But you have to be if you hope to ever get a job as a security consultant. No one will take you seriously otherwise.Originally Posted by Kennedy
But you have to be if you hope to ever get a job as a security consultant. No one will take you seriously otherwise.
Originally Posted by brewbuck:
Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.
I think if you are working on a box that is shared (or accessed) by several users, then you should only run as root when absolutely necessary. On the other hand, if this is your home machine, then do whatever your feel comfortable with.
Personally, I have no problem using sudo.
bit∙hub [bit-huhb] n. A source and destination for information.
Geez will there be a torrent of locusts or something coming next? Mario and I finally found something to agree up ^__^
As for Kennedy being smarted than folks on the SELinux team (and I was more referring to the original OS designers) I guess we will have to take you word on that one...
Btw, it's the second time you make that quote about Linus Torvalds, Kennedy. I don't think you ever understood the context. Let me explain it to you in few words so you drop it for good:
I don't need to know what Linus Torvalds thinks of spaces vs tabs. I don't care. Neither should you or anyone else, when it is common knowledge one or another are either a personal choice or an imposition at your working place. So, for all purposes as far as answering the question of what is best, tabs or spaces, Linus is a nobody just like anyone else.
In fact, Linus is a nobody on many other things he wrote or opinionated about before. But that's cool. So am I, you and everyone else. The issue is not the debate. But the fact some people actually think that quoting Linus Torvalds on tabs vs. spaces is going to actually give some strength to one side of the fence.
Is it clear now?
Originally Posted by brewbuck:
Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.
I don't run linux/unix, but in Windows XP, I use the administrator account only for installing software and changing system settings.
For everything else ie. work, internet, games, I use a limited user account, which can't install any software, or change fundamental settings, other than their own basic settings like screensaver.
I've never had a virus, trojan, malware.
OS: Linux Mint 13(Maya) LTS 64 bit.
Crystal. But, I'll still poke at you about it. It seems to get you spinning in a hurry (this is the second time that you have corrected me on it -- the first you asked me if sarcasm is lost on me -- apparently so).
Ah! You got me there
Fair enough.
Originally Posted by brewbuck:
Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.
I don't have any problems surfing porn* either.
As for Mario F., I really like him or I wouldn't argue so much
This kind of ignores the FACT that MOST of the INTERNET is run on LINUX.
Maybe "most of the internet" still is experimental and fringe, but I continue to give it credits for effort
I do accept that running as root opens up some security issues. But, as with many things, I count myself in a minority here and so can also count on these facts
1) that most users DON'T run that way and so board idiots will not spontaneously target them in their board idiotic way, they will be out trying to sink MS ships.
2) I have like 3 usb keys I cycle thru for backups, plus CDs, and remote storage, all of that near daily with things that are important to me. Also, I have a FLOPPY DISK drive and have never written code longer than 1.44 mb source, and could care less about anything that isn't code.
I don't run SELinux on my primary install. What's more -- I don't have ANY secondary users and sudo is NOT EVEN INSTALLED. I do have them on the more normal installs I use for testing. Come get me ...or get real
*actually this one's not really porn, but the formation with the 3 of them about 3:20-4:15 is what I would call philosophically beautiful
THE SYSTEM IS YOURS. YOU ARE THE ROOT.
Last edited by MK27; 01-11-2010 at 06:53 PM.
C programming resources:
GNU C Function and Macro Index -- glibc reference manual
The C Book -- nice online learner guide
Current ISO draft standard
CCAN -- new CPAN like open source library repository
3 (different) GNU debugger tutorials: #1 -- #2 -- #3
cpwiki -- our wiki on sourceforge
Not so sure about this Jeff. I got put straight into "unstable" (and am still there). But that was after they scouted me (I didn't approach them) and a few months of back and forth with the packager, and then at least a team of three involved in the testing. And they understood C. So the chances of deliberately malicious code, even in a "unstable" package, seems very slim to me -- I cannot modify my own package in the distro directly, I have to go through the packagers, who are debian employees, and then they update the release.
C programming resources:
GNU C Function and Macro Index -- glibc reference manual
The C Book -- nice online learner guide
Current ISO draft standard
CCAN -- new CPAN like open source library repository
3 (different) GNU debugger tutorials: #1 -- #2 -- #3
cpwiki -- our wiki on sourceforge
Hey once about 5 years ago I knew all of the maturity levels. I will look into this and get back. All I know is stable (Sarge) is safe as it gets which is what I use for forward-facing servers and have never has a doubt or a worry.
It's dinner-time around here but like Ahnold says, I'll be back.
Busy watching Avatar on the wide-screen... ^__^
Here is something shedding light on the package system for the curious: Debian - Wikipedia, the free encyclopedia
And I had unstable and testing switched (D'oh). And now Lenny is the latest stable. So behind the times I am. In any event I do have faith in the package maturity system, it has stood by me when the whole RPM system sent system after system up in flames. But oh well, it works for us...
Peace
Jeff
This is all fine. But security concerns aren't interested on best case scenarios. Best Case Scenarios are in fact pretty much useless for about anything -- from security to deciding how one should develop their data entry UI.
I do not deny the added benefits of Open Source software in terms of code security and stability. Most of it spawns from a single factor: Peer Review. Something that is impossible on closed source. But let us not pretend all software is created equal, that all open source projects are created equal, or that in fact the same project is immune to changes in mood or to gross mistakes that someone somewhere may pay dearly.
If Open Source history is not exactly rich in horror stories about unchecked malicious code being injected into the development process by some contributor, this is by no means evidence it can't happen. Mostly because it's rather easy to observe that it CAN indeed happen. We all have seen rather abusive bugs (an by abusive I mean "how exactly did no one seen this before!?) on projects as respectable as Mozilla's or Apache's. The same irresponsible behavior that lead to unchecked submitted code could potentially be explored by a disgruntled contributor. And there are disgruntled contributors. Are there not?
And on smaller scale projects, on dying projects or on projects under a bad management (yeah, because open source is a lot more than just the big players), the opportunities for malicious code to creep in are higher.
Why we don't hear about it, then? I'm sure there are stories. I may entertain myself trying to browse the web or USENET for them. But sure they aren't common. However they aren't probably common because Open Source is still a rather small portion of the global development effort. It is also still -- and thankfully -- mostly a work of passion. It is also a known danger and actively checked and finally, there isn't really enough motivation probably. The same reason probably why Linux has so few virus.
But most notably, my beef with many Open Source projects (and that underline I hope clears once and for all your misconception of my constant criticism) is what I perceive to be a constant increase in the weight being put in the user shoulders. More and more I observe that many projects shift the responsibility of code testing to the end user, leaving the developers the sole task of creating new bugs and fixing old ones. In that order. The notion of users as only... you know, users of a piece of software is being thwarted and many open source projects seem to want to prey on their users workforce, more than they probably should. You really cannot expand the Open Source concept if you demand this type of task from your users, because granny, joe and marlene don't make good software testers. And granny, joe and marlene are the vast majority of users.
I go as far as to say that on many occasions submitted code is not verified at all and there is a conscious decision that the results are to be observed on bugtraq or by user bug submissions. This is more true as the project gets bigger, more mature and with a wider (read, impossible to properly manage) number of contributions. This is the only way I can explain the level of some of the most inane bugs that have been found on popular open source projects, or how certain projects can take years to fix a known bug with multiple bug reports (and here, I'm thinking of a certain bug on a simple macro in boost::filesystem).
In this scenario, more than malign code, is good code I'm afraid of. And so should you.
Last edited by Mario F.; 01-11-2010 at 09:34 PM.
Originally Posted by brewbuck:
Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.
I doubt very much the programs you run need access to the entire machine. There are many permission schemes available, why not use them? You've pretty much just chucked the idea of "groups" and "users" out the window. As well as wasting space by storing file permissionsIt may not need root privileges, but I do. (The only problem with this one is GUI's must run as the same user as the X.).
And the "trusted, I looked over the source code myself" stuff is BS. Consider a small bug in Firefox that allows code from web pages or images to be run. It's bizarre to give Linux all this praise, when you're not using a large chunk of what made it successful (Granted it wasn't specifically Linux
Last edited by zacs7; 01-11-2010 at 10:42 PM.
It's still showing in the theatres, so how can you watch it on the TV?
OS: Linux Mint 13(Maya) LTS 64 bit.
You guys focus a lot on malicious code and hackers and evil doers. Are you so divine in administrating computers that you never make mistakes? If you have the least privileges you can do the least harm. Even unintentionally without anyone being evil. "Never attribute to malice that which can be adequately explained by stupidity".
hth
-nv
She was so Blonde, she spent 20 minutes looking at the orange juice can because it said "Concentrate."
When in doubt, read the FAQ.
Then ask a smart question.
