echo: nthelp
to: Adam Flinton
from: Geo.
date: 2004-02-28 11:29:48
subject: Re: https://rhn.redhat.com/errata/RHSA-2004-051.html

From: "Geo." 

"Adam Flinton"  wrote in
message news:40406fe1$1{at}w3.nls.net...

> > Does Linus contribute to the RH product? If he screws up and codes something
> > that's exploitable don't you consider that a RH exploit if it affects RH?
> >
>
> Yes I do. It is both a RH exploit & a linux one. Being a linux one it is
> also a mandrake one, a Suse/Novell one, a debian one, a knoppix one, a
> slackware one etc.etc.etc.

Ok so you do admit then that you can have a RH (or Mandrake, SUSE, knoppix,
slackware, etc) exploit that is NOT also a Linux exploit as you define
"Linux"? (the "&" in your statement implies this)

Great we are making progress. Now all you have to do is realize that people
run RH or Mandrake or SUSE or Knoppix but nobody runs just
"Linux".

> You have a base set of stuff required
> for linux to work (kernel & some drivers) & that after that it's up to
> the distro maker. But a given distro maker builds on top of linux it is
> not linux per se.

Would everyone who downloaded or purchased "Just Linux" please
raise their hands? People don't run "just Linux" Adam, they run a
distribution and because of that it's proper to identify security
vulnerabilities by distribution not by "just linux". In fact, the
issue of "just Linux" is pretty irrelevant since many
distributions run a common core of stuff that's far greater than that (as
one example how many include BIND?).

NTserver comes with a DNS server, does that mean a flaw in MS DNS is or
isn't an NTserver exploit? In my book it most certainly is. You consider
NTserver to be an OS don't you? Don't you think that trying to point out
that an MS DNS exploit isn't really an OS issue is misleading? Are you in
marketing or something? 

> Secondly if you look at the MS EULA you can't hold em responsible for
> anything so while MS do provide patches it's mostly because they would
> be dead in the water commercially w/o them.

They would be dead in the water specifically because their customers DO
hold them responsible even in light of the wording in the EULA.

> No it's a matter of loading what you need. If you have no need for anon
> ftp would you load it & expose it to the net? If you have no need of
> GAIM would you fire it up, get some accounts & leave it on even if you
> aren't using it?

I run plenty of W2Kserver machines, none of them has WINS loaded on it
although WINS does come on the W2Kserver CD. Does this mean that a WINS
exploit like MS04-006 somehow doesn't count as a "Windows"
exploit?

If I put the W2Kserver box on a shelf does that mean there are no windows exploits?

> A Large distrib is a collection of software where I doubt anyone ever uses
> anything like all of it.

The more shit you install the more security issues you will have, correct?

If that's true then why do you have such a problem with the same logic
being used to reason that the more shit you include in a product the more
security issues you will have?

Geo.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
