately issued an SP bolting IE in so tightly that there would be no repeat performances.
Randall R Schulz wrote:
On Friday 08 February 2008 08:30, James Knott wrote:
Randall R Schulz wrote:
On Friday 08 February 2008 07:21, James Knott wrote:
...
There are a lot of fundamental flaws in Windows, that create security risks. One is the way IE is tied into the kernel, so that a user app runs in kernel space. Do you know this for a fact? If so, how do you know? Where did you learn it?
It really is very hard to believe, since it is such a gross violation of the principles of operating system design. I find it hard to believe even Microsoft would commit such a technological travesty for the sake of thwarting a lawsuit or some regulations. I have read about it in a couple of different sources, but don't have any handy at the moment. Read up on Netscape vs MS for the why. And does bad software design from Microsoft surprise you?
Bad design is everywhere, in every discipline. And I do not hold the belief that everything MS does is bad or of poor quality (though Outlook and Exchange are enough to earn them a special place in hell). Nor do I believe all or even most (or even many) of their engineers are unskilled.
So yes, this is beyond the pale. No engineer would buy into it. They would have to be dragged kicking and screaming into such a horrible scheme.
There is certainly no technical reason for them to tie IE so closely to the operating system, yet that is precisely what they claimed. ...
Again, "tie closely to the OS" and "tied into the kernel" _are NOT the same thing_! You said IE code is in the kernel. I'm still not ready to believe that.
How can it be "tied closely to the OS" without being tied into the kernel?
G T Smith wrote:
I remember OS/2 as a bit of a cripple when it first came out, (I was tasked with writing a GUI graphics editor to edit greyscale photographic images which proved to be a little difficult as the colour support API basically was not implemented when it was first released).
OS/2 was originally developed by Microsoft for IBM. It didn't become real good until 1.3, after IBM took over development, when they found MS was diverting the funding to Windows. I started using it with 2.0 and I've yet to see a desktop that compares with the Workplace Shell. -- Use OpenOffice.org http://www.openoffice.org
Mike wrote:
You're lucky. You've got XP. My work computer is still 2000. And slow is an understatement. Log in, go and get coffee, come back and watch it finish. And the coffee pot is at the other end of the building.. ;-)
I boot mine, go get a coffee and then on return, enter password. I then enjoy coffee and sometimes cookies & read the paper while waiting for the desktop. -- Use OpenOffice.org http://www.openoffice.org
Mike wrote:
| G T Smith also, I thought, wrote this:
|> My work computer (XP) never does anything quickly. It takes five
|> minutes from log in to almost usable desktop.
|
| You're lucky. You've got XP. My work computer is still 2000. And slow is
| an understatement. Log in, go and get coffee, come back and watch it
| finish. And the coffee pot is at the other end of the building.. ;-)
|
| Mike
I do not know if you ever used an app like registry mechanic? It tends to 'take care' of the 'faults', that come to existence in these systems, and make it search for nonexistent or replaced files, from which the system was 'forgotten' to save what happened to them... When I used XP, I was sceptical at the beginning, but when I tried it, it found about 386 mistakes at first run, and after repairing them, XP ran as new. Here there are 4 XP boxes around, on which I weekly repair the registry and defragment the most used drives to keep them running at an acceptable speed. Might not be a bad idea to try that, except if you want to start the day 'at ease'... of course.. As I remember correctly, the apps work on W2K also... (I am not advertising for the adversary, but try helping to make that system less annoying to use..)
-- Have a nice day, M9. Now, is the only time that exists. ~ OS: Linux 2.6.24-3-default x86_64 ~ Current user: monkey9@AMD64x2-sfn1 ~ System: openSUSE 11.0 (x86_64) Alpha2 ~ KDE: 3.5.8 "release 39"
James Knott wrote:
| Mike wrote:
|> You're lucky. You've got XP. My work computer is still 2000. And slow is
|> an understatement. Log in, go and get coffee, come back and watch it
|> finish. And the coffee pot is at the other end of the building.. ;-)
|
| I boot mine, go get a coffee and then on return, enter password. I then
| enjoy coffee and sometimes cookies & read the paper while waiting for
| the desktop.
See? Better not make it quicker than.. ;-)
-- Have a nice day, M9. Now, is the only time that exists. ~ OS: Linux 2.6.24-3-default x86_64 ~ Current user: monkey9@AMD64x2-sfn1 ~ System: openSUSE 11.0 (x86_64) Alpha2 ~ KDE: 3.5.8 "release 39"
Tero Pesonen wrote:
I don't think running Windows XP on a desktop securely is rocket science. My parents have pulled off such a feat -- they've never had any security issues, and of the people I know, they are the least computer literate.
I do hear that a lot from windows users. On the other hand, enterprising black hats rent out compromised microsoft boxes by the millions for sending out spam, or doing coordinated DOS attacks - and yet the owners of those compromised microsoft boxes will claim they've never had any security issues. Joe
On Friday 08 February 2008 19:26, M9. wrote:
When I used XP, I was sceptical at the beginning, but when I tried it, it found about 386 mistakes at first run, and after repairing them, XP ran as new. Here there are 4 XP boxes around, on which I weekly repair the registry and defragment the most used drives to keep them running at an acceptable speed. Might not be a bad idea to try that, except if you want to start the day 'at ease'... of course.. As I remember correctly, the apps work on W2K also... (I am not advertising for the adversary, but try helping to make that system less annoying to use..)
true.. But when the work computer belongs to the government, they frown on bringing in anything that might make your job easier. They even block the use of Firefox with something from McAfee. But the funny part of it is that it's based solely on the name of the executable. Rename it, and it works fine.. ;-) Mike -- Powered by SuSE 10.0 Kernel 2.6.13 X86_64 KDE 3.4 Kmail 1.8 7:26pm up 176 days 23:59, 5 users, load average: 2.14, 2.22, 2.19
Mike wrote:
| On Friday 08 February 2008 19:26, M9. wrote:
|
|> (I am not advertising for the adversary, but try helping to make that
|> system less annoying to use..)
|
| true.. But when the work computer belongs to the government, they frown
| on bringing in anything that might make your job easier. They even block
| the use of Firefox with something from McAfee. But the funny part of it
| is that it's based solely on the name of the executable. Rename it, and
| it works fine.. ;-)
|
| Mike
Lol.. :-))
-- Have a nice day, M9. Now, is the only time that exists. ~ OS: Linux 2.6.24-3-default x86_64 ~ Current user: monkey9@AMD64x2-sfn1 ~ System: openSUSE 11.0 (x86_64) Alpha2 ~ KDE: 3.5.8 "release 39"
On Friday 08 February 2008, James Knott wrote:
Tero Pesonen wrote:
On Friday 08 February 2008, Sloan wrote:
Tero Pesonen wrote:
On Friday 08 February 2008, Randall R Schulz wrote:
Linux is safe when used intelligently. Intelligent use includes using secure passwords and applying security upgrades when they're made available. Intelligent use excludes running binaries or scripts supplied by unknown individuals.
If that's too complicated for someone, they shouldn't be using a computer at all.
So, are Windows XP or Vista not safe then when used intelligently?
IMHO using a microsoft operating system intelligently (is there an oxymoron here?) involves a number of additional restrictions and caveats, as well as extra costs, as compared to using linux intelligently, which is OTOH fairly straightforward.
Joe
I don't think running Windows XP on a desktop securely is rocket science. My parents have pulled off such a feat -- they've never had any security issues, and of the people I know, they are the least computer literate. My brother is now on OS X, but not because of security issues. He just wanted a better computer with a better OS than what his XP-powered Wintel box was.
Do they run as admin or user? Do they have any applications that force them to run as admin?
On the standard Windows XP whatever version, I think everything is run as admin, or with the admin rights.
Maybe securing a desktop Linux system is easier. However, as long as it is not difficult as such on the other side, security is not a selling point. I've talked about security and Linux to Windows users. What they say is: I do not need "better" or "more" security, since security is a non-issue to begin with. If, on the other hand, OpenOffice or MS Office became magically easier to use once run on Linux, then they might become interested.
There are a lot of fundamental flaws in Windows, that create security risks. One is the way IE is tied into the kernel, so that a user app runs in kernel space. The sole reason for this, was so that Microsoft could force IE bundling, as IE was now part of the OS. This goes completely against good software engineering principles and means that problems with the browser become problems with the OS.
Certainly. I guess that has something to do with why Firefox has >45% market share here in Finland. Even CERT-FI (Finnish National Computer Emergency Response Team) has guided all businesses and home users to look for alternatives to IE on Windows. I don't know what's their stance on the newer IE version. (7 or 8 or something like that)
That's what I've gathered.
"Security" in Windows comes from patching a sieve.
Sure. But I still won't let my Linux box run unpatched either. Or OS X, if I were running that. Tero Pesonen
On Friday 08 February 2008, James Knott wrote:
Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Randall R Schulz:
That is manifestly false. It takes an explicit vulnerability for this to happen. The classic one is unchecked overflow of a buffer
Any given nasty application would need 1 system call to remove your homedir. Call that "unfair" or "vulnerability", whatever.
How you would run into such a nasty app is another story. But isn't saying that you couldn't a bit over-optimistic?
Wolfgang
Given that /home is owned by root and mere mortals cannot make any changes there, how would that happen, from any app a user could run? If I run some malicious piece of software, the contents of my home directory may be at risk, along with other files I have write permissions for, but not much else.
Not much else? I think that's quite a bit already. If a malicious user or program got access to my home dir, I would think that as a pretty damn serious issue. That just *might* ruin my day pretty bad, depending on what the said user or program were up to. Tero Pesonen
Aaron Kulkis:
Other than *very* *old*, uncorrected code with buffer-overflow vulnerabilities, due to calls to strcat(3) instead of strncat(3), and similar pitfalls which are now very well understood since the first use in the 1987 Morris Worm, you have to provide some hard documentation (i.e. code sections) to make your point here.
Aaron, buffer-overflows were a problem because applications can do pretty much anything. So they've been dealt with and are more or less gone for good. The pipeline from authors through distributions and community audits to the user works. I'm not too much concerned with the security of that well-established and trusted pipeline (although I am a bit). But there are many other pipelines that give you access to software. It's a Wide Web and you don't know what's coming at you. Wrt carelessness: Every now and then you've shared a little of your experiences in Baghdad. You, of all people, would know that carelessness can be lethal. You wouldn't touch children toy booby-traps or anything from unknown origin for that matter just because you were with the strongest military force on earth. You were careful and that is probably one of the reasons why you returned. Why should you use your computer differently and just "click"? Wolfgang
James Knott:
If I run some malicious piece of software, the contents of my home directory may be at risk, along with other files I have write permissions for, but not much else.
There you are. Losing /home/user/* would pretty much make any person's day except Captain Backup's. There is no widely-used mechanism in place that would prevent any application you run from opening network sockets, having rwx access to what you own including hardware etc. Not that most apps would need all these privileges. The mechanisms exist though, they're just not used widely: Various access control models (sandboxing, apparmor). There's a reason these exist. Randall, Sloan, James: You know all this. All of you mentioned sets of things people need to be careful about. Like strong passwords, updating, establishing trust between a user and the community he/she depends on, not being a fool etc. Right on. "I click anything because I'm on linux" just doesn't fit in. So, again, and concluding as I seem to have said my share: Don't advocate carelessness. It's inherently dangerous in the long run. That's not much to ask is it? Wolfgang
On Friday 08 February 2008 08:55:22 am Mike wrote:
On Friday 08 February 2008 17:31, G T Smith wrote:
J Windows NT as originally designed was secure but a combination of inputs from the sales team and the application group compromised what was a reasonably secure design extremely badly. (Essentially Microsoft bought the VMS design team from Digital, and NT originally owed a lot to VMS). The windows 9x/98/Me code stream was really Windows(4?)/MSDOS 7 with the GUI as a compulsory option.
According to several folks, including IBM, Windows NT (new Technology) was a rebrand of OS/2 v3.0 when IBM and Microsoft parted ways. One link is http://www.os2bbs.com/os2news/OS2History.html . I have a feeling that somewhere along the line, someone decided to combine VMS and OS/2 and see what happened.
They didn't actually combine VMS, just used the main developer. For that, they paid royally later and ended up supporting DEC Alpha machines for many years. I had several customers running Alpha machines with WinNT on board.
For years, all the incarnations of NT from 3.5 to 2000 had a directory under system called os2. I'd have to look at work, but I think the only file in that directory is os2.dll. I once deleted it just for fun, and the system ground to a halt. But I think that was NT4, and has since been fixed.
This is way off topic, but... OS/2 was a Joint IBM/Microsoft effort to develop a true 32-bit operating system. Microsoft was shut out of GUI development when Jobs was asked to leave Apple, and the new management refused to share GUI code with Microsoft. Windows was being developed but was a long way off and only a 16-bit shell over DOS. If you ever find a copy of OS/2 1.3 (I have one.) You'll see that it looks remarkably like Windows NT 3.5. The about screen says 1988 Microsoft / 1988 IBM. AFAIK, Microsoft was more interested in providing a desktop OS, while IBM still felt the desktop was a non-starter and wanted to make OS/2 more mainframe-centric. Hence, the two companies agreed to disagree and parted ways. Microsoft announced NT ("A better Unix than Unix.") at the '92 or '93 (I forget) CES show after taking notes about what Sun was already doing with its operating system. In any case, the resulting NT had to support multiple subsystems. In fact Win32 is just one subsystem. OS2 is another. (DOS and 16-bit apps run in a Virtual DOS Machine.) On all versions of NT through XP, you can run native OS2 16-bit command line and non-gui apps by calling the OS2 subsystem. (All UI is passed through the subsystems before being handed off to the kernel.) I believe they finally got rid of this in NT 6.0 (aka Vista), since I don't see an OS2.dll file anywhere. Sorry for the off-topic post (I know I'll hear it from Patrick.) but I thought y'all would be interested.
Wolfgang Woehl wrote:
Aaron Kulkis:
Other than *very* *old*, uncorrected code with buffer-overflow vulnerabilities, due to calls to strcat(3) instead of strncat(3), and similar pitfalls which are now very well understood since the first use in the 1987 Morris Worm, you have to provide some hard documentation (i.e. code sections) to make your point here.
Aaron, buffer-overflows were a problem because applications can do pretty much anything.
No, they can't. Programs can pretty much do what the object code files tell them to do. And nothing more.
On Friday 08 February 2008 11:43, Wolfgang Woehl wrote:
James Knott:
If I run some malicious piece of software, the contents of my home directory may be at risk, along with other files I have write permissions for, but not much else.
There you are. Losing /home/user/* would pretty much make any person's day except Captain Backup's.
Hardware failure is more likely to cause this than some nebulous security threat that you've dreamt up in your fearful and fertile imagination.
There is no widely-used mechanism in place that would prevent any application you run from opening network sockets, having rwx access to what you own including hardware etc. Not that most apps would need all these privileges.
Again, you're claiming that people run "any application." We do not. No one just grabs some code from an unknown, untrusted source and runs it. And reliable applications that we do all use every day are known to be reliable and come from trustworthy sources.
The mechanisms exist though, they're just not used widely: Various access control models (sandboxing, apparmor). There's a reason these exist.
They are bandaids and afterthoughts, unneeded by well written applications and unable to truly secure insecure ones.
Randall, Sloan, James: You know all this.
You don't know what I know. Clearly.
All of you mentioned sets of things people need to be careful about. Like strong passwords, updating, establishing trust between a user and the community he/she depends on, not being a fool etc.
None of this is fundamentally different from or any harder to teach and learn than "look both ways before crossing the street" or "don't take candy from strangers."
Right on. "I click anything because I'm on linux" just doesn't fit in.
You insist on grossly misrepresenting what Joe said. He said he will "click on" any URL in his browser without concern that the HTML he retrieves via the URL will harm his system or allow others' systems to be harmed.
So, again, and concluding as I seem to have said my share: Don't advocate carelessness. It's inherently dangerous in the long run. That's not much to ask is it?
No one has even once advocated carelessness here. You interpret a lack of undue fear and apprehension in using common Linux software to access the Internet to be carelessness. It is not.
Wolfgang
Randall Schulz
Wolfgang Woehl wrote:
James Knott:
If I run some malicious piece of software, the contents of my home directory may be at risk, along with other files I have write permissions for, but not much else.
There you are. Losing /home/user/* would pretty much make any person's day except Captain Backup's.
While true, there's no benefit of it to the typical virus-writer. The typical virus and trojan author is attempting to hijack a machine for the purpose of turning it into a spam-zombie or to be part of a DoS attack net. Mucking around in a user's home directory doesn't help them achieve those goals at all.
There is no widely-used mechanism in place that would prevent any application you run from opening network sockets,
So? Open all the sockets under my user ID that you want. It doesn't hurt me at all, other than taking space in the file-handle table.
having rwx access to what you own including hardware etc. Not that most apps would need all these privileges.
Again, the most serious problem here is loss of data, which should be backed up anyways. It's NOT going to corrupt your system and force a whole reformat+install+configure like on Windows.
The mechanisms exist though, they're just not used widely: Various access control models (sandboxing, apparmor). There's a reason these exist.
Randall, Sloan, James: You know all this. All of you mentioned sets of things people need to be careful about. Like strong passwords, updating, establishing trust between a user and the community he/she depends on, not being a fool etc. Right on. "I click anything because I'm on linux" just doesn't fit in.
So, again, and concluding as I seem to have said my share: Don't advocate carelessness. It's inherently dangerous in the long run. That's not much to ask is it?
There's no BENEFIT to writing malware that attacks a USER ACCOUNT on a Linux or Unix machine.
Wolfgang
On Friday 08 February 2008 14:36:00 Aaron Kulkis wrote:
Other than *very* *old*, uncorrected code with buffer-overflow vulnerabilities, due to calls to strcat(3) instead of strncat(3), and similar pitfalls which are now very well understood since the first use in the 1987 Morris Worm, you have to provide some hard documentation (i.e. code sections) to make your point here.
Well, no, the Morris worm wasn't the first time it was used. This paper http://homes.cerias.purdue.edu/~spaf/tech-reps/823.pdf was written shortly after the worm incident, and it describes buffer overflows as "Although experienced C programmers are aware of the problems with these routines, they continue to use them." I would say the situation is similar today. Experienced programmers are aware of the problems, but some continue to use the problematic functions, and inexperienced programmers just don't know any better. We still see security patches issued for buffer overruns. We shouldn't panic, but we also shouldn't become complacent. I have complained in the past about the disturbing practice of encouraging people to disable signature checks on rpms, simply because it makes it easier to install a package. Given this practice, that would be a brilliant way of introducing bad code on a system. And bad code doesn't have to be "if(!strcmp(user, "blackhat")) strcat(passwd, "password");", it could just as well be to change fgets() to gets(). I'd like to see the code review that would catch that in a hurry, and it would then be trivial to crack the program. Anders -- Madness takes its toll
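The strcat(3)/strncat(3) and gets()/fgets() contrast raised in this message, as an added example that is not part of the original post or of any project discussed in the thread: bounded replacements that report truncation instead of writing past the buffer. The helper names `bounded_append`, `truncating_append` and `read_line`, the buffer sizes and the sample input are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Append src to the NUL-terminated string in dst (a buffer of dstsize bytes).
 * Returns 0 on success, -1 if src does not fit; dst is then left unchanged.
 * strcat(3) has no size argument and would write past the buffer instead. */
int bounded_append(char *dst, size_t dstsize, const char *src)
{
    const char *end = memchr(dst, '\0', dstsize);
    if (end == NULL)
        return -1;                  /* dst is not terminated inside its buffer */
    size_t used = (size_t)(end - dst);
    size_t need = strlen(src);
    if (need >= dstsize - used)     /* no room for src plus the terminator */
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* strncat(3) used correctly: its third argument is the room LEFT in dst
 * (minus the terminator), not the size of dst. Passing sizeof dst there is a
 * common mistake that overflows just as strcat does.
 * Returns 1 if src was cut short, 0 if it fitted, -1 if dst is unterminated. */
int truncating_append(char *dst, size_t dstsize, const char *src)
{
    const char *end = memchr(dst, '\0', dstsize);
    if (end == NULL)
        return -1;
    size_t room = dstsize - (size_t)(end - dst) - 1;
    strncat(dst, src, room);
    return strlen(src) > room;
}

/* Read one line with fgets(3), which is told the buffer size, in place of
 * gets(), which cannot be. Returns the line length without the newline,
 * -1 at end of input, or -2 if the line was longer than the buffer; the rest
 * of an over-long line is discarded so the next call starts on a new line. */
long read_line(FILE *in, char *buf, size_t size)
{
    if (size < 2 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return (long)(len - 1);
    }
    /* No newline stored: the line ended exactly at the buffer limit, the
     * input ended without a newline, or the line is too long. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return (long)len;
    while (c != '\n' && c != EOF)
        c = fgetc(in);
    return -2;
}

int main(void)
{
    /* Constructed sample input: the second line is longer than the buffer. */
    FILE *in = tmpfile();
    if (in == NULL)
        return 1;
    fputs("alice\nthis line is far too long\nbob\n", in);
    rewind(in);

    char name[8], greeting[16];
    long n;
    while ((n = read_line(in, name, sizeof name)) != -1) {
        if (n == -2) {
            puts("rejected: line longer than buffer");
            continue;
        }
        strcpy(greeting, "hello, ");   /* 7 chars + NUL always fits in 16 */
        if (bounded_append(greeting, sizeof greeting, name) == 0)
            puts(greeting);
    }
    fclose(in);
    return 0;
}
```

Compilers and linkers commonly warn on any use of gets(), and it was removed from the language in C11, so a build that treats warnings as errors is one mechanical check for the substitution described in the message.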
On Friday 08 February 2008, Sloan wrote:
Tero Pesonen wrote:
I don't think running Windows XP on a desktop securely is rocket science. My parents have pulled off such a feat -- they've never had any security issues, and of the people I know, they are the least computer literate.
I do hear that a lot from windows users. On the other hand, enterprising black hats rent out compromised microsoft boxes by the millions for sending out spam, or doing coordinated DOS attacks - and yet the owners of those compromised microsoft boxes will claim they've never had any security issues.
And they're also the people who've never actually thought of security in the first place. No, security won't come automatically. You need a driver's license for driving a car on public roads. You do not need any kind of license for connecting a PC box to the "public" net. That's where it really comes down to. Tero Pesonen
Wolfgang Woehl wrote:
There is no widely-used mechanism in place that would prevent any application you run from opening network sockets, having rwx access to what you own including hardware etc. Not that most apps would need all these privileges.
The question is, how would the remote script kiddie replace the vendor-supplied application with a hostile trojan in the first place? That small detail always seems to be glossed over in these conversations.
Randall, Sloan, James: You know all this. All of you mentioned sets of things people need to be careful about. Like strong passwords, updating, establishing trust between a user and the community he/she depends on, not being a fool etc. Right on. "I click anything because I'm on linux" just doesn't fit in.
You're entitled to your viewpoint that it "doesn't fit in" but IMHO that's more of an aesthetic matter, rather than any real differences we may have in the technical understanding of things. We all agree that extreme stupidity is not a good policy, whether driving, or using a computer. However, I can't leave unchallenged this silly idea that there are no differences in the level of security risk in using linux vs using windows. The fact is, microsoft users all take for granted the drill of installing and maintaining the patchwork of 3rd-party band-aids which are necessary to prevent immediate infestation of spyware, trojans, viruses etc on a brand new windows pc. I've been reminded from time to time of the "deer in the headlights" mentality which often affects microsoft users, when I've sent my mother an email containing a URL or an attachment and she's afraid to open it, even though she trusts me personally, for fear of who knows what nasty things might happen to her computer. There *is* a difference in using windows and linux. I'm not saying we should be stupid and reckless, I'm just saying that there is a definite difference. BTW I'm still waiting to see that attachment or the URL which, if I click on, would take over my linux box...
So, again, and concluding as I seem to have said my share: Don't advocate carelessness. It's inherently dangerous in the long run. That's not much to ask is it?
No, that's not too much to ask - and IMHO neither is it too much to ask that you don't deny the fact that linux users have a lot less to worry about than microsoft users, security-wise. Fair enough? Joe
Sloan:
Wolfgang Woehl wrote:
So, again, and concluding as I seem to have said my share: Don't advocate carelessness. It's inherently dangerous in the long run. That's not much to ask is it?
No, that's not too much to ask - and IMHO neither is it too much to ask that you don't deny the fact that linux users have a lot less to worry about than microsoft users, security-wise. Fair enough?
Fair enough. It's high on the list of reasons I'm using linux for. Wolfgang
Randall R Schulz:
On Friday 08 February 2008 11:43, Wolfgang Woehl wrote:
Randall, Sloan, James: You know all this.
You don't know what I know. Clearly.
Reading this list made me think "Randall knows a lot". So ... Wolfgang
On Friday 08 February 2008 13:07, Wolfgang Woehl wrote:
Randall R Schulz:
On Friday 08 February 2008 11:43, Wolfgang Woehl wrote:
Randall, Sloan, James: You know all this.
You don't know what I know. Clearly.
Reading this list made me think "Randall knows a lot". So ...
What I meant is that you do not know what things I do know and what things I do not know. And I do know a lot. But then, everyone knows a lot.
Wolfgang
RRS
On Friday 08 February 2008 20:56:43 Randall R Schulz wrote:
Again, you're claiming that people run "any application." We do not. No one just grabs some code from an unknown, untrusted source and runs it.
Actually, I see this happening all the time, even from experienced people. "Yeah, I had this problem, and I googled it, and I found this program from 2004 which actually works, and it's really cool. It's a free download, here's the url." Happens all the time. -- Madness takes its toll
M9. wrote:
Mike wrote:
| G T Smith also, i thought, wrote this:
Not me guv honest! Have not booted into the XP side of my machine for the last 6 weeks (and that was an accident!). :-)
|> My work computer (XP) never does anything quickly. It takes five |> minutes from log in to almost usable desktop. | | You're lucky. You've got XP. My work computer is still 2000. And slow is | an understatement. Log in, go and get coffee, come back and watch it | finish. And the coffee pot is at the other end of the building.. ;-) | | Mike | |
<snip> On the rare occasions I do start XP it's the raft of background stuff loading on the machine which causes the main problem......
-- I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup
Kai Ponte wrote:
On Friday 08 February 2008 08:55:22 am Mike wrote:
On Friday 08 February 2008 17:31, G T Smith wrote:
J
<snip>
They didn't actually combine VMS, just used the main developer. For that, they paid royally later and ended up supporting DEC Alpha machines for many years. I had several customers running Alpha machines with WinNT on board.
Curious, a lot of the naming internals in NT3/NT4 were very close to those in VAX/VMS .... <snip> -- I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup
On Friday 08 February 2008 02:44:16 pm Anders Johansson wrote:
On Friday 08 February 2008 20:56:43 Randall R Schulz wrote:
Again, you're claiming that people run "any application." We do not. No one just grabs some code from an unknown, untrusted source and runs it.
Actually, I see this happening all the time, even from experienced people
"Yeah, I had this problem, and I googled it, and I found this program from 2004 which actually works, and it's really cool. It's a free download, here's the url"
That is *exactly* why my mother runs openSUSE. I got sick of the "I just downloaded and ran this program which it told me I needed and now I can't find my photos" phone calls. Oddly enough - since she's been running openSUSE - I haven't had one yet.
On Friday 08 February 2008 14:44, Anders Johansson wrote:
On Friday 08 February 2008 20:56:43 Randall R Schulz wrote:
Again, you're claiming that people run "any application." We do not. No one just grabs some code from an unknown, untrusted source and runs it.
Actually, I see this happening all the time, even from experienced people
"Yeah, I had this problem, and I googled it, and I found this program from 2004 which actually works, and it's really cool. It's a free download, here's the url"
Happens all the time
I think the previous is connected with the following:
Madness takes its toll
RRS
James Knott wrote:
Basil Chupin wrote:
James Knott wrote:
Tero Pesonen wrote:
If that's too complicated for someone, they shouldn't be using a computer at all.
So, are Windows XP or Vista not safe then when used intelligently?
--Tero Pesonen
There are a number of flaws in the basic design of Windows that make it more difficult to secure. One was a result of the "browser wars". When Netscape sued Microsoft for forced bundling of IE, Microsoft claimed that IE couldn't be removed because it was part of the OS. At that time, it was simply another app, like Netscape. However, with the next Windows version, IE was deeply embedded in the kernel, using many common files etc. The result of this was that a security breach in IE became a breach in the kernel. There are many other examples, from the technical perspective, about why Windows is inherently less secure. Ever notice how many Windows apps require a user to run with admin rights?
If you are using the Home Edition you have no other choice except to run it with Administrator rights.
Is there no way to add another user? I try to convince my friends to create a user account, separate from the admin. It sounds like another security bomb is about to go off.
I quote from a book I have on the XP: QUOTE Windows XP Home edition bestows Administrator rights on anyone who logs into the computer, giving full control to all system resources - this is not a satisfactory security model for business and power users. UNQUOTE. Answer your question? :-) Ciao. -- Past experience, if not forgotten, is a guide for the future.
Basil Chupin wrote:
James Knott wrote:
Is there no way to add another user? I try to convince my friends to create a user account, separate from the admin. It sounds like another security bomb is about to go off.
I quote from a book I have on the XP:
QUOTE
Windows XP Home edition bestows Administrator rights on anyone who logs into the computer, giving full control to all system resources - this is not a satisfactory security model for business and power users.
UNQUOTE.
Answer your question? :-)
My question was about Vista. My ThinkPad came with XP Home and I have both Admin and user accounts on it. User accounts in XP Home do not have admin rights. However, most people never get past that first account, which does have admin rights. -- Use OpenOffice.org http://www.openoffice.org
On Friday 08 February 2008 05:50:33 pm Basil Chupin wrote:
James Knott wrote:
Basil Chupin wrote: ....
If you are using the Home Edition you have no other choice except to run it with Administrator rights.
Is there no way to add another user? I try to convince my friends to create a user account, separate from the admin. It sounds like another security bomb is about to go off.
I quote from a book I have on the XP:
QUOTE
Windows XP Home edition bestows Administrator rights on anyone who logs into the computer, giving full control to all system resources - this is not a satisfactory security model for business and power users.
UNQUOTE.
Answer your question? :-)
The book and practice seems to be out of phase :-) It is simple to create new user(s). They are by default administrators (well, elevated rights), so that has to be fixed manually. -- Regards, Rajko. See http://en.opensuse.org/Portal
Anders Johansson wrote:
On Friday 08 February 2008 14:36:00 Aaron Kulkis wrote:
Other than *very* *old*, uncorrected code with buffer-overflow vulnerabilities, due to calls to strcat(3) instead of strncat(3), and similar pitfalls which are now very well understood since the first use in the 1987 Morris Worm, you have to provide some hard documentation (i.e. code sections) to make your point here.
Well, no, the morris worm wasn't the first time it was used. This paper
http://homes.cerias.purdue.edu/~spaf/tech-reps/823.pdf
was written shortly after the worm incident, and it describes buffer overflows as "Although experienced C programmers are aware of the problems with these routines, they continue to use them."
I was a Computer Systems Engineering student when the Morris Worm hit, and until then, the problems of using strcat() instead of using strncat() were looked at more as a problem of exacerbating program bugs, but few if anybody had considered it to be a vehicle for overwriting the stack with both bogus stack-frame information AND rogue code.
I would say the situation is similar today. Experienced programmers are aware of the problems, but some continue to use the problematic functions, and inexperienced programmers just don't know any better.
What schools are these programmers graduating from where the use of strcat() doesn't bring about grading penalties? After the Morris worm was dissected, by George Goble(*) -- he of the original dual-CPU Unix kernel fame, the profs at Purdue were quite adamant that the use of strcat() and other unbounded functions must end, and their use MUST be replaced with their bounded cousins (strncat() and the rest). (*) We were lucky enough in the Electrical Engineering school to have some Gould Unix machines which we beta-tested for Gould, and were both very obscure at the time, and their design was based on the IBM 370 CPU, and thus the buffer overflows which were effective against both the VAX-11 and the 680x0-based Sun Microsystems machines.
We still see security patches issued for buffer overruns
We shouldn't panic, but we also shouldn't become complacent. I have complained in the past about the disturbing practice of encouraging people to disable signature checks on rpms, simply because it makes it easier to install a package. Given this practice, that would be a brilliant way of introducing bad code on a system
And bad code doesn't have to be "if(!strcmp(user, "blackhat")) strcat(passwd, "password");", it could just as well be to change fgets() to gets(). I'd like to see the code review that would catch that in a hurry, and it would then be trivial to crack the program
For starters: grep -e "strcmp(\| gets(\|strcat(" *.c *.h
Anders
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
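The bounded replacements named in the message above (strncat() for strcat(), fgets() for gets()), written out as an added example that is not code from any poster on this list. The helper names bounded_append, truncating_append and read_line_bounded are hypothetical; the point shown is that strncat()'s third argument is the room left in the destination, not the destination's size.

```c
#include <stdio.h>
#include <string.h>

/* Append src to dst only if the whole result fits in dst_size bytes.
 * Returns 0 on success, -1 if it would not fit (dst is left untouched). */
int bounded_append(char *dst, size_t dst_size, const char *src)
{
    size_t used, need;

    /* memchr bounds the scan in case dst is not NUL-terminated. */
    if (dst_size == 0 || memchr(dst, '\0', dst_size) == NULL)
        return -1;
    used = strlen(dst);
    need = strlen(src);
    if (need > dst_size - used - 1)      /* keep one byte for the NUL */
        return -1;
    memcpy(dst + used, src, need + 1);   /* +1 copies the terminator */
    return 0;
}

/* Truncating variant built on strncat(3). The third argument is the number
 * of bytes that may still be appended; passing the full size of dst there
 * overflows just as strcat(3) would. Returns how many bytes were dropped. */
size_t truncating_append(char *dst, size_t dst_size, const char *src)
{
    size_t used, room, need = strlen(src);

    if (dst_size == 0 || memchr(dst, '\0', dst_size) == NULL)
        return need;                     /* nothing appended */
    used = strlen(dst);
    room = dst_size - used - 1;
    strncat(dst, src, room);             /* always writes a terminator */
    return need > room ? need - room : 0;
}

/* Read one line with fgets(3), which takes the buffer size (gets(3) cannot).
 * Returns 1 for a line that fit (newline stripped), 0 at end of input,
 * -1 if the line did not fit; the rest of that line is discarded. */
int read_line_bounded(FILE *in, char *buf, size_t buf_size)
{
    size_t len;
    int c;

    if (buf_size < 2)
        return -1;
    if (fgets(buf, (int)buf_size, in) == NULL)
        return 0;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    if (feof(in))
        return 1;                        /* final line without a newline */
    while ((c = fgetc(in)) != EOF && c != '\n') {
        /* drain the oversized line so the next read starts cleanly */
    }
    return -1;
}

int main(void)
{
    char passwd[8] = "abc";              /* constructed sample buffer */
    size_t dropped;

    if (bounded_append(passwd, sizeof passwd, "defghij") != 0)
        puts("bounded_append: refused, result would not fit");
    dropped = truncating_append(passwd, sizeof passwd, "defghij");
    printf("truncating_append: \"%s\", %lu bytes dropped\n",
           passwd, (unsigned long)dropped);
    return 0;
}
```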
Wolfgang Woehl wrote:
Sloan:
Wolfgang Woehl wrote:
So, again, and concluding as I seem to have said my share: Don't advocate carelessness. It's inherently dangerous in the long run. That's not much to ask is it? No, that's not too much to ask - and IMHO neither is it too much to ask that you don't deny the fact that linux users have a lot less to worry about than microsoft users, security-wise. Fair enough?
Fair enough. It's high on the list of reasons I'm using linux for.
EXACTLY!
Wolfgang
G T Smith wrote:
Kai Ponte wrote:
On Friday 08 February 2008 08:55:22 am Mike wrote:
On Friday 08 February 2008 17:31, G T Smith wrote:
J
<snip>
They didn't actually combine VMS, just used the main developer. For that, they paid royally later and ended up supporting DEC Alpha machines for many years. I had several customers running Alpha machines with WinNT on board.
Curious, a lot of the naming internals in NT3/NT4 were very close to those in VAX/VMS ....
There was no NT-3.
Windows 3.x consisted of Windows 3.1, Windows for Workgroups (3.11), and Windows 95 and 98 (aka Windows 32x)
Windows NT is Windows 4.0
Windows 2000 is Windows 5.0
Windows XP is Windows 6.0
Windows Vista is Windows 7.0
That was the influence of Dave Cutler, who was hired from DEC.
James Knott wrote:
Basil Chupin wrote:
James Knott wrote:
Is there no way to add another user? I try to convince my friends to create a user account, separate from the admin. It sounds like another security bomb is about to go off.
I quote from a book I have on the XP:
QUOTE
Windows XP Home edition bestows Administrator rights on anyone who logs into the computer, giving full control to all system resources - this is not a satisfactory security model for business and power users.
UNQUOTE.
Answer your question? :-)
My question was about Vista.
Sorry, must have missed this along the way - didn't see any reference to Vista, the discussion I thought was all about XP.
My ThinkPad came with XP Home and I have both Admin and user accounts on it. User accounts in XP Home do not have admin rights. However, most people never get past that first account, which does have admin rights.
A friend is using the Home edition and I haven't "played" with it (because I didn't want to get tangled up with Home edition :-) ) so cannot comment for or against that you have both Admin and user accounts on it. All I know is what I heard, and read (and quoted above) about the Home edition of XP. Of course, it is in XP Professional that most people who use it at home who never get past the first account - the Administrator - and do not create a user with limited access rights. The need to create a normal, limited access, user in XP Professional is not something which is enforced in Professional which is why, I understand, most XP Prof. setups are being run by a home user with full Admin. rights. I cannot see why the Home edition should be more security conscious than the Professional edition, and also cost much less, unless SP1 and SP2 introduced the ability to create limited-access users in the Home edition. Ciao. -- Past experience, if not forgotten, is a guide for the future.
Rajko M. wrote:
On Friday 08 February 2008 05:50:33 pm Basil Chupin wrote:
James Knott wrote:
Basil Chupin wrote:
....
If you are using the Home Edition you have no other choice except to run it with Administrator rights.
Is there no way to add another user? I try to convince my friends to create a user account, separate from the admin. It sounds like another security bomb is about to go off.
I quote from a book I have on the XP:
QUOTE
Windows XP Home edition bestows Administrator rights on anyone who logs into the computer, giving full control to all system resources - this is not a satisfactory security model for business and power users.
UNQUOTE.
Answer your question? :-)
The book and practice seems to be out of phase :-)
It is simple to create new user(s).
Nowhere have I said anything about not being able to create new users. All the above quote is stating is, "....bestows Administrative rights on *anyone* [my emphasis] who logs into the computer,....".
They are by default administrators (well, elevated rights), so that has to be fixed manually.
What you write is, of course, all very exciting - except that for the Joe-in-the-street who buys a copy of the Home edition (AND Professional, BTW) will not have a damn clue that you need to use the OS as a user with NO Administrator privileges. Which is why openSUSE was created. Ciao. -- Past experience, if not forgotten, is a guide for the future.
Basil Chupin wrote:
The need to create a normal, limited access, user in XP Professional is not something which is enforced in Professional which is why, I understand, most XP Prof. setups are being run by a home user with full Admin. rights. I cannot see why the Home edition should be more security conscious than the Professional edition, and also cost much less, unless SP1 and SP2 introduced the ability to create limited-access users in the Home edition.
I believe both versions work the same. The first account has admin rights and many people don't go beyond that to create users with restricted rights. They simply don't realize the difference between admin and user. At least in Linux, at least SUSE, you get warnings about running as root and you're expected to create a user during install. With Ubuntu and some other distros, the first user is an admin user, with rights to create a root password. Additional users are mere mortals. -- Use OpenOffice.org http://www.openoffice.org
On Friday 08 February 2008 23:50, Basil Chupin wrote:
Of course, it is in XP Professional that most people who use it at home who never get past the first account - the Administrator - and do not create a user with limited access rights.
The need to create a normal, limited access, user in XP Professional is not something which is enforced in Professional which is why, I understand, most XP Prof. setups are being run by a home user with full Admin. rights. I cannot see why the Home edition should be more security conscious than the Professional edition, and also cost much less, unless SP1 and SP2 introduced the ability to create limited-access users in the Home edition.
Ciao.
I have XP Pro at home. How do I access the Administrator account, so that I can unzip some files that have been sent to me? AFAIR, the install did not ask me for a password, so I don't have one--that I know of. What an idiot system! --dm Blessed are the peacemakers ... for they shall be shot at from both sides. --A.M. Greeley
* Doug McGarrett
I have XP Pro at home. How do I access the Administrator account, so that I can unzip some files that have been sent to me? AFAIR, the install did not ask me for a password, so I don't have one--that I know of. What an idiot system!
Subject is "OpenSuse 11", nothing to do with accounts on windoz. AND, is offtopic on this list. It belongs on the opensuse-offtopic list. Mailing-List: contact opensuse-offtopic+help@opensuse.org; run by mlmmj X-Mailinglist: opensuse-offtopic List-Post: mailto:opensuse-offtopic@opensuse.org List-Help: mailto:opensuse-offtopic+help@opensuse.org List-Subscribe: mailto:opensuse-offtopic+subscribe@opensuse.org List-Unsubscribe: mailto:opensuse-offtopic+unsubscribe@opensuse.org List-Owner: mailto:opensuse-offtopic+owner@opensuse.org -- Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://counter.li.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Doug McGarrett wrote:
On Friday 08 February 2008 23:50, Basil Chupin wrote:
Of course, it is in XP Professional that most people who use it at home who never get past the first account - the Administrator - and do not create a user with limited access rights.
The need to create a normal, limited access, user in XP Professional is not something which is enforced in Professional which is why, I understand, most XP Prof. setups are being run by a home user with full Admin. rights. I cannot see why the Home edition should be more security conscious than the Professional edition, and also cost much less, unless SP1 and SP2 introduced the ability to create limited-access users in the Home edition.
Ciao.
I have XP Pro at home. How do I access the Administrator account, so that I can unzip some files that have been sent to me? AFAIR, the install did not ask me for a password, so I don't have one--that I know of. What an idiot system!
See my response in opensuse offtopic under Subject XP Pro/Home Edition. Ciao -- If you want to know what a man is like, take a look at how he treats his inferiors not his equals.
James Knott wrote:
Basil Chupin wrote:
The need to create a normal, limited access, user in XP Professional is not something which is enforced in Professional which is why, I understand, most XP Prof. setups are being run by a home user with full Admin. rights. I cannot see why the Home edition should be more security conscious than the Professional edition, and also cost much less, unless SP1 and SP2 introduced the ability to create limited-access users in the Home edition.
I believe both versions work the same. The first account has admin rights and many people don't go beyond that to create users with restricted rights. They simply don't realize the difference between admin and user.
Which is caused by Microsoft not making the default name something like "admin", and prompting the user to come up with their own name for the "first account" which the uninformed person is, more often than not, going to name after themselves, as a personal account (because MS doesn't tell them that it's NOT a personal account).
On Friday 08 February 2008 09:57, Aaron Kulkis wrote:
Randall R Schulz wrote:
...
Be that as it may, there is a huge difference between running an application (or all applications) with administrative privileges and being a part of the kernel. ...
That's what the whole IE-bundling lawsuit was about.
Microsoft's argument was that they indeed do *ON PURPOSE* AS PART OF THEIR BUSINESS PLAN embed the IE code in the kernel.
When some CS prof demonstrated an IE-less Windows system, MS almost immediately issued an SP bolting IE in so tightly that there would be no repeat performances.
Did they ever disclose the source code that showed IE code in the kernel? If not, why do you believe them when they say it's in the kernel (_if_ they said that)? Making the system inoperable without IE is still far from putting IE in the kernel. There are many ways to do the former. By the way, where can I buy some of these software bolts? I've got some code that keeps coming loose 'cause all I can find is software glue, and apparently it's not impervious to bit rot. Randall Schulz
On Friday 08 February 2008 10:02, Aaron Kulkis wrote:
Randall R Schulz wrote:
...
Again, "tie closely to the OS" and "tied into the kernel" _are NOT the same thing_! You said IE code is in the kernel. I'm still not ready to believe that.
How can it be "tied closely to the OS" without being tied into the kernel.
In fact, every bit of software that does not run on a virtual machine is very much tied closely to the OS on which it runs. Only things like device drivers and file system modules are in the kernel (and even they need not be a part of the kernel per se). Randall Schulz
Randall R Schulz wrote:
How can it be "tied closely to the OS" without being tied into the kernel.
In fact, every bit of software that does not run on a virtual machine is very much tied closely to the OS on which it runs. Only things like device drivers and file system modules are in the kernel (and even they need not be a part of the kernel per se).
well... What Microsoft said is that the OS is tightly linked to IE, so they can't remove IE :-) and I've seen a *mouse* driver requiring IE as dependency... (I beg it was for the help system, but who knows :-)) discussion on the lack of security of windows is endless. and vista is funny on this respect. every single operation needs to be acknowledged twice by the user, so nobody reads the popup anymore, it could be "you are going to die", the user would click OK anyway :-)) jdd -- http://www.dodin.net
On Monday 11 February 2008 08:25:31 am jdd wrote:
Randall R Schulz wrote:
How can it be "tied closely to the OS" without being tied into the kernel.
In fact, every bit of software that does not run on a virtual machine is very much tied closely to the OS on which it runs. Only things like device drivers and file system modules are in the kernel (and even they need not be a part of the kernel per se).
Actually, Aaron (or whomever) is correct. Since '99 or so, in both NT and Win98/ME, the kernel handles many aspects of IE. IE6 cannot run in Vista since it has large chunks of code in the ntdll.dll file, which was wholly re-written for Vista. Is there actually code in krnl386.exe? I don't know.
well... What Microsoft said is that the OS is tightly linked to IE, so they can't remove IE :-)
and I've seen a *mouse* driver requiring IE as dependency... (I beg it was for the help system, but who knows :-))
discussion on the lack of security of windows is endless. and vista is funny on this respect. every single operation needs to be acknowledged twice by the user, so nobody reads the popup anymore, it could be "you are going to die", the user would click OK anyway :-))
You can remove that. I have it disabled on both my Vista machines. Go into control panel, do a search for uac and select "Turn User Account Control on or off." It will gripe at you a bit, but the annoying issue will go away. Not as elegant as openSUSE and certainly not ready to be a usable operating system, but this little bit helps.
Kai Ponte wrote:
Not as elegant as openSUSE and certainly not ready to be a usable operating system, but this little bit helps.
thanks. I won't spread this info, because this is one of my main arguments in favor of openSUSE :-)))) "openSUSE, the security without the hassle" jdd (and I use nearly never this other system, but who can buy a cheap laptop without paying M$???) -- http://www.dodin.net
jdd wrote:
| Kai Ponte wrote:
|> Not as elegant as openSUSE and certainly not ready to be a usable operating system, but this little bit helps.
| thanks. I won't spread this info, because this is one of my main arguments in favor of openSUSE :-))))
| "openSUSE, the security without the hassle"
| jdd (and I use nearly never this other system, but who can buy a cheap laptop without paying M$???)
Well, this becomes more and more possible, in the last time, year or so.., but not if you are very picky, and want brandnew hw. In Holland new laptops with ubuntu on it are sold... In Holland 2 years ago, there was a movement to get refund from M$, if windows would not be used on a laptop... I will find out what happened, I don't know if it bled to death....
-- Have a nice day, M9. Now, is the only time that exists. ~ OS: Linux 2.6.24-3-default x86_64 ~ Huidige gebruiker: monkey9@AMD64x2-sfn1 ~ Systeem: openSUSE 11.0 (x86_64) Alpha2 ~ KDE: 3.5.8 "release 39" ~ OS: Linux 2.6.22.16-0.2-default x86_64 ~ Huidige gebruiker: monkey9@AMD64x2-sfn1 ~ Systeem: openSUSE 10.3 (x86_64) ~ KDE: 3.5.7 "release 72.6"
Randall R Schulz wrote:
In fact, every bit of software that does not run on a virtual machine is very much tied closely to the OS on which it runs. Only things like device drivers and file system modules are in the kernel (and even they need not be a part of the kernel per se).
You're talking about the binary, right? After all, lots of software can be built for all kinds of OS'es which would mean they're not really tied to the OS, but once you've only got the binary, then yes, you're tied to an OS that has the right kind of loader etc. etc. /Per Jessen, Zürich -- http://www.spamchek.com/ - your spam is our business.
M9. wrote:
In Holland 2 years ago, there was a movement to get refund from M$, if windows would not be used on a laptop... I will find out what happened, I don't know if it bled to death....
It happened everywhere, but so far I only know of a guy in the UK who managed to get his money back (from Dell): http://news.bbc.co.uk/2/hi/technology/6144782.stm /Per Jessen, Zürich
Friday, 8 February 2008 Aaron Kulkis:
Do you actually understand how silly you sound to anyone who actually understands the Unix and Linux security model.
Hi Aaron, just a short follow-up: see http://nvd.nist.gov/nvd.cfm for stuff about Mozilla Firefox before 2.0.0.12. opensuse and you and me have 2.0.0.10. Ok, update rule. opensuse will catch up, probably within days, and everything is fine again. There's a gap though. Maybe try and not get phished in the meantime, Aaron? Wolfgang
On Monday 11 February 2008 12:47, Wolfgang Woehl wrote:
... Maybe try and not get phished in the meantime ...
The success of phishing scams requires extreme gullibility of the victim.
Wolfgang
Randall Schulz
Friday, 8 February 2008 Aaron Kulkis:
You see...the whole Unix security model PRESUMED that a user might (either unintentionally or intentionally) write and/or execute a run-away process which could be destructive. Write-permissions (or lack of them) prevent the process from doing damage to anything other than the user's own personal files.
Aaron, I'm taking the liberty to call your set of thinking "old-school" which has a positive side and a negative side. Bad news first: Immense lack of imagination wrt to possible scenarios. Immense. I don't mean to sound rude but you really need to read up on what is going on. For example all of web2.0 is one huge stress-test suite for a browser infrastructure. To take this lightly is ... well, I've already called it names ... But don't. Why would you? Do you audit? Good news: old-school tends to have all the tools ready to deal with the moving target "security on linux". So you stand a chance :) As I said, I'm taking liberties and I'm sure you will shoot back at me (in 1 week or something -- man, you should fix your email, this is like a trip back in time. This thread was _over_). But no hard feelings, all right? Wolfgang
On Monday 11 February 2008 13:11, Wolfgang Woehl wrote:
... For example all of web2.0 is one huge stress-test suite for a browser infrastructure. ...
This is true. It is an entirely different class of potential vulnerabilities and exploits. Many of them are of the cross-site scripting variety or injection exploits. But these are all fundamentally different in their means of execution and the locus of vulnerability. A browser that is 100% secure from buffer-overflow exploits including those in any plug-ins or other dynamically linked extensions and which has a perfect JavaScript implementation including the browser sandbox model can still expose one to these attacks. It is also the case that many of these vulnerabilities are equally present on Linux and Windows, since they originate in poorly crafted Web applications (either on the server side or in client-side JavaScript). There is virtually nothing an end user can do to protect against such exploits other than refrain from using that class of services (and that class includes all sorts of today's shiny new fun stuff on the Web, from Amazon.com and eBay to FaceBook, MySpace and Flickr and more). If I read between your lines to say "we ain't seen the half of the catastrophes Web 2.0 software will ultimately cause," I'm afraid you're right.
...
Wolfgang
Randall Schulz
Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Aaron Kulkis:
Do you actually understand how silly you sound to anyone who actually understands the Unix and Linux security model.
Hi Aaron, just a short follow-up: see http://nvd.nist.gov/nvd.cfm for stuff about Mozilla Firefox before 2.0.0.12.
opensuse and you and me have 2.0.0.10. Ok, update rule. opensuse will catch up, probably within days, and everything is fine again. There's a gap though. Maybe try and not get phished in the meantime, Aaron?
Which is why I never use FF or TB as provided in openSUSE but always install the ones directly from Mozilla. Ciao. -- If you want to know what a man is like, take a look at how he treats his inferiors not his equals.
Basil Chupin wrote:
Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Aaron Kulkis:
Do you actually understand how silly you sound to anyone who actually understands the Unix and Linux security model.
Hi Aaron, just a short follow-up: see http://nvd.nist.gov/nvd.cfm for stuff about Mozilla Firefox before 2.0.0.12.
opensuse and you and me have 2.0.0.10. Ok, update rule. opensuse will catch up, probably within days, and everything is fine again. There's a gap though. Maybe try and not get phished in the meantime, Aaron?
Which is why I never use FF or TB as provided in openSUSE but always install the ones directly from Mozilla.
I use suse packages whenever available, but out of curiosity, how does installing an unmanaged tarball help? Joe
On Tuesday 12 February 2008, Joe Sloan wrote:
Basil Chupin wrote:
Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Aaron Kulkis:
Do you actually understand how silly you sound to anyone who actually understands the Unix and Linux security model.
Hi Aaron, just a short follow-up: see http://nvd.nist.gov/nvd.cfm for stuff about Mozilla Firefox before 2.0.0.12.
opensuse and you and me have 2.0.0.10. Ok, update rule. opensuse will catch up, probably within days, and everything is fine again. There's a gap though. Maybe try and not get phished in the meantime, Aaron?
Which is why I never use FF or TB as provided in openSUSE but always install the ones directly from Mozilla.
I use suse packages whenever available, but out of curiosity, how does installing an unmanaged tarball help?
Unmanaged? It will update automatically. Tero Pesonen
Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Aaron Kulkis:
Do you actually understand how silly you sound to anyone who actually understands the Unix and Linux security model.
Hi Aaron, just a short follow-up: see http://nvd.nist.gov/nvd.cfm for stuff about Mozilla Firefox before 2.0.0.12.
opensuse and you and me have 2.0.0.10. Ok, update rule. opensuse will catch up, probably within days, and everything is fine again. There's a gap though. Maybe try and not get phished in the meantime, Aaron?
I've never been phished, because I'm not stupid enough to believe that my bank is smart enough to notify me that an "unauthorized transaction" has occurred, but still stupid enough to actually carry out the transaction. They're either smart, or stupid, but not both at the same time.
Wolfgang
Joe Sloan wrote:
Basil Chupin wrote:
Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Aaron Kulkis:
Do you actually understand how silly you sound to anyone who actually understands the Unix and Linux security model.
Hi Aaron, just a short follow-up: see http://nvd.nist.gov/nvd.cfm for stuff about Mozilla Firefox before 2.0.0.12.
opensuse and you and me have 2.0.0.10. Ok, update rule. opensuse will catch up, probably within days, and everything is fine again. There's a gap though. Maybe try and not get phished in the meantime, Aaron?
Which is why I never use FF or TB as provided in openSUSE but always install the ones directly from Mozilla.
I use suse packages whenever available, but out of curiosity, how does installing an unmanaged tarball help?
I just download and ungzip/untar in /local, run the installer script and install in /opt. I really don't give a hoot about the browser RPM's, other than having something to go to the Mozilla website to IMMEDIATELY download the latest release.
Joe Sloan wrote:
Basil Chupin wrote:
Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Aaron Kulkis:
Do you actually understand how silly you sound to anyone who actually understands the Unix and Linux security model.
Hi Aaron, just a short follow-up: see http://nvd.nist.gov/nvd.cfm for stuff about Mozilla Firefox before 2.0.0.12.
opensuse and you and me have 2.0.0.10. Ok, update rule. opensuse will catch up, probably within days, and everything is fine again. There's a gap though. Maybe try and not get phished in the meantime, Aaron?
Which is why I never use FF or TB as provided in openSUSE but always install the ones directly from Mozilla.
I use suse packages whenever available, but out of curiosity, how does installing an unmanaged tarball help?
I don't understand what you mean by "unmanaged"? If you mean that there is no Suse around to hold your hand in keeping the FF installation going then you need not worry! FF updates itself when Mozilla releases a new upgrade/update/whatever you want to call it. Also, any addons auto-date as well. Ciao. -- If you want to know what a man is like, take a look at how he treats his inferiors not his equals.
Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Aaron Kulkis:
You see...the whole Unix security model PRESUMED that a user might (either unintentionally or intentionally) write and/or execute a run-away process which could be destructive. Write-permissions (or lack of them) prevent the process from doing damage to anything other than the user's own personal files.
Aaron, I'm taking the liberty to call your set of thinking "old-school" which has a positive side and a negative side.
Bad news first: Immense lack of imagination wrt to possible scenarios. Immense.
Have you ever actually written an operating system? I actually had to do such a thing ...writing a multi-user, multi-tasking OS on a lowly 8-bit Motorola 6809 as an undergraduate at Purdue University. You learn a hell of a lot very quickly doing such a thing.
I don't mean to sound rude but you really need to read up on what is going on. For example all of web2.0 is one huge stress-test suite for a browser infrastructure. To take this lightly is ... well, I've already called it names ... But don't. Why would you? Do you audit?
As a professional Unix Systems Engineer who has spent most of my career working at fortune 500 corporations, believe me, I keep up on security issues.
Good news: old-school tends to have all the tools ready to deal with the moving target "security on linux". So you stand a chance :)
That's because we actually UNDERSTAND what the hell is going on inside the computer...on the CPU-register level if need be. There was a time when I used to write in C, but debug in the assembly code produced by the compiler. I eventually reached the point where I could write the assembly code produced by the compiler. A friend and I used to challenge each other with weird-but-legal C code to see who could stump the other by writing some code for which the other could not produce (from his own head) the assembly code which would be produced by the compiler.
As I said, I'm taking liberties and I'm sure you will shoot back at me (in 1 week or something -- man, you should fix your email, this is like a trip back in time. This thread was _over_). But no hard feelings, all right?
Sorry about that. I'm migrating stuff. It should be fixed soon.
Wolfgang
* Basil Chupin
I don't understand what you mean by "unmanaged"?
If you mean that there is no Suse around to hold your hand in keeping the FF installation going then you need not worry! FF updates itself when Mozilla releases a new upgrade/update/whatever you want to call it. Also, any addons auto-date as well.
But doesn't include the enhancements provided by the openSUSE packagers :^( -- Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://counter.li.org
Basil Chupin wrote:
Joe Sloan wrote:
Basil Chupin wrote:
Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Aaron Kulkis:
Do you actually understand how silly you sound to anyone who actually understands the Unix and Linux security model.
Hi Aaron, just a short follow-up: see http://nvd.nist.gov/nvd.cfm for stuff about Mozilla Firefox before 2.0.0.12.
opensuse and you and me have 2.0.0.10. Ok, update rule. opensuse will catch up, probably within days, and everything is fine again. There's a gap though. Maybe try and not get phished in the meantime, Aaron?
Which is why I never use FF or TB as provided in openSUSE but always install the ones directly from Mozilla.
I use suse packages whenever available, but out of curiosity, how does installing an unmanaged tarball help?
I don't understand what you mean by "unmanaged"?
It means unmanaged. Suse (like most distros) has a package management system, which carries definite benefits. If you remove the carefully prepared package and replace it with an unpackaged tarball, the package management system knows nothing about it.
If you mean that there is no Suse around to hold your hand in keeping the FF installation going then you need not worry! FF updates itself when Mozilla releases a new upgrade/update/whatever you want to call it. Also, any addons auto-date as well.
My experience has been that the tarballs have rough edges - jagged fonts, lack of certain features that the suse packages have, other little details. I suppose if there were a serious security emergency, you could temporarily run a download install in /usr/local until an updated package is installed. Then again, I tend not to go entering my credentials at random URLs included in spam claiming to be from my bank, so it's not exactly an emergency for me. Joe
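An added example, not part of any message in this thread: what "the package management system knows nothing about it" means for a patch audit, where a tarball install has to be inventoried separately from the RPM database. It assumes each install directory holds an application.ini with a Version= line (as current Mozilla tarballs do); the directory names and file contents are constructed sample data, and 2.0.0.12 is the fixed release named in the thread.

```shell
#!/bin/sh
# Added example: list browser installs the RPM database does not know about
# and flag those older than the fixed release. The sample tree is constructed.

FIXED_VERSION="2.0.0.12"   # fixed Firefox release named in the thread

# version_lt A B: succeed when dotted numeric version A is older than B.
version_lt() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*}; y=${vb%%.*}
        if [ "$va" = "$x" ]; then va=""; else va=${va#*.}; fi
        if [ "$vb" = "$y" ]; then vb=""; else vb=${vb#*.}; fi
        x=${x:-0}; y=${y:-0}          # a missing component counts as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1                          # equal versions are not "older"
}

# tarball_version DIR: print the Version= value from DIR/application.ini
# (assumed layout), or nothing when the file is absent.
tarball_version() {
    [ -f "$1/application.ini" ] || return 0
    sed -n 's/^Version=\([0-9.][0-9.]*\).*$/\1/p' "$1/application.ini" | head -n 1
}

# owner_of PATH: print the owning RPM package name, or "unmanaged" when the
# RPM database has no record of PATH (or rpm is not installed on this host).
owner_of() {
    if command -v rpm >/dev/null 2>&1 &&
       pkg=$(rpm -qf --qf '%{NAME}\n' "$1" 2>/dev/null); then
        printf '%s\n' "$pkg"
    else
        printf 'unmanaged\n'
    fi
}

# audit_dirs DIR...: one line per install found:
#   <dir> <version> <owner> <ok|OUTDATED>
audit_dirs() {
    for dir in "$@"; do
        ver=$(tarball_version "$dir")
        [ -n "$ver" ] || continue     # not a recognisable install
        if version_lt "$ver" "$FIXED_VERSION"; then
            state=OUTDATED
        else
            state=ok
        fi
        printf '%s %s %s %s\n' "$dir" "$ver" \
            "$(owner_of "$dir/application.ini")" "$state"
    done
}

# make_sample_tree: build a constructed /opt-style tree in a temp directory
# and print its root. Nothing outside the temp directory is touched.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    for v in 2.0.0.10 2.0.0.12; do
        mkdir -p "$root/opt/firefox-$v"
        printf '[App]\nName=Firefox\nVersion=%s\n' "$v" \
            > "$root/opt/firefox-$v/application.ini"
    done
    mkdir -p "$root/opt/not-a-browser"
    printf '%s\n' "$root"
}

# Demo run on the constructed tree.
sample_root=$(make_sample_tree)
audit_dirs "$sample_root"/opt/*
rm -rf "$sample_root"
```

On a real host, pass the actual install directories (for example the /opt or /usr/local paths mentioned in the thread) to audit_dirs; anything reported as unmanaged will never be touched by the distribution's update channel.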
Joe Sloan wrote:
Basil Chupin wrote:
Joe Sloan wrote:
Basil Chupin wrote:
Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Aaron Kulkis:
Do you actually understand how silly you sound to anyone who actually understands the Unix and Linux security model.
Hi Aaron, just a short follow-up: see http://nvd.nist.gov/nvd.cfm for stuff about Mozilla Firefox before 2.0.0.12.
opensuse and you and me have 2.0.0.10. Ok, update rule. opensuse will catch up, probably within days, and everything is fine again. There's a gap though. Maybe try and not get phished in the meantime, Aaron?
Which is why I never use FF or TB as provided in openSUSE but always install the ones directly from Mozilla.
I use suse packages whenever available, but out of curiosity, how does installing an unmanaged tarball help?
I don't understand what you mean by "unmanaged"?
It means unmanaged. Suse (like most distros) has a package management system, which carries definite benefits. If you remove the carefully prepared package and replace it with an unpackaged tarball, the package management system knows nothing about it.
I always install seamonkey in /opt/seamonkey[version_number.rev] and then
    # cd /opt
    # ln -s seamonkey[version_number.rev] seamonkey
EVERYTHING is installed within that directory. Removal means:
    rm /local/download/seamonkey*tar.gz
    rm -rf /opt/seamonkey[whatever_version_number]
Firefox, Thunderbird and Sunbird are similar. Seriously, no package management is needed for stock installs from the Mozilla site *IF* you set the installation directory to /usr/local/appname.version_number or /opt/appname.version_number
If you mean that there is no Suse around to hold your hand in keeping the FF installation going then you need not worry! FF updates itself when Mozilla releases a new upgrade/update/whatever you want to call it. Also, any addons auto-date as well.
My experience has been that the tarballs have rough edges - jagged fonts,
HUH???? The tarballs don't need any fonts..they use the fonts already installed on your system.
lack of certain features that the suse packages have, other little details. I suppose if there were a serious security emergency, you could temporarily run a download install in /usr/local until an updated package is installed. Then again, I tend not to go entering my credentials at random URLs included in spam claiming to be from my bank, so it's not exactly an emergency for me.
Ditto. Especially not: http:/www.mybank.com.some_country_on_some_other_continent/login
Patrick Shanahan wrote:
* Basil Chupin [02-11-08 22:49]:
I don't understand what you mean by "unmanaged"?
If you mean that there is no Suse around to hold your hand in keeping the FF installation going then you need not worry! FF updates itself when Mozilla releases a new upgrade/update/whatever you want to call it. Also, any addons auto-date as well.
But doesn't include the enhancements provided by the openSUSE packagers :^(
OK, I'll bite! What 'enhancements' are provided by openSUSE? (I can see your tongue-in-cheek :-) .) Ciao. -- If you want to know what a man is like, take a look at how he treats his inferiors not his equals.
On Monday 11 February 2008 08:59:05 pm Basil Chupin wrote:
Patrick Shanahan wrote:
* Basil Chupin [02-11-08 22:49]:
I don't understand what you mean by "unmanaged"?
If you mean that there is no Suse around to hold your hand in keeping the FF installation going then you need not worry! FF updates itself when Mozilla releases a new upgrade/update/whatever you want to call it. Also, any addons auto-date as well.
But doesn't include the enhancements provided by the openSUSE packagers :^(
OK, I'll bite!
What 'enhancements' are provided by openSUSE?
(I can see your tongue-in-cheek :-) .)
Stupid question - but... ..if you wanted to roll your own version of software_x, and still have it in the package management system, then couldn't one compile said software and then use checkinstall to create an RPM? Then if an update comes out wouldn't that then work nice with the <insert distro here> package management system?
Joe Sloan wrote:
Basil Chupin wrote:
Joe Sloan wrote:
Basil Chupin wrote:
Wolfgang Woehl wrote:
Freitag, 8. Februar 2008 Aaron Kulkis:
Do you actually understand how silly you sound to anyone who actually understands the Unix and Linux security model.
Hi Aaron, just a short follow-up: see http://nvd.nist.gov/nvd.cfm for stuff about Mozilla Firefox before 2.0.0.12.
opensuse and you and me have 2.0.0.10. Ok, update rule. opensuse will catch up, probably within days, and everything is fine again. There's a gap though. Maybe try and not get phished in the meantime, Aaron?
Which is why I never use FF or TB as provided in openSUSE but always install the ones directly from Mozilla.
I use suse packages whenever available, but out of curiosity, how does installing an unmanaged tarball help?
I don't understand what you mean by "unmanaged"?
It means unmanaged. Suse (like most distros) has a package management system, which carries definite benefits.
Such as?
If you remove the carefully prepared package and replace it with an unpackaged tarball, the package management system knows nothing about it.
Which means...?
If you mean that there is no Suse around to hold your hand in keeping the FF installation going then you need not worry! FF updates itself when Mozilla releases a new upgrade/update/whatever you want to call it. Also, any addons auto-date as well.
My experience has been that the tarballs have rough edges - jagged fonts, lack of certain features that the suse packages have, other little details.
As far as I am aware, suse don't go fooling around with 'jagged fonts' and such. And what do you think are the "certain features" which may be lacking but provided in the suse packages? I am not aware that suse is in the business of re-writing packages such as Firefox or Thunderbird.
I suppose if there were a serious security emergency, you could temporarily run a download install in /usr/local until an updated package is installed.
What you say sounds most reasonable. However, most of the people using a Linux distro are reliant on the distro provider to come up with a 'fixed' version in the form of an RPM or variation. Today, in my part of the world, it is 12 Feb 2008 and there is still no sign of a fixed openSUSE version of Firefox, but on the 8 Feb 2008 I was able to install FF with the security fix to version 2.0.0.12. (Before you, or anyone, notices, I downloaded the fixed FF, according to the file properties in my directory, on 8 Feb but my wife tells me that her copy of FF was auto-updated, 'A couple of days ago I think, I cannot remember exactly when' - meaning that I either downloaded the latest version just before it would have auto-updated or I wasn't paying attention and downloaded it even though I had already allowed it to be upgraded - memory...memory.... :-( .)
Then again, I tend not to go entering my credentials at random URLs included in spam claiming to be from my bank, so it's not exactly an emergency for me.
Which is *almost* the exact wording used by my friends to justify their inaction, or "devil-may-care" attitude, when I mention security to them about what they use to access the Internet! (I know that I am p*****g against the wind with them, but I keep persisting - have been for years now, but I cannot give up hope. I am a masochist, I admit it.) Ciao. -- If you want to know what a man is like, take a look at how he treats his inferiors not his equals.
Hi, Basil Chupin wrote:
And what do you think are the "certain features" which may be lacking but provided in the suse packages? I am not aware that suse is in the business of re-writing packages such as Firefox or Thunderbird.
First of all the Firefox 2.0.0.12 update arrived at least in the buildservice at about the same time as anywhere else in the web. Even if you are free to use whatever you want there are a few changes in the SUSE version of Firefox 2.x. Some of them might not be of interest for you but still it is "better distribution integration":
- Tango theme is prepackaged and used under Gnome
- added some search providers
- changed default bookmarks
- support X11 session management (better)
- using locale from the environment
- support for lockdown mode
- support commandline args for helper apps
- get network status from NetworkManager
- supports startup notification
- use supported and default paper sizes from CUPS printers
- being able to use system proxy settings
- some other general bugfixes which are not upstream integrated
- pango font rendering support
- seamless integration with distribution provided plugins/extensions
- pulls in installed dictionaries automatically
Wolfgang
Kai Ponte wrote:
On Monday 11 February 2008 08:59:05 pm Basil Chupin wrote:
Patrick Shanahan wrote:
* Basil Chupin [02-11-08 22:49]:
I don't understand what you mean by "unmanaged"?
If you mean that there is no Suse around to hold your hand in keeping the FF installation going then you need not worry! FF updates itself when Mozilla releases a new upgrade/update/whatever you want to call it. Also, any addons auto-date as well.
But doesn't include the enhancements provided by the openSUSE packagers :^(
OK, I'll bite!
What 'enhancements' are provided by openSUSE?
(I can see your tongue-in-cheek :-) .)
Stupid question - but...
I absolutely resent your statement. What I have no time for are smart-arses who consider themselves to be in the category you consider yourself to be.
..if you wanted to roll your own version of software_x, and still have it in the package management system, then couldn't one compile said software and then use checkinstall to create an RPM?
Then if an update comes out wouldn't that then work nice with the <insert distro here> package management system?
You haven't been reading what has been stated in this thread, have you? Jesus, talk about arseholes...... Sorry, Kai but until now I did have respect for you about what you stated in this forum. -- If you want to know what a man is like, take a look at how he treats his inferiors not his equals.
Wolfgang Rosenauer wrote:
Hi,
Basil Chupin wrote:
And what do you think are the "certain features" which may be lacking but provided in the suse packages? I am not aware that suse is in the business of re-writing packages such as Firefox or Thunderbird.
First of all the Firefox 2.0.0.12 update arrived at least in the buildservice at about the same time as anywhere else in the web.
So, as a person who decided to switch to openSUSE and a new user, I am supposed to know via ISP that 'it' has arrived in the buildservice? - but doing so it did not replace my security-deficient version of FF and so left me vulnerable? Come on, please be reasonable and realise that there are big hassles which most people here keep overlooking or ignoring because it is politically incorrect or considered as being anti-suse or anti-linux.
Even if you are free to use whatever you want there are a few changes in the SUSE version of Firefox 2.x. Some of them might not be of interest for you but still it is "better distribution integration":
- Tango theme is prepackaged and used under Gnome
- added some search providers
- changed default bookmarks
- support X11 session management (better)
- using locale from the environment
- support for lockdown mode
- support commandline args for helper apps
- get network status from NetworkManager
- supports startup notification
- use supported and default paper sizes from CUPS printers
- being able to use system proxy settings
- some other general bugfixes which are not upstream integrated
- pango font rendering support
- seamless integration with distribution provided plugins/extensions
- pulls in installed dictionaries automatically
Wolfgang
Sorry, and I am not being offensive, but all the "reasons" you mention above are just lame and not relevant (to be polite) points. Take for example your claim that, "-use supported and default paper sizes from CUPS printers". I have little trouble with printing with my non-openSUSE version of FF to my printer(s). More, "Added some search providers". So what exactly is the big deal? One can add additional 'search providers' at any time without relying on Suse. In fact, I have *thrown out* most of the pre-installed search providers. I won't go through the rest of the list because the items are all questionable, sorry. Ciao. -- If you want to know what a man is like, take a look at how he treats his inferiors not his equals.
On Tue, Feb 12, 2008 at 07:18:49PM +1100, Basil Chupin wrote:
Wolfgang Rosenauer wrote:
Hi,
Basil Chupin wrote:
And what do you think are the "certain features" which may be lacking but provided in the suse packages? I am not aware that suse is in the business of re-writing packages such as Firefox or Thunderbird.
First of all the Firefox 2.0.0.12 update arrived at least in the buildservice at about the same time as anywhere else in the web.
So, as a person who decided to switch to openSUSE and a new user, I am supposed to know via ISP that 'it' has arrived in the buildservice? - but doing so it did not replace my security-deficient version of FF and so left me vulnerable?
Come on, please be reasonable and realise that there are big hassles which most people here keep overlooking or ignoring because it is politically incorrect or considered as being anti-suse or anti-linux.
As I already said, we are working on getting the updates out to the usual update channels. Ciao, Marcus
Basil Chupin wrote:
Wolfgang Rosenauer wrote:
First of all the Firefox 2.0.0.12 update arrived at least in the buildservice at about the same time as anywhere else in the web.
So, as a person who decided to switch to openSUSE and a new user, I am supposed to know via ISP that 'it' has arrived in the buildservice? - but doing so it did not replace my security-deficient version of FF and so left me vulnerable?
I don't know what you are talking about and I guess you don't either. Because if you _did_ so it would have replaced your older Firefox. And no, I don't expect new users to know about all the stuff around zypper and buildservice repos.
Come on, please be reasonable and realise that there are big hassles which most people here keep overlooking or ignoring because it is politically incorrect or considered as being anti-suse or anti-linux.
So what do you propose? To ship only a kernel and a glibc and let the user manage the rest? So please be _reasonable_ yourself.
Even if you are free to use whatever you want there are a few changes in the SUSE version of Firefox 2.x. Some of them might not be of interest for you but still it is "better distribution integration":
[...]
Sorry, and I am not being offensive, but all the "reasons" you mention above are just lame and not relevant (to be polite) points.
That's your personal opinion. Stop talking about as if it would be everyone's.
Take for example your claim that, "-use supported and default paper sizes from CUPS printers". I have little trouble with printing with my non-openSUSE version of FF to my printer(s).
Then be happy that it works for you out of the box.
More, "Added some search providers". So what exactly is the big deal? One can add additional 'search providers' at any time without relying on Suse. In fact, I have *thrown out* most of the pre-installed search providers.
That's again your personal opinion. Others have requested those in bugzilla.novell.com.
I won't go through the rest of the list because the items are all questionable, sorry.
It's most probably because you don't know what it is about but that stuff wasn't added out of fun but because it was reported as bug or requested as a feature request. I'll stop discussing this with you and let others decide if the changes are relevant to them or not. Wolfgang
Marcus Meissner wrote:
On Tue, Feb 12, 2008 at 07:18:49PM +1100, Basil Chupin wrote:
Wolfgang Rosenauer wrote:
Hi,
Basil Chupin wrote:
And what do you think are the "certain features" which may be lacking but provided in the suse packages? I am not aware that suse is in the business of re-writing packages such as Firefox or Thunderbird.
First of all the Firefox 2.0.0.12 update arrived at least in the buildservice at about the same time as anywhere else in the web.
So, as a person who decided to switch to openSUSE and a new user, I am supposed to know via ISP that 'it' has arrived in the buildservice? - but doing so it did not replace my security-deficient version of FF and so left me vulnerable?
Come on, please be reasonable and realise that there are big hassles which most people here keep overlooking or ignoring because it is politically incorrect or considered as being anti-suse or anti-linux.
As I already said, we are working on getting the updates out to the usual update channels.
Ciao, Marcus
As you would realise, Marcus, I am not downplaying your efforts - lord knows you have enough to contend with, and are working your butts off to keep the whole production going and on track. Ciao. -- If you want to know what a man is like, take a look at how he treats his inferiors not his equals.
Wolfgang Rosenauer wrote:
Basil Chupin wrote:
Wolfgang Rosenauer wrote:
First of all the Firefox 2.0.0.12 update arrived at least in the buildservice at about the same time as anywhere else in the web.
So, as a person who decided to switch to openSUSE and a new user, I am supposed to know via ISP that 'it' has arrived in the buildservice? - but doing so it did not replace my security-deficient version of FF and so left me vulnerable?
I don't know what you are talking about and I guess you don't either. Because if you _did_ so it would have replaced your older Firefox.
Ahem, but only within the last half-hour Marcus Meissner responded with the following words, "As I already said, we are working on getting the updates out to the usual update channels. Ciao, Marcus"
And no, I don't expect new users to know about all the stuff around zypper and buildservice repos.
Of course they don't.
Come on, please be reasonable and realise that there are big hassles which most people here keep overlooking or ignoring because it is politically incorrect or considered as being anti-suse or anti-linux.
So what do you propose? To ship only a kernel and a glibc and let the user manage the rest? So please be _reasonable_ yourself.
What you state does not in any way follow on from what I wrote.
Even if you are free to use whatever you want there are a few changes in the SUSE version of Firefox 2.x. Some of them might not be of interest for you but still it is "better distribution integration":
Sorry, and I am not being offensive, but all the "reasons" you mention above are just lame and not relevant (to be polite) points.
That's your personal opinion. Stop talking about as if it would be everyone's.
Where have I claimed that it was "everyone's" opinion? You are getting agitated - relax :-) . I am not going out of my way to stir you up and insult you.
Take for example your claim that, "-use supported and default paper sizes from CUPS printers". I have little trouble with printing with my non-openSUSE version of FF to my printer(s).
Then be happy that it works for you out of the box.
Sorry, but isn't the printing part of CUPS supposed to do just that: work "out of the box", and without any "fiddling" by openSUSE people in Firefox, of all places, to have this happen as a matter of course?
More, "Added some search providers". So what exactly is the big deal? One can add additional 'search providers' at any time without relying on Suse. In fact, I have *thrown out* most of the pre-installed search providers.
That's again your personal opinion. Others have requested those in bugzilla.novell.com.
Jesus! How reliant on being hand-fed have some people become! Simply click on the down-arrow next to the entry appearing in the "search" window in the taskbar and select 'Manage Search Engines...' and you can add to your heart's desire all the search engines available! And people have been asking for this in bugzilla.novell.com?! No wonder that poor Marcus and colleagues have been run off their feet spending time answering requests for this sort of tripe :-( .
I won't go through the rest of the list because the items are all questionable, sorry.
It's most probably because you don't know what it is about but that stuff wasn't added out of fun but because it was reported as bug or requested as a feature request.
Right - see my comment above.
I'll stop discussing this with you and let others decide if the changes are relevant to them or not.
No problemo. And I quite understand, and accept, your comment. Ciao -- If you want to know what a man is like, take a look at how he treats his inferiors not his equals.
Kai Ponte wrote:
On Monday 11 February 2008 08:59:05 pm Basil Chupin wrote:
Patrick Shanahan wrote:
* Basil Chupin
[02-11-08 22:49]: I don't understand what you mean by "unmanaged"?
If you mean that there is no Suse around to hold your hand in keeping the FF installation going then you need not worry! FF updates itself when Mozilla releases a new upgrade/update/whatever you want to call it. Also, any addons auto-date as well.
But doesn't include the enhancements provided by the openSUSE packagers :^(
OK, I'll bite!
What 'enhancements' are provided by openSUSE?
(I can see your tongue-in-cheek :-) .)
Stupid question - but...
..if you wanted to roll your own version of software_x, and still have it in the package management system, then couldn't one compile said software and then use checkinstall to create an RPM?
Then if an update comes out wouldn't that then work nice with the <insert distro here> package management system?
Aaargh!
Aaron Kulkis wrote:
| Again, the most serious problem here is loss of data, which should be backed up anyways. It's NOT going to corrupt your system and force a whole reformat+install+configure like on Windows.
|
| There's no BENEFIT to writing malware that attacks a USER ACCOUNT on a Linux or Unix machine.
I once installed cli from avast (gui did not work at that time). I let it search all disks... The only place where viruses were found: Exactly: the windows partitions...
-- Have a nice day, M9. Now, is the only time that exists.
~ OS: Linux 2.6.24-3-default x86_64 ~ Current user: monkey9@AMD64x2-sfn1 ~ System: openSUSE 11.0 (x86_64) Alpha2 ~ KDE: 3.5.8 "release 39"
~ OS: Linux 2.6.22.16-0.2-default x86_64 ~ Current user: monkey9@AMD64x2-sfn1 ~ System: openSUSE 10.3 (x86_64) ~ KDE: 3.5.7 "release 72.6"
Aaron Kulkis wrote:
James Knott wrote:
[pruned]
I don't think running Windows XP on a desktop securely is rocket science. My parents have pulled off such a feat -- they've never had any security issues, and of the people I know, they are the least computer literate. My brother is now on OS X, but not because of security issues. He just wanted a better computer with a better OS than what his XP-powered Wintel box was.
Do they run as admin or user? Do they have any applications that force them to run as admin?
XP PRO *insists* that someone be an 'assistant Administrator' and the first user who is created after the Admin is assigned Admin rights. The thinking here, it seems to me, is that if the Admin gets run over by a bus then the 'assistant admin' has full access to the OS. That is the way I saw/see it - but I may be wrong. But being a 'normal' user on XP is really a big pain in the arse because you cannot install any new software, or do some maintenance, unless you have Admin rights. Which is why many home users simply run the OS in Admin user mode - even if they know what this means. [pruned]
"Security" in Windows comes from patching a sieve.
More specifically, replacing one section of permeable wire mesh with a new section of permeable wire mesh -- BY DESIGN.
The many back-doors in Windows are *NOT* accidental.
Which brings up a very important question requiring an honest answer. The matter of Windows having deliberate in-built backdoors has been mooted for quite some time.
A number of Windows applications claiming to be Firewalls which not only prevent INBOUND access into the system also claim to prevent *OUTBOUND* unauthorised access to the Internet by applications. ZoneAlarm, for example, is one such security application. (I won't go into the details of who owns, or is associated with the company which actually owns, ZoneAlarm but it may be indirectly relevant to this topic of "back-doors" in Windows.)
How does, say, such a well known security firewall application as ZoneAlarm handle the back-door issue which is inbuilt into Windows' applications? Is ZoneAlarm, and similar, capable of preventing back-door traffic, both inbound and outbound, inbuilt into Windows systems?
About 3 years ago (I have the messages somewhere on file) a person (?programmer) found that ZoneAlarm was "reporting" back to ZA servers about the system they were installed on and ZA, of course, claimed that it was a "coding" glitch; there was a fix (I asked the reporter for "The Inquirer" to publish the 'fix') and the "glitch" was fixed.
But, in the real world, what do ZA et alia do to handle the inbuilt back-doors in Windows (put there, I have read, at the request of the American Intelligence Agencies - which is one of the reasons why the Chinese government won't touch Windows with a 10-foot barge pole. And I am *NOT* trying to introduce politics into this discussion!)
This is not simply a MS related question, and therefore may be considered by some to be OT, but what MS, et alia, is forced to do may also be relevant to what pressures OSs such as openSUSE may be subjected to.
Dunno, just asking.... Ciao.
-- If you want to know what a man is like, take a look at how he treats his inferiors not his equals.
Aaron Kulkis wrote:
| James Knott wrote:
|> Basil Chupin wrote:
|>> The need to create a normal, limited access, user in XP Professional is not something which is enforced in Professional which is why, I understand, most XP Prof. setups are being run by a home user with full Admin. rights. I cannot see why the Home edition should be more security conscious than the Professional edition, and also cost much less, unless SP1 and SP2 introduced the ability to create limited-access users in the Home edition.
|>
|> I believe both versions work the same. The first account has admin rights and many people don't go beyond that to create users with restricted rights. They simply don't realize the difference between admin and user.
|
| Which is caused by Microsoft not making the default name something like "admin", and prompting the user to come up with their own name for the "first account" which the uninformed person is, more often than not, going to name after themselves, as a personal account (because MS doesn't tell them that it's NOT a personal account).
It did in W2K...
-- Have a nice day, M9. Now, is the only time that exists.
~ OS: Linux 2.6.24-3-default x86_64 ~ Current user: monkey9@AMD64x2-sfn1 ~ System: openSUSE 11.0 (x86_64) Alpha2 ~ KDE: 3.5.8 "release 39"
~ OS: Linux 2.6.22.16-0.2-default x86_64 ~ Current user: monkey9@AMD64x2-sfn1 ~ System: openSUSE 10.3 (x86_64) ~ KDE: 3.5.7 "release 72.6"
Aaron Kulkis wrote:
G T Smith wrote:
Kai Ponte wrote:
On Friday 08 February 2008 08:55:22 am Mike wrote:
On Friday 08 February 2008 17:31, G T Smith wrote:
J
<snip>
They didn't actually combine VMS, just used the main developer. For that, they paid royally later and ended up supporting DEC Alpha machines for many years. I had several customers running Alpha machines with WinNT on board.
Curious, a lot of the naming internals in NT3/NT4 were very close to those in VAX/VMS ....
There was no NT-3
Windows 3.x consisted of Windows 3.1, Windows for Workgroups (3.11), and Windows 95 and 98 (aka Windows 32x)
Windows NT is Windows 4.0
Windows 2000 is Windows 5.0
Windows XP is Windows 6.0
Windows Vista is Windows 7.0
That was the influence of Dave Cutler, who was hired from DEC.
What happened to Windows NT 3.1 & 3.5? -- Use OpenOffice.org http://www.openoffice.org
On 02/12/2008 04:40 PM, Wolfgang Rosenauer wrote:
It's most probably because you don't know what it is about but that stuff wasn't added out of fun but because it was reported as bug or requested as a feature request.
I'll stop discussing this with you and let others decide if the changes are relevant to them or not.
Just want you to know I really appreciate your tweaks to Firefox, and the speed you got 2.0.0.12 ready to go in the build service. I don't understand the ranting going on, Basil must have had a bad day. Thanks for your hard work on some frequently changing packages. -- Joe Morris Registered Linux user 231871 running openSUSE 10.3 x86_64
Joe Morris wrote:
On 02/12/2008 04:40 PM, Wolfgang Rosenauer wrote:
It's most probably because you don't know what it is about but that stuff wasn't added out of fun but because it was reported as bug or requested as a feature request.
I'll stop discussing this with you and let others decide if the changes are relevant to them or not.
Just want you to know I really appreciate your tweaks to Firefox, and the speed you got 2.0.0.12 ready to go in the build service. I don't understand the ranting going on, Basil must have had a bad day. Thanks for your hard work on some frequently changing packages.
No, sorry I have not had a "bad day".
I have the Build Service as a repository for zyppo to work with. zyppo did not notify me that there was an upgrade to FF. The information came from elsewhere (can't quite remember from where but it certainly was NOT from zyppo). And, as I said, my wife said that FF notified her that there was an upgrade and she elected to have the upgrade install itself. zyppo, or anything Suse, had anything to do with it.
In fact, just had a look at what YaST software management (aka zyppo) shows- and it shows that FF v2.0.0.10-0.1 (dated Wed 28 Nov 2007) is available for installation. But I am running v2.0.0.12 which I obtained directly from Mozilla.org.
Oh! As I also use smart, smart is also showing that the latest FF available for installation is 2.0.0.10-0.1.
So, please, don't say that I "had a bad day".
Ciao. -- If you want to know what a man is like, take a look at how he treats his inferiors not his equals.
* Basil Chupin
No, sorry I have not had a "bad day".
I have the Build Service as a repository for zyppo to work with. zyppo did not notify me that there was an upgrade to FF. The information came from elsewhere (can't quite remember from where but it certainly was NOT from zyppo). And, as I said, my wife said that FF notified her that there was an upgrade and she elected to have the upgrade install itself. zyppo, or anything Suse, had anything to do with it.
In fact, just had a look at what YaST software management (aka zyppo) shows- and it shows that FF v2.0.0.10-0.1 (dated Wed 28 Nov 2007) is available for installation. But I am running v2.0.0.12 which I obtained directly from Mozilla.org.
Oh! As I also use smart, smart is also showing that the latest FF available for installation is 2.0.0.10-0.1.
So, please, don't say that I "had a bad day".
ok, your day was not of *good* quality :^)
smart installed:
wahoo:~ # rpm -q --last MozillaFirefox
MozillaFirefox-2.0.0.12-2.2 Sun Feb 10 08:47:16 2008
and the time is gmt-5
-- Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://counter.li.org
On 02/12/2008 10:19 PM, Patrick Shanahan wrote:
* Basil Chupin
[02-12-08 09:13]: No, sorry I have not had a "bad day".
I have the Build Service as a repository for zyppo to work with. zyppo did not notify me that there was an upgrade to FF.
It only notifies of security updates, not every repository. If it notified me every time something rebuilt in all the repositories I have added, that would give ME a bad day. :-)
The information came from elsewhere (can't quite remember from where but it certainly was NOT from zyppo). And, as I said, my wife said that FF notified her that there was an upgrade and she elected to have the upgrade install itself. zyppo, or anything Suse, had anything to do with it.
But since the opensuse firefox installs for all users, and therefore in root only writable locations, firefox telling you to update would be useless (or even worse annoying), assuming you do NOT run firefox as root.
In fact, just had a look at what YaST software management (aka zyppo) shows- and it shows that FF v2.0.0.10-0.1 (dated Wed 28 Nov 2007) is available for installation. But I am running v2.0.0.12 which I obtained directly from Mozilla.org.
Do you have the mozilla repository set to refresh, because yours is way out of sync.
Oh! As I also use smart, smart is also showing that the latest FF available for installation is 2.0.0.10-0.1.
So, please, don't say that I "had a bad day".
ok, your day was not of *good* quality :^)
smart installed:
wahoo:~ # rpm -q --last MozillaFirefox
MozillaFirefox-2.0.0.12-2.2 Sun Feb 10 08:47:16 2008
and the time is gmt-5
joe@jmorris:~> rpm -q --last MozillaFirefox
MozillaFirefox-2.0.0.12-2.1 Sat 09 Feb 2008 07:22:36 AM PHT
What took you so long Patrick? ;-) BTW, I looked because of a security bulletin that mentioned the update. I was pleasantly surprised at how quickly it was available, not sure what is going on with Basil's system.
-- Joe Morris Registered Linux user 231871 running openSUSE 10.3 x86_64
Basil Chupin wrote:
Kai Ponte wrote:
On Monday 11 February 2008 08:59:05 pm Basil Chupin wrote:
OK, I'll bite!
What 'enhancements' are provided by openSUSE?
(I can see your tongue-in-cheek :-) .)
Stupid question - but...
..if you wanted to roll your own version of software_x, and still have it in the package management system, then couldn't one compile said software and then use checkinstall to create an RPM?
Then if an update comes out wouldn't that then work nice with the <insert distro here> package management system?
Aaargh!
Kai, my sincere apologies for my earlier response.
I misread what you wrote and took it the wrong way.
Again, my sincere apologies.
Yes, I guess what you stated in your response is correct. One could roll an RPM from a tarball from Mozilla.org and install it.
Only difference is that the tarball would need to be somehow altered to make it install in the default location where openSUSE normally installs FF.
I always simply untar the tarball and "install" (ie, replace the /mozilla directory ) FF in my home directory - because I am the only user of my system. What one would need to do to have it available for multiple users of the OS I cannot say.
The proper place is /usr/local or /opt -- just in case you allow other users on your system, or eventually get a job doing administration/systems engineering, then you're already in the habit of putting stuff in the right place.
James Knott wrote:
Aaron Kulkis wrote:
G T Smith wrote:
Kai Ponte wrote:
On Friday 08 February 2008 08:55:22 am Mike wrote:
On Friday 08 February 2008 17:31, G T Smith wrote:
J <snip>
They didn't actually combine VMS, just used the main developer. For that, they paid royally later and ended up supporting DEC Alpha machines for many years. I had several customers running Alpha machines with WinNT on board.
Curious, a lot of the naming internals in NT3/NT4 were very close to those in VAX/VMS ....
There was no NT-3
Windows 3.x consisted of Windows 3.1, Windows for Workgroups (3.11), and Windows 95 and 98 (aka Windows 32x)
Windows NT is Windows 4.0
Windows 2000 is Windows 5.0
Windows XP is Windows 6.0
Windows Vista is Windows 7.0
That was the influence of Dave Cutler, who was hired from DEC.
What happened to Windows NT 3.1 & 3.5?
The first version of NT was Windows 4.0. For Windows 3.5, see the line Windows 3.x
On Friday 08 February 2008 11:53, Aaron Kulkis wrote:
Wolfgang Woehl wrote:
Aaron Kulkis:
Other than *very* *old*, uncorrected code with buffer-overflow vulnerabilities, due to calls to strcat(3) instead of strncat(3), and similar pitfalls which are now very well understood since the first use in the 1987 Morris Worm, you have to provide some hard documentation (i.e. code sections) to make your point here.
Aaron, buffer-overflows were a problem because applications can do pretty much anything.
No, they can't.
Programs can pretty much do what the object code files tell them to do. And nothing more.
That was one of the points I kept trying to make, but there is one exception:
You'll note in the description of buffer overflow vulnerabilities that accompany the patches that fix them it usually says something like "carefully crafted inputs could in principle allow an attacker to execute arbitrary code."
This is because if the attacker can put just the right stuff in the local buffer that can overflow (*) so as to replace the return address recorded in the stack frame to point into the buffer itself at a point where the nefarious binary instructions reside. Then, when the subroutine returns, instead of going back to its caller, it executes the attacker's code.
As you can see, this is tricky business and exploits have to be crafted for specific applications or libraries where unchecked buffers get filled from input received over the network (image data and the code that processes it have been the vector for many vulnerabilities exposed over the past few years).
(*) It has to be in an activation record / stack frame, since overflowing a buffer in the data area can't change the code no matter how far it overflows 'cause the instruction text is shared and unwritable in virtually all modern Linux / Unix applications.
Randall Schulz
Randall R Schulz wrote:
On Friday 08 February 2008 11:53, Aaron Kulkis wrote:
Wolfgang Woehl wrote:
Aaron Kulkis:
Other than *very* *old*, uncorrected code with buffer-overflow vulnerabilities, due to calls to strcat(3) instead of strncat(3), and similar pitfalls which are now very well understood since the first use in the 1987 Morris Worm, you have to provide some hard documentation (i.e. code sections) to make your point here.
Aaron, buffer-overflows were a problem because applications can do pretty much anything.
No, they can't.
Programs can pretty much do what the object code files tell them to do. And nothing more.
That was one of the points I kept trying to make, but there is one exception:
You'll note in the description of buffer overflow vulnerabilities that accompany the patches that fix them it usually says something like "carefully crafted inputs could in principle allow an attacker to execute arbitrary code."
This is because if the attacker can put just the right stuff in the local buffer that can overflow (*) so as to replace the return address recorded in the stack frame to point into the buffer itself at a point where the nefarious binary instructions reside. Then, when the subroutine returns, instead of going back to its caller, it executes the attacker's code.
Which was the attack method used by the Morris Worm, and which also made strcat() and friends essentially obsolete in favor of the related length-limited equivalents such as strncat().
As you can see, this is tricky business and exploits have to be crafted for specific applications or libraries where unchecked buffers get filled from input received over the network (image data and the code that processes it have been the vector for many vulnerabilities exposed over the past few years).
(*) It has to be in an activation record / stack frame, since overflowing a buffer in the data area can't change the code no matter how far it overflows 'cause the instruction text is shared and unwritable in virtually all modern Linux / Unix applications.
Randall Schulz
On Tuesday 12 February 2008 01:50:41 am Basil Chupin wrote:
Kai Ponte wrote:
On Monday 11 February 2008 08:59:05 pm Basil Chupin wrote:
Patrick Shanahan wrote:
* Basil Chupin
[02-11-08 22:49]: I don't understand what you mean by "unmanaged"?
If you mean that there is no Suse around to hold your hand in keeping the FF installation going then you need not worry! FF updates itself when Mozilla releases a new upgrade/update/whatever you want to call it. Also, any addons auto-date as well.
But doesn't include the enhancements provided by the openSUSE packagers :^(
OK, I'll bite!
What 'enhancements' are provided by openSUSE?
(I can see your tongue-in-cheek :-) .)
Stupid question - but...
..if you wanted to roll your own version of software_x, and still have it in the package management system, then couldn't one compile said software and then use checkinstall to create an RPM?
Then if an update comes out wouldn't that then work nice with the <insert distro here> package management system?
Aaargh!
Kai, my sincere apologies for my earlier response.
I misread what you wrote and took it the wrong way.
Again, my sincere apologies.
LOL! I've been on usenet (and the interweb in general) long enough to see how questions can be misinterpreted. No problems.
Yes, I guess what you stated in your response is correct. One could roll an RPM from a tarball from Mozilla.org and install it.
Only difference is that the tarball would need to be somehow altered to make it install in the default location where openSUSE normally installs FF.
Ok, valid point. <Insert Distro Here> may install to a different location than would the software's original owner.
I always simply untar the tarball and "install" (ie, replace the /mozilla directory ) FF in my home directory - because I am the only user of my system. What one would need to do to have it available for multiple users of the OS I cannot say.
Oh, that's a cool idea. I had done this when FF 2.0beta was out so I could run 1.x supplied from openSUSE and 2.x from the beta without them interfering. Cool idea. I think maybe I'll look into this.
On Fri, 8 Feb 2008, Aaron Kulkis wrote:-
This is quite a way off-topic, and should probably move to the off-topic list.
There was no NT-3
There wasn't a version NT 3.0, but there was a version called NT 3.5.
Windows 3.x consisted of Windows 3.1, Windows for Workgroups (3.11),
That part's right.
and Windows 95 and 98 (aka Windows 32x)
But I'm certain that that part's wrong. Win95, and the subsequent versions using the 95 kernel series, weren't based on the same code as Windows 3. They operated in a similar manner, in that they were all graphical shells running on top of DOS and, maybe with the exception of WinME, could exit to DOS. Also, they had to use a compatibility layer to make the 16 bit code run on the 32 bit system, which is where the Windows on Windows appears.
Windows NT is Windows 4.0
ITYM Windows NT 4.0. And, I'm not entirely sure, but weren't there versions later than 4.0 but before 5.0? My web server logs show entries for a browser identifying itself as running on NT 4.1.
Windows 2000 is Windows 5.0
Maybe, but ITYM Windows NT 5.0
Windows XP is Windows 6.0
Wrong. XP identifies itself as Windows NT 5.1. It's almost the same as Windows 2000 but with extra eye-candy added, better(?) plug-and-play, and some security stripped out, all to make it more attractive, "easier" and "friendlier" for the masses. You also missed out Windows 2003, which possibly identified itself as NT 5.2. That would explain the Windows NT 5.2 entries in my web server logs. And there's also Windows Media PC, which may be identifying itself as either Windows NT 5.1 or NT 6.0. I have several entries where the browser says it's running on NT 5.1 and includes "Media Center PC 4.0" in the User-agent string. I've also several more entries where it says Windows NT 6.0 and the User-agent includes "Media Center PC 5.0".
Windows Vista is Windows 7.0
Maybe but, if it is, ITYM Windows NT 7.0.
It's actually quite interesting watching the server logs. Strangely enough, my site is almost entirely about Linux, with my Wiki only having openSUSE related pages, and yet there seems to be a majority of browsers claiming to be on Windows OSes looking at them.
Oh, and before you state the obvious that the browser's User-agent can be faked, I know. My contention is that most Windows users, especially those using MSIE, aren't going to know how to do that, so I can sort-of rely on it being fairly accurate.
Regards, David Bolt
-- Team Acorn: http://www.distributed.net/ OGR-P2 @ ~100Mnodes RC5-72 @ ~15Mkeys SUSE 10.1 32bit | openSUSE 10.2 32bit | openSUSE 10.3 32bit | openSUSE 11.0a1 SUSE 10.1 64bit | openSUSE 10.2 64bit | openSUSE 10.3 64bit RISC OS 3.6 | TOS 4.02 | openSUSE 10.3 PPC | RISC OS 3.11
On Friday 08 February 2008 07:13:31 pm Aaron Kulkis wrote:
Curious, a lot of the naming internals in NT3/NT4 were very close to those in VAX/VMS ....
There was no NT-3
Hold on... There was an NT 3.1, which was the first "version" of NT. They wanted it to match the version number of Windows. I had a copy of this on six (IIRC) 5.25" floppies and it ran like a dog on my DX/25.
Windows 3.x consisted of Windows 3.1, Windows for Workgroups (3.11), and Windows 95 and 98 (aka Windows 32x)
Not quite. Windows 3.1 and 3.11 were shell programs running over DOS. Win95/98/Me were shell extensions running integrated with DOS and took over. But in general, you're correct on the Windows 3.x line.
Windows NT is Windows 4.0
"Windows 4.0" was never released. It became Windows 95. Windows NT 4.0 was released as NT 4.0 (1996).
Windows 2000 is Windows 5.0
This was NT 5.0, released in '99. There never was a "Windows 5.0", per se. The distinction is necessary, as the "Windows" and the "NT" lines hadn't merged yet.
Windows XP is Windows 6.0
Nope - 5.1. 5.1.2600, to be exact. This was where the NT line and the DOS/Win line merged. There really wasn't much to XP (prior to SP2) that made it more than a point increase from Win2k, other than the dumbing down of the interface and the goofy UI. It is also the reason I eventually ended up running openSUSE on my laptops and desktops. At this time, I realized Windows was not going to allow for users to run in anything but administrator mode without some serious tweaking and work. I began with Mandrake and eventually moved up to SUSE 9.1 right about this time. I haven't looked back once.
Windows Vista is Windows 7.0
Actually, it is listed as "Microsoft Windows [Version 6.0.6000]".
I don't mean to come off as nit-picky, but it bears correct understanding to see where Microshaft has tried to take the computer users of the world. It also allows us Linux users to see where openSUSE should and (maybe) should not go in the future.
On Saturday 09 February 2008 04:01:23 Aaron Kulkis wrote:
grep -e "strcmp(\| gets(\|strcat(" *.c *.h
And how many do you think are in the habit of doing that regularly on their source repositories?
Most security vulnerabilities you see reported have been in the code for a moderately long time. There are far more problematic functions than the ones you describe, and grepping for them all is simply not done on a regular basis. But ok, how's this then
buffer_size = 10
char buffer[10];
strncat(buffer, things_read_from_the_net, buffer_size);
and then someone does s/buffer_size = 10/buffer_size = 1000/
grep for that
Anders
-- Madness takes its toll
On Tuesday 12 February 2008 10:24, Anders Johansson wrote:
On Saturday 09 February 2008 04:01:23 Aaron Kulkis wrote:
grep -e "strcmp(\| gets(\|strcat(" *.c *.h
And how many do you think are in the habit of doing that regularly on their source repositories?
Most security vulnerabilities you see reported have been in the code for a moderately long time. There are far more problematic functions than the ones you describe, and grepping for them all is simply not done on a regular basis. But ok, how's this then
buffer_size = 10
char buffer[10];
strncat(buffer, things_read_from_the_net, buffer_size);
and then someone does s/buffer_size = 10/buffer_size = 1000/
grep for that
Obviously, purely textual analysis cannot discover this sort of thing. But if you apply language-oriented analysis, you can pick up a lot more. Users of JetBrains' (née IntelliJ) IDEA have some notion of just how sophisticated static analysis can be. Naturally, it cannot catch every bug (nor solve the halting problem, for that matter), but it does help.
Anders
Randall Schulz
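The strncat() snippet discussed in the two messages above, worked through as an added example that is not part of any post in the thread: the third argument of strncat() limits how many characters are appended, not how large the destination is, so the quoted call is already one byte over with buffer_size = 10, and a grep for function names cannot see either case. The helper names, the APPEND macro and the sample input are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * strncat(dst, src, n) appends at most n characters of src and then ALWAYS
 * writes a terminating NUL. n limits what is appended; it says nothing about
 * how big dst is or how much dst already holds. This returns the total number
 * of bytes dst must be able to hold after such a call.
 */
static size_t strncat_bytes_needed(size_t dst_len, size_t src_len, size_t n)
{
    size_t appended = src_len < n ? src_len : n;
    return dst_len + appended + 1;          /* +1 for the NUL strncat adds */
}

/* 1 if strncat(dst, src, n) would write past a dst of dst_cap bytes. */
static int strncat_would_overflow(size_t dst_cap, size_t dst_len,
                                  size_t src_len, size_t n)
{
    return strncat_bytes_needed(dst_len, src_len, n) > dst_cap;
}

/*
 * Bounded append. The limit is computed from the destination's capacity and
 * current contents, so there is no separate size variable to drift out of
 * sync with the array. Returns 0 on success, -1 if src had to be truncated
 * or dst holds no NUL within dst_cap bytes (not a valid string).
 */
static int append_bounded(char *dst, size_t dst_cap, const char *src)
{
    const char *nul = memchr(dst, '\0', dst_cap);
    if (nul == NULL)
        return -1;

    size_t used = (size_t)(nul - dst);
    size_t room = dst_cap - used - 1;       /* keep one byte for the NUL */
    size_t src_len = strlen(src);
    size_t n = src_len < room ? src_len : room;

    memcpy(dst + used, src, n);
    dst[used + n] = '\0';
    return src_len > room ? -1 : 0;
}

/* Only valid for true arrays: sizeof on a pointer would give the wrong size. */
#define APPEND(arr, src) append_bounded((arr), sizeof (arr), (src))

int main(void)
{
    /* Constructed stand-in for things_read_from_the_net (25 characters). */
    const char *input = "constructed-network-input";
    size_t in_len = strlen(input);
    size_t limits[] = { 9, 10, 1000 };

    /* What the quoted call would do to a 10-byte buffer, without doing it. */
    for (size_t i = 0; i < sizeof limits / sizeof limits[0]; i++) {
        printf("empty dst, n=%4zu: needs %2zu bytes of 10 -> %s\n",
               limits[i], strncat_bytes_needed(0, in_len, limits[i]),
               strncat_would_overflow(10, 0, in_len, limits[i])
                   ? "overflow" : "fits");
    }
    /* n = cap - 1 is still wrong once dst already holds something. */
    printf("dst holds 4 chars, n=9: %s\n",
           strncat_would_overflow(10, 4, in_len, 9) ? "overflow" : "fits");

    char buffer[10] = "";
    int rc = APPEND(buffer, input);
    printf("APPEND -> rc=%d, buffer=\"%s\"\n", rc, buffer);
    return 0;
}
```
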
Anders Johansson wrote:
On Saturday 09 February 2008 04:01:23 Aaron Kulkis wrote:
grep -e "strcmp(\| gets(\|strcat(" *.c *.h
And how many do you think are in the habit of doing that regularly on their source repositories?
Any programmer with a clue. When I was a student at Purdue, these sorts of tests were run on all program class assignments, as well as automated execution to test for input/output correctness, automatic grade reduction for late submissions, etc. Electrical Engineering and Computer Science each had their own, separately developed grading suites, but these sorts of things were well established even in the 1980's. How do I know? Because the profs made the grading software available (for execution) to students in the introductory-level classes -- the idea being to get the students to develop good programming practices from the beginning, rather than playing, "gotcha!" over easily-corrected errors.
Most security vulnerabilities you see reported have been in the code for a moderately long time. There are far more problematic functions than the ones you describe, and grepping for them all is simply not done on a regular basis. But ok, how's this then
buffer_size = 10
char buffer[10];
ANY literal in an array declaration should be worth one police night-stick to the side of the head. That's the kind of stuff that gets severe reprimands and grade reductions even in SOPHOMORE level classes at any reputable college or university.
strncat(buffer, things_read_from_the_net, buffer_size);
and then someone does s/buffer_size = 10/buffer_size = 1000/
grep for that
Which is why literals should NEVER be used in programs. And again, why any university with a respected curriculum in computer science or electrical engineering completely breaks such habits of its students by the time they graduate.
Anders
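Added example, not part of any message in this thread: the strncat call quoted above passes the buffer's size as the third argument, but strncat treats that argument as the maximum number of characters to append and then writes a terminating NUL as well. The C sketch below shows the resulting write extent and two bounded alternatives; the helper names strncat_extent, strncat_room and bounded_append are hypothetical, and the input string is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Worst-case number of destination bytes that strncat(dst, src, n) touches:
 * the text already in dst, up to n appended characters, and the NUL that
 * strncat always writes. n bounds the append, not the size of dst. */
size_t strncat_extent(size_t used, size_t src_len, size_t n)
{
    size_t appended = src_len < n ? src_len : n;
    return used + appended + 1;
}

/* Largest n that is safe to pass to strncat for a dst of dst_cap bytes.
 * Returns 0 when dst is full or holds no NUL within dst_cap; in the second
 * case strncat must not be called at all, because it would scan past dst. */
size_t strncat_room(const char *dst, size_t dst_cap)
{
    const char *nul = dst_cap ? memchr(dst, '\0', dst_cap) : NULL;
    if (nul == NULL)
        return 0;
    return dst_cap - (size_t)(nul - dst) - 1;
}

/* All-or-nothing append: copies src only if it fits completely.
 * Returns 0 on success, -1 when rejected (dst is left unchanged). */
int bounded_append(char *dst, size_t dst_cap, const char *src)
{
    const char *nul = dst_cap ? memchr(dst, '\0', dst_cap) : NULL;
    size_t used, need;

    if (nul == NULL)
        return -1;                      /* dst is not a valid string */
    used = (size_t)(nul - dst);
    need = strlen(src);
    if (need > dst_cap - used - 1)
        return -1;                      /* would overflow: refuse */
    memcpy(dst + used, src, need + 1);  /* includes the terminator */
    return 0;
}

int main(void)
{
    const char *from_net = "0123456789ABCDEF";  /* constructed input */
    char buffer[10] = "";

    /* The call from the thread, with n equal to the array size. */
    printf("n=10 touches up to %zu bytes of a %zu-byte buffer\n",
           strncat_extent(0, strlen(from_net), 10), sizeof buffer);

    /* Truncating append: capacity comes from the array, n from what is left. */
    strncat(buffer, from_net, strncat_room(buffer, sizeof buffer));
    printf("truncated to: \"%s\"\n", buffer);

    /* The buffer is now full, so a further append is refused. */
    printf("append to full buffer: %d\n",
           bounded_append(buffer, sizeof buffer, "x"));
    return 0;
}
```

Deriving the capacity with sizeof at the call site keeps the bound tied to the declaration, so editing a separate size variable cannot silently widen it.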
On Feb 12, 2008 1:40 PM, Randall R Schulz
On Tuesday 12 February 2008 10:24, Anders Johansson wrote:
On Saturday 09 February 2008 04:01:23 Aaron Kulkis wrote:
grep -e "strcmp(\| gets(\|strcat(" *.c *.h
And how many do you think are in the habit of doing that regularly on their source repositories?
Most security vulnerabilities you see reported have been in the code for a moderately long time. There are far more problematic functions than the ones you describe, and grepping for them all is simply not done on a regular basis. But ok, how's this then
buffer_size = 10
char buffer[10];
strncat(buffer, things_read_from_the_net, buffer_size);
and then someone does s/buffer_size = 10/buffer_size = 1000/
grep for that
Obviously, purely textual analysis cannot discover this sort of thing. But if you apply language-oriented analysis, you can pick up a lot more.
Users of JetBrains' (née IntelliJ) IDEA have some notion of just how sophisticated static analysis can be.
Naturally, it cannot catch every bug (nor solve the halting problem, for that matter), but it does help.
Anders
Randall Schulz
I believe the Coverity Checker is still being used for free to evaluate the Linux Kernel. http://www.coverity.com/html/press_story03_12_14_04.html Not sure if they also scan user space tools.
Greg
-- Greg Freemyer Litigation Triage Solutions Specialist http://www.linkedin.com/in/gregfreemyer First 99 Days Litigation White Paper - http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf The Norcross Group The Intersection of Evidence & Technology http://www.norcrossgroup.com
On Feb 12, 2008 1:51 PM, Greg Freemyer
On Feb 12, 2008 1:40 PM, Randall R Schulz
wrote: On Tuesday 12 February 2008 10:24, Anders Johansson wrote:
On Saturday 09 February 2008 04:01:23 Aaron Kulkis wrote:
grep -e "strcmp(\| gets(\|strcat(" *.c *.h
And how many do you think are in the habit of doing that regularly on their source repositories?
Most security vulnerabilities you see reported have been in the code for a moderately long time. There are far more problematic functions than the ones you describe, and grepping for them all is simply not done on a regular basis. But ok, how's this then
buffer_size = 10
char buffer[10];
strncat(buffer, things_read_from_the_net, buffer_size);
and then someone does s/buffer_size = 10/buffer_size = 1000/
grep for that
Obviously, purely textual analysis cannot discover this sort of thing. But if you apply language-oriented analysis, you can pick up a lot more.
Users of JetBrains' (née IntelliJ) IDEA have some notion of just how sophisticated static analysis can be.
Naturally, it cannot catch every bug (nor solve the halting problem, for that matter), but it does help.
Anders
Randall Schulz
I believe the Coverity Checker is still being used for free to evaluate the Linux Kernel.
http://www.coverity.com/html/press_story03_12_14_04.html
Not sure if they also scan user space tools.
Actually, it looks like at least a couple hundred of them are being scanned by Coverity. http://scan.coverity.com/rungAll.html The rung 0 entries don't have anyone looking at the issues identified, so it is only 100 or so projects that actually have someone set up to get the Coverity feedback.
Greg
On Tuesday 12 February 2008 07:16, Aaron Kulkis wrote:
...
The first version of NT was Windows 4.0.
Not really. See http://en.wikipedia.org/wiki/Windows_NT
...
Randall Schulz
Aaron Kulkis wrote:
James Knott wrote:
Aaron Kulkis wrote:
G T Smith wrote:
Kai Ponte wrote:
On Friday 08 February 2008 08:55:22 am Mike wrote:
On Friday 08 February 2008 17:31, G T Smith wrote: > J <snip>
They didn't actually combine VMS, just used the main developer. For that, they paid royally later and ended up supporting DEC Alpha machines for many years. I had several customers running Alpha machines with WinNT on board.
Curious, a lot of the naming internals in NT3/NT4 were very close to those in VAX/VMS ....
There was no NT-3. Windows 3.x consisted of Windows 3.1, Windows for Workgroups (3.11), and Windows 95 and 98 (aka Windows 32x)
Windows NT is Windows 4.0
Windows 2000 is Windows 5.0
Windows XP is Windows 6.0
Windows Vista is Windows 7.0
That was the influence of Dave Cutler, who was hired from DEC.
What happened to Windows NT 3.1 & 3.5?
The first version of NT was Windows 4.0.
For Windows 3.5, see the line Windows 3.x
We must live in a different universe. Windows NT 3.x had a similar desktop to Windows 3.1 and NT 4 had a desktop similar to Windows 95. http://en.wikipedia.org/wiki/Windows_NT http://en.wikipedia.org/wiki/Windows_NT_3.5
On Monday 11 February 2008 08:23:06 pm Aaron Kulkis wrote:
My experience has been that the tarballs have rough edges - jagged fonts,
HUH????
The tarballs don't need any fonts..they use the fonts already installed on your system.
I just thought of something. I wonder if Joe is thinking of an issue that was prevalent in *nix gui systems around '99/00. IIRC, the fonts weren't anti-aliased and thus looked "ragged" when compared to Macintosh System 7 or Windows or NT. I remember Sun having some magic to their fonts but KDE on Mandrake or Red Hat looked less than desirable by comparison.
Kai Ponte wrote:
On Monday 11 February 2008 08:23:06 pm Aaron Kulkis wrote:
My experience has been that the tarballs have rough edges - jagged fonts,
HUH????
The tarballs don't need any fonts..they use the fonts already installed on your system.
I just thought of something.
I wonder if Joe is thinking of an issue that was prevalent in *nix gui systems around '99/00.
IIRC, the fonts weren't anti-aliased and thus looked "ragged" when compared to Macintosh System 7 or Windows or NT. I remember Sun having some magic to their fonts but KDE on Mandrake or Red Hat looked less than desirable by comparison.
That is tangentially related to the issue - by the early part of the millennium, Linux vendors commonly shipped anti-aliased desktops, and added patches to browsers and other apps to make them play along. When I'd download the mozilla tarball to get the latest and greatest, we'd be back to jagged fonts like it was 1994 again. I understand that the folks that build the mozilla tarballs may have now discovered antialiasing, so that particular issue may be a moot point, but there are many others.
Joe
Aaron Kulkis wrote:
I use suse packages whenever available, but out of curiosity, how does installing an unmanaged tarball help?
I just download and ungzip/untar in /local, run the installer script and install in /opt.
Right, you can do that, but how does it help?
I really don't give a hoot about the browser RPM's, other than having something to go to the Mozilla website to IMMEDIATELY download the latest release.
I'm curious why you use suse - wouldn't LFS or Rock Linux be more to your liking?
Joe
Sloan wrote:
I'm curious why you use suse - wouldn't LFS or Rock Linux be more to your liking?
Some big apps like mozilla and co and openoffice don't have any benefit from openSUSE, but most of the other utilities do. I like to live borderline on _some_, very limited corners only :-)
jdd -- http://www.dodin.net
Kai Ponte wrote:
On Tuesday 12 February 2008 01:50:41 am Basil Chupin wrote:
Kai Ponte wrote:
On Monday 11 February 2008 08:59:05 pm Basil Chupin wrote:
Patrick Shanahan wrote:
* Basil Chupin
[02-11-08 22:49]: I don't understand what you mean by "unmanaged"?
If you mean that there is no Suse around to hold your hand in keeping the FF installation going then you need not worry! FF updates itself when Mozilla releases a new upgrade/update/whatever you want to call it. Also, any addons auto-date as well.
But doesn't include the enhancements provided by the openSUSE packagers :^(
OK, I'll bite!
What 'enhancements' are provided by openSUSE?
(I can see your tongue-in-cheek :-) .)
Stupid question - but...
..if you wanted to roll your own version of software_x, and still have it in the package management system, then couldn't one compile said software and then use checkinstall to create an RPM?
Then if an update comes out wouldn't that then work nice with the <insert distro here> package management system?
Aaargh!
Kai, my sincere apologies for my earlier response.
I misread what you wrote and took it the wrong way.
Again, my sincere apologies.
LOL!
I've been on usenet (and the interweb in general) long enough to see how questions can be misinterpreted. No problems.
Thanks :-) .
Yes, I guess what you stated in your response is correct. One could roll an RPM from a tarball from Mozilla.org and install it.
Only difference is that the tarball would need to be somehow altered to make it install in the default location where openSUSE normally installs FF.
Ok, valid point. <Insert Distro Here> may install to a different location than would the software's original owner.
I always simply untar the tarball and "install" (ie, replace the /mozilla directory ) FF in my home directory - because I am the only user of my system. What one would need to do to have it available for multiple users of the OS I cannot say.
There is an error in what I stated above. I replace the /firefox, not /mozilla, directory in toto. I usually copy both /.mozilla and /firefox directories first to the second HD as backup; then delete the ff dir in home and move the /firefox directory created by the un-tar-ring process across.
Oh, that's a cool idea. I had done this when FF 2.0beta was out so I could run 1.x supplied from openSUSE and 2.x from the beta without them interfering.
Cool idea.
I think maybe I'll look into this.
I've been doing this now for years as I have been (until recently) installing the nightly builds for both Firefox and Thunderbird. (But I did give myself a threat by installing Thunderbird 3.0a1pre a couple of days ago :-) .) The only thing one needs to do as an extra step when installing FF in your home directory is to make sure that the plugins contain the correct symlinks. Look in /.mozilla/plugins/ and make sure that the symlinks are correct.
Ciao.
-- If you want to know what a man is like, take a look at how he treats his inferiors not his equals.
Patrick Shanahan wrote:
* Basil Chupin
[02-12-08 09:13]: No, sorry I have not had a "bad day".
I have the Build Service as a repository for zyppo to work with. zyppo did not notify me that there was an upgrade to FF. The information came from elsewhere (can't quite remember from where but it certainly was NOT from zyppo). And, as I said, my wife said that FF notified her that there was an upgrade and she elected to have the upgrade install itself. zyppo, or anything Suse, had anything to do with it.
In fact, just had a look at what YaST software management (aka zyppo) shows- and it shows that FF v2.0.0.10-0.1 (dated Wed 28 Nov 2007) is available for installation. But I am running v2.0.0.12 which I obtained directly from Mozilla.org.
Oh! As I also use smart, smart is also showing that the latest FF available for installation is 2.0.0.10-0.1.
So, please, don't say that I "had a bad day".
ok, your day was not of *good* quality :^)
Let's say, "Of less than perfect quality." :-) .
smart installed:
wahoo:~ # rpm -q --last MozillaFirefox
MozillaFirefox-2.0.0.12-2.2 Sun Feb 10 08:47:16 2008
and the time is gmt-5
Weird. smart installed FF and timezone less than 3 hours ago (when I turned the computer on), and zyppo is now also 'telling' me that FF and timezone are ready to be installed.
Ciao.
Sloan wrote:
Kai Ponte wrote:
On Monday 11 February 2008 08:23:06 pm Aaron Kulkis wrote:
My experience has been that the tarballs have rough edges - jagged fonts,
HUH????
The tarballs don't need any fonts..they use the fonts already installed on your system.
I just thought of something.
I wonder if Joe is thinking of an issue that was prevalent in *nix gui systems around '99/00.
IIRC, the fonts weren't anti-aliased and thus looked "ragged" when compared to Macintosh System 7 or Windows or NT. I remember Sun having some magic to their fonts but KDE on Mandrake or Red Hat looked less than desirable by comparison.
That is tangentially related to the issue - by the early part of the millennium, Linux vendors commonly shipped anti-aliased desktops, and added patches to browsers and other apps to make them play along. When I'd download the mozilla tarball to get the latest and greatest, we'd be back to jagged fonts like it was 1994 again. I understand that the folks that build the mozilla tarballs may have now discovered antialiasing, so that particular issue may be a moot point, but there are many others.
I haven't seen jagged fonts on *any* apps in years. I pull down a new Mozilla version as soon as the home-page says it's out of date (mainly because there's always some sort of bug-fix for an annoyance or a security update), and I freely download and install other software... and none of that has needed anything special for anti-aliased fonts.
Sloan wrote:
Aaron Kulkis wrote:
I use suse packages whenever available, but out of curiosity, how does installing an unmanaged tarball help? I just download and ungzip/untar in /local, run the installer script and install in /opt.
Right, you can do that, but how does it help?
Standard Mozilla installations don't throw files all over the directory tree ... the whole thing installs into one directory (and its sub-directories) wherever you tell the installer to put it. For me, each version is installed into its own directory in /opt. I had /opt/sea-monkey1.1.{5,6,7}. When 1.1.8 came out with a security fix, I just deleted the 1.1.5, 1.1.6, and 1.1.7 directories, and the install tar.gz files. Uninstalling them was as simple as this:
rm -rf /opt/seamonkey1.1.{5,6,7}
rm -rf /local/downlaod/*seamonkey*1.1.{5,6,7}*
I really don't give a hoot about the browser RPM's, other than having something to go to the Mozilla website to IMMEDIATELY download the latest release.
I'm curious why you use suse - wouldn't LFS or Rock Linux be more to your liking?
I'm happy with SuSE. Until now, I didn't know about LFS or Rock Linux...and frankly, don't care about them. The reason I update Mozilla so much is because it's a piece of very rapidly improving software, and keeping track of the versions doesn't need redhat package manager or any other sort of similar package/software management, because the Mozilla people do things the Right Way(tm) for installation to /usr/local or /opt.
Joe
This is a repost of my response to something which Aaron stated - as an expert on Widows security (amongst other things ) - and which he has apparently chosen to totally ignore because it doesn't suit him.
To be kind, however, it could also be a simple matter of him missing reading my message.
Anything is possible in this world.
What would be very nice, from the expert on Windows, and everything else in the universe, is a response on what I asked in my original post dated 12 February 2008 - today is the 18 February - reposted below.
QUOTE
Basil Chupin wrote:
Aaron Kulkis wrote:
James Knott wrote:
[pruned]
I don't think running Windows XP on a desktop securely is rocket science. My parents have pulled off such a feat -- they've never had any security issues, and of the people I know, they are the least computer literate. My brother is now on OS X, but not because of security issues. He just wanted a better computer with a better OS than what his XP-powered Wintel box was.
Do they run as admin or user? Do they have any applications that force them to run as admin?
XP PRO *insists* that someone be an 'assistant Administrator' and the first user who is created after the Admin is assigned Admin rights. The thinking here, it seems to me, is that if the Admin gets run over by a bus then the 'assistant admin' has full access to the OS. That is the way I saw/see it - but I may be wrong.
But being a 'normal' user on XP is really a big pain in the arse because you cannot install any new software, or do some maintenance, unless you have Admin rights. Which is why many home users simply run the OS in Admin user mode - even if they know what this means.
[pruned]
"Security" in Windows comes from patching a sieve.
More specifically, replacing one section of permeable wire mesh with a new section of permeable wire mesh -- BY DESIGN.
The many back-doors in Windows are *NOT* accidental.
Which brings up a very important question requiring an honest answer.
The matter of Windows having deliberate in-built backdoors has been mooted for quite some time.
A number of Windows applications claiming to be Firewalls which not only prevent INBOUND access into the system also claim to prevent *OUTBOUND* unauthorised access to the Internet by applications.
ZoneAlarm, for example, is one such security application. (I won't go into the details of who owns, or is associated with the company which actually owns, ZoneAlarm but it may be indirectly relevant to this topic of "back-doors" in Windows.)
How does, say, such a well known security firewall application as ZoneAlarm handle the back-door issue which is inbuilt into Windows' applications?
Is ZoneAlarm, and similar, capable of preventing back-door traffic, both inbound and outbound, inbuilt into Windows systems?
About 3 years ago (I have the messages somewhere on file) a person (?programmer) found that ZoneAlarm was "reporting" back to ZA servers about the system they were installed on and ZA, of course, claimed that it was a "coding" glitch; there was a fix (I asked the reporter for "The Inquirer" to publish the 'fix') and the "glitch" was fixed. But, in the real world, what do ZA et alia do to handle the inbuilt back-doors in Windows (put there, I have read, at the request of the American Intelligence Agencies - which is one of the reasons why the Chinese government won't touch Windows with a 10-foot barge pole. And I am *NOT* trying to introduce politics into this discussion!)
This is not simply a MS related question, and therefore may be considered by some to be OT, but what MS, et alia, is forced to do may also be relevant to what pressures OSs such as openSUSE may be subjected to. Dunno, just asking....
Ciao.
UNQUOTE
Hoping for a reply......
Ciao.
-- I was very heavily into pornography. Then my pornograph broke.
On Sunday 17 February 2008 09:55:53 pm Basil Chupin wrote:
Is ZoneAlarm, and similar, capable of preventing back-door traffic, both inbound and outbound, inbuilt into Windows systems?
Short answer, no.
ZA is a very untrustworthy application. I wouldn't touch it with the proverbial ten foot pole.
Of course, a hardware firewall is the best protection against any attack. A good router should have firewall software built in.
Second - and often in line with the hardware firewall - would be software.
I use Outpost on my Wintendo machine at home. http://www.agnitum.com/
I've heard good reviews (from known derelict types) of Kaspersky ( http://usa.kaspersky.com/products_services/internet-security.php ) and even LavaSoft ( http://www.lavasoftusa.com/products/lavasoft_personal_firewall.php ).
There's no reason ever to go with Zone Alarm, Norton or McAfee.
Sorry for the OT post, but I know many of you probably still use Wintendo out there.
Basil Chupin wrote:
This is a repost of my response to something which Aaron stated - as an expert on Widows security (amongst other things ) - and which he has apparently chosen to totally ignore because it doesn't suit him.
To be kind, however, it could also be a simple matter of him missing reading my message.
Anything is possible in this world.
What would be very nice, from the expert on Windows, and everything else in the universe, is a response on what I asked in my original post dated 12 February 2008 - today is the 18 February - reposted below.
QUOTE
Basil Chupin wrote:
Aaron Kulkis wrote:
James Knott wrote:
[pruned]
I don't think running Windows XP on a desktop securely is rocket science. My parents have pulled off such a feat -- they've never had any security issues, and of the people I know, they are the least computer literate. My brother is now on OS X, but not because of security issues. He just wanted a better computer with a better OS than what his XP-powered Wintel box was.
Do they run as admin or user? Do they have any applications that force them to run as admin?
XP PRO *insists* that someone be an 'assistant Administrator' and the first user who is created after the Admin is assigned Admin rights. The thinking here, it seems to me, is that if the Admin gets run over by a bus then the 'assistant admin' has full access to the OS. That is the way I saw/see it - but I may be wrong.
But being a 'normal' user on XP is really a big pain in the arse because you cannot install any new software, or do some maintenance, unless you have Admin rights. Which is why many home users simply run the OS in Admin user mode - even if they know what this means.
[pruned]
"Security" in Windows comes from patching a sieve.
More specifically, replacing one section of permeable wire mesh with a new section of permeable wire mesh -- BY DESIGN.
The many back-doors in Windows are *NOT* accidental.
Which brings up a very important question requiring an honest answer.
The matter of Windows having deliberate in-built backdoors has been mooted for quite some time.
A number of Windows applications claiming to be Firewalls which not only prevent INBOUND access into the system also claim to prevent *OUTBOUND* unauthorised access to the Internet by applications.
ZoneAlarm, for example, is one such security application. (I won't go into the details of who owns, or is associated with the company which actually owns, ZoneAlarm but it may be indirectly relevant to this topic of "back-doors" in Windows.)
How does, say, such a well known security firewall application as ZoneAlarm handle the back-door issue which is inbuilt into Windows' applications?
Is ZoneAlarm, and similar, capable of preventing back-door traffic, both inbound and outbound, inbuilt into Windows systems?
About 3 years ago (I have the messages somewhere on file) a person (?programmer) found that ZoneAlarm was "reporting" back to ZA servers about the system they were installed on and ZA, of course, claimed that it was a "coding" glitch; there was a fix (I asked the reporter for "The Inquirer" to publish the 'fix') and the "glitch" was fixed. But, in the real world, what do ZA et alia do to handle the inbuilt back-doors in Windows (put there, I have read, at the request of the American Intelligence Agencies - which is one of the reasons why the Chinese government won't touch Windows with a 10-foot barge pole. And I am *NOT* trying to introduce politics into this discussion!)
There's your answer right there. There are other ways to get information out of a computer other than well-known TCP/IP ports.
My basis for the accusation is simple... Most all of the Windows exploits attack only a couple applications: IE, Outlook, and IIS, and occasionally Office. One would think that with all the bad press it gets, that MS would direct their people to go over that code with a fine-toothed comb, so to speak, and ELIMINATE THE SECURITY WEAKNESSES. But for some Strrrrrrrrrrrrrrrraaaaaaaaaaaaange reason, these applications have never been secured.
I find it incredibly strange that a company with one of the highest revenue streams on the planet, with virtually no costs other than people and publishing costs, is utterly incapable of securing 3 moderately-sized applications. I can come to only 2 mutually-exclusive conclusions:
1. MS is incapable of securing these applications.
2. MS does not want to secure these applications, because doing so would interfere with their business.
#1 is laughable. With the amount of money they have, they can get enough people to review and fix these apps so that they're secure. This leaves only option #2. It's not a question of security expertise, it's simply a matter of deductive LOGIC.
This is not simply a MS related question, and therefore may be considered by some to be OT, but what MS, et alia, is forced to do may also be relevant to what pressures OSs such as openSUSE may be subjected to. Dunno, just asking....
Ciao.
UNQUOTE
Hoping for a reply......
Ciao.
Basil Chupin wrote:
This is a repost of my response to something which Aaron stated - as an expert on Widows security (amongst other things )
don't you think this thread is long enough? better stop it than restart it.
jdd
Kai Ponte wrote:
| On Sunday 17 February 2008 09:55:53 pm Basil Chupin wrote:
|>> Is ZoneAlarm, and similar, capable of preventing back-door traffic,
|>> both inbound and outbound, inbuilt into Windows systems?
|
| Short answer, no.
|
| ZA is a very untrustworthy application. I wouldn't touch it with the
| proverbial ten foot pole.
|
| Of course, a hardware firewall is the best protection against any attack. A
| good router should have firewall software built in.
|
| Second - and often in line with the hardware firewall - would be software.
|
| I use Outpost on my Wintendo machine at home.
|
| http://www.agnitum.com/
|
| I've heard good reviews (from known derelict types) of Kaspersky (
| http://usa.kaspersky.com/products_services/internet-security.php ) and even
| LavaSoft (
| http://www.lavasoftusa.com/products/lavasoft_personal_firewall.php ).
|
| There's no reason ever to go with Zone Alarm, Norton or McAfee.
|
| Sorry for the OT post, but I know many of you probably still use Wintendo out
| there.

Sorry to mix in the ongoing conversation, but as I experience time after time, if, and I say if, you want to use XP and want to benefit from the good sides of it (there are some good sides), or simply because you are forced to use it, you *have* to keep some external apps present, to keep everything going as smooth as possible, and as fast as possible. You do not have to believe me, but I assure you, you can. These are:
1) A good firewall, which is sygate an old Norton firewall that is *free*, and that warns you and asks you if you grant or deny to let specified traffic in or out.
2) Virusscanner, Avast, which is very good, and also *free*.
3) Adaware&adwatch, from Lavasoft, there are free versions that work ok, the definition file gets updated regularly.
4) Registry Mechanic, which is not free, but not extremely expensive for the job it does, but absolutely necessary, if you ain't got all day before widnose has been started up, to keep your registry free from deleted or unsaved changes, forgotten by XP(ert), and where it is looking for, for hours and hours. RM lets your XP run as new.
Weekly, an XP user has to:
1) Clean the registry,
2) Defragment the drives that change the most,
And if the firewall, adwatch, and avast are set properly, nothing is gonna harm you, except the windows updates: you have to check carefully for the genuine advantage 'updates', if you use an unlicensed version. Sygate firewall lets you choose *all* traffic, from every changed DLL, to every piece of software that wants to access the internet, or your pc. You can choose to grant only once, or remember decision, grant or deny. You can lock-up all traffic with one click, if necessary. You can test the safety of your *backdoors* by it if you like.
-- Have a nice day, M9. Now, is the only time that exists.
~ OS: Linux 2.6.22.17-0.1-default x86_64
~ Current user: monkey9@AMD64x2-sfn1
~ System: openSUSE 10.3 (x86_64)
~ KDE: 3.5.7 "release 72.6"
* jdd
Basil Chupin wrote:
This is a repost of my response to something which Aaron stated - as an expert on Widows security (amongst other things )
don't you think this thread is long enough? better stop it than restart it.
or move it to "offtopic" where it probably belongs!
-- Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://counter.li.org
On 2/18/08, Patrick Shanahan
* jdd
[02-18-08 03:20]: Basil Chupin wrote:
This is a repost of my response to something which Aaron stated - as an expert on Widows security (amongst other things )
don't you think this thread is long enough? better stop it than restart it.
or move it to "offtopic" where it probably belongs!
Here's the long version of that statement: Splitting offtopic threads to a separate mailing list is required for a useful main mailing list, but if it is hard to find the OffTopic mailing list many people will post OT mails in the main mailing list. The OT mailing list offers political discussions, news and a lot of other things. This mail appeared to have moved from OpenSuse 11 to MS security, and while interesting, it's not Suse related anymore and should be continued on the Offtopic list. The OpenSuse Offtopic list is hard to find. It was not listed in the SuSe mailing lists last time I checked. Subscription info for the OT SuSe mailing list: To subscribe, e-mail: opensuse-offtopic+subscribe@opensuse.org To unsubscribe, e-mail: opensuse-offtopic+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-offtopic+help@opensuse.org Neil -- There are two kinds of people: 1. People who start their arrays with 1. 1. People who start their arrays with 0.
On Sunday 17 February 2008 10:39:00 pm Aaron Kulkis wrote: <snip>
But for some Strrrrrrrrrrrrrrrraaaaaaaaaaaaange reason, these applications have never been secured.
I find it incredibly strange that a company with one of the highest revenue streams on the planet, with virtually no costs other than people and publishing costs, is utterly incapable of securing 3 moderately-sized applications.
Simple Explanation: They've moved all Windows anti-virus people over to KDE4 development so they can meet your timeframe for releasing openSUSE 11.0 Didn't you know about the MS/Novell deal? FYI.
Neil wrote:
On 2/18/08, Patrick Shanahan
wrote: * jdd
[02-18-08 03:20]: Basil Chupin wrote:
This is a repost of my response to something which Aaron stated - as an expert on Widows security (amongst other things )
don't you think this thread is long enough? better stop it than restart it.
or move it to "offtopic" where it probably belongs!
Here's the long version of that statement:
Splitting offtopic threads to a separate mailing list is required for a useful main mailing list, but if it is hard to find the OffTopic mailing list many people will post OT mails in the main mailing list. The OT mailing list offers political discussions, news and a lot of other things. This mail appeared to have moved from OpenSuse 11 to MS security, and while interesting, it's not Suse related anymore and should be continued on the Offtopic list.
Firstly, I didn't start the initial discussion on security in MS - but that is irrelevant. Secondly, I note that there are many, many people here who are either already using, or are wanting to install, such apps as VirtualBox etc for the purpose of running XP within openSUSE to avoid dual-booting. Knowing the problems of keeping MS "secure" should be very important to them. And thirdly, read the last paragraph of my 'original' post. It was omitted from subsequent replies and nobody has responded to the question I raise there. [rest of the "lesson" pruned] Ciao. -- I was very heavily into pornography. Then my pornograph broke.
Kai Ponte wrote:
On Sunday 17 February 2008 09:55:53 pm Basil Chupin wrote:
Is ZoneAlarm, and similar, capable of preventing back-door traffic, both inbound and outbound, inbuilt into Windows systems?
Short answer, no.
ZA is a very untrustworthy application. I wouldn't touch it with the proverbial ten foot pole.
Of course, a hardware firewall is the best protection against any attack. A good router should have firewall software built in.
Second - and often in line with the hardware firewall - would be software.
I use Outpost on my Wintendo machine at home.
Thanks for that, Kai. I will follow up on this. There is an excellent FREE firewall called *Comodo* but when started it asks questions about each and every file being executed (it's in its "learning" stage) that I uninstalled it because I didn't have the time to answer the Qs :-) . Ciao. -- I was very heavily into pornography. Then my pornograph broke.
participants (47)
- Aaron Kulkis
- Alexey Eremenko
- Anders Johansson
- Andreas Jaeger
- Basil Chupin
- Benji Weber
- Bob S
- Carlos E. R.
- Cristian Rodríguez
- Darragh O'Heiligh
- Dave Howorth
- David Bolt
- Doug McGarrett
- Fred A. Miller
- G T Smith
- Greg Freemyer
- Greg KH
- Henne Vogelsang
- James Knott
- jdd
- Jerry Houston
- Joe 'Zonker' Brockmeier
- Joe Morris
- Joe Sloan
- K.R. Foley
- Kai Ponte
- Ken Schneider
- M9.
- Marco Michna
- Marcus Meissner
- Mike
- Mike McMullin
- Neil
- Patrick Shanahan
- Patrick Shanahan
- Per Jessen
- Philipp Thomas
- Philippe Landau
- Rajko M.
- Randall R Schulz
- Roger Oberholtzer
- Sloan
- Tero Pesonen
- Thomas Schraitle
- Tim Ertl
- Wolfgang Rosenauer
- Wolfgang Woehl