echo: nthelp
to: Geo.
from: Adam Flinton
date: 2004-03-01 13:23:42
subject: Re: https://rhn.redhat.com/errata/RHSA-2004-051.html

> From: "Geo." 
> "Adam Flinton"  wrote in message
> news:40406fe1$1{at}w3.nls.net...
>> > Does Linus contribute to the RH product? If he screws up and codes
>> > something that's exploitable don't you consider that a RH exploit if it
>> > affects RH?
>> >
>>
>> Yes I do. It is both a RH exploit & a linux one. Being a linux one it is
>> also a mandrake one, a Suse/Novell one, a debian one, a knoppix one, a
>> slackware one etc.etc.etc.
> Ok so you do admit then that you can have a RH (or Mandrake, SUSE, knoppix,
> slackware, etc) exploit that is NOT also a Linux exploit as you define
> "Linux"? (the "&" in your statement implies this)

Yup. I have not stated otherwise. What I have stated is that none of those
distribs is by itself "linux". Rich was trying to say that a hole
in Gaim is thus a hole in "linux".

Do you think that a hole in GAIM is a hole in "linux"? If so then
why is a hole in GAIM (or it would seem possibly trillian) not also a hole
in Windows?


> Great we are making progress. Now all you have to do is realize that people
> run RH or Mandrake or SUSE or Knoppix but nobody runs just "Linux".

Hohum. If you're talking about prebuilt binaries vs compiling your own
distrib then I would point you to Gentoo. There you get a kickstarter &
you decide exactly what you want & you then compile it for your exact
system & requirements. It is possible to see no 2 Gentoo installs as
being the same.


>> You have a base set of stuff required
>> for linux to work (kernel & some drivers) & that after that it's up to
>> the distro maker. But a given distro maker builds on top of linux it is
>> not linux per se.
> Would everyone who downloaded or purchased "Just Linux" please raise their
> hands? People don't run "just Linux" Adam, they run a distribution and
> because of that it's proper to identify security vulnerabilities by
> distribution not by "just linux".

Give this:

http://www.gentoo.org/

A go. In fact in this exact case give this:

http://www.gentoo.org/proj/en/hardened/

a go.

If you're seriously going down this route then "Would everyone who
downloaded or purchased "Just Windows" please raise their
hands?" coz heck there's drivers which may well not be on the Windows
CD & without which all parts of your machine may not work.

"My scanner doesn't work.....I have a CD wot came with it but then I'd
not be running just windows anymore so I can't pollute my system...."

Equally how many people are just running Windows on the s/w side? Do you
write all your word processed docs with WordPad? I take it you can't use
spreadsheets etc at all coz no spreadsheet comes with Windows...

> In fact, the issue of "just Linux" is
> pretty irrelevant since many distributions run a common core of stuff that's
> far greater than that (as one example how many include BIND?).

& how many don't? Other Unixes may include bind etc. so is BSD a
"linux"? If Apple includes Bind is it "linux"?

> NTserver comes with a DNS server, does that mean a flaw in MS DNS is or
> isn't an NTserver exploit? In my book it most certainly is. You consider
> NTserver to be an OS don't you? Don't you think that trying to point out
> that an MS DNS exploit isn't really an OS issue is misleading? Are you in
> marketing or something? 

Bollox. You're in essence trying to say that anything that any Linux distro
bundles makes that thing (whether JBoss or Bind or Mysql) into
"linux".

MS sell a product called Windows which they themselves write & include
stuff in so as to drive up the value add of Windows.

The Linux distros may include stuff (mostly written by others) to also
drive up the value add of their product.

However if I decide to sell PCs with Windows & Office (or Smartsuite,
or Mysql etc.etc) preloaded, that doesn't make Office or Smartsuite or
Mysql "part of Windows".

If you want to say that any bundling of an OS + 3rd party apps counts as a
vuln for that OS where a vuln is found in that 3rd party app then so be it.


Is that what you're saying?

>> Secondly if you look at the MS EULA you can't hold em responsible for
>> anything so while MS do provide patches it's mostly because they would
>> be dead in the water commercially w/o them.
> They would be dead in the water specifically because their customers DO hold
> them responsible even in light of the wording in the EULA.

Hah. Really? So if the DCOM hole is exploited & people have to rush
around fixing things, they send the bill to Redmond? Check the EULA.

>> No it's a matter of loading what you need. If you have no need for anon
>> ftp would you load it & expose it to the net? If you have no need of
>> GAIM would you fire it up, get some accounts & leave it on even if you
>> aren't using it?
> I run plenty of W2Kserver machines, none of them has WINS loaded on it
> although WINS does come on the W2Kserver CD. Does this mean that a WINS
> exploit like MS04-006 somehow doesn't count as a "Windows" exploit?
> If I put the W2Kserver box on a shelf does that mean there are no windows
> exploits?

Huh? If all the Windows boxes in the world are turned off forever then MS
will have no Windows exploits.


>> A large distrib is a collection of software where I doubt anyone ever uses
>> anything like all of it.
> the more shit you install the more security issues you will have, correct?
> If that's true then why do you have such a problem with the same logic being
> used to reason that the more shit you include in a product the more security
> issues you will have?

No probs there with me.
I am merely asking for equality in this. If an OS is bundled with 3rd
party apps & a hole is found in one of those apps then I am happy that
it is counted as an OS vuln, i.e. if WinDVD is found to have a vuln then
windows has a vuln coz it's preloaded. If MySQL is preloaded & MySQL
has a vuln etc.etc.

Equally, if a white box maker somewhere bundles GAIM with Windows &
there is a hole in GAIM then both Linux & Windows have a hole. 

I am equally happy to say that a linux hole is one which applies to all
linux distribs of a given kernel or kernels where the hole exists in the
base level linux & that the same is applied to windows. 

The alternative is that I choose a major distro when I want to show
"how much you get with linux" & a mini hardened distro (e.g.
a router on a floppy version) when we want to compare "vulns".

I don't mind which. The 2nd puts "linux" in a far better light
than "Windows".

e.g. I could choose the least vulnerable from:

http://www.fokus.gmd.de/linux/linux-distrib-small.html




Adam

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270
@PATH: 379/45 1 633/267

SOURCE: echomail via fidonet.ozzmosis.com