This is the reward I get for leaving my window open again today.
More baby spiders in my room.
Grand.
teensy bit of sarcasm
Posted on Wednesday, May 10th, 2006 at 10:38 pm.
Belongs with: Brief Things.

May 11th, 2006 at 1:47 pm
You could’ve haiku’d that one…
“O! Window ajar
tiny spiders coming in
last time I do that…”
May 11th, 2006 at 3:21 pm
Lol, Ian. You should be a guest haiku artist on my blog… I guess you already are, eh?
May 11th, 2006 at 4:45 pm
They’re just being friendly! Hug them and show that you appreciate it!
May 11th, 2006 at 6:47 pm
A haiku artist?
Oh, come on! Surely you jest!
bows Japanesely
May 11th, 2006 at 6:54 pm
*Literally laughing out loud *
May 11th, 2006 at 7:31 pm
Concise. To the point.
Poetry for programmers:
the small, quaint haiku.
May 11th, 2006 at 9:07 pm
Ian -
You suck. Really bad.
So much better at haikus.
My haikus suck too.
James - You are INSANE.
(Wow, I’m really being nice to my commenters tonight. Don’t worry, I know them both in real life. So they can’t stay mad at me too long.)
May 12th, 2006 at 1:35 am
O Spider so small,
So very rare and good,
Give thy egg gifts to Erin.
May 12th, 2006 at 9:17 am
Ian - you running your own server there using one of those DNS forwarding type services? I recognize the ath.cx domain, I think that’s the one I used to use
May 12th, 2006 at 11:36 am
James- the typical haiku structure is 5-7-5 not 5-6-7. 5-6-6 wouldn’t be so bad since you maintain the 17-syllable limit. Technicalities
Philip- Yep. When I discovered our DSL gives us 896k upstream, setting that baby up was the first thing I did
Also, since I’m a tightwad, I don’t want to pay for hosting. Besides, running your own server gives you far more flexibility since you have full control over the machine (but gives you the additional headache of maintaining security).
And in case you’re wondering, the machine itself is only a lowly 500mhz Pentium 3.
May 12th, 2006 at 7:21 pm
[quote]James- the typical haiku structure is 5-7-5 not 5-6-7.[/quote]
Oops. Yeah, I know that. (I’ve done Haiku before.) But now you know how well my brain functions at 1:30 in the morning with no caffeine.
May 12th, 2006 at 7:25 pm
P.S. Make sure your ISP’s Acceptable Usage Policy doesn’t explicitly bar you from hosting a server on their internet connection. (The ISP I work for /does/ ban you from doing this.)
The most they would probably do was ask you to remove it and terminate service if you refused, but y’know, that’s a hassle.
May 12th, 2006 at 7:26 pm
P.P.S. Purely out of curiosity, what are you hosting it on? Apache? IIS? TELL ME!
May 12th, 2006 at 10:25 pm
James- last I checked Qwest lets you run servers on your connection. Comcast doesn’t (if I recall), but then again they only give you about 64k up so it’d be more or less useless if you did.
Anyway, it’s a typical LAMP server: Linux, Apache, MySQL, PHP/Python. I wouldn’t touch Microsoft’s server products (or any MS product, for that matter) with a 10-foot pole.
May 12th, 2006 at 10:53 pm
[quote]James- last I checked Qwest lets you run servers on your connection. Comcast doesn’t(if I recall), but then again they only give you about 64k up so it’d be more or less useless if you did.[/quote]
Sweet! I’ll definitely have to check that out when I shop for ISPs next!
[quote]Anyway, it’s a typical LAMP server: Linux, Apache, MySQL, PHP/Python.[/quote]
Ok. Thanks!
[quote]I wouldn’t touch Microsoft’s server products(or any MS product, for that matter) with a 10-foot pole.[/quote]
Why not?
May 12th, 2006 at 11:43 pm
*Looks around, amazed at the life this comments thread has taken on all on its own *
Glad to see you guys having fun!
May 12th, 2006 at 11:44 pm
Because calling them “secure” or “stable” would be a lie
After using Windows for several years, I find I can no longer trust Microsoft in either respect. I trust open-source software far more: everything is out in the open, for anyone to check (see scan.coverity.com to see what I mean).
Also, all Microsoft products cost money, which is a definite minus in my book
May 13th, 2006 at 11:50 am
What reasons do you have for saying Windows is not stable? I have crashed Linux with far more frequency as a noob than I ever crashed Windows.
The only reason Windows is the most infected operating system on the planet is because few people change the default configuration. Windows can be made very secure, and easily just as secure as Linux. (I’m not the only one who thinks so. Linux got like a D on the TCSEC. Windows 2000 got a B2.)
As to the cost, yes, it costs money, but I think it’s a good buy.
May 13th, 2006 at 1:11 pm
Read this:
http://www.theregister.co.uk/security/securityreportwindowsvslinux/
And this:
http://linuxadvocate.org/articles.php?p=1
but what I guess it really comes down to is the fact that I just plain love Unix
May 13th, 2006 at 4:19 pm
oops- wordpress mangled that first link. Go here instead: http://tinyurl.com/4sdlg
May 13th, 2006 at 5:12 pm
I will check out the first link later tonight.
As to the second link, it does not enter into our debate at all (although I will read it just the same as it seems informative) so I’m not sure why you posted it.
You bashed Windows on three fronts: 1. It costs 2. It is insecure (and you seem to imply that it cannot be made as secure as Linux) 3. It is not stable. I responded to all three. I made no claim as to which EULA was more or less restrictive for the end user.
May 13th, 2006 at 10:08 pm
First off, let me say three things.
I did not read the entire article. (This was chiefly because of the below reason.) I got a little over halfway before I quit.
The author is an idiot who obviously has never used Windows to any great extent. He makes several glaringly erroneous statements and honestly looked further than Slashdot comments for his facts.
The animosity I show in my critique is because it angers me that this author would publish this on the internet (where many uninformed people will read it) without doing any acceptable research. It is not directed at you, Ian.
[quote]Windows has only recently evolved from a single-user design to a multi-user model[/quote]
Recently? Windows 2000 (which was released in 2000) was released in the first quarter of the year 2000! At the time of this article’s publication, that was nearly five years prior.
[quote]Windows XP was the first version of Windows to reflect a serious effort to isolate users from the system, so that users each have their own private files and limited system privileges.[/quote]
I’m fairly certain Windows 2000 had this. In fact, considering how alike (in many respects, but not all) Windows 2000 and Windows XP are, I’m almost positive.
[quote]This caused many legacy Windows applications to fail, because they were used to being able to access and modify programs and files that only an administrator should be able to access. That’s why Windows XP includes a compatibility mode - a mode that allows programs to operate as if they were running in the original insecure single-user design. This is also why each new version of Windows threatens to break applications that ran on previous versions.[/quote]
God forbid, in adding to and revamping an OS, some stuff should be different from what it was last release! Oh, heavens no! You mean you can’t always have perfect compatibility from release to release?! GOOD GOD HOW WILL WE SURVIVE? Users might actually have to upgrade! :-O
[quote] As Microsoft is forced to hack Windows into behaving more like a multi-user system, the new restrictions break applications that are used to working without those restraints.[/quote]
No duh. What? You would have had them keep the old design? First you criticize them for ever having the old design, (which I believe only existed in the Desktop version of Windows; I think Windows NT had multiuser design, but I’m not sure) and then you criticize them for fixing it!
[quote]Microsoft made the Netscape browser irrelevant by integrating Internet Explorer so tightly into its operating system that it is almost impossible not to use IE.[/quote]
Microsoft made Netscape irrelevant by preying on users’ laziness. Most users won’t go searching for another browser because Internet Explorer does what they need! “impossible not to use IE”? Hardly.
[quote]Windows XP represented progress, but even Windows XP could not be justifiably referred to as a true multi-user system.[/quote]
Please tell me why the heck this was in here? The type of multi-user switching this guy is talking about does not enter into the security of a product in the slightest.
[quote]When Microsoft integrated Internet Explorer into the operating system, Microsoft created a system where any flaw in Internet Explorer could expose your Windows desktop to risks that go far beyond what you do with your browser. A single flaw in Internet Explorer is therefore exposed in countless other applications, many of which may use Internet Explorer in a way that is not obvious to the user, giving the user a false sense of security.[/quote]
This is an unfounded statement that is often quoted, but never backed up with proof. Please tell me exactly how a vulnerability in Internet Explorer is exposing the system any more than a vulnerability in Mozilla Firefox when they both run in the user space in which they were told to launch.
[quote]In the above architecture, a flaw in the graphics rendering routines cannot do global damage to your computer because the rendering functions do not have direct access to the most vulnerable system areas.[/quote]
This only happens if you are in Admin.
[quote]Case and point: The Windows XP service pack 2 already has a growing history of causing existing third-party applications to fail.[/quote]
No it’s not. This is the cause of Microsoft rewriting a significant portion of the operating system.
[quote]Windows Depends Too Heavily on the RPC model[/quote]
I would attempt to answer this, except for two reasons:
I do not know much about RPC.
The author has shown so much ignorance about matters much more basic than RPC, I don’t trust him to get his facts straight.
[quote]Linux is based on a long history of well fleshed-out multi-user design[/quote]
Linux has got to be one of the crappiest multi-user designs I’ve ever heard of. Unless you do a crapload of work with groups and system binaries, you’re either superuser or you’re a user. Linux administration sucks. There’s no way to effectively lower the privileges of the superuser account so in any environment where some person’s daily job (i.e. in an office environment) requires that they need above-user privileges, they need to use the superuser account which gives them access to everything. Gee. Linux handled that one beautifully.
[quote]In addition, users associated with services such as Apache, MySQL, etc., are often set up with user accounts that have no access to a command line. So if a malicious hacker somehow breaks into the MySQL user account, that hacker cannot exploit that vulnerability to issue arbitrary commands to the Linux server, because that account has no ability to issue commands.[/quote]
This is very easy to do in Windows. Just deny that particular user (or group) access to cmd.exe.
[quote]In sharp contrast, Windows was originally designed to allow all users and applications to have administrator access to every file on the system. Windows has only gradually been re-worked to isolate users and what they do from the rest of the system.[/quote]
Yes, let’s blame them for a design that was originally bad, but which they have fixed. And for the record, Windows 2000 on is based on the Windows NT codebase, which is completely different from the Windows 9x codebase.
[quote]Microsoft has employed to create this barrier between user and system is still largely composed of constantly changing hacks to the existing design, rather than a fundamental redesign with multi-user capability and security as the foundational concept behind the system.[/quote]
See above response.
[quote]This may be one of the most important differentiating factors between Linux and Windows, because it virtually negates most of the critical security vulnerabilities that are common to both Linux and Windows systems, such as the vulnerabilities of the Mozilla browser vs. the Internet Explorer browser.[/quote]
If you’re so concerned about web-browsing based vulnerabilities, why not just disable access to the Mozilla and Internet Explorer binaries? It’s that simple. And in my solution as opposed to his, you still have the ease of use that a GUI provides.
It was at this point that I quit reading the article.
Any questions, comments, and critiques are welcome.
May 14th, 2006 at 12:18 am
Critique follows.
“Recently? Windows 2000 (which was released in 2000) was released in the first quarter of the year 2000! At the time of this article’s publication, that was nearly five years prior.”
Windows moved to a multiuser model in 2000. Unix had been founded on a multiuser model when it was designed in the sixties. Linux was designed to be a free Unix, even in its initial release in 1993. Last time I checked, 40 years was more than 5 years.
“I’m fairly certain Windows 2000 had this. In fact, considering how alike (in many respects, but not all) Windows 2000 and Windows XP are, I’m almost positive.”
Windows XP built upon Windows 2000’s security model, which was not yet complete when 2000 was released. It was far better than win9x, but not as advanced as XP’s.
“No duh. What? You would have had them keep the old design? First you criticize them for ever having the old design, (which I believe only existed in the Desktop version of Windows; I think Windows NT had multiuser design, but I’m not sure) and then you criticize them for fixing it!”
A hack is not a fix, or at least not a good one; it should be a temporary solution at best. The author is saying instead of building on top of 10 years worth of crap, they should have revamped the core of the operating system to be more multiuser-oriented.
“Please tell me exactly how a vulnerability in Internet Explorer is exposing the system any more than a vulnerability in Mozilla Firefox when they both run in the user space in which they were told to launch.”
explorer.exe is both Internet Explorer and Windows’ own file manager. (try typing a local directory name into IE, or a web address into explorer- you’ll see what I mean). When a web browser is integrated into the OS’s core file managing software, a vulnerability in the browsing half could potentially expose the entire local filesystem to a malicious attacker.
“In the above architecture, a flaw in the graphics rendering routines cannot do global damage to your computer because the rendering functions do not have direct access to the most vulnerable system areas.
This only happens if you are in Admin.”
Do I really need to explain the difference between kernel space and user space to you? The operating system, that is, kernel space, has full access to all aspects of the system. User space has only what access the kernel gives it. A well-designed OS provides very little, if any, user space access to kernel space. The author’s point is that far, far too many things in Windows are implemented in kernel space and access to that kernel space is given out willy-nilly, since applications need those routines. If there’s a bug, the entire kernel (and thereby the entire system) could potentially be exploited.
“Linux has got to be one of the crappiest multi-user designs I’ve ever heard of. Unless you do a crapload of work with groups and system binaries, you’re either superuser or you’re a user. Linux administration sucks. There’s no way to effectively lower the privileges of the superuser account so in any environment where some person’s daily job (i.e. in an office environment) requires that they need above-user privileges, they need to use the superuser account which gives them access to everything. Gee. Linux handled that one beautifully.”
The beauty of Unix is that a normal user account cannot hose the system if exploited. You have to admit that it’s very, very easy to hose a windows box, even as a normal user. If you want to have a higher degree of granularity between the two, you use something like sudo, which allows you to grant certain users access to any subset of the superuser privileges.
Besides, the whole idea behind a multiuser system is that one does not need superuser privileges to perform everyday activities. In the office environment of which you speak, you’re either an end user, in which case you need internet, email, word processing, spreadsheets, etc., none of which should require superuser privileges, or you’re a systems admin, in which case you are the superuser.
“Yes, let’s blame them for a design that was originally bad, but which they have fixed. And for the record, Windows 2000 on is based on the Windows NT codebase, which is completely different from the Windows 9x codebase.”
See above. A hack is not (or rather, should not be) a permanent fix.
“If you’re so concerned about web-browsing based vulnerabilities, why not just disable access to the Mozilla and Internet Explorer binaries? It’s that simple. And in my solution as opposed to his, you still have the ease of use that a GUI provides.”
So you propose cutting users off from browsing the internet?
Furthermore:
“The author is an idiot who obviously has never used Windows to any great extent. He makes several glaringly erroneous statements and honestly looked further than Slashdot comments for his facts.”
This is what is referred to as argumentum ad hominem, which is a logical fallacy. In a nutshell, you’ve attacked the author’s character in trying to further your argument. This may work in Congress, but I don’t buy it.
Pardon the sarcasm, by the way- it’s just my personality, don’t take it too seriously.
Any further critique is welcomed
May 14th, 2006 at 7:58 am
Also:
“This is very easy to do in Windows. Just deny that particular user (or group) access to cmd.exe.”
Unless you decide to implement your plan where normal users are isolated from the internet, this is trivial to circumvent: just find cmd.exe or a cmd.exe replacement like 4NT on the web somewhere and use it from the restricted account.
May 14th, 2006 at 12:24 pm
Okay, guys. I know you’re being civil and all, but I’m going to ask that you continue this inspiring debate via e-mail or something. I’m not picking on you, and I think it’s great for you two to hash this out and discuss it to your hearts’ content, but I would prefer that this post not become a message board thread about Windows.
Ian and James, I know both of you in real life and know that you’re not (very) scary or anything, so Ian, let me know if I could provide James with your email address so that you could continue this conversation that way. Thanks!
(I’m not mad, upset, or even at all annoyed at you guys, just so you know. I just would like to keep comments somewhat on topic. Thanks for understanding.)
May 14th, 2006 at 1:02 pm
nah, it’s fairly obvious that neither one of us is going to convince the other one way or another
I might do a writeup on my blog on the topic, eventually.
No hard feelings, James
May 14th, 2006 at 1:25 pm
“Windows moved to a multiuser model in 2000. Unix had been founded on a multiuser model when it was designed in the sixties. Linux was designed to be a free Unix, even in its initial release in 1993. Last time I checked, 40 years was more than 5 years.”
While this is true, didn’t Linus start the Linux kernel from scratch in 1991? So while you can say that Linux has been designed around a multi-user model since the beginning, that beginning is certainly not in the 1960’s. (If Microsoft chose to write an OS that used the same multi-user model as Unix, would you say that Microsoft had had that multi-user model since the 1960’s?)
“Windows XP built upon Windows 2000’s security model, which was not yet complete when 2000 was released. It was far better than win9x, but not as advanced as XP’s.”
Windows 2000 can both limit system privileges and limit users’ interaction with other users’ files. (Which is what I claimed originally. I did not say that 2000’s security model was as complete as XP’s.)
“A hack is not a fix, or at least not a good one; it should be a temporary solution at best. The author is saying instead of building on top of 10 years worth of crap, they should have revamped the core of the operating system to be more multiuser-oriented.”
Windows NT is an entirely different codebase from Windows 95. Switching codebases isn’t a hack.
“explorer.exe is both Internet Explorer and Windows’ own file manager. (try typing a local directory name into IE, or a web address into explorer- you’ll see what I mean). When a web browser is integrated into the OS’s core file managing software, a vulnerability in the browsing half could potentially expose the entire local filesystem to a malicious attacker.”
The only parts of the filesystem that would be exposed by an exploit would be the parts of the filesystem that the user would normally have access to based on the ACLs. The same would be true with any Firefox exploit.
“Do I really need to explain the difference between kernel space and user space to you? The operating system, that is, kernel space, has full access to all aspects of the system. User space has only what access the kernel gives it. A well-designed OS provides very little, if any, user space access to kernel space. The author’s point is that far, far too many things in Windows are implemented in kernel space and access to that kernel space is given out willy-nilly, since applications need those routines. If there’s a bug, the entire kernel (and thereby the entire system) could potentially be exploited.”
As I’m not sure exactly how Windows interacts with the kernel space on the specifics, I cannot answer this section of your critique.
“The beauty of Unix is that a normal user account cannot hose the system if exploited. You have to admit that it’s very, very easy to hose a windows box, even as a normal user.”
If you are running under a User account in Windows, I don’t see how you can hose the entire operating system. The only portions of the OS that I can write to are my personal Documents and Settings folder. The rest is just read and execute by default.
“If you want to have a higher degree of granularity between the two, you use something like sudo, which allows you to grant certain users access to any subset of the superuser privileges.”
I did not realize this. I thought sudo was just a way to run one command under root while leaving the terminal still logged in under the user account. I stand corrected.
“Besides, the whole idea behind a multiuser system is that one does not need superuser privileges to perform everyday activities. In the office environment of which you speak, you’re either an end user, in which case you need internet, email, word processing, spreadsheets, etc., none of which should require superuser privileges, or you’re a systems admin, in which case you are the superuser.”
No response here needed as I agree with you.
“See above. A hack is not (or rather, should not be) a permanent fix.”
I still don’t see how changing codebases is a hack rather than a fix. (Unless you know something that I don’t about the NT codebase that I don’t know.)
“So you propose cutting users off from browsing the internet?”
On the server machine, yes.
I understand the author to be saying that Windows cannot do headless non-local administration and because of this the Windows server machine would be vulnerable to browser exploits. This is why I said you could just disable access to the browser executables to mitigate this problem as this would fix the problem if Windows could not do remote administration.
However, Windows can do remote administration:
Using Remote Desktop for Administration for remotely managing computers running Windows Server 2003 can greatly reduce administrative overhead in any Windows Server 2003 environment.
Administrators can access servers from anywhere: be it inside the computer room, or from halfway around the world over a WAN, VPN, or dial-up connection. They can start time-consuming batch processing jobs like tape backups, disconnect, and then dial-in to the corporate network at a later time to check the progress.
Server application and operating system upgrades can be completed remotely, as well as tasks that are not usually possible unless the administrator is sitting at the console—for example, domain controller promotion/demotion and disk defragmentation.
Server file system tasks, such as copying large files and virus scanning, are much more efficient when performed within a Terminal Services session, rather than using utilities that are executed on a client computer. And administration tasks are quicker and more intuitive than using command-line utilities, although it is still possible to open up a command shell. (Source: http://www.microsoft.com/windowsserver2003/techinfo/overview/tsremoteadmin.mspx)
“This is what is referred to as argumentum ad hominem, which is a logical fallacy. In a nutshell, you’ve attacked the author’s character in trying to further your argument. This may work in Congress, but I don’t buy it.”
I meant it as more of a statement of my opinion about the author.
“Pardon the sarcasm, by the way- it’s just my personality, don’t take it too seriously.”
Okie dokie.
Also, let me just say that I think that what Linux has managed to do is amazing. I have not yet used it near to the extent that I would like and plan to experiment with it more in the future.
That said, I still believe the security model implemented by Windows to be better, and that is all I’m trying to say.
May 14th, 2006 at 1:27 pm
Erin: Ok, that’s perfectly reasonable. (I apologize for my above post, as I only noticed your comment after I had posted it.)
Ian: No hard feeling to you too, Ian.
My e-mail address is xierox (at) gmail d0t c0m
May 15th, 2006 at 5:10 am
I thought I would be reading 28 comments about spiders but I stand corrected.
I would have to agree with Erin that the topic somewhat veered in the wrong direction. Even so, I feel I have gained a new respect for operating systems in general after reading all of this.
Well here is my response to this…
If I had the choice
I would buy a Macintosh,
but I lack the funds.
P.S. Spiders are awesome. It’s quite fun to put other bugs in their webs to see how they react.