Trent Buck writes:

> I think you'll find that is a vocal minority who give others a bad name.

The majority is indeed very silent, then.

I don't really see any objective reason for being interested in Linux,
when real UNIX systems are available for free. A lot of the people who
jumped on the Linux bandwagon didn't understand that there was another
OS called UNIX until quite a distance down the road. Some of them still
don't know about UNIX.

Then again, a lot of UNIX fans have never heard of Multics.

--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

Trent Buck writes:

> BSDen do less ``out of the box'' than Linuces, but they do it more
> robustly, securely and efficiently.

Agreed. And this tends to favor the BSDs for servers, whereas it's
somewhat of a disadvantage for desktops. But since neither Linux nor
the BSDs can hold a candle to the Mac or Windows on the desktop, the
latter disadvantage isn't that important.

--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

Ohmster writes:

> Not really, yeah if you are a professional hacker you could hack an NT
> system, but there are not that many professional hackers out there,
> breaking into everyone's home systems.

Even professionals will have a hard time hacking an NT-based system, if
it is properly configured. Just forgetting the administrator password
on an NT-based system can be a very unpleasant experience.

> These same professional hackers
> could just as easily get into your *nix system if they are that good so I
> think that this negates your point, to a degree, C.

UNIX is no more intrinsically secure than NT, and is less secure in many
ways. However, proper configuration of UNIX can make it very secure,
and there are a few extra-secure versions in existence as well.

> I am only talking about the NT based systems though, the Win95, 98, and
> previous systems are a big joke and offer no security at all.

Yes. The earlier versions of Windows look like they were written by
high-school kids. Come to think of it, they very nearly were.

--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

Mxsmanic wrote in
news:s576319arm2rl7jjod1f1icjdl6u8e8e8h@4ax.com:

> No X is installed by default, although you can request X.Org
> installation during system installation. If you really want X and a
> pretty Windows-like experience, you can install the software of your
> choice. Unlike many Linux distributions, the BSDs don't take for
> granted that you want a desktop and GUI; it's up to you to install and
> configure one if that's what you really want.
>
> I don't run X on my FreeBSD machines because they are servers, not
> desktops. If I want a desktop, I run Windows, since that is by far the
> most logical choice for a desktop machine. In practice, I have top
> running on my FreeBSD consoles, and I communicate with them via ssh and
> ftp sessions from my Windows desktop. One FreeBSD machine is a
> production server, and provides essentially all the server functions I
> require (including a Web site that receives 300,000+ unique visitors
per
> month). The other is for experimentation. The third machine is my
> Windows XP desktop. None of these machines ever crashes.

Man you did an excellent job of explaining this to me, thanks a lot. Yes,
I am going to build a box out of scrap and make it powerful enough to run
FreeBSD so that I can really get a taste for it. I agree with you that a
server really should not run x, after all, it is a server and should do
what servers do, without the overhear of runnning x. I use SecureCRT to
connect with my Redhat box now, although I can run x on it with a gnome
desktop. My redhat 9 system works so darned good and I have spent a lot
of time over the years with tweaking it just to perfection. I have
startup things that make it boot with the numlock on for both console and
x, and many other customizations. This is what keeps me from updating it
to something a little newer. Perhaps I will try out the FreeBSD on
another machine and see how it goes. If it does a good job with
connecting, NAT'ing, serving, and firewalling, then I might use it for my
server instead of RH9.

Thanks again, this was a very informative post.

--
~Ohmster
ohmster at newsguy dot com

Ohmster writes:

> I gotta agree with this, the non NT versions are pretty unstable and have
> no security at all, but this is not the case with the NT kernels.

NT kernels are very secure, and in fact they are even more secure than
most people realize, because not all the security features are exposed
in the user interfaces.

> There
> is one self-defeating option on Windows though in that most Windows
> computer users run as administrators and thus, if they download a "free
> screensaver" that is packed with mal and spyware, they get their systems
> hosed pretty badly.

These same people would run as root on a UNIX system, anyway.

Both systems tend to force the user to log in as root/administrator in
order to install software and certain other functions, though. A key
difference is that one need not systematically reboot UNIX to install
something, but that's more a problem with the way applications are
written than it is with the OS itself (many Windows applications are
still written as if they were running under Windows 3.x).

> What sets linux apart is that running as a sysadmin
> is heavily discouraged and when you run as a non privileged user, you
> simply do not have the access to bring the entire system down with a bad
> download.

Running as the administrator is heavily discouraged with Windows, too.

> Windows does not discourage privileged user accounts so this
> does tend to bring down the security quite a bit on a Windows system.

UNIX doesn't discourage root. Furthermore, on UNIX, root access is all
or nothing. On Windows, there are very precise controls on the
privileges that a given account can have, from nothing at all to the
keys to the kingdom (but most people just use the default profiles).

> I think that the trouble is that most all Windows software must install
> as an administrator, with many *nix programs, you can install them to
> your own directory and do not need sysadmin rights for this.

Exactly. But this is a defect in the way the applications are written.
Both operating systems allow applications to be installed without
privileged access.

> It would be a big plus if the Windows developers could do something
> like this.

Unfortunately, most Windows developers know very little about the NT
architecture, and have no idea how to develop for secure systems. Worst
yet, they usually must write packages that will install and run on older
non-NT versions of Windows, too, and these older versions do indeed
require reboots and privileged access and other things.

> When
> you run Windows as a non administrator, you pretty much cannot install
> anything at all to the computer and can only work with what is already
> there. This is a really big drawback to the Windows OS.

You can install applications that are specifically designed for
user-level installation. You can also create intermediate accounts
(Operators, etc.) that can install software at various levels without
having all privileges (this isn't possible under UNIX).

--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

Spake Mxsmanic:
> and there are a few extra-secure versions in existence as well.

For those who DON'T know, Mxsmanic is of course referring to SELinux,
which is run(?) by the United States' No Such Agency:
http://www.nsa.gov/selinux/

--
Trent Buck, Student Errant
For I am no longer a stranger in the ways of woman.
You finally killed one, eh?

Spake Mxsmanic:
> > Windows does not discourage privileged user accounts so this
> > does tend to bring down the security quite a bit on a Windows system.
>
> UNIX doesn't discourage root. Furthermore, on UNIX, root access is all
> or nothing. On Windows, there are very precise controls on the
> privileges that a given account can have, from nothing at all to the
> keys to the kingdom (but most people just use the default profiles).

Are you talking about Access Control Lists (ACL)? Or something like a
fine-grained sudoers file?

If it's something different entirely, can you point me to some
literature? If Microsoft is doing something better than us, then it's
important to know what it is.

Incidentally, Ubuntu (for one), like OS X, sets a random root password
by default, and gives the first user full sudo access. NO ONE knows the
root password.

> Exactly. But this is a defect in the way the applications are written.
> Both operating systems allow applications to be installed without
> privileged access.

IIUC it's also a deficiency of the current Windows filesystems. Because
the pathname is the `primary key' (unlike UNIX, which has uses inodes),
you can't remove an open file. This causes problems when upgrading
software, solved by a full reboot.

Another thing (IIUC) that requires rebooting under Windows is module
configuration. The NT kernel doesn't have an equivalent to modprobe(8).

> Worst yet, they usually must write packages that will install and run
> on older non-NT versions of Windows, too, and these older versions do
> indeed require reboots and privileged access and other things.

Intruiging. Are the deficiencies I mentioned above no longer extant?

> > When you run Windows as a non administrator, you pretty much cannot
> > install anything at all to the computer and can only work with what
> > is already there. This is a really big drawback to the Windows OS.
>
> You can install applications that are specifically designed for
> user-level installation.

This is true. As a non-administrator I have run GNU Emacs for NT and
miscellaneous binaries from http://gnuwin32.sf.net. At least part of
the problem is ignorant or arrogant app developers.

> You can also create intermediate accounts
> (Operators, etc.) that can install software at various levels without
> having all privileges (this isn't possible under UNIX).

This is possible indirectly, by leveraging orthogonal technologies
including sudo, groups and ACLs. It's also common to chroot FTP and
HTTP servers (and thus their users), which is a level of sorts.

--
Trent Buck, Student Errant
Business is so thoroughly convinced that Lisp is a useless and obsolete
language that when they see someone advocating it, they immediately
assume that this person is insane. -- Jerry Coffin

Ohmster writes:

> ... I am going to build a box out of scrap and make it powerful enough to run
> FreeBSD so that I can really get a taste for it.

You don't need much horsepower unless you plan to run X on the machine.
An X server will gobble resources, but if you can get by without the
pretty windows, a straight UNIX machine will fly like the wind even on
very modest hardware ... remember, it used to run on PDP-8s!

My old dual-processor 200 MHz Pentium Pro system runs lightning fast
with FreeBSD installed on it--much faster than it ran with Windows NT.
HOWEVER, if I start an X server on the machine, it then runs
significantly _slower_ than it did under NT. The reason is that any GUI
is very resource-hungry, and the X server of UNIX is less efficient than
the GUI of Windows, because the latter is more tightly integrated into
the OS (at the expense of poorer security and reliability).

So if you really want a GUI, consider Windows. If you just want a very
fast server, run UNIX (without X).

> I agree with you that a server really should not run x, after
> all, it is a server and should do what servers do, without the
> overhear of runnning x.

Exactly. It's a waste of hardware. Not only that, but interacting with
GUIs is a real pain at a distance, whether it be via pcAnywhere (about
the only option I used to have for Windows) or via a remote X server.
For administering a server at a distance, nothing beats a simple CLI.

> I use SecureCRT to connect with my Redhat box now ...

That's what I use. Nice product. I use SecureFX for FTP, and between
that and SecureCRT, I have pretty much all that I need.

> My redhat 9 system works so darned good and I have spent a lot
> of time over the years with tweaking it just to perfection. I have
> startup things that make it boot with the numlock on for both console and
> x, and many other customizations. This is what keeps me from updating it
> to something a little newer.

If it works so well, why would you _want_ to change it? Don't fix
something that isn't broken! _Especially_ if it's a production server.

My production server just hums along on its own. I look at the console
from time to time to see if all is well, and it always is. I don't play
around with it much ... that's what the other experimental machine is
for. Indeed, I don't play around with the Windows desktop, either.
Both machines are production machines, so I don't do anything to
destabilize them.

> Perhaps I will try out the FreeBSD on another machine and see
> how it goes.

That's probably the best way to do it.

> If it does a good job with connecting, NAT'ing, serving, and
> firewalling, then I might use it for my server instead of RH9.

I personally think that routing, NAT, firewalls, and the like should be
on separate pieces of hardware, not on machines that are doing other
things as well. It's more secure and stable that way. My router does
all the NAT and firewall stuff--and nothing else. The other machines
can't be attacked because they can't even be reached, and since the
firewall is physically independent of these machines, there's no chance
of squeaking past the firewall on the same machine.

--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

Trent Buck writes:

> How many known bugs are outstanding (i.e. unfixed) and exploitable,
> compared to Microsoft's current operating systems?

I'm not sure, but I suspect the numbers are very close to being the
same. A lot of holes have been plugged in Windows, and Windows has been
under attack for years. Linux is still vulnerable, and attacks
intensify every day.

One way to make Linux a lot more secure is to turn off the GUI (true for
any OS, actually), but Linux users are so hellbent on making their
systems look as much like wannabe Windows systems as possible that they
refuse to consider shutting down the GUI.

A UNIX system with no GUI and only a port or two open, with reliable
daemons listening on those ports, and with no local or remote user
access is very, very secure.

--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

Trent Buck writes:

> - Linux code is read by more people.

I don't think people find bugs by analyzing code, although some do. If
that were the case, nobody would find bugs in Windows, since the code
isn't public.

> - There is more Linux code.

Is there? I don't even know if Microsoft has a count of the number of
lines of code it has written.

> - The Linux community (mostly) WANTS full disclosure of bugs.

So does the Windows community (mostly).

> - Linux bugs are (mostly) POTENTIAL exploits.

So are most Windows bugs.

--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

Spake Mxsmanic:
> if you can get by without the pretty windows

The unsung hero of the console is screen(1), which lets you open
multiple windows, swap between them and resize them. It lets you lock
the terminal. It lets you reconnect to your windows if your network
connection dies. It can even show a clock and list of windows along the
bottom line. If you haven't checked out screen, you are REALLY missing
out.

> > I use SecureCRT to connect with my Redhat box now ...

Interesting. What are the advantages over putty?

> My router does all the NAT and firewall stuff--and nothing else. The
> other machines can't be attacked because they can't even be reached,
> and since the firewall is physically independent of these machines,
> there's no chance of squeaking past the firewall on the same machine.

Unless, of course, there is a gaping hole in your commodity router.

--
Trent Buck, Student Errant
Isn't that, like, a Greek tragedy? The man who spends all
his time downloading pr0n but never gets to look at it?

Spake Mxsmanic:
> One way to make Linux a lot more secure is to turn off the GUI (true for
> any OS, actually), but Linux users are so hellbent on making their
> systems look as much like wannabe Windows systems as possible that they
> refuse to consider shutting down the GUI.

That's not the case for (at least) Debian, which does not install X
unless you specifically tell it to. Regardless, I don't see how a
desktop with one X session that doesn't listen to the network at all (as
is the default in (at least) Debian) is any less secure the same box
with just the standard VTs. Could you elaborate?

--
Trent Buck, Student Errant
God doesn't fit inside a single religion.

Mxsmanic wrote in
news:l7g631h8ga7gkghstcr2ljig4kjvskvdsc@4ax.com:


>> I use SecureCRT to connect with my Redhat box now ...
>
> That's what I use. Nice product. I use SecureFX for FTP, and between
> that and SecureCRT, I have pretty much all that I need.

Yeah no doubt.

>> My redhat 9 system works so darned good and I have spent a lot
>> of time over the years with tweaking it just to perfection. I have
>> startup things that make it boot with the numlock on for both console
>> and x, and many other customizations. This is what keeps me from
>> updating it to something a little newer.
>
> If it works so well, why would you _want_ to change it? Don't fix
> something that isn't broken! _Especially_ if it's a production
> server.

Well, it is not exactly a production server, but I do run my personal
domain on it, my family domain, and a stationery website for a friend
with a domain. I never have to do anything with this machine anymore
except to run it and leave it alone. This thing is so freaking good and
stable and never hiccups or burps. Had this been an MS OS and MS servers,
it would cost many thousands of dollars and probably could not have an
uptime of years without having to reboot. All of this Redhat stuff is
free. Still, it works very well and you are right, don't fix what is not
broken.


> My production server just hums along on its own. I look at the
> console from time to time to see if all is well, and it always is. I
> don't play around with it much ... that's what the other experimental
> machine is for. Indeed, I don't play around with the Windows desktop,
> either. Both machines are production machines, so I don't do anything
> to destabilize them.

This is a very good line of thought. I will follow this example.


> I personally think that routing, NAT, firewalls, and the like should
> be on separate pieces of hardware, not on machines that are doing
> other things as well. It's more secure and stable that way. My
> router does all the NAT and firewall stuff--and nothing else. The
> other machines can't be attacked because they can't even be reached,
> and since the firewall is physically independent of these machines,
> there's no chance of squeaking past the firewall on the same machine.
>

Hmmmm, I have heard this train of thought before and I sure cannot argue
with it. Perhaps I will setup a single, low power computer, just to do
the firewall and routing, then the next machine will be the server and
the XP play machines. Yes, this seems like a very good idea. Do you think
that FreeBSD would be a good candiate for a firewall/router machine or
should I just stick with the Redhat line, maybe try out Fedora Core. I
like the fact that FC is up to date and is updated pretty regularly, but
that is also a downside for a production machine, who wants to have to
update a production machine all the time? If it is setup right and works
and is secure, leave it alone to do it's job.

Okay, I have to setup an experimental machine so that I can try out
FreeBSD and Fedora Core. Perhaps a dual boot system until I get an idea
of what is better for me.

Thanks for the very good advice and discussion.

--
~Ohmster
ohmster at newsguy dot com

Trent Buck wrote in news:20050313064417.6d869169
@harpo.marx:

> Spake Mxsmanic:
>> if you can get by without the pretty windows
>
> The unsung hero of the console is screen(1), which lets you open
> multiple windows, swap between them and resize them. It lets you lock
> the terminal. It lets you reconnect to your windows if your network
> connection dies. It can even show a clock and list of windows along
the
> bottom line. If you haven't checked out screen, you are REALLY missing
> out.

Hmmm, I have heard this many times but have yet to learn about screen. Do
you have any URLS handy that I could get a hands on experience for screen
with?

>> > I use SecureCRT to connect with my Redhat box now ...
>
> Interesting. What are the advantages over putty?

Oh I don't know. There might not really be any. I just use SecureCRT
because I have it and am familier with it. I have used putty and putty
works quite well and can be setup very nicely. Putty is very good.
SecureCRT will allow you to use Zmodem but I cannot figure out how to get
the linux side of Zmodem to work or install. I think it would be a pretty
neat feature to be able to transfer files back and forth over a secure
connecton and not have to run an FTP or SecureFTP program as well as
putty or SecureCRT. I don't know if putty can do that or not. I would
like to know if anyone ever uses Zmodem to exchange files over a secure
terminal though. I used Zmodem back in the days of my first real ISP with
a dial up shell account. It did work quite well for getting binary files
up and down the connection. Does anybody here use Zmodem or anything like
that in a secure terminal application?



--
~Ohmster
ohmster at newsguy dot com

Mxsmanic wrote in
news:n9d631h41rhujutcgpoeaa0vulb4b7jqnh@4ax.com:

> Agreed. And this tends to favor the BSDs for servers, whereas it's
> somewhat of a disadvantage for desktops. But since neither Linux nor
> the BSDs can hold a candle to the Mac or Windows on the desktop, the
> latter disadvantage isn't that important.
>

Hmmmm, yeah, Windows or Mac are definitely better for desktop, although I
cannot stand a Mac and won't buy or use one. My reasons are personal
though, I think that Macs are expensive and limited with the applications
and programs that you can get for them. Doesn't mean that a Mac is not a
good computer though, I just don't want one, unless I could "get under
the hood" and use *nix style commands in them.

I have seen UNIX and Linux desktops that are setup and that work quite
well though. Still, they are not as easy to use though. With Windows, you
can drag and drop just about anything, anywhere. Rarely does this always
work on a linux system unless you use something like KDE and only use KDE
applications. Throw in something non-KDE like Firefox and there goes your
drag and drop.

--
~Ohmster
ohmster at newsguy dot com

Trent Buck writes:

> The unsung hero of the console is screen(1), which lets you open
> multiple windows, swap between them and resize them. It lets you lock
> the terminal. It lets you reconnect to your windows if your network
> connection dies. It can even show a clock and list of windows along the
> bottom line. If you haven't checked out screen, you are REALLY missing
> out.

I'm aware of it, but haven't had much occasion to use it, as I usually
access the system from ssh clients. The problem with the console is
that system messages periodically appear on it, messing up anything you
might be doing that requires a clean screen.

> Interesting. What are the advantages over putty?

I don't know, as I've not used putty. I don't remember how I found out
about SecureCRT--I think an ISP recommended it to me while discussing
ssh clients from Windows. I eventually bought their FTP and secure FTP
clients, too (AbsoluteFTP, followed by SecureFX).

> Unless, of course, there is a gaping hole in your commodity router.

I'm not aware of one. It's a pretty simple device, and my firewall
rules are pretty simple, too ... just one or two steps away from "block
everything." I've sacrificed some things completely, such as instant
messaging, simply because I don't like having so many ports open.

--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

Ohmster writes:

> Hmmm, I have heard this many times but have yet to learn about screen. Do
> you have any URLS handy that I could get a hands on experience for screen
> with?

It should already be on your system. I think it's pretty standard with
UNIX or is at least readily available.

> I would like to know if anyone ever uses Zmodem to exchange
> files over a secure terminal though.

Zmodem ... ick. That brings back bad memories of the old days.

--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

Ohmster writes:

> Hmmmm, yeah, Windows or Mac are definitely better for desktop, although I
> cannot stand a Mac and won't buy or use one.

Macs are too opaque for my tastes--they are so user-friendly that you're
never quite sure what they are actually doing behind the scenes.
Unfortunately, Windows is getting that way, too.

Also, Macs are too expensive, and there are too few applications
available for them. And being locked into a single company for both the
OS _and_ the hardware is pushing things dangerously far.

> My reasons are personal
> though, I think that Macs are expensive and limited with the applications
> and programs that you can get for them. Doesn't mean that a Mac is not a
> good computer though, I just don't want one, unless I could "get under
> the hood" and use *nix style commands in them.

Yes. I've heard that you can get to the UNIXate stuff beneath the hood
of OS X, but I don't know how true that really is. Why bother, if you
can just install a straight UNIX system instead?

> I have seen UNIX and Linux desktops that are setup and that work quite
> well though.

Sure, but why bother, when there are better desktops to be had?

I suppose that if you can't afford Mac or Windows OS software, UNIX is
an option. But if you are that strapped, how are you paying for the
hardware?

Also, you can't build a Mac from scratch, which is a big disadvantage.
OEM copies of Windows are cheaper than boxed retail copies, but they are
still expensive (more expensive than they should be).

Then again, if you buy a boxed Linux distribution, you pay nearly as
much. I see Linux distributions in excess of $100 these days; at that
price, just buy Windows instead.

> Still, they are not as easy to use though. With Windows, you
> can drag and drop just about anything, anywhere. Rarely does this always
> work on a linux system unless you use something like KDE and only use KDE
> applications. Throw in something non-KDE like Firefox and there goes your
> drag and drop.

All GUIs are a mess.

--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

Trent Buck writes:

> For those who DON'T know, Mxsmanic is of course referring to SELinux,
> which is run(?) by the United States' No Such Agency:
>
> http://www.nsa.gov/selinux/

Actually, I was thinking of secure proprietary and free versions of
UNIX, like the one HP has (can't remember the name), or TrustedBSD.

Of course, nothing prevents Linux from being secured in the same way.
Even the latest version of FreeBSD supports ACLs, although I haven't
tried them yet.

--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.