- Good, we can converse then in good will. See below
Retort
``I will address all your arguments in one post. ''
OK.
``>>BTW, which UNIX's are you maintaining.
What difference does it make what I run? Do I need to prove my street cred?''
Not your 'street cred', but your clear, informed and reasoned judgement. Some formal education usually helps, but is not necessary. Good ol' common sense and good will is needed.
``Just so you know I have a centos box that handles my LAMP apps, a Centos
Dev server mirroring the live server in case the live box goes down, I run a FreeBSD box at the office for file serving, ftp and R&D
(I * AM * a geek).''
Hmm. Centos is NOT UNIX. It is Linux. FreeBSD is 'more' UNIX than centos.
``I am currently evaluating Trustix to replace my centos boxes, because
Centos installed too much fluff that I don't use and it is constantly
needing to get patched. Trustix is pretty damn slick BTW. It automated the patching process for packages. That alone is worth its weight in gold.''
I am not familiar with the 'update system' for centos but the need to patch is inherent in the components you are deploying. For instance, if you rely on OpenSSL, and there is a flaw and a patch available, you CANNOT avoid patching unless you can convince yourself that the flaw pre-conditions will never occur.
I think that as long as there is a site with available patches you can automate pretty much anything. There is nothing inherently 'super-natural' with automated procedures. Often they boil down to a script that compares what's installed and what updates have been posted. But I understand the value of cutting back on mechanical labor.
``There. I am cool enough now?''
WHY do you think that doing mundane sysadmin tasks is COOL any more? If you were designing the next-gen architecture of microprocessors or making parallel processing more efficient or automatic, maybe. Or devising smart(er) heuristics for NP-complete computation problems, even better.
`` I also run a 2k3 web edition box for my ASP and CF apps (I am a web developer), that is mirrored as well.''
How and what are you mirroring? Mirroring the web root or the file systems? Did you write your own script or are you using something else? I will venture to mention that mirroring can take place at various levels: appl, file system, block layer, h/w scsi controller, etc.
``Hint: you can download an eval version of 2k3 from MS for free. It is good for 6 months. All I have to do is back it up and reinstall and I can have it back up and running in hour or two. Hey, free software! Fancy that.''
Thanks but we are a ms-windows free shop here. We have what we need using AIX, IRIX, Solaris, ALTIX, OS-X, RedHat, Fedora, SUSE, etc.
``>> If the 'SecuritySpace' is sending you info only on the non-MS s/w defects then it seems to be an outfit that sends INCOMPLETE information out. It's as if is trying to make one side look bad by hiding the more numerous and serious defects of the other. 'Strange' that you mentioned them here...
As far as the Security Space's MS 'bias'? That is simply a ridiculous
assertion.''
The 'emails' you supplied in a response to an article on yet ANOTHER MS windows security flaw ([ http://news.zdnet.com/2100-1009-5793344.html ]) ONLY contained vulnerabilities on some UNIX and Linux systems. If the only contents they sent out contain non-MS related vulnerabilities, then they are not a security evaluation firm. If YOU chose to cut and paste these vulns. then again the point you are trying to make is 'But look at THESE vulns which are not related to the system the article is discussing' (**).
You can do this ONLY when you need to provide a COMPLETE and BALANCED discussion in which you compare alternatives and supply the PROS and the CONS of BOTH of them. So then YOUR reply is incomplete and biased as you didn't give all sides EQUAL share in the coverage.
``I all I have [sic] to say is that they make there money by providing security audits and if they purposely tried to make one side look bad they would not be in business very long. Not to mention making them a target for''
Right, right, "nice try". You understand what I am saying here and what I said in my orig. reply: by presenting (YOU) a piece of info you claimed came verbatim from these folks, you are trying to say (**). My statements WERE QUALIFIED: See the '>>' above, so I didn't state they are doing it certainly. So if again, it was not them but YOU who opted to cover the OTHER side and not provide arguments in favor or against the side that was affected by the vulnerabilities, you did so for what reason?
``lawsuits. Take a look at their site. They list the latest MS flaws with the latest security issues that were reported on ZDnet.
http://www.securityspace.com/sspace/index.html
BTW I highly recommend them for security audits. They are very thorough.
As a note, your argument against Security Space is an ad hominem fallacy.''
I see ;-): 'ad-hominem' is the fallacy in which one attacks the character of the person instead of attacking his arguments with sound reasoning. I have NOT attacked their intention, since I QUALIFIED my statements:
"If the 'SecuritySpace' is sending you info only on the non-MS s/w defects then it seems to be an outfit that sends INCOMPLETE information out. It's as if is trying to make one side look bad by hiding the more numerous and serious defects of the other. 'Strange' that you mentioned them here... "
You can disprove my 'conditional' by proving that
"even though SecuritySpace is sending you out incomplete information, they STILL are not trying to make one side look bad by hiding the more numerous and serious defects of the other".
A conditional ("If X then Y") is FALSE, iff the antecedent ("If" condition) is TRUE but the consequent ("then Y") is FALSE. Got it?
``My rant here begs the question: Why do I bother? The fact is: OSS is NOT a magic bullet and is just as vulnerable to security breaches as proprietary software. There are security advisories for OS software released just about every day. But since they are not high profile like MS, they don't get reported as headline news.''
Everyone should bother THINKING HONESTLY before uttering their ultimate judgements.
Only NAIVE people can state (or worse believe) that X is perfect and Y is imperfect. (Outside Theology) nothing is completely perfect, and nothing is completely imperfect. If I claimed anything of this sort, I challenge you to point it out to me.
However, the quality or value of something can ONLY be judged when compared against SOLID STANDARDS of reference. To me, we need to QUANTIFY the value of the object/system under consideration WRT these standards SO THEN we could COMPARE the value of different objects. This means that if you have say two cars and you need to select one, you need to quantify the pros and cons of both and then compare them along them. Example:
Attribute \ Car                            A      B
----------------------------------------------------
Max speed
acceleration (to me this is important)
ml/gl
cost of service
num of people
max payload
baggage space
ETC
then you can decide how important each factor is to you (assign a weight) and then take the weighted average. This is just an example and others may refine their method more. (Don't tell me about the utilities that go to the numerator and the cost in the denominator, etc.)
So, given that nothing is perfect to select one that fits our needs better we need to select one whose Utility/TotalCost is higher.
In your opinion, WHICH system (eg, UNIX, ms windows, etc.) has HIGHER Utility/TotalCost value? Can you justify your pre-conception in terms of a more quantifiable method?
My contention is that for the computing tasks I care about UNIX comes FIRST and MS windows LAST.
``Here, I expounded on that subject further in this post:
http://news.zdnet.com/5208-1009-0.html?forumID=1&threadID=11790&messageID=235248&start=44
Heh, I certainly put a bee in your bonnet. ''
You are too young to be able to do anything of this sort.
PS: I am an engineer in a large HPC shop in which I select, setup, tune, etc. supercomputers (IBM p690/AIX 5.2, SGI Origins 3800 and 2000/IRIX6.5.x and SGI Altix 3700) along with their multi-terabyte FC RAIDs and tape arrays, their high-speed communications, parallelization of code, system and appl tuning, ETC. I don't think that what I am doing is cool, actually it is kind of boring.
-m
Posted by: michael_t Posted on: 07/19/05