<!--QuoteBegin-Talesin+Feb 11 2004, 06:10 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (Talesin @ Feb 11 2004, 06:10 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> Y'know, MonsE.. it's pretty easy to attempt to write off an opponent's viewpoint with ridicule. It takes far more effort to actually debate.
As for the Debian rooting, if you looked a bit closer you'd see that the cause of that was OpenSSH. Oh, and a patch was released within hours. Not next-day... within <i>hours</i> to fix the overflow vulnerability.
Impartial or not, are you going to deny that Windows is notorious for its security holes? Nobody said I was impartial. Hell, I wouldn't be debating if I was. That does not, however, immediately classify me as a 'fanatic'. I simply have a firmer grasp on the details of computing than most care to, and have formed opinions based on that experience.
<!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> Ehhh, I am debating. You are saying things like 'notorious'.
Do you really think that if someone rooted MS's master copy of Longhorn on a server that it would not be patched within hours? The PR damage alone on Debian demanded it. And it was not OpenSSH, it was a kernel vulnerability. I did look closely.
I willingly admit that MS has security holes - FFS I deal with them as part of my day to day job. I also admit that Linux does. Do I use the word notorious? It's purely subjective, and has no place in debate. If you just want to count security holes being patched, Linux and its pieces and the rest have just as many as MS. I posted facts, you toss out notorious.
And I'm not ridiculing you, I'm being hyperbolic. Don't lose your sense of humor in this, or I might call you a fanatic. :p
You have a firmer grasp of computing than most people. That does not automatically make you right, infallible, or impervious to learning new things, I hope.
Take this up in a PM at this point, you're getting way too worked up.
<!--QuoteBegin--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->ah coolies... the way it was posted and stuff I was just worried it might have been a manual patch or something =3
thanks monse ^^ <!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> No prob, gem. For future reference, there are no critical updates that you have to go hunt down in the MS world - they're always put under the Windows Update umbrella.
Stickied for the original noble CForrestor reasoning - patching is good.
<!--QuoteBegin--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->Even from a neutral point of view, it's odd that a patch for such a "large security hole" (from MS's "Critical" rating) takes so long to make. <!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> And to clarify: this was not precisely a security hole, it's part of an existing RFC that most browsers follow. In fact, I'll quote something that Skulkbait and I were chatting about in a PM:
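<!--QuoteBegin--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->http://www.geek.com/news/geeknews/2004Jan/gee20040130023673.htm
NEWS
So-called "phishing" scams, where users are duped into going to a supposedly legitimate website and tricked into revealing sensitive information, are on the rise. Late in 2003, a spate of phishing scams all came out at roughly the same time, creating security havoc.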
Many of the scams took advantage of the RFC standard method of embedding a username and password combination into an URL (i.e., <a href='http://username:password@www.server.com' target='_blank'>http://username:password@www.server.com</a>). Although this method has existed since the dawn of the Internet, it presents a serious security flaw when it comes to duping users.
That's why it's all the more surprising that Microsoft, a firm not known for sacrificing functionality for security, plans to actually remove this functionality from its Internet Explorer browser. It's even being nice enough to warn everyone months in advance so preparations can be made. This is a significant departure from past tendencies to just spring changes on unsuspecting I.T. folk, and could signal a sea change for the Redmond software giant.
Starting with Internet Explorer 6 Service Pack 1 (SP1), URL-embedding of credentials will no longer work at all. Microsoft presents a variety of workarounds on its support website that will allow this functionality to remain, albeit in a more secure format.
Although this implementation will cause IE to deviate from the standard URL specification, security experts are applauding the change. States Russ Cooper, maintainer of the NTBugTraq mailing list, "This action is a clear demonstration of the TCI promise, security over functionality." Cooper goes on to say "No doubt some who will cry foul ... because needed functionality is now gone or websites have to be recoded," but notes that "the average user, the victim of phishing scams, isn't going to miss the functionality but will happily miss the scams."
<b>Competing browsers Netscape, Mozilla, Opera, and others are expected to implement similar modifications if Microsoft's experiment proves useful.</b> <!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd-->
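An added example, not part of the original thread or the quoted article: a link checker that parses a URL the way a browser does and reports the host it really connects to when a `user:password@` part is present. The function names (`inspectLink`, `looksLikeHost`, `safeDecode`) and all sample URLs except the article's own `www.server.com` form are constructed for illustration.

```javascript
// Added example: flag links whose userinfo part ("user:pass@") hides the real host.
// Sample URLs are constructed; .example names and 198.51.100.0/24 are
// reserved for documentation and point at nothing real.

// Decode percent-escapes without throwing on malformed input.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (_) { return s; }
}

// True when a string reads like a hostname or URL prefix, e.g. "www.bank.example".
function looksLikeHost(s) {
  return /^(https?:\/\/)?([a-z0-9-]+\.)+[a-z]{2,}([\/:?].*)?$/i.test(s);
}

// Parse a link with the WHATWG URL parser and report where it really goes.
function inspectLink(raw) {
  let url;
  try { url = new URL(raw); } catch (_) { return { verdict: "unparseable" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { verdict: "not-http" };
  }
  const userinfo = safeDecode(url.username);
  const hasUserinfo = url.username !== "" || url.password !== "";
  let verdict = "ok";
  if (hasUserinfo) {
    // A "username" that looks like a site name is the deceptive case:
    // the reader sees a familiar name, the browser connects to realHost.
    verdict = looksLikeHost(userinfo) ? "deceptive-userinfo" : "userinfo-present";
  }
  return { verdict, realHost: url.hostname, userinfo };
}

const SAMPLES = [
  "https://www.bank.example/login",                          // plain link
  "http://username:password@www.server.com",                 // form quoted in the article
  "http://www.bank.example@198.51.100.7/login.htm",          // site name used as username
  "http://www.bank.example%2Fsecure%2Flogin@phish.example/", // percent-encoded path in username
];

for (const link of SAMPLES) {
  const r = inspectLink(link);
  console.log(`${r.verdict.padEnd(18)} real host: ${r.realHost}  <- ${link}`);
}
```

A mail filter or link preview can use the `verdict` field to block or rewrite such links and display `realHost` instead of the raw URL text.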