[nfbcs] Sonar or Vinux

Littlefield, Tyler tyler at tysdomain.com
Sun Jul 27 02:20:42 UTC 2014


I just wanted to follow up with this, after a discussion with a friend. 
I think one could argue that open source might be more secure because 
there are more people that have the potential to actually look at it. On 
the other hand, the mindset of most developers doesn't really support 
this, although it is still a pretty valid claim. Most people want to add 
their code and be done with it, so you actually end up having to devote 
money that is donated to open source to pay people to work on the code 
that no one wants to touch. It's how EWIFI got built into the boot code 
for BSD, it's how LibreSSL is working now. Conversely, a lot of the 
people who will study that code and study it closely are the people who 
actually want to exploit it. So, while it may be possible for the code 
to be more secure with more eyes, it's somewhat unlikely. Even if this 
were the case however, you still have the hardware the code is running 
on. I remember an issue a while back with Intel and the NSA, where the 
NSA wanted the ability to influence the microcode. Whether or not they 
got that is something we'll never know. It's not even really unlikely 
that the processor couldn't be injecting instructions or running its 
own instructions while other programs are running. It's more than 
possible that the hard drive could hold a buffer and store random data 
(whatever it felt like) on unused sectors of the disk. It's even 
possible that the compilers we use are flawed; we always compile our 
compilers with pre-existing compiled code. So, if the first compiler 
were able to inject code into its binaries, then all compilers 
subsequent to that would be infected and a recompilation would just keep 
passing along the problem.

On 7/26/2014 9:53 PM, Littlefield, Tyler via nfbcs wrote:
> Hello:
> I have a few points to make. First, I didn't say that Linux was 
> security through obscurity. I'm saying that the claim that it can't 
> get a virus is security through obscurity; it doesn't keep any system 
> any more secure than anything else.
>
> I also have a few more points:
> https://www.google.com/?gws_rd=ssl#q=kernel.org+breech
>
> OpenSSL is not a good sign of anything. That bug had existed for at 
> least two years before it was finally brought into the open; who knows 
> what could've been stolen in that timeframe. Just because no instances 
> (that I know of) have been reported does not mean it wasn't useful. 
> When a bad guy finds a security flaw, they're not going to run and say 
> "lookie, here's a problem I found, you should fix this so I can't use 
> it." Subsequently, numerous catastrophic problems have been found 
> while working on the LibreSSL fork. Some of these have been patched, 
> but you don't have a good track record if you're just surviving until 
> your code is actually analysed. There is a pretty good reason why 
> Google and OpenBSD have started work on their own versions and started 
> doing code cleanup; mainly because OpenSSL has been declared broken 
> beyond repair. So why is this? It's not a fault of open source for 
> sure; the biggest issue is that no one wants to spend the time digging 
> through OpenSSL's code. It's a lot of code, and even if someone were 
> to dig through it, it would take someone who really knows what they're 
> doing to actually know how to change it. I'm not presenting this point 
> as a way to demonstrate Linux vs Windows, I'm just trying to explain 
> that everyone who seems to be taking cover behind the idea that 
> Windows is way less insecure than Linux are clearly biased.
>
> Perhaps people are switching to Linux for systems, but stability 
> really has nothing to do with it. The days of Windows 98 are over; my 
> Windows system hasn't rebooted in 2-3 months and it probably wouldn't 
> have to if I weren't going to run updates tonight. Perhaps that makes 
> a system unstable, but you also have to reboot when installing a new 
> kernel, which is pretty important, as vulnerabilities in the kernels 
> do actually get patched and you need to install them.
>
> You also mentioned the military drone, which I went and googled; all 
> sources seem to agree with this:
> http://www.darkreading.com/attacks-and-breaches/iran-hacked-gps-signals-to-capture-us-drone/d/d-id/1101882? 
>
> So there were two points made here: 1) That Windows was the underlying 
> system and is no longer because it's insecure, and 2) The use of Linux 
> can ensure that when signals are jammed, the drone can return home: 
> "...but when Linux loses contact with its controller, the default 
> programming takes over and the drone either finishes its planned 
> recon or it returns to base."
> 1) I don't know what the underlying system was. This attack took place 
> because the signals were jammed, and the GPS coordinates were able to 
> be spoofed through signals. See my next point.
> 2) Linux or Windows doesn't have any effect on how this actually takes 
> place. If Windows shipped with a drone-management autopilot software, 
> perhaps you could make this point. As it stands though, the software 
> that these were using was written over the top of whatever the drones 
> were running. It is a defect in these that made this happen. Whether 
> Windows or Linux, a jamming of the radio signals should be able to 
> signal the software to continue or go home; sadly, that wasn't 
> something that was previously thought of.
>
> You also mentioned all these lovely devices that run Linux. I have to 
> steal some of Linux's light and state that a lot of network devices 
> and appliances are in fact running some version of BSD, as are a lot 
> of other devices (see NetBSD). The fact that Android and other systems 
> are built on Linux also doesn't really state anything extra for the 
> security. The fact is, it is open source, extendable and is not 
> proprietary; this saves companies like Google a lot of investment in 
> building their own kernel. A lot of places are also using Linux for 
> the same reason: it doesn't cost as much as windows. When you're 
> distributing 5000 laptops to kids, you don't really want to pay the 
> licensing fees that come with Windows and Open Office. Does this make 
> an OS more secure and more stable? Certainly not; it just means that 
> there is no cost associated with the OS in question.
>
> So, why do I make these points? I run Linux on one server and BSD on 
> another. While I appreciate all three operating systems, my goal is to 
> keep discussions open and clear up some of the myths. Every system, 
> whether it is Windows, Linux or BSD has its inherent flaws. To simply 
> state unequivocally that one is more secure than another is a bit 
> crazy. The points made here for the most part simply don't stand up. 
> Now, Windows Seven and up (possibly even Vista, though I didn't ever 
> use it) ship with UAC enabled: you have to run a program as an 
> administrator to allow it to make a lot of changes. UAC prompts the 
> user when changes are to be made and asks them if they want to 
> continue. Many of the points that have been brought up are points that 
> might have held 10 years ago or are tilted without a fair comparison.
>
> On 7/26/2014 8:26 PM, Blaine Clark via nfbcs wrote:
>> Linux's security through obscurity is totally off-base. When the US 
>> lost that drone to Iraq several years ago, it was because Iraq 
>> managed to break and overpower the radio control frequency and simply 
>> took over the Microsoft OS that ran the drone. Within a year, all 
>> drones in use by the US military were converted to use Linux. Of 
>> course this won't stop any further radio jamming, but when Linux 
>> loses contact with its controller, the default programming takes 
>> over and the drone either finishes its planned recon or it returns 
>> to base. It can't be hacked if it's protected by a solid password. 
>> The unmanned sub being used to search for the downed Malaysian 
>> airliner uses Linux. The servers of the New York Stock exchange and 
>> the European Stock Exchange use Linux. The White House uses a Red Hat 
>> Linux server. Half of the development stations at Google use Goobuntu 
>> which is their remake of Ubuntu. Android is Linux. The Federal 
>> Aviation Administration uses Linux on the monitoring and alert 
>> systems of the air traffic controllers. The US Postal Service has 
>> used Linux since 1998, not for its security, but for its stability 
>> and superiority at being able to decipher addresses on envelopes. 
>> Both China and Russia are ditching Microsoft for their own builds of 
>> Linux due in no small part to the eavesdropping of our NAS.
>> The French Gendarme replaced Microsoft many years ago with Linux. 
>> Google Chrome netbooks, which are taking off by being used by schools 
>> is a severely stripped down version of Linux with mainly just a 
>> browser for the user interface. Munich, Germany is replacing all of 
>> the Microsoft proprietary programs such as MS Office and all others 
>> with Open Source alternatives in preparation of getting the city 
>> employees ready for when they switch from Microsoft to Linux. Linux 
>> has replaced the operating system and all the laptops being used on 
>> the Mir Space Station. This is partly for security and stability, but 
>> mainly because everything about Linux is open source and when the 
>> need arises to alter the OS for new hardware and new procedures, it 
>> is so much easier than relying on copyrighted, proprietary 
>> permissions to be given.
>> 98% of the world's super computers use Linux because it is more 
>> efficient, IE faster. It's more secure and it's much more stable than 
>> Microsoft. Linux, in any of its over 400 various builds, is used by 
>> millions all over the world. Some of those builds are so complex that 
>> it truly takes a degree in Linux computer science to operate them 
>> while there are others that are as simple and as easy to use as 
>> Microsoft, easier as a matter of fact. Case in point; Most of the 
>> menus and navigators used on smart TVs are Linux.
>> The best firewall for any desktop or laptop is probably the hardware 
>> firewall built into your modem. Software firewalls can be configured 
>> on Microsoft, Mac and Linux with little trouble. On my Debian-based 
>> Linux-Mint all I need to do is open a terminal and type 'sudo ufw enable' 
>> after I perform a fresh install and the firewall is permanently 
>> enabled with default iptable settings. The firewall isn't enabled 
>> automatically because software firewalls are thought by some to be 
>> not the best home firewall approach even though a monitoring daemon 
>> can be set up to log each transmission in or out of each port and 
>> corresponding iptable rules can be made. The best way to keep a 
>> cracker/hacker from entering your system be it Microsoft, Mac or 
>> Linux is to have a complex password that can't be broken.
>> This brings up where Linux is totally superior to Microsoft by 
>> default. There is absolutely no way anything or anyone can write to 
>> the Linux system files without the express, written permission of the 
>> administrator. Microsoft can be set up this way, but the 
>> administrator account must be used for very limited purposes and not 
>> used for general access by any regular user of the system. All sub 
>> user accounts have to be very carefully set and maintained to prevent 
>> most unauthorized access, and even then it's still possible for some 
>> well crafted malware to slip through Internet Explorer or 
>> Outlook and its various names.
>> The Linux.com repositories, where the authorized Linux software 
>> packages reside, are on Linux servers which have every type of 
>> shielding, monitoring and alerting methods available and set to 
>> either prevent intrusions or to notify the administrators of a server 
>> breach. I use a couple of third-party packages such as TeamViewer, a 
>> remote conferencing and access program and Spotify, a radio styled 
>> online music player. When I download or update any third-party 
>> packages I scan them with ClamAV. When they pass, I install them, 
>> then I immediately perform a deep system scan. Other than maybe three 
>> or four times a year I don't use an anti-virus program.
>> To address the Heartbleed security problem, this was an OpenSSL 
>> problem that had absolutely nothing to do with Linux. The OpenSSL 
>> project has about 14 developers even though it is Open Source. No one 
>> on the Linux development side paid any attention to OpenSSL. So, is 
>> it any wonder that a widely used, large-scale product made by a very 
>> small handful of developers had a problem? What's surprising is that 
>> these 14 developers, not all of whom are full time even, have such a 
>> successful record. Compare that record to Microsoft's security record 
>> with their hundreds of developers and testers!
>> People from all over the world work on the packages that go into the 
>> Linux.com software repositories. Those packages are sent to the Linux 
>> Foundation for testing, review and approval, so yes, not only is 
>> every single line of code checked, it is tested and evaluated as well 
>> before it is released to the repository.
>> With some finagling it's possible to not only have a live DVD or USB 
>> to carry around, it's also possible to have a fully functional mobile 
>> computer operating system on USB that you can carry around. The 
>> difference between a Live media OS and a fully functional mobile OS 
>> is that with the mobile OS you can save files and settings on the USB 
>> which you can't do on a Live Load media. With this, it's possible to 
>> run a desktop or laptop that has no hard drive as though it does. 
>> You're just substituting a USB drive. It could be a thumb drive or it 
>> could be an external drive.
>> Let's compare out of the box security between Microsoft and Linux. 
>> Microsoft's default account is the administrator's account which is 
>> set to be as easily accessible to all parts of the system as possible 
>> for the 'easiest', most user-friendly customer experience. That means 
>> everything is wide open to any user, even ones who visit you over the 
>> internet. With Linux, the administrator account is not open. To cause 
>> or to allow any system changes, the 'root' users password must be 
>> given at all times. This doesn't diminish ease of use, it's just a 
>> different approach. As for hardening Microsoft to prevent hacking? 
>> Don't think for one minute that the US military hadn't tried that on 
>> those drones. If they couldn't do it, can you?
>> The reason I switched from Microsoft to Linux was because throughout 
>> all of the summer of 2007 I fought with MS support over one 
>> particular update that destabilized my XP. I could Restore to a prior 
>> date as long as the system stayed stable long enough, otherwise I'd 
>> have to reinstall. I proved the problem wasn't hardware related by 
>> installing Linux and using that computer for another four or five 
>> years. I started with Ubuntu and my wife, who had just bought a new 
>> computer with Vista late in 2006 or early 2007 had trouble with about 
>> every third update. By the way, she still uses that computer. She's 
>> blind in one eye and has slightly distorted vision in the other so 
>> her graphics settings are critical. MS updates reverted those 
>> settings to default every third month. She watched over my shoulder 
>> for about a month and wanted to try that Linux thing. I set up a 
>> dual-boot for her with Vista and Ubuntu so she could start either one 
>> when starting the computer. By April of 2008 she discovered she 
>> hadn't used Vista for quite a while and didn't need it. I removed it 
>> and from early 2008 we haven't had Microsoft in this house and we 
>> don't miss it one bit. We have Linux Mint on both desktops and both 
>> laptops. We both switched because Linux is much more stable than 
>> Microsoft. Not because it's more secure, that was nice though! Not 
>> because we had any experience with Linux, because we sure didn't! 
>> Stability is one of the reasons why the Vinux developers don't 
>> recommend updating the older versions of Vinux. Updating some, but 
>> not all packages can break the speech engine. In the latest version 
>> of Vinux updating is recommended mainly because they have been 
>> working with Ubuntu on maintaining stability in regards to the speech 
>> engine. Ubuntu has taken the challenge to heart and has instituted 
>> its own accessibility coordination group. Ubuntu has been including 
>> the speech engine and a couple of screen readers in its installation 
>> files. Mainstream accessibility was the first aim of Vinux all 
>> along, providing what the main builds of Linux wouldn't was really 
>> their second aim. All in all, they were and are deliberately trying 
>> to eliminate their own project and they are slowly succeeding. Ubuntu 
>> is working on including the entire speech engine compatibility issue 
>> into its updates. Other packages with accessible mouse control and 
>> head and eye control are moving along with great strides. Voice 
>> control has a long ways to go, but there has been progress in that 
>> area too. Ubuntu has also been working on compatibility with the 
>> speech engine on its server builds. Accessibility in mainstream 
>> Linux is growing and it's due in no small part to the Vinux project. 
>> Remember that I said the reason that I switched as well as my wife 
>> was because Microsoft kept breaking or reverting default settings? 
>> Microsoft has this major problem too.
>> The originator of Vinux is a lecturer for the Royal National College 
>> in the UK. He dropped out of the Vinux project for a while due to 
>> personal reasons and is now back to a very limited degree. The 
>> development team that Tony Sales managed to assemble and who stepped 
>> in when Tony had to leave are all either blind or legally blind. They 
>> are also a totally volunteer group. They pay for the server and the 
>> bandwidth used by people who download Vinux and access the 
>> documentation. They ask for donations and do get some, but the bulk 
>> of the financing comes out of their own pockets.
>> As for which is better, Sonar or Vinux? It all depends on you. I've 
>> said elsewhere that the main problem with Linux is all the choices 
>> that it throws at the uninitiated to have to wade through to find 
>> what's right for them. At the same time one of the main advantages of 
>> Linux is all the choices that it offers! All those choices are a 
>> problem and an advantage! Sonar is free as well as Vinux. All you're 
>> going to be out is the time trying each one. Another thing to keep in 
>> mind is that Linux is not Windows. There are differences. On the 
>> surface the differences are the programs used, however if you install 
>> the Firefox browser, the Thunderbird email client and Libre Office 
>> and practice using them, quite a bit of the learning curve will be 
>> taken care of. Next, under the surface, read, study and practice the 
>> differences between the keyboard navigation styles you'll find in 
>> Linux. Go over the documentation that Vinux provides. Download each 
>> build and make your own boot media, DVD or USB. Try them in live mode 
>> as often and for as long as you like to get used to them and when 
>> you've made up your own mind as to which one is better, install it, 
>> or install both and dual-boot. I will say though, that Sonar changing 
>> to a non-Debian build is going to take away from the ease of 
>> installation in the future, however, that should put accessibility 
>> focus on the other build as Vinux has done to Ubuntu. The 
>> Ubuntu-Debian build is so easy to install and they have no intention 
>> of changing that. Also, in the future, Vinux may disappear only to be 
>> incorporated into the mainstream Ubuntu build.
>> One more point, to install Microsoft, set aside around three hours to 
>> babysit, then add on more hours for the updates and restarts. On top 
>> of that, now you have to install all of your third-party programs and 
>> then ... you have to go through all your settings. This can easily 
>> take an entire day.
>> To install an Ubuntu build figure on either around 20 minutes for a 
>> clean install or about one hour to install alongside Microsoft. The 
>> Linux installer has to move all those MS files into one area to make 
>> room for itself and that takes time. Add on about 15 to 20 minutes at 
>> most for updates if you have a fast internet connection. If you're 
>> reinstalling Linux you could have made a backup list of all your 
>> added software. No, not a full backup of your software, just a 
>> special list of the software you had installed! Now you can have 
>> Linux install and update your extra software from that list. 
>> Depending on what special stuff you installed before, you could be 
>> done in 10 to another 20 minutes. Now, all you have to do is go 
>> through and make all your settings, or if you backed up your /home 
>> folder, just copy that back into the new installation and your 
>> settings are back too as well as your personal files. You can install 
>> Linux in less than an hour or, in just over an hour.


-- 
Take care,
Ty
http://tds-solutions.net
He that will not reason is a bigot; he that cannot reason is a fool; he that dares not reason is a slave.




