[nfbcs] Sonar or Vinux

John G. Heim jheim at math.wisc.edu
Sun Jul 27 18:18:35 UTC 2014


For Pete's sake, Tyler, how in the world can you fail to see the flaw in 
your argument? There may not be a lot of people looking at the code for 
most Linux packages except for the developers themselves, but there is 
nobody, absolutely nobody, but the developers looking at the code for 
most Windows programs.

You keep saying bad guys are looking at the Linux code too, but facts are 
facts. The vast majority of exploits are for Windows, not Linux. As a 
rule, exploits just don't get into the Linux code. Yes, there are flaws, 
but there are flaws in Windows apps too. And based on virus and botnet 
statistics, open source is working. How in the world can you just make 
this wild claim that open source code isn't more secure than proprietary 
code? Have you any evidence whatsoever to back that up? Because the 
facts certainly do not support the claim.

On 07/26/2014 09:20 PM, Littlefield, Tyler via nfbcs wrote:
> I just wanted to follow up with this, after a discussion with a 
> friend. I think one could argue that open source might be more secure 
> because there are more people that have the potential to actually look 
> at it. On the other hand, the mindset of most developers doesn't really 
> support this, although it is still a pretty valid claim. Most people 
> want to add their code and be done with it, so you actually end up 
> having to devote money that is donated to open source to pay people to 
> work on the code that no one wants to touch. It's how EWIFI got built 
> into the boot code for BSD, it's how LibreSSL is working now. 
> Conversely, a lot of the people who will study that code and study it 
> closely are the people who actually want to exploit it. So, while it 
> may be possible for the code to be more secure with more eyes, it's 
> somewhat unlikely. Even if this were the case however, you still have 
> the hardware the code is running on. I remember an issue a while back 
> with Intel and the NSA, where the NSA wanted the ability to influence 
> the microcode. Whether or not they got that is something we'll never 
> know. It's not even really unlikely that the processor couldn't be 
> injecting instructions or running its own instructions while other 
> programs are running. It's more than possible that the hard drive could 
> hold a buffer and store random data (whatever it felt like) on unused 
> sectors of the disk. It's even possible that the compilers we use are 
> flawed; we always compile our compilers with pre-existing compiled 
> code. So, if the first compiler were able to inject code into its 
> binaries, then all compilers subsequent to that would be infected and 
> a recompilation would just keep passing along the problem.
> On 7/26/2014 9:53 PM, Littlefield, Tyler via nfbcs wrote:
>> Hello:
>> I have a few points to make. First, I didn't say that Linux was 
>> security through obscurity. I'm saying that the claim that it can't 
>> get a virus is security through obscurity; it doesn't keep any system 
>> anymore secure than anything else.
>>
>> I also have a few more points:
>> https://www.google.com/?gws_rd=ssl#q=kernel.org+breech
>>
>> OpenSSL is not a good sign of anything. That bug had existed for at 
>> least two years before it was finally brought into the open; who 
>> knows what could've been stolen in that timeframe. Just because no 
>> instances (that I know of) have been reported does not mean it wasn't 
>> useful. When a bad guy finds a security flaw, they're not going to 
>> run and say "lookie, here's a problem I found, you should fix this so 
>> I can't use it." Subsequently, numerous catastrophic problems have 
>> been found while working on the LibreSSL fork. Some of these have 
>> been patched, but you don't have a good track record if you're just 
>> surviving until your code is actually analysed. There is a pretty 
>> good reason why Google and OpenBSD have started work on their own 
>> versions and started doing code cleanup; mainly because OpenSSL has 
>> been declared broken beyond repair. So why is this? It's not a fault 
>> of open source for sure; the biggest issue is that no one wants to 
>> spend the time digging through OpenSSL's code. It's a lot of code, 
>> and even if someone were to dig through it, it would take someone who 
>> really knows what they're doing to actually know how to change it. 
>> I'm not presenting this point as a way to demonstrate Linux vs 
>> Windows, I'm just trying to explain that everyone who seems to be 
>> taking cover behind the idea that Windows is way less insecure than 
>> Linux are clearly biased.
>>
>> Perhaps people are switching to Linux for systems, but stability 
>> really has nothing to do with it. The days of Windows 98 are over; my 
>> Windows system hasn't rebooted in 2-3 months and it probably wouldn't 
>> have to if I weren't going to run updates tonight. Perhaps that makes 
>> a system unstable, but you also have to reboot when installing a new 
>> kernel, which is pretty important, as vulnerabilities in the kernels 
>> do actually get patched and you need to install them.
>>
>> You also mentioned the military drone, which I went and googled; all 
>> sources seem to agree with this:
>> http://www.darkreading.com/attacks-and-breaches/iran-hacked-gps-signals-to-capture-us-drone/d/d-id/1101882? 
>>
>> So there were two points made here: 1) That Windows was the 
>> underlying system and is no longer because it's insecure, and 2) The 
>> use of Linux can ensure that when signals are jammed, the drone can 
>> return home: "...but when Linux loses contact with its controller, 
>> the default programming takes over and the drone either finishes its 
>> planned recon or it returns to base."
>> 1) I don't know what the underlying system was. This attack took 
>> place because the signals were jammed, and the GPS coordinates were 
>> able to be spoofed through signals. See my next point.
>> 2) Linux or Windows doesn't have any effect on how this actually 
>> takes place. If Windows shipped with a drone-management autopilot 
>> software, perhaps you could make this point. As it stands though, the 
>> software that these were using was written over the top of whatever 
>> the drones were running. It is a defect in these that made this 
>> happen. Whether Windows or Linux, a jamming of the radio signals 
>> should be able to signal the software to continue or go home; sadly, 
>> that wasn't something that was previously thought of.
>>
>> You also mentioned all these lovely devices that run Linux. I have to 
>> steal some of Linux's light and state that a lot of network devices 
>> and appliances are in fact running some version of BSD, as are a lot 
>> of other devices (see NetBSD). The fact that Android and other 
>> systems are built on Linux also doesn't really state anything extra 
>> for the security. The fact is, it is open source, extendable and is 
>> not proprietary; this saves companies like Google a lot of investment 
>> in building their own kernel. A lot of places are also using Linux 
>> for the same reason: it doesn't cost as much as Windows. When you're 
>> distributing 5000 laptops to kids, you don't really want to pay the 
>> licensing fees that come with Windows and Open Office. Does this make 
>> an OS more secure and more stable? Certainly not; it just means that 
>> there is no cost associated with the OS in question.
>>
>> So, why do I make these points? I run Linux on one server and BSD on 
>> another. While I appreciate all three operating systems, my goal is 
>> to keep discussions open and clear up some of the myths. Every 
>> system, whether it is Windows, Linux or BSD has its inherent flaws. 
>> To simply state unequivocally that one is more secure than another is 
>> a bit crazy. The points made here for the most part simply don't 
>> stand up. Now, Windows 7 and up (possibly even Vista, though I 
>> didn't ever use it) ship with UAC enabled: you have to run a program 
>> as an administrator to allow it to make a lot of changes. UAC prompts 
>> the user when changes are to be made and asks them if they want to 
>> continue. Many of the points that have been brought up are points 
>> that might have held 10 years ago or are tilted without a fair 
>> comparison.
>> On 7/26/2014 8:26 PM, Blaine Clark via nfbcs wrote:
>>> Linux's security through obscurity is totally off-base. When the US 
>>> lost that drone to Iraq several years ago, it was because Iraq 
>>> managed to break and overpower the radio control frequency and 
>>> simply took over the Microsoft OS that ran the drone. Within a year, 
>>> all drones in use by the US military were converted to use Linux. Of 
>>> course this won't stop any further radio jamming, but when Linux 
>>> loses contact with its controller, the default programming takes 
>>> over and the drone either finishes its planned recon or it returns 
>>> to base. It can't be hacked if it's protected by a solid password. 
>>> The unmanned sub being used to search for the downed Malaysian 
>>> airliner uses Linux. The servers of the New York Stock exchange and 
>>> the European Stock Exchange use Linux. The White House uses a Red 
>>> Hat Linux server. Half of the development stations at Google use 
>>> Goobuntu which is their remake of Ubuntu. Android is Linux. The 
>>> Federal Aviation Administration uses Linux on the monitoring and 
>>> alert systems of the air traffic controllers. The US Postal Service 
>>> has used Linux since 1998, not for its security, but for its 
>>> stability and superiority at being able to decipher addresses on 
>>> envelopes. Both China and Russia are ditching Microsoft for their 
>>> own builds of Linux due in no small part to the eavesdropping of our 
>>> NSA.
>>> The French Gendarme replaced Microsoft many years ago with Linux. 
>>> Google Chrome netbooks, which are taking off by being used by 
>>> schools is a severely stripped down version of Linux with mainly 
>>> just a browser for the user interface. Munich, Germany is replacing 
>>> all of the Microsoft proprietary programs such as MS Office and all 
>>> others with Open Source alternatives in preparation of getting the 
>>> city employees ready for when they switch from Microsoft to Linux. 
>>> Linux has replaced the operating system and all the laptops being 
>>> used on the Mir Space Station. This is partly for security and 
>>> stability, but mainly because everything about Linux is open source 
>>> and when the need arises to alter the OS for new hardware and new 
>>> procedures, it is so much easier than relying on copyrighted, 
>>> proprietary permissions to be given.
>>> 98% of the world's super computers use Linux because it is more 
>>> efficient, i.e. faster. It's more secure and it's much more stable 
>>> than Microsoft. Linux, in any of its over 400 various builds, is 
>>> used by millions all over the world. Some of those builds are so 
>>> complex that it truly takes a degree in Linux computer science to 
>>> operate them while there are others that are as simple and as easy 
>>> to use as Microsoft, easier as a matter of fact. Case in point: most 
>>> of the menus and navigators used on smart TVs are Linux.
>>> The best firewall for any desktop or laptop is probably the hardware 
>>> firewall built into your modem. Software firewalls can be configured 
>>> on Microsoft, Mac and Linux with little trouble. On my Debian-based 
>>> Linux-Mint all I need to do is open a terminal and type 'ufw 
>>> enable' after I perform a fresh install and the firewall is 
>>> permanently enabled with default iptables settings. The firewall 
>>> isn't enabled automatically because software firewalls are thought 
>>> by some to be not the best home firewall approach even though a 
>>> monitoring daemon can be set up to log each transmission in or out 
>>> of each port and corresponding iptables rules can be made. The best 
>>> way to keep a cracker/hacker from entering your system be it 
>>> Microsoft, Mac or Linux is to have a complex password that can't be 
>>> broken.
>>> This brings up where Linux is totally superior to Microsoft by 
>>> default. There is absolutely no way anything or anyone can write to 
>>> the Linux system files without the express, written permission of 
>>> the administrator. Microsoft can be set up this way, but the 
>>> administrator account must be used for very limited purposes and not 
>>> used for general access by any regular user of the system. All sub 
>>> user accounts have to be very carefully set and maintained to 
>>> prevent most unauthorized access, and even then it's still possible 
>>> for some well-crafted malware to slip through Internet Explorer 
>>> or Outlook and its various names.
>>> The Linux.com repositories, where the authorized Linux software 
>>> packages reside, are on Linux servers which have every type of 
>>> shielding, monitoring and alerting methods available and set to 
>>> either prevent intrusions or to notify the administrators of a 
>>> server breach. I use a couple of third-party packages such as 
>>> TeamViewer, a remote conferencing and access program and Spotify, a 
>>> radio styled online music player. When I download or update any 
>>> third-party packages I scan them with ClamAV. When they pass, I 
>>> install them, then I immediately perform a deep system scan. Other 
>>> than maybe three or four times a year I don't use an anti-virus 
>>> program.
>>> To address the Heartbleed security problem, this was an OpenSSL 
>>> problem that had absolutely nothing to do with Linux. The OpenSSL 
>>> project has about 14 developers even though it is Open Source. No 
>>> one on the Linux development side paid any attention to OpenSSL. So, 
>>> is it any wonder that a widely used, large-scale product made by a 
>>> very small handful of developers had a problem? What's surprising is 
>>> that these 14 developers, not all of whom are full time even, have 
>>> such a successful record. Compare that record to Microsoft's 
>>> security record with their hundreds of developers and testers!
>>> People from all over the world work on the packages that go into the 
>>> Linux.com software repositories. Those packages are sent to the 
>>> Linux Foundation for testing, review and approval, so yes, not only 
>>> is every single line of code checked, it is tested and evaluated as 
>>> well before it is released to the repository.
>>> With some finagling it's possible to not only have a live DVD or USB 
>>> to carry around, it's also possible to have a fully functional 
>>> mobile computer operating system on USB that you can carry around. 
>>> The difference between a Live media OS and a fully functional mobile 
>>> OS is that with the mobile OS you can save files and settings on the 
>>> USB which you can't do on a Live Load media. With this, it's 
>>> possible to run a desktop or laptop that has no hard drive as though 
>>> it does. You're just substituting a USB drive. It could be a thumb 
>>> drive or it could be an external drive.
>>> Let's compare out-of-the-box security between Microsoft and Linux. 
>>> Microsoft's default account is the administrator's account which is 
>>> set to be as easily accessible to all parts of the system as 
>>> possible for the 'easiest', most user-friendly customer experience. 
>>> That means everything is wide open to any user, even ones who visit 
>>> you over the internet. With Linux, the administrator account is not 
>>> open. To cause or to allow any system changes, the 'root' user's 
>>> password must be given at all times. This doesn't diminish ease of 
>>> use, it's just a different approach. As for hardening Microsoft to 
>>> prevent hacking? Don't think for one minute that the US military 
>>> hadn't tried that on those drones. If they couldn't do it, can you?
>>> The reason I switched from Microsoft to Linux was because throughout 
>>> all of the summer of 2007 I fought with MS support over one 
>>> particular update that destabilized my XP. I could Restore to a 
>>> prior date as long as the system stayed stable long enough, 
>>> otherwise I'd have to reinstall. I proved the problem wasn't 
>>> hardware related by installing Linux and using that computer for 
>>> another four or five years. I started with Ubuntu and my wife, who 
>>> had just bought a new computer with Vista late in 2006 or early 2007 
>>> had trouble with about every third update. By the way, she still 
>>> uses that computer. She's blind in one eye and has slightly 
>>> distorted vision in the other so her graphics settings are critical. 
>>> MS updates reverted those settings to default every third month. She 
>>> watched over my shoulder for about a month and wanted to try that 
>>> Linux thing. I set up a dual-boot for her with Vista and Ubuntu so 
>>> she could start either one when starting the computer. By April of 
>>> 2008 she discovered she hadn't used Vista for quite a while and 
>>> didn't need it. I removed it and from early 2008 we haven't had 
>>> Microsoft in this house and we don't miss it one bit. We have Linux 
>>> Mint on both desktops and both laptops. We both switched because 
>>> Linux is much more stable than Microsoft. Not because it's more 
>>> secure, that was nice though! Not because we had any experience with 
>>> Linux, because we sure didn't! Stability is one of the reasons why 
>>> the Vinux developers don't recommend updating the older versions of 
>>> Vinux. Updating some, but not all packages can break the speech 
>>> engine. In the latest version of Vinux updating is recommended 
>>> mainly because they have been working with Ubuntu on maintaining 
>>> stability in regards to the speech engine. Ubuntu has taken the 
>>> challenge to heart and has instituted its own accessibility 
>>> coordination group. Ubuntu has been including the speech engine and 
>>> a couple of screen readers in its installation files. Mainstream 
>>> accessibility was the first aim of Vinux all along, providing what 
>>> the main builds of Linux wouldn't was really their second aim. All 
>>> in all, they were and are deliberately trying to eliminate their own 
>>> project and they are slowly succeeding. Ubuntu is working on 
>>> including the entire speech engine compatibility issue into its 
>>> updates. Other packages with accessible mouse control and head and 
>>> eye control are moving along with great strides. Voice control has a 
>>> long ways to go, but there has been progress in that area too. 
>>> Ubuntu has also been working on compatibility with the speech engine 
>>> on its server builds. Accessibility in mainstream Linux is growing 
>>> and it's due in no small part to the Vinux project. Remember that I 
>>> said the reason that I switched as well as my wife was because 
>>> Microsoft kept breaking or reverting default settings? Microsoft has 
>>> this major problem too.
>>> The originator of Vinux is a lecturer for the Royal National College 
>>> in the UK. He dropped out of the Vinux project for a while due to 
>>> personal reasons and is now back to a very limited degree. The 
>>> development team that Tony Sales managed to assemble and who stepped 
>>> in when Tony had to leave are all either blind or legally blind. 
>>> They are also a totally volunteer group. They pay for the server and 
>>> the bandwidth used by people who download Vinux and access the 
>>> documentation. They ask for donations and do get some, but the bulk 
>>> of the financing comes out of their own pockets.
>>> As for which is better, Sonar or Vinux? It all depends on you. I've 
>>> said elsewhere that the main problem with Linux is all the choices 
>>> that it throws at the uninitiated to have to wade through to find 
>>> what's right for them. At the same time one of the main advantages 
>>> of Linux is all the choices that it offers! All those choices are a 
>>> problem and an advantage! Sonar is free as well as Vinux. All you're 
>>> going to be out is the time trying each one. Another thing to keep 
>>> in mind is that Linux is not Windows. There are differences. On the 
>>> surface the differences are the programs used, however if you 
>>> install the Firefox browser, the Thunderbird email client and Libre 
>>> Office and practice using them, quite a bit of the learning curve 
>>> will be taken care of. Next, under the surface, read, study and 
>>> practice the differences between the keyboard navigation styles 
>>> you'll find in Linux. Go over the documentation that Vinux provides. 
>>> Download each build and make your own boot media, DVD or USB. Try 
>>> them in live mode as often and for as long as you like to get used 
>>> to them and when you've made up your own mind as to which one is 
>>> better, install it, or install both and dual-boot. I will say 
>>> though, that Sonar changing to a non-Debian build is going to take 
>>> away from the ease of installation in the future, however, that 
>>> should put accessibility focus on the other build as Vinux has done 
>>> to Ubuntu. The Ubuntu-Debian build is so easy to install and they 
>>> have no intention of changing that. Also, in the future, Vinux may 
>>> disappear only to be incorporated into the mainstream Ubuntu build.
>>> One more point, to install Microsoft, set aside around three hours 
>>> to babysit, then add on more hours for the updates and restarts. On 
>>> top of that, now you have to install all of your third-party 
>>> programs and then ... you have to go through all your settings. This 
>>> can easily take an entire day.
>>> To install an Ubuntu build figure on either around 20 minutes for a 
>>> clean install or about one hour to install alongside Microsoft. The 
>>> Linux installer has to move all those MS files into one area to make 
>>> room for itself and that takes time. Add on about 15 to 20 minutes 
>>> at most for updates if you have a fast internet connection. If 
>>> you're reinstalling Linux you could have made a backup list of all 
>>> your added software. No, not a full backup of your software, just a 
>>> special list of the software you had installed! Now you can have 
>>> Linux install and update your extra software from that list. 
>>> Depending on what special stuff you installed before, you could be 
>>> done in 10 to another 20 minutes. Now, all you have to do is go 
>>> through and make all your settings, or if you backed up your /home 
>>> folder, just copy that back into the new installation and your 
>>> settings are back too as well as your personal files. You can 
>>> install Linux in less than an hour or, in just over an hour.
>>> _______________________________________________
>>> nfbcs mailing list
>>> nfbcs at nfbnet.org
>>> http://nfbnet.org/mailman/listinfo/nfbcs_nfbnet.org
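As an added example (not code from this thread, nor from Vinux, Sonar or any other project named in it): Blaine's reinstall tip above, keeping a list of the extra packages you installed and feeding it back to the fresh system, written as a small POSIX shell script. It assumes a Debian/Ubuntu system with `apt-mark`, `apt-get` and `sudo` present; the list-file format and the `filter_pkg_names`, `save_pkg_list` and `restore_pkg_list` function names are my own choices. The one security point worth carrying over from the thread's "only the administrator can change system files" argument is that the list file is untrusted input to a privileged command: every line is validated against the Debian package-name syntax before it can reach `apt-get`, so a stray, hand-edited or tampered line cannot turn into an extra option or a second command.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): back up the list of
# manually installed packages before a reinstall and restore it afterwards.
# Assumes Debian/Ubuntu with apt-mark, apt-get and sudo available.

# Keep only well-formed Debian package names: lowercase letters, digits,
# '+', '-' and '.', at least two characters, starting with a letter or a
# digit. Comments after '#' and blank lines are ignored and duplicates are
# collapsed. Anything else (for example a line containing ';', '/' or a
# space) is dropped rather than handed to apt-get.
filter_pkg_names() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' \
        | grep -E '^[a-z0-9][a-z0-9+.-]+$' \
        | sort -u
}

# Write the names of packages the user installed explicitly (not the
# dependencies pulled in alongside them) to the file given as $1.
save_pkg_list() {
    apt-mark showmanual | filter_pkg_names > "$1"
}

# Read the list file given as $1 and install every package named in it.
# The names are validated again here, so a list file edited by hand or
# copied from elsewhere still cannot inject extra apt-get arguments.
restore_pkg_list() {
    names=$(filter_pkg_names < "$1")
    if [ -z "$names" ]; then
        echo "no valid package names found in $1" >&2
        return 1
    fi
    # Word splitting on $names is intended: one validated name per word.
    # shellcheck disable=SC2086
    sudo apt-get install -y $names
}

# Typical use (left commented so the file can be sourced without side effects):
#   save_pkg_list ~/pkglist.txt      # on the old installation
#   restore_pkg_list ~/pkglist.txt   # on the fresh one, after apt-get update
```

Running `save_pkg_list` before wiping the disk and `restore_pkg_list` after the new system is up covers the "special list of the software you had installed" step in the message above; the `/home` backup Blaine mentions is a separate, ordinary file copy and is not handled here.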