Windows XP users Phelled by new Trojan [Symantec bulletin, SP2 no protection, will see 2 IE popups]

The Register ^ | Dec 30, 2004 | Ashlee Vance

[Bush2000]

Netraverse is supposedly making an XP compatible version of its "bridging" software. You'll be able to run ANY Windows application in Linux since your Windows programs think they're still running in Windows!

Rrrrright -- and I can turn this lead into gold. WINE has been trying to do exactly that for years -- and no one cares.

[konaice]

If everyone quits using IE then the virii will all be written for Firefox or whatever browser(S) have become the leading programs on the net.

You obviously haven't read a single thing I (and some of the other Freepers here who are knowledgeable about software) have said.

You can not write a virus for a properly written browser. If the browser is properly written, there are no bugs that can be exploited by viruses.

You are simply parroting the Microsoft line that IE is targeted because it is popular, and as soon as other browsers become popular they will be targeted to the same extent. This is nonsense as anyone who writes software for a living can tell you.

[konaice]

Clue phone: The kernel architecture of Linux hasn't changed. It's still a monolithic kernel. Tanenbaum's opinion is just as valid today as it was 10 years ago.

Nonsense. It is monolithic only in the sense that the kernel is the kernel. If you haven't been paying attention for ten years you might not have noticed that more and more of the kernel has been exported to modules, some of which run in user space.

The 2.6 kernel is lean and tight, virtually all disks, network, Human Interfaces, sound, and device drivers of all types have been exported out of the kernel. About all it does is schedule and manage memory.

[ShadowAce]

Rrrrright -- and I can turn this lead into gold.

Then you're rich. I'm currently running three (3) operating systems simultaneously on my laptop--and one of them is W2K.

And no--it's not a tri-boot. They're all running at the same time.

[VeniVidiVici]

And no--it's not a tri-boot. They're all running at the same time.

Cool! I run Virtual PC on my WinXP box. Have Linux running in a virtual machine. Thinking about installing Win95 in another. Have a hankering to play the old Doom.

Have the same setup on my laptop but i/o is a complete dog on it. Painful to watch with two operating systems running. Adding more memory would probably help but the company won't pay for it.

[ThanhPhero]

That certainly makes things look a bit better. No, I am not a programmer or IT. I am USER. I can juke this thing around a bit, perhaps more than many but in a real pinch I have to call my son to come fix it.

[Bush2000]

You can not write a virus for a properly written browser.

Tripe. "Properly written" essentially boils down to zero bugs -- which simply isn't feasible without an inordinately large cost. I would invite you to go out to secunia.org and check out the exploits for Mozilla and Firefox (some of which are very serious). As long as human beings are writing code, human beings will make mistakes. So "properly written" is a bar which all developers will never achieve -- but will continue chasing.

You are simply parroting the Microsoft line that IE is targeted because it is popular

Which is absolutely true.

and as soon as other browsers become popular they will be targeted to the same extent. This is nonsense as anyone who writes software for a living can tell you.

No, it isn't nonsense. I've met many of the same researchers at DefCon who make their living crafting security exploits. Some of them work for security and anti-virus companies. Others are free-lancers. They intentionally target MS because that's the market that they primarily sell their services into. Nobody is paying them on the open source side; hence, they follow the money. If Firefox eventually becomes popular, that will change. It's just simple economics.

[Bush2000]

Then you're rich. I'm currently running three (3) operating systems simultaneously on my laptop--and one of them is W2K. And no--it's not a tri-boot. They're all running at the same time.

How is this concept novel? VirtualPC does the same exact thing -- and nobody needs to change platforms. But that's emulation, which has never really been popular with anyone because it's slow. As I was saying earlier, running Windows software on Linux is a non-starter. It didn't work for IBM OS/2 when it tried the same thing. And it hasn't worked for WINE. People know intuitively that you choose a platform based on software availability -- and you don't bother with hacky cross-platform shims because they're more trouble than they're worth.

[Bush2000]

Nonsense. It is monolithic only in the sense that the kernel is the kernel. If you haven't been paying attention for ten years you might not have noticed that more and more of the kernel has been exported to modules, some of which run in user space. The 2.6 kernel is lean and tight, virtually all disks, network, Human Interfaces, sound, and device drivers of all types have been exported out of the kernel. About all it does is schedule and manage memory.

Sigh. Allow me to quote directly from the HOWTO for Linux Loadable Kernel Modules (LKMs):

2.4. What LKMs Can't Do

There is a tendency to think of LKMs like user space programs. They do share a lot of their properties, but LKMs are definitely not user space programs. They are part of the kernel. As such, they have free run of the system and can easily crash it.

2.5. What LKMs Are Used For

There are six main things LKMs are used for:

• Device drivers. A device driver is designed for a specific piece of hardware. The kernel uses it to communicate with that piece of hardware without having to know any details of how the hardware works. For example, there is a device driver for ATA disk drives. There is one for NE2000 compatible Ethernet cards. To use any device, the kernel must contain a device driver for it.

• Filesystem drivers. A filesystem driver interprets the contents of a filesystem (which is typically the contents of a disk drive) as files and directories and such. There are lots of different ways of storing files and directories and such on disk drives, on network servers, and in other ways. For each way, you need a filesystem driver. For example, there's a filesystem driver for the ext2 filesystem type used almost universally on Linux disk drives. There is one for the MS-DOS filesystem too, and one for NFS.

• System calls. User space programs use system calls to get services from the kernel. For example, there are system calls to read a file, to create a new process, and to shut down the system. Most system calls are integral to the system and very standard, so are always built into the base kernel (no LKM option). But you can invent a system call of your own and install it as an LKM. Or you can decide you don't like the way Linux does something and override an existing system call with an LKM of your own.

• Network drivers. A network driver interprets a network protocol. It feeds and consumes data streams at various layers of the kernel's networking function. For example, if you want an IPX link in your network, you would use the IPX driver.

• TTY line disciplines. These are essentially augmentations of device drivers for terminal devices.

• Executable interpreters. An executable interpreter loads and runs an executable. Linux is designed to be able to run executables in various formats, and each must have its own executable interpreter.

[ChefKeith]

FYI

[ShadowAce]

How is this concept novel?

That was my point. Your post #261 implied that it was impossible (reference your turning lead into gold), not that it was passe.

[konaice]

You can not write a virus for a properly written browser.

Tripe. "Properly written" essentially boils down to zero bugs -- which simply isn't feasible without an inordinately large cost. I would invite you to go out to secunia.org and check out the exploits for Mozilla and Firefox (some of which are very serious). As long as human beings are writing code, human beings will make mistakes.

Oh how clever... Set up the straw man and then ferociously knock it down. Tough guy!

I said properly written, not bug free.

Properly written means no remotely exploitable security loopholes. The sad fact is that windows and MSIE have no concept of security by design. The huge number of security flaws in MSIE are there by design, not as a byproduct of bugs. These loop holes were intentionally designed in, so Micorosoft could leverage various pieces of software to dominate the net. They have been forced into retreat on each of these as it is taken over by the virus writers. Never the less, the early versions of MSIE would run executables downloaded without so much as a "by your leave". You are simply parroting the Microsoft line that IE is targeted because it is popular

Which is absolutely true. No its absolute bunk. MSIE is targeted because its a soft target. You break MSIE, and not only do you own the user's browser, but you own the user's machine. There is nothing standing in your way once you find a security flaw (one put there by design) in MSIE or Outlook, and the entire system is yours. This can not happen in the Unix world. At most you can compromise one user's account but you still can not install runnable executables (precisely because you can't set them to be executable) because browsers designed properly do not support that capability, and operating systems designed properly require it. It has nothing at all do do with bugs.

As for your last point mentioning the size of the security industry that has grown up around this pathetic excuse of an operating system, Thanks for proving my point. If that's your idea of a "Good Thing", this conversation has no where to go. There would be no need of this if Microsoft had even an inkling of an idea about security.

[konaice]

Sigh. Allow me to quote directly from the HOWTO for Linux Loadable Kernel Modules (LKMs)

Thanks for proving my point that the kernel is NOT monolithic.

[Bush2000]

Thanks for proving my point that the kernel is NOT monolithic.

You neglected to read this part:

"There is a tendency to think of LKMs like user space programs. They do share a lot of their properties, but LKMs are definitely not user space programs. They are part of the kernel. As such, they have free run of the system and can easily crash it."

Compiling the kernel produces a single binary with placeholders for these LKMs. The fact that they aren't compiled directly into the kernel doesn't mean they are user-mode. At run time, LKMs are pulled into the same monolithic kernel space. Nice try.

[Bush2000]

Properly written means no remotely exploitable security loopholes.

And you can guarantee that Mozilla and Firefox have no remotely exploitable security loopholes?!? LMFAO! What a charlatan you are. You might want to rethink your definition of "properly written". Because your definition means that no networked software is "properly written". Don't believe me? Check out Mozilla/Firefox Vulnerabilities. 21 remotely exploitable vulnerabilities. Face it: You can't name a single networked app that can meet such a stringent standard. Which means that it's a meaningless standard.

The sad fact is that windows and MSIE have no concept of security by design. The huge number of security flaws in MSIE are there by design, not as a byproduct of bugs. These loop holes were intentionally designed in, so Micorosoft could leverage various pieces of software to dominate the net.

You really are delusional, aren't you? Windows is no more exploitable than Linux. If you run as Administrator, it has the same effect as running as Root under Linux. Don't run as Administrator. Poof! Problem solved.

MSIE is targeted because its a soft target. You break MSIE, and not only do you own the user's browser, but you own the user's machine. There is nothing standing in your way once you find a security flaw (one put there by design) in MSIE or Outlook, and the entire system is yours.

Wrong. See above.

As for your last point mentioning the size of the security industry that has grown up around this pathetic excuse of an operating system, Thanks for proving my point.

Your point is pointless. The reason that the security industry targets Windows is that corporate types -- the ones that actually pay for and deploy security solutions -- pay for Windows solutions. None of the OSS cheapskates are going to give them a dime for finding an exploit under Linux.

If that's your idea of a "Good Thing", this conversation has no where to go.

Whether it's a "good thing" or not is irrelevant. It's reality. Deal with it.

There would be no need of this if Microsoft I had even an inkling of an idea about security.

Fixed it for you.

[Bush2000]

That was my point. Your post #261 implied that it was impossible (reference your turning lead into gold), not that it was passe.

You do get that "emulation" does not equate to "native execution", right? I was referring to the latter. But you already knew that.

[Osage Orange]

But calling me gay because I buy a different computer is OK?

Are you saying...you aren't happy?

[Aquinasfan]

Viruses are haram.

[ShadowAce]

I was referring to the latter.

OK. It was not clear in your post, however.

[N3WBI3]

Would I choose a 2003 server cluster or a stand alone Linux system? I would choose the Linux cluster but that is not comparing apples and apples...

Would I choose a cluster of Linux servers runnin Apache and MySQL over a cluser of 2003 running IIS and (ug) MSSQL... Ill take Linux...

The benefit is you dont have to buy extra licenses to cluster over the servers..