Post by thread:[OT]: Real Computer Alert

Exact match. Not showing close matches.
PICList Thread
'[OT]: Real Computer Alert'
2001\04\03@194546 by Andy N1YEW

This is an official computer alert. Andrew N1YEW ----- Original Message ----- From: CERT Advisory <spam_OUTcert-advisoryTakeThisOuTcert.org> To: <.....cert-advisoryKILLspam@spam@cert.org> Sent: Tuesday, April 03, 2001 2:02 PM Subject: CERT Advisory CA-2001-06 {Quote hidden}> > -----BEGIN PGP SIGNED MESSAGE----- > > CERT Advisory CA-2001-06 Automatic Execution of Embedded MIME Types > > Original release date: April 03, 2001 > Last revised: -- > Source: CERT/CC > > A complete revision history can be found at the end of this file. > > Systems Affected > > * All versions of Microsoft Internet Explorer 5.5 SP1 or earlier, > except IE 5.01 SP2 > * Any software which utilizes vulnerable versions of Internet > Explorer to render HTML > > Overview > > Microsoft Internet Explorer has a vulnerability triggered when parsing > MIME parts in a document that allows a malicious agent to execute > arbitrary code. Any user or program that uses vulnerable versions of > Internet Explorer to render HTML in a document (for example, when > browsing a filesystem, reading email or news messages, or visiting a > web page), should immediately upgrade to a non-vulnerable version of > Internet Explorer. > > I. Description > > There exists in Internet Explorer a table which is used to determine > how IE handles MIME types when it encounters MIME parts in any type of > HTML document, be it email message, newsgroup posting, web page, or > local file. This table contains a set of entries that cause Internet > Explorer to open the MIME part without giving the end user the > opportunity to decide if the MIME part should be opened. This > vulnerability allows an intruder to construct malicious content that, > when viewed in Internet Explorer (or any program that uses the IE HTML > rendering engine), can execute arbitrary code. It is not necessary to > run an attachment; simply viewing the document in a vulnerable program > is sufficient to execute arbitrary code. > > For more details, see Microsoft Security Bulletin MS01-020 on this > topic at: > > http://www.microsoft.com/technet/security/bulletin/MS01-020.asp > > There have been reports that simply previewing HTML content (as in a > mail client or filesystem browser) is sufficient to trigger the > vulnerability. The impact of viewing malicious code in this manner is > being evaluated. > > The CERT/CC is currently unaware of any reports of this vulnerability > being used to successfully attack a system. Demonstration code > exploiting this vulnerability has been published in several public > forums. This vulnerability is being referenced in CVE as CAN-2001-0154 > and by the CERT/CC as VU#980499. > > II. Impact > > Attackers can cause arbitrary code to be executed on a victim's system > by embedding the code in a malicious email, or news message, or web > page. > > III. Solution > > Apply the patch from Microsoft > > Apply the patch from Microsoft, available at: > > www.microsoft.com/windows/ie/download/critical/Q290108/default.asp {Quote hidden}> > As noted in the 'Caveats' section of the Microsoft advisory, end users > must apply this patch to supported versions of Microsoft's browser. > This means IE must be upgraded to IE 5.01 Service Pack 1 or IE 5.5 > Service Pack 1 before users can apply this patch. Users who have not > previously upgraded will incorrectly receive a message stating that > they do not need to apply this patch, even though they are vulnerable. > Users are advised to upgrade to IE 5.5 SP1, IE 5.01 SP1 or SP2 (which > has this patch incorporated in it) and apply the appropriate patch. > > An excerpt from MS01-020: > > Caveats: > If the patch is installed on a system running a version of IE other > than the one it is designed for, an error message will be displayed > saying that the patch is not needed. This message is incorrect, and > customers who see this message should upgrade to a supported version > of IE and re-install the patches. > > Appendix A. - Vendor Information > > This appendix contains information provided by vendors for this > advisory. When vendors report new information to the CERT/CC, we > update this section and note the changes in our revision history. If a > particular vendor is not listed below, we have not received their > comments. > > > Cyrusoft International, Inc. > > Mulberry does not use Internet Explorer to render HTML within Mulberry > itself and is not vulnerable to these kinds of problems. Users can > save HTML attachments to disk and then view those in browsers > susceptible to this problem, but this requires the direct intervention > of the user to explicitly save to disk - simply viewing HTML in > Mulberry does not expose users to these kinds of problems. > > Our HTML rendering is a basic styled-text only renderer that does not > execute any form of scripts. This is true on all the platforms we > support: Win32, Mac OS (Classic & X), Solaris, linux. > > An official statement about this is available on our website at: > > http://www.cyrusoft.com/mulberry/htmlsecurity.html > > > Lotus Development Corporation > > Notes does not use IE to render HTML-formatted mail messages. > > > Microsoft Corporation > > Please see the advisory (MS01-020, "Incorrect MIME Header Can Cause IE > to Execute E-mail Attachment") related to this issue at: > > http://www.microsoft.com/technet/security/bulletin/MS01-020.asp > > A patch is available for this issue at: > > www.microsoft.com/windows/ie/download/critical/Q290108/default.asp {Quote hidden}> > > Netscape Communications Corporation > > Netscape is currently investigating the impact this vulnerability, if > any, has on users of the Netscape browser. > > > Opera Software > > Opera does not use Internet Explorer or any other external software to > render HTML. > > > QUALCOMM Incorporated > > It is unclear at this time what impact, if any, this vulnerability has > on Eudora clients. > > > Appendix B. - References > > 1. Havrilla, J., and Hernan, S., "CERT Vulnerability Note VU#980499: > Certain MIME types can cause Internet Explorer to execute > arbitrary code when rendering HTML", March 2001. > https://www.kb.cert.org/vuls/id/980499 > _________________________________________________________________ > > Microsoft has acknowledged Juan Carlos Cuartango for bringing this > issue to their attention. > > This document was written by Jeffrey S. Havrilla and Shawn V. Hernan. > If you have feedback, comments, or additional information about this > issue, please send us email. > ______________________________________________________________________ > > This document is available from: > http://www.cert.org/advisories/CA-2001-06.html > ______________________________________________________________________ > > CERT/CC Contact Information > > Email: certKILLspamcert.org > Phone: +1 412-268-7090 (24-hour hotline) > Fax: +1 412-268-6989 > Postal address: > CERT Coordination Center > Software Engineering Institute > Carnegie Mellon University > Pittsburgh PA 15213-3890 > U.S.A. > > CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) > Monday through Friday; they are on call for emergencies during other > hours, on U.S. holidays, and on weekends. > > Using encryption > > We strongly urge you to encrypt sensitive information sent by email. > Our public PGP key is available from > > http://www.cert.org/CERT_PGP.key > > If you prefer to use DES, please call the CERT hotline for more > information. > > Getting security information > > CERT publications and other security information are available from > our web site > > http://www.cert.org/ > > To subscribe to the CERT mailing list for advisories and bulletins, > send email to .....majordomoKILLspam.....cert.org. Please include in the body of your > message > > subscribe cert-advisory > > * "CERT" and "CERT Coordination Center" are registered in the U.S. > Patent and Trademark Office. > ______________________________________________________________________ > > NO WARRANTY > Any material furnished by Carnegie Mellon University and the Software > Engineering Institute is furnished on an "as is" basis. Carnegie > Mellon University makes no warranties of any kind, either expressed or > implied as to any matter including, but not limited to, warranty of > fitness for a particular purpose or merchantability, exclusivity or > results obtained from use of the material. Carnegie Mellon University > does not make any warranty of any kind with respect to freedom from > patent, trademark, or copyright infringement. > _________________________________________________________________ > > Conditions for use, disclaimers, and sponsorship information > > Copyright 2001 Carnegie Mellon University. > > Revision History > April 03, 2001: Initial release > > -----BEGIN PGP SIGNATURE----- > Version: PGP for Personal Privacy 5.0 > Charset: noconv > > iQCVAwUBOsoNNQYcfu8gsZJZAQFd3gQAkCKdIcdKJ/gaii0odrJdM/jlZUv7MYYf > R8LUHkV1dUTxEI/SRrKtAoEsf/UVVgZI4PGBB/pyptkmSv2axMWf4AD1Ubful712 > ojVaHG7hJuV5RNiw2yE/R4AoWZ5GbdaQByYWpCB+OfwNzsz/7MYibjI6xUtvqRvV > JxYMB6q5TqM= > =B0Bv > -----END PGP SIGNATURE----- > -- http://www.piclist.com hint: The list server can filter out subtopics (like ads or off topics) for you. See http://www.piclist.com/#topics

2001\04\03@213127 by Damon Hopkins

Andy N1YEW wrote: > > Systems Affected > > > > * All versions of Microsoft Internet Explorer 5.5 SP1 or earlier, > > except IE 5.01 SP2 > > * Any software which utilizes vulnerable versions of Internet > > Explorer to render HTML Solution: Use Netscape Damon Hopkins -- http://www.piclist.com hint: The list server can filter out subtopics (like ads or off topics) for you. See http://www.piclist.com/#topics

2001\04\03@223150 by Herbert Graf

> Andy N1YEW wrote: > > > Systems Affected > > > > > > * All versions of Microsoft Internet Explorer 5.5 SP1 or earlier, > > > except IE 5.01 SP2 > > > * Any software which utilizes vulnerable versions of Internet > > > Explorer to render HTML > > Solution: Use Netscape A good idea, if Netscape ever ran for me without crashing. Netscape is the ONLY app I use in Linux that ALWAYS crashes, in an hour it crashes at least 3 or 4 times. The windows version is better, but not by much. People have told me the reason Netscape crashes is because it has problems with Java and for Netscape not to crash I should disable Java. This is just not acceptable, although I personally don't like Java much alot of what I do on the web requires Java, and for that reason Netscape is not for me (WHEN I have a choice). Just my two cents. I hear Netscape 6 is even worse. TTYL -- http://www.piclist.com hint: The list server can filter out subtopics (like ads or off topics) for you. See http://www.piclist.com/#topics

2001\04\03@230941 by trm

I gave up on Ver 6 when I upgraded to 6.01. It allowed me to download my emails, but not open them. Before that it would intermittently "lose" what was in the Inbox when I exited 7 re-entered Netscape. "magically" they would reapear a few restarts later. Uh ?? I've gone back to Ver. 4.71. Most of the problems are gone, but I "lost" about 100 emails (Mostly from PICLIST) to Ver. 6.01. Ver 6 is also MUCH slower than Ver 4.71. Ted Melton Herbert Graf wrote: {Quote hidden}> > Andy N1YEW wrote: > > > > Systems Affected > > > > > > > > * All versions of Microsoft Internet Explorer 5.5 SP1 or earlier, > > > > except IE 5.01 SP2 > > > > * Any software which utilizes vulnerable versions of Internet > > > > Explorer to render HTML > > > > Solution: Use Netscape > > A good idea, if Netscape ever ran for me without crashing. Netscape is the > ONLY app I use in Linux that ALWAYS crashes, in an hour it crashes at least > 3 or 4 times. The windows version is better, but not by much. People have > told me the reason Netscape crashes is because it has problems with Java and > for Netscape not to crash I should disable Java. This is just not > acceptable, although I personally don't like Java much alot of what I do on > the web requires Java, and for that reason Netscape is not for me (WHEN I > have a choice). Just my two cents. I hear Netscape 6 is even worse. TTYL > > -- > http://www.piclist.com hint: The list server can filter out subtopics > (like ads or off topics) for you. See http://www.piclist.com/#topics -- http://www.piclist.com hint: The list server can filter out subtopics (like ads or off topics) for you. See http://www.piclist.com/#topics

2001\04\04@004242 by Nicholas Irias

If you crash 3 or 4 times per hour, the problem is probably your Linux OS rather than Windows or Netscape. I run the much maligned Windows NT with the much maligned Outbreak and Internet Exploder, and I measure the time between crashes in months. People only write viruses for Windows, so Linux enjoys a bit of "security through obscurity". A Linux user laughing at a Windows user who has encountered a virus is like a caveman laughing at a motorist whose gas tank has been sugared. Sugar may not hurt the caveman's sandals, but when the day is done, he is still a caveman using an outmoded means of transportation. {Original Message removed}

2001\04\04@021858 by Scott Dattalo

On Tue, 3 Apr 2001, Nicholas Irias wrote: > If you crash 3 or 4 times per hour, the problem is probably your Linux OS > rather than Windows or Netscape. I run the much maligned Windows NT with > the much maligned Outbreak and Internet Exploder, and I measure the time > between crashes in months. > > People only write viruses for Windows, so Linux enjoys a bit of "security > through obscurity". A Linux user laughing at a Windows user who has > encountered a virus is like a caveman laughing at a motorist whose gas tank > has been sugared. Sugar may not hurt the caveman's sandals, but when the > day is done, he is still a caveman using an outmoded means of > transportation. Had you mentioned TV's, you'd been 3 for 3 for things I seldom do. Your caveman metaphor is most enlightening - though in my case I exchange the sugar for traffic and the sandals for Speedplays. I often considered abandoning my outmoded form of travel, especially since on most mornings it just saves 5 minutes on my 25 minute commute. Besides, my 14 year old nissan 200sux could use more attention. Excluding bad hardware - I've never once have had Linux crash. Period. My current box has been up: $ uptime 10:39pm up 80 days, 12:26, 8 users, load average: 0.00, 0.01, 0.00 Which is amazing considering that my two year old daughter loves to push buttons. So I doubt that Linux is the reason Netscape is crashing on the original poster's computer. But the real issue I'd like to address in this totally Off Topic thread is the false assertion that Linux has security through obscurity. Linux is hardly obscure. Granted it's not as ubiquitous as windows, and probably won't be for the near future, but there are numerous places it's used. I submit that Linux is secure (from viruses) because it clearly delineates user space and OS space, whereas windows blurs the two. W9x makes no distinction. NT/W2k endeavor to make a distinction by adding an Administrator mode. Most people I know defeat this by giving users (i.e. themselves) administrative priviledges because it's too cumbersome to switch between user mode and administrative mode. (Correct me if I'm wrong, but it's not possible to have an administrator and user simultaneously logged into a "stock" NT/2k box). I consider this blurring between the user and superuser a fundamental design error in all of MS's OSes. This design error is what makes Microsoft's OSes vulnerable to (and the target of) virus attacks and GNU/Linux (and Unix in general ) relatively impervious. If you care to hear my opinions about other windows fundamental design errors, I can climb to a higher rung on the soap box. Scott -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@024916 by Neil Bradley

> Excluding bad hardware - I've never once have had Linux crash. Period. You are unique. I work with Linux daily and it not only buckles under heavy load it also kernel traps several times a month. I've not seen this behavior in Windows 2000 (though Win98 and the others is an entirely different story) or under FreeBSD. > My > current box has been up: > $ uptime > 10:39pm up 80 days, 12:26, 8 users, load average: 0.00, 0.01, 0.00 With a load average of near 0. Compare Linux to FreeBSD 4.0: [SYNTHCOM->neil: 1053] uptime 11:46PM up 107 days, 22:10, 3 users, load averages: 2.54, 2.45, 2.27 Prior to that (had to shut down because of an extended power failure my UPS couldn't handle): [SYNTHCOM->neil: 532] uptime 6:58PM up 209 days, 2:16, 5 users, load averages: 1.95, 2.02, 1.99 And that was when I installed FreeBSD 4.0. Prior to that it had been running a bit over a year - each time rebooted because of failed hardware or upgrades. Oh, and the load average is always over 2 but has no effect on system performance. ;-) Linux starts getting sluggish after a load average of 1.00. > false assertion that Linux has security through obscurity. Linux is hardly > obscure. It's quite obscure, actually. IT can't decide if it's POSIX compliant, 4.4BSD, AT&T or its own thing. > the near future, but there are numerous places it's used. I submit that Linux is > secure (from viruses) because it clearly delineates user space and OS space, Lots of people (ignoranly) log in as root. It's just as easy to have a virus propogate, or do something sneaky like putting "." in someone's path. It has nothing to do with "user" or "OS" space. > whereas windows blurs the two. W9x makes no distinction. NT/W2k endeavor to make > a distinction by adding an Administrator mode. Most people I know defeat this by > giving users (i.e. themselves) administrative priviledges because it's too > cumbersome to switch between user mode and administrative mode. (Correct me if > I'm wrong, but it's not possible to have an administrator and user > simultaneously logged into a "stock" NT/2k box). Yes it is - I do remote configuration to our 2K boxes at work with just such an approach. And "administrator" isn't a mode, it's a default account created that grants access to everything. Viruses can still be destructive in user space. > between the user and superuser a fundamental design error in all of MS's OSes. > This design error is what makes Microsoft's OSes vulnerable to (and the target > of) virus attacks and GNU/Linux (and Unix in general ) relatively impervious. > If you care to hear my opinions about other windows fundamental design errors, > I can climb to a higher rung on the soap box. Feel free to talk about Windows fundamental design errors, but Linux is OOOZING with them judging by the number of security problems found. 1/5th the "market" of Windows and has 3X the reported security holes. -->Neil ------------------------------------------------------------------------------- Neil Bradley There'd be no more N'Sync if everyone had guns. Synthcom Systems, Inc. ICQ #29402898 -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@030328 by Michael Rigby-Jones

> -----Original Message----- > From: Nicholas Irias [SMTP:EraseMEniriasspam_OUTTakeThisOuTPACBELL.NET] > Sent: Wednesday, April 04, 2001 5:10 AM > To: PICLISTspam_OUTMITVMA.MIT.EDU > Subject: Re: [OT]: Real Computer Alert > > If you crash 3 or 4 times per hour, the problem is probably your Linux OS > rather than Windows or Netscape. I run the much maligned Windows NT with > the much maligned Outbreak and Internet Exploder, and I measure the time > between crashes in months. > > People only write viruses for Windows, so Linux enjoys a bit of "security > through obscurity". A Linux user laughing at a Windows user who has > encountered a virus is like a caveman laughing at a motorist whose gas > tank > has been sugared. Sugar may not hurt the caveman's sandals, but when the > day is done, he is still a caveman using an outmoded means of > transportation. > Walking is outmoded? Actually, if you live in the states I guess you are correct. During my time over there stayiong with friends, I offered to walk the half mile down to the local shops to get some groceries, and they thought I was mad to consider walking. I found out why when I tried to walk there, the sidewalk stopped at the end of the street!! Mike -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@031639 by dr. Imre Bartfai

Hi, maybe. I looked for a good Netscape version until I found 4.76 (I believe this is the last non-Java version). Using with Xfree 4.0.3, crash is rather seldom. I hope this helps. Regards, Imre PS: I use SuSE Linux 7.0, but I updated to glibc 2.2. On Tue, 3 Apr 2001, Herbert Graf wrote: {Quote hidden}> > Andy N1YEW wrote: > > > > Systems Affected > > > > > > > > * All versions of Microsoft Internet Explorer 5.5 SP1 or earlier, > > > > except IE 5.01 SP2 > > > > * Any software which utilizes vulnerable versions of Internet > > > > Explorer to render HTML > > > > Solution: Use Netscape > > A good idea, if Netscape ever ran for me without crashing. Netscape is the > ONLY app I use in Linux that ALWAYS crashes, in an hour it crashes at least > 3 or 4 times. The windows version is better, but not by much. People have > told me the reason Netscape crashes is because it has problems with Java and > for Netscape not to crash I should disable Java. This is just not > acceptable, although I personally don't like Java much alot of what I do on > the web requires Java, and for that reason Netscape is not for me (WHEN I > have a choice). Just my two cents. I hear Netscape 6 is even worse. TTYL > > -- > http://www.piclist.com hint: The list server can filter out subtopics > (like ads or off topics) for you. See http://www.piclist.com/#topics > > > > -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@055339 by Alan B. Pearce

> whereas windows blurs the two. W9x makes no distinction. NT/W2k endeavor to make > a distinction by adding an Administrator mode. Most people I know defeat this by > giving users (i.e. themselves) administrative priviledges because it's too > cumbersome to switch between user mode and administrative mode. (Correct me if > I'm wrong, but it's not possible to have an administrator and user > simultaneously logged into a "stock" NT/2k box). I get the feeling that this is not the issue, but rather how the code is run, i.e. in Intel parlance is it run in Ring 0 (highest accessibility to the hardware) or Ring 3 (no accessibility to the hardware). NT uses the security of the various rings, as does the various flavours of Unix AFAIK, but the Win9x make limited if any use of this. -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@062445 by Wojciech Zabolotny

On Wed, Apr 04, 2001 at 12:00:21AM -0700, Neil Bradley wrote: > > Excluding bad hardware - I've never once have had Linux crash. Period. > > You are unique. I work with Linux daily and it not only buckles under > heavy load it also kernel traps several times a month. I've not seen this > behavior in Windows 2000 (though Win98 and the others is an entirely > different story) or under FreeBSD. > Sounds like a misconfigured kernel :-(. Do you use any experimental drivers? I never had such problems when using self compiled kernels. I often write the CDR, compile the program and work interactively (eg. with editor or WWW browser) at the same time, additionally with a few remote users on board (Yes, I know that CD Writer in the multiuser server is not the best idea, but runing cdrecord through "nice --19" works perfectly) - compare it with Windows, where you have to deactivate screen saver when writing CDRs. When I first worked with NT4.0 it really seemed to me faster, than Linux running on the same hardware, but that impression disappeared immediately, when Windows started to use the virtual memory - I had to wait a few seconds when switching the applications. The main problem - both in Linux and in Windows is the memory... And the last thing. I really want to know that my OS does not contain any "back doors" left intentionally by the software vendor or their employees. This is only possible with the Open Source OS'es. -- Wojciech Zabolotny @spam@wzabKILLspamise.pw.edu.pl http://www.debian.org : Use Linux! Save your data and time. -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@070913 by Wojciech Zabolotny

On Tue, Apr 03, 2001 at 09:09:32PM -0700, Nicholas Irias wrote: > If you crash 3 or 4 times per hour, the problem is probably your Linux OS > rather than Windows or Netscape. I run the much maligned Windows NT with > the much maligned Outbreak and Internet Exploder, and I measure the time > between crashes in months. > > People only write viruses for Windows, so Linux enjoys a bit of "security > through obscurity". A Linux user laughing at a Windows user who has > encountered a virus is like a caveman laughing at a motorist whose gas tank > has been sugared. Sugar may not hurt the caveman's sandals, but when the > day is done, he is still a caveman using an outmoded means of > transportation. > "Security through obscurity" in the Open Source OS???? Sounds very funny!!! BTW. I have some "multiboot" machines, where both Linux and Windows are used, and "crash rate" is much higher when running under Windows. Additionally the TCO is much lower in the case of Linux, because all important services and fundamental applications are included in the OS distribution. May be I'm a caveman, but if I can have my job done three times faster with my "outdated" tools (like LaTeX instead of Word), then I really prefere to use them. -- Wojciech Zabolotny KILLspamwzabKILLspamise.pw.edu.pl -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@073231 by Steven J. Devine

> If you crash 3 or 4 times per hour, the problem is probably your Linux OS > rather than Windows or Netscape. I run the much maligned Windows NT with > the much maligned Outbreak and Internet Exploder, and I measure the time > between crashes in months. Perhaps a configuration issue and/or bad install, as I have four linux machines, one which has been running 24x7 since 1994, two since 97, the other more recent. All of which run Netscape without crashes of any regularity. (tho the older machine uses an older version of Netscape... hey, why mess with it if it works?) Steve -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@091205 by Nicholas Irias

Linux is obscure just as an "obscure poet" is obscure. There has been an effort to publish source code, but only a handfull of people use it. And that obscurity provides security by discouraging virus writers, who dont want to spend days cooking up a virus for a platform that has too few potential carriers and victims. More results if you write a virus aimed at millions of users than one aimed at hundreds of users. {Original Message removed}

2001\04\04@093108 by Dale Botkin

On Wed, 4 Apr 2001, Neil Bradley wrote: > > Excluding bad hardware - I've never once have had Linux crash. Period. > > You are unique. I work with Linux daily and it not only buckles under > heavy load it also kernel traps several times a month. I've not seen this > behavior in Windows 2000 (though Win98 and the others is an entirely > different story) or under FreeBSD. He's nowhere near unique. I have used Linux on production systems handling heavy loads -- it simply does not crash unless you've badly misconfigured something. Of course you *can* hose pretty much any OS badly enough to make it unstable -- if you try hard enough. Reliability and robustness of any OS is dependent to some degree on the competency of the administrator and operator. > Feel free to talk about Windows fundamental design errors, but Linux is > OOOZING with them judging by the number of security problems found. 1/5th > the "market" of Windows and has 3X the reported security holes. 'Scuse me? Where on Earth did *those* figures come from? Never mind, I'm sure there are sources to back up pretty much any conceivable opinion. I don't want to step into this holy war... but let me share my personal experience. I have been an NT admin and managed a group of very good, experienced NT people. I have also run many BSD, Linux and Solaris boxes, and currently work in a large enterprise environment where NT is used for desktops and "business" apps, and Sun/Solaris is used for producton. NT systems can be made more or less reliable as long as they are regularly rebooted and as long as limit each system to a single function. UNIX systems can be made reliable by simply keeping users off them - "bouncing" a UNIX server to correct a problem is an exceedingly rare occurrence, whereas it's fairly common on the NT boxes. At home I run 98, NT and Linux. The Windows machines have been reloaded a few times and are OK as long as they're regularly rebooted and you don't keep anything critical on the disk without a backup. The Linux machine is a file server, DNS, SMTP, POP3, Web, DHCP, firewall, network backup, MP3 server, development, and user shell box. I get concerned if it's rebooted more tan once or twice a year, and that's usually to physically move it. It's running the same RedHat 5.2 I installed in 1998 (though with a current kernel). The NT box is a PII-333 with 128MB of memory and is acceptably quick. When it dies and I'm not there, it stays dead until I get hom to fix it. The Linux box is a Pentium-200 with 96MB. When it has problems I can fix them from anywhere. Guess which one has the tape backp drive attached? Dale --- The most exciting phrase to hear in science, the one that heralds new discoveries, is not "Eureka!" (I found it!) but "That's funny ..." -- Isaac Asimov -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@093259 by Bond Peter S-petbond1

> Linux is obscure just as an "obscure poet" is obscure. There > has been an > effort to publish source code, but only a handfull of people > use it. And This probably depends entirely upon your environment. From my POV, Linux is anything *but* obscure - in the server market it has been doing particularly well (can't find the figures ATM, and as a zealot I'm probably not supposed to quote them anyway <G>); in the embedded market it is doing pretty well (look at Lynx RTS as were/LynuxWorks now - they have AFAICT ditched their home-grown LynxOS completely to move over to Linux). Our mob have a Linux 5 9's telecomms server offering. As a user friendly desktop system, it is inadequate IMHO - I'm quite happy using it as a desktop OS, but it isn't for everyone. I think you'll find that far more than a handful are using it. > that obscurity provides security by discouraging virus > writers, who dont > want to spend days cooking up a virus for a platform that has too few > potential carriers and victims. More results if you write a > virus aimed at > millions of users than one aimed at hundreds of users. Making an OS open source enables anyone attacking it to see what possible attacks could work. Contrarywise, making it closed source should make it more difficult to attack... Except - open source code can be peer reviewed by far more people than a commercial offering such as the WinX products. I do agree to some extent with what you say on target "audiences", but it really is much, much easier to write virii for WinX machines than Linux - not that Linux is immune, far from it - but the OS is far less resilient than it ever should be. Also, with Linux the speed of response to an attack is far faster than Microsoft could ever manage. Even the commercial versions of Linux tend to be much faster in responding to security advisories. One other point about virus "writers" - a lot of them are using virus creation kits, for want of a better term. An engine is developed by one individual with some skill (note - whilst I don't like what they do, the occasional one or two are very, very good at it); this is then adopted by the script kiddies who attach their own payloads. Different virus signature, so a new virus. Peter -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@093927 by Andy N1YEW

My LiNuX box never crashes(ex hardware stuff) andy ----- Original Message ----- From: Dale Botkin <RemoveMEdaleTakeThisOuTBOTKIN.ORG> To: <spamBeGonePICLISTspamBeGoneMITVMA.MIT.EDU> Sent: Wednesday, April 04, 2001 9:30 AM Subject: Re: [OT]: Real Computer Alert > On Wed, 4 Apr 2001, Neil Bradley wrote: > > > > Excluding bad hardware - I've never once have had Linux crash. Period. > > > > You are unique. I work with Linux daily and it not only buckles under > > heavy load it also kernel traps several times a month. I've not seen this {Quote hidden}> > behavior in Windows 2000 (though Win98 and the others is an entirely > > different story) or under FreeBSD. > > He's nowhere near unique. I have used Linux on production systems > handling heavy loads -- it simply does not crash unless you've badly > misconfigured something. Of course you *can* hose pretty much any OS > badly enough to make it unstable -- if you try hard enough. Reliability > and robustness of any OS is dependent to some degree on the competency of > the administrator and operator. > > > Feel free to talk about Windows fundamental design errors, but Linux is > > OOOZING with them judging by the number of security problems found. 1/5th {Quote hidden}> > the "market" of Windows and has 3X the reported security holes. > > 'Scuse me? Where on Earth did *those* figures come from? Never mind, I'm > sure there are sources to back up pretty much any conceivable opinion. > > I don't want to step into this holy war... but let me share my personal > experience. I have been an NT admin and managed a group of very good, > experienced NT people. I have also run many BSD, Linux and Solaris boxes, > and currently work in a large enterprise environment where NT is used for > desktops and "business" apps, and Sun/Solaris is used for producton. > > NT systems can be made more or less reliable as long as they are regularly > rebooted and as long as limit each system to a single function. UNIX > systems can be made reliable by simply keeping users off them - "bouncing" > a UNIX server to correct a problem is an exceedingly rare occurrence, > whereas it's fairly common on the NT boxes. > > At home I run 98, NT and Linux. The Windows machines have been reloaded a > few times and are OK as long as they're regularly rebooted and you don't > keep anything critical on the disk without a backup. The Linux machine is > a file server, DNS, SMTP, POP3, Web, DHCP, firewall, network backup, MP3 > server, development, and user shell box. I get concerned if it's rebooted > more tan once or twice a year, and that's usually to physically move it. > It's running the same RedHat 5.2 I installed in 1998 (though with a > current kernel). > > The NT box is a PII-333 with 128MB of memory and is acceptably quick. > When it dies and I'm not there, it stays dead until I get hom to fix it. > > The Linux box is a Pentium-200 with 96MB. When it has problems I can fix > them from anywhere. > > Guess which one has the tape backp drive attached? > > Dale > --- > The most exciting phrase to hear in science, the one that heralds new > discoveries, is not "Eureka!" (I found it!) but "That's funny ..." > -- Isaac Asimov > > -- > http://www.piclist.com hint: The PICList is archived three different > ways. See http://www.piclist.com/#archives for details. > > > -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@095856 by Herbert Graf

> If you crash 3 or 4 times per hour, the problem is probably your Linux OS > rather than Windows or Netscape. I run the much maligned Windows NT with > the much maligned Outbreak and Internet Exploder, and I measure the time > between crashes in months. It's not the OS, that's for sure, both the IRIX version and Linux version of Netscape I use do the same thing. Netscape on my home Linux machine crashes nearly as often. On Windows it's actually a LITTLE more stable, but not much. Now it IS the sites I visit, which uses heavy Java, but if Opera and IE work fine without crashing so should Netscape. > People only write viruses for Windows, so Linux enjoys a bit of "security > through obscurity". A Linux user laughing at a Windows user who has > encountered a virus is like a caveman laughing at a motorist > whose gas tank > has been sugared. Sugar may not hurt the caveman's sandals, but when the > day is done, he is still a caveman using an outmoded means of > transportation. True but Linux is no longer in complete obscurity and malicious code will begin to be created for it. The one REAL benefit of Linux though is that root access IS privileged, a new process CANNOT be started without root's access, even NT has back doors that allow a process to gain root access. TTYL > {Original Message removed}

2001\04\04@101246 by Herbert Graf

Unfortunately the version of Netscape I run isn't my choice, I was talking about my Universities systems, I doubt they'd approve of me gaining root and installing an updated Netscape on every machine. FWIW I think we are running 4.76 but I'm not sure, I am sure it's 4.7something. TTYL > {Original Message removed}

2001\04\04@101308 by Herbert Graf

> Feel free to talk about Windows fundamental design errors, but Linux is > OOOZING with them judging by the number of security problems found. 1/5th > the "market" of Windows and has 3X the reported security holes. This is unfair. Linux is fully open source, meaning finding holes is VERY easy and because so many different people work on Linux the holes are found with a large volume. Windows is closed source, making finding holes EXTREMELY difficult. I personally believe that if Windows source were released the number of holes found would be so huge people would just drop the idea of ever running Windows to begin with. TTYL -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@102347 by David VanHorn

> >Feel free to talk about Windows fundamental design errors, but Linux is >OOOZING with them judging by the number of security problems found. 1/5th >the "market" of Windows and has 3X the reported security holes. So because Winblows dosen't report theirs, it's somehow better? In my experience, Linux has reports of holes because people are actively looking for them. They look, because the majority of the servers on the net are running Linux. My personal server has been up for over a year, never rebooted. It's 300 miles away from me. Would I attempt this with Windows? No way. -- Dave's Engineering Page: http://www.dvanhorn.org Where's dave? http://www.findu.com/cgi-bin/find.cgi?kc6ete-9 -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@103606 by Andrew Kunz

>installing an updated Netscape on every machine. FWIW I think we are running >4.76 but I'm not sure, I am sure it's 4.7something. TTYL 4.5 is much more stable. Andy -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@105458 by Bond Peter S-petbond1

> Unfortunately the version of Netscape I run isn't my choice, > I was talking > about my Universities systems, I doubt they'd approve of me > gaining root and > installing an updated Netscape on every machine. FWIW I think > we are running > 4.76 but I'm not sure, I am sure it's 4.7something. TTYL Sounds familiar. My uni *never* approved of my gaining root... Peter -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@115145 by Alan B. Pearce

>Sounds familiar. My uni *never* approved of my gaining root... You might make like a weed and grow ??? :) sorry couldn't resist. -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@115516 by Bond Peter S-petbond1

> >Sounds familiar. My uni *never* approved of my gaining root... > > You might make like a weed and grow ??? :) Too many grad students went that way... <G> Peter -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@124104 by Herbert Graf

Well I also from time to time use 4.5 on IRIX and it crashes just as often. TTYL {Quote hidden}> -----Original Message----- > From: pic microcontroller discussion list > [TakeThisOuTPICLISTEraseMEspam_OUTMITVMA.MIT.EDU]On Behalf Of Andrew Kunz > Sent: Wednesday, April 04, 2001 10:18 > To: RemoveMEPICLISTTakeThisOuTMITVMA.MIT.EDU > Subject: Re: [OT]: Real Computer Alert > > > >installing an updated Netscape on every machine. FWIW I think we > are running > >4.76 but I'm not sure, I am sure it's 4.7something. TTYL > > 4.5 is much more stable. > > Andy > > -- > http://www.piclist.com hint: The PICList is archived three different > ways. See http://www.piclist.com/#archives for details. > > > -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@130753 by jamesnewton

My uninformed and minor experience agrees with Neil's statement here. My NT, 98, etc.. boxes don't get hacked (knock on silicon) as long as I keep up with the free, easy to install, automatic, Microsoft provided security updates. If I open the ports on my Red Hat Linux box to other than a few static IP's, it gets rooted within days. Yes, If I knew what I was doing with Linux I could probably keep it secure by spending some time on it. Seems like you can pay Microsoft for the software and support but the service is free or you can pay Red Hat nothing for the software and some for support and pay Linux gurus for the service. And by pay, I mean one of: Kiss ass, beg, appeal to pride, pay dollars, trade hardware, trade services, etc... Notice that I got NO takers on admining my Linux box in return for its use and use of its connection. My signon message for that box is "why hack this system when I would pay you to keep it secure? call xxx." No takers there either. It's too much work. Linux has to grow out of the "I'm a guru and your just a stupid user" thing if it is going to survive. And it took all of 5 seconds to install the security patch from Microsoft to fix this Alert. http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp --- James Newton (PICList Admin #3) jamesnewtonEraseME.....piclist.com 1-619-652-0593 PIC/PICList FAQ: http://www.piclist.com or .org {Original Message removed}

2001\04\04@135133 by Timothy Stranex

> "Security through obscurity" in the Open Source OS???? > Sounds very funny!!! > BTW. I have some "multiboot" machines, where both Linux and Windows are > used, and "crash rate" is much higher when running under Windows. > Additionally the TCO is much lower in the case of Linux, because all > important services and fundamental applications are included in the OS > distribution. > May be I'm a caveman, but if I can have my job done three times faster with > my "outdated" tools (like LaTeX instead of Word), then I really prefere to use > them. Please don't tell me people actually use word...!!!??? <HORIFIED> Timothy Stranex EraseMEtimotuskonet.com South Africa -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@135849 by Dale Botkin

On Wed, 4 Apr 2001, Timothy Stranex wrote: > > "Security through obscurity" in the Open Source OS???? > > Sounds very funny!!! > > BTW. I have some "multiboot" machines, where both Linux and Windows are > > used, and "crash rate" is much higher when running under Windows. > > Additionally the TCO is much lower in the case of Linux, because all > > important services and fundamental applications are included in the OS > > distribution. > > May be I'm a caveman, but if I can have my job done three times faster with > > my "outdated" tools (like LaTeX instead of Word), then I really prefere to use > > them. > > Please don't tell me people actually use word...!!!??? <HORIFIED> Sure, all the time. I have not seen anything on my UNIX machine yet that does what Word will do. Star Office is close, but way, way too slow to be useful on the hardware I use for Linux. Or on the NT box, for that matter. I have to admit, though, Word 2K is getting iritating. I liked Office 98 better than 2K. Dale --- The most exciting phrase to hear in science, the one that heralds new discoveries, is not "Eureka!" (I found it!) but "That's funny ..." -- Isaac Asimov -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@142147 by Neil Bradley

> He's nowhere near unique. I have used Linux on production systems > handling heavy loads -- it simply does not crash unless you've badly > misconfigured something. We had it running on two different MP boxen at work for serving files. It would crash once a week at least, and in most cases would wind up losing a volume or some cluster of files. Every time I'd ask (in Linux newsgroups) whether or not they've seen something like this, it was always "What patch level are you running?" And I thought Service Packs under NT were bad! This isn't an isolated incident. We load the CRAP out of our file servers from multiple sites around the world. > Of course you *can* hose pretty much any OS > badly enough to make it unstable -- if you try hard enough. Serving files over a 100Mb/sec network is enough to make Linux unstable? We switched that box to Win2K and surprisingly it's not only faster, it stays running for months (not a crash yet - cross fingers). I've yet to have a crash on it, and it's running on THE SAME box. > Reliability > and robustness of any OS is dependent to some degree on the competency of > the administrator and operator. Oh yeah, there's real rocket science to running Samba. Not! You cannot call in to question someone's experience being the problem when the problem is obviously something with Linux itself. Two completely different OSes had no problems and actually wound up with a much lower CPU load. It was all Linux could do to keep up with a full stream (load average of about 1.4) while FreeBSD runs Samba on the same box at around 0.4. I can't tell for certain with 2K, but it's around 40% CPU load across both processors. We ran FreeBSD for a while and it served us very well (far better than Linux had at that point) and switched to 2K because of the domain authentication that the company enforced. > > Feel free to talk about Windows fundamental design errors, but Linux is > > OOOZING with them judging by the number of security problems found. 1/5th > > the "market" of Windows and has 3X the reported security holes. > 'Scuse me? Where on Earth did *those* figures come from? Never mind, I'm > sure there are sources to back up pretty much any conceivable opinion. Well, I gave NT too much credit, but my original points remain: http://www.securityfocus.com/frames/?content=/templates/forum_message.html%3fforum=2%26head=2782%26id=2782 I would expect an OS with nowhere near the marketshare to have considerably less security incidents. Linux is still out ahead of everyone else, and they're already well in the lead for 2001 so far. And this doesn't even touch Regardless, it does point to Linux having quite a few kernel problems. Just because you've never had any trouble with it doesn't mean it's trouble free, and just because I've seen problems with it under loads doesn't mean it's bug ridden. But it does point out fact that it has quite a ways to go for me to ever consider trusting it again when there are alternatives out there that are far more stable and efficient. -->Neil ------------------------------------------------------------------------------- Neil Bradley There'd be no more N'Sync if everyone had guns. Synthcom Systems, Inc. ICQ #29402898 -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\04@222135 by Alejandro Lavarello

Try OPERA! http://www.opera.com In two flavours: with Java and without. Regards!! Alejandro. At 09:15 04/04/01 +0200, you wrote: {Quote hidden}>Hi, > >maybe. I looked for a good Netscape version until I found 4.76 (I believe >this is the last non-Java version). Using with Xfree 4.0.3, crash is >rather seldom. > >I hope this helps. > >Regards, >Imre > >PS: I use SuSE Linux 7.0, but I updated to glibc 2.2. > >On Tue, 3 Apr 2001, Herbert Graf wrote: > >> > Andy N1YEW wrote: >> > > > Systems Affected >> > > > >> > > > * All versions of Microsoft Internet Explorer 5.5 SP1 or earlier, >> > > > except IE 5.01 SP2 >> > > > * Any software which utilizes vulnerable versions of Internet >> > > > Explorer to render HTML >> > >> > Solution: Use Netscape >> >> A good idea, if Netscape ever ran for me without crashing. Netscape is the >> ONLY app I use in Linux that ALWAYS crashes, in an hour it crashes at least >> 3 or 4 times. The windows version is better, but not by much. People have >> told me the reason Netscape crashes is because it has problems with Java and {Quote hidden}>> for Netscape not to crash I should disable Java. This is just not >> acceptable, although I personally don't like Java much alot of what I do on >> the web requires Java, and for that reason Netscape is not for me (WHEN I >> have a choice). Just my two cents. I hear Netscape 6 is even worse. TTYL >> >> -- >> http://www.piclist.com hint: The list server can filter out subtopics >> (like ads or off topics) for you. See http://www.piclist.com/#topics >> >> >> >> > >-- >http://www.piclist.com hint: The PICList is archived three different >ways. See http://www.piclist.com/#archives for details. > > > -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

2001\04\05@144942 by Peter L. Peres

>Solution: Use Netscape > > Damon Hopkins Or something else... Peter -- http://www.piclist.com#nomail Going offline? Don't AutoReply us! email RemoveMElistservEraseMEEraseMEmitvma.mit.edu with SET PICList DIGEST in the body

More... (looser matching)
- Last day of these posts
- In 2001 , 2002 only
- Today
- New search...