Linux, Macintosh, Windows REDUX by STDOUBT

REAL WORLD EVENT DISCUSSIONS

Linux, Macintosh, Windows REDUX

POSTED BY: STDOUBT
UPDATED: Wednesday, June 21, 2006 05:44
SHORT URL:
VIEWED: 1227
PAGE 1 of 1

Sunday, June 18, 2006 10:21 PM

Hi ho,
Rather than digging up the old thread with 100+
replies, thought I'd start a fresh one. Main reason
being that I recently found a coherent answer to
SigmaNunkis request for an explanation as to why I
thought the GPL (GNU General Public License) was
better than the BSD (Berkely Software Distribution)
license in terms protecting software developers.

To paraphrase a developer I overheard on /.:
If I release my code under BSD, any business can
come along and use it, and ignore me. If I use GPL,
they have to ask ME to re-use the code in their
product, thereby allowing me a chance to negotiate
terms and even re-license to them exclusively for
future upgrades, development, etc.

Obviously, any dev can license his own code any
way he chooses. But once your code is "out there"
under pure BSD, it's well, out there. GPL
protects developers in the sense that if a bigcorp
is asking after your code, YOU have leverage over
it's future. You can re-license future iterations
exclusively to BigCorp or not as you choose.
Anyhoo -that's the best I got -don't need to make
a big whoop-la out of this posts topic, just
thought to ping Sigma about this now that it's
dawned on me... months later. Heh -I think my
brain runs a 486DX (and a dusty one at that).

Also, been really hard to login to FFF.N lately,
and yes, I blame Microsoft
and wanted to say This is one of my all-time
favorite sites!!! It's addictive so THANK YOU
!!!!!!!!!!!!!!!!!to Haken!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!THANK YOU!!!!!!!!!!!!!!!!!!!!!!!
Serenity is an Operating System!
http://elivecd.org/gb/Download/Stable/

P.S ~Haken, please hire SigmaNunki to set you up
a server that don't choke! :-P "Windows Server
2003" is for serving office buildings!

NOTIFY: N | REPLY | REPLY WITH QUOTE | TOP | HOME

Monday, June 19, 2006 4:08 AM

SIGNYM

I believe in solving problems, not sharing them.

GPL is like judo- you take the opponent's force (strangulating control by proprietary software licensing agreements) and turn in to your advantage. If MS objects to the basis of the GPL that opens MS up to objections along the same lines. I believe we have Richard Stallman to thank for that insightful twist! I'm not a software expert, but I like to study economic and politics.

On a technical basis- I know someone who's expert enough to crack MS. (And that's no mean feat. Apparently MS code is so tangled that even the developers don't know what's going on half the time.) He vastly prefers Linux (specifically the Debian distro) for it's security and intercompatibility and that is he runs on his (major west coast univerity) Chem Department server.

---------------------------------
Don't piss in my face and tell me it's raining.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Monday, June 19, 2006 7:34 AM

CITIZEN

Quote:
Originally posted by Signym
On a technical basis- I know someone who's expert enough to crack MS. (And that's no mean feat. Apparently MS code is so tangled that even the developers don't know what's going on half the time.) He vastly prefers Linux (specifically the Debian distro) for it's security and intercompatibility and that is he runs on his (major west coast univerity) Chem Department server.

Yep MS code is some of the worst most obfusticated god awful crap I've ever seen.

Though 'cracking' it is slightly different, that's where you take compiled machine code and break software encryptions or protections, so the god awful state of the source doesn't effect you much.

The problem with Linux is not it's technical prowess, it is a better OS than Windows. It's problem is:
A) ease of everyday use (I've been using computers since before I could walk and I find Linux confusing at times)
B) Availabillity of drivers and ease of getting it up and running
C) The fact that most of the industry standard software for many tasks (I'm thinking apps like 3DS Max, Photoshop and so on) are not supported and there aren't realistic Linux based alternatives.

More insane ramblings by the people who brought you beeeer milkshakes!
"I had a rose named after me and I was very flattered. But I was not pleased to read the description in the catalog: 'No good in a bed, but fine against a wall'." -- Eleanor Roosevelt.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Monday, June 19, 2006 8:28 AM

CITIZEN

Hows that for a long time between double posts?

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Monday, June 19, 2006 5:13 PM

SIGMANUNKI

Hey STDOUBT, how you been?

Quote:
Originally posted by STDOUBT:

If I release my code under BSD, any business can
come along and use it, and ignore me. If I use GPL, they have to ask ME to re-use the code in their product, thereby allowing me a chance to negotiate terms and even re-license to them exclusively for future upgrades, development, etc.

This developer has clearly not read the GPL. The company does not have to ask permission to use GPL'd code in there product. They only have to GPL there product to comply with the GPL. If it is LGPL'd, the company need only dynamically link to the lib and they can still have there code closed.

This is of course assuming that the company plays fair and obeys the licensing of the [L]GPL'd lib. This is not always the case:

http://digg.com/technology/Sony_rootkit_based_on_LGPL_and_breaches_lic
ence_
http://www.the-interweb.com/serendipity/index.php?/archives/52-Is-Sony
-in-violation-of-the-LGPL-Part-II.html

And how many other examples are out there that we don't know about?

Oh, and only if they are planning on distributing the product. If the product is just "in house" then the point is moot b/c the GPL states that souce must accompany the product (or easily accessable) when being distributed.

And the part about modifications being sent back up-stream... well, who's going to know (eg sony above). Especially if the product never leaves the company. This is of course, assuming that modifications have been made (which probably isn't the case).

Negotiation only happens if the company wants the developers code, and they are playing by the rules and they want it under a different license. That's a lot of if's.

As an example, a number of years back, I worked in a web development shop. We were charged with writing CGI in C (certainly not my decision) and we statically linked to libmysqlclient. We didn't make any changes to the lib nor did we ask permission to do this nor did we distribute the cgi to any of the users. This was perfectly compliant with the GPL which MySQL is [duel] licensed under (and common practice).

The BSD license says credit where credit due, but the company can't use the name of the developers in any advertising (or the company named in the license).

Both licenses have that no implied warrentee, etc stuff in them. We get what we pay for after all

I really don't know why people would care if there code gets put into a comercial product though. Personally, I'd take it as a compliment. But, as I see it, this is more than just a little about arrogance. I mean, how arrogant do you have to be to think that the code that you write is so good that you have to protect it from the evil companies b/c they are just waiting to "steal" your next "genious" invention. Seriously...

Quote:
Originally posted by STDOUBT:

P.S ~Haken, please hire SigmaNunki to set you up
a server that don't choke! :-P "Windows Server
2003" is for serving office buildings!

Colour me flattered

To be fair though, the server seems to be up for the most part, just not avalible. We just wait and wait and...

Since I highly doubt that Haken will involve me in any discussions about this site. So, I'll just over step my bounds here and make a few suggestions.

The below assumes that the below tech has bindings for asp, though another language could be used as well (eg PHP, Python, etc).

For the least drastic change, the database server must be changed. It really seems to be the bottleneck as 95+% of the errors I get are SQL Server related.

So, MySQL would be a good choice using the MyISAM engine b/c of the speed. But, InnoDB has higher integrety. Just depends on what is needed, though I gather that a site this busy would favour speed, so MyISAM.

The benchmarks that I've seen for sqlite state that it is (much) faster, but I've never personally used it. I also don't know about it's performance with large DB's.

Moving on, there is changing the webserver. Lighttpd has an extremely small foot print and is a very fast webserver by all accounts. Though I've never used it before (but many on misc@openbsd.org have and recommend it), b/c I've heard nothing bad about it, and seeing it's benchmarks, I'd recommend at least trying it.

If none of that helps, the most drastic thing to do would be to switch to Linux (or FreeBSD). This would eliminate the high over-head of the Windows OS's and introduce a fast(er) OS. And for those of you that think that I'm pimping my choosen OS, I run OpenBSD on all my servers.

Anyone care to RFC?

But, now in the spirit of the Linux, Mac, Windows thread, I'll post the below that I received acouple days ago on webappsec@securityfocus.com

"""
Subject: SyScan'06 Highlight - Attacking Microsoft New Operating System (Vista)

Msg:
This is a brand new presentation and its going public for the very first time in SyScan'06.

Joanna Rutkowska, a senior researcher of COSEINC Research, will present her latest technique in bypassing and attacking the latest Mircosoft Vista operating system kernel.

The presentation will first present how to generically (i.e. not relaying on any implementation bug) insert arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy for allowing only digitally singed code to be loaded into kernel. The presented attack does not requite system reboot.

Next, creation of Stealth by Design malware for Vista x64 will be briefly discussed. This will be the base for introducing the new approach (codenamed 'blue pill') for writing undetectable malware on the latest AMD64 processors. The ultimate goal is to demonstrate that is possible (or soon will be) to create an undetectable malware which is not based on a concept, but, similarly to modern cryptography, on the strength of the 'algorithm'.

A working blue pill will be demonstrated.

Please visit www.syscan.org for more.
"""

Yay, M$ security!!!

----
I am on The List. We are The Forsaken and we aim to burn!
"We don't fear the reaper"

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Tuesday, June 20, 2006 3:01 PM

STDOUBT

"blue pill"... *sigh* -that is beautiful

Sigma -good to hear your reply on the license
issue. It's always really interesting to me to see
other opinions -opinions that make sense and stuff ;] Still don't quite get it but -I don't need to either.
Keep on keepin' on bro.

Now -mighty interesting on the Vista kernel. Almost makes me think the holes are deliberate. I actually dread the day when M$ rolls over and starts using the Darwin or FreeBSD kernel. Not that I'm a blackhat, but it's really entertaining to read about all the 5ploits on the Win platform.

As for FFF.N, It was just all of a sudden that it went funky. I don't even know if this message will post. I'd almost rather see it go down completely for a week to be repaired than to have it limping.
FFF.N has One IP address. Yikes. If I had the means and brainpower, I'd email Haken and suggest something -co-location, something -this site has become really important to a lot of people.
Has anyone heard from Haken about the turbulence we're having? I bet if he made an announcement/plea for help, we could get him at least a co-lo for a year (maybe on a UNIX box too!) heh heh.
Gonna hit "Post My Response" now *crosses fingers*

Serenity is an Operating System!!
http://elivecd.org/gb/Download/Stable/

NOTIFY: N | REPLY | REPLY WITH QUOTE | TOP | HOME

Tuesday, June 20, 2006 9:43 PM

CITIZEN

Quote:
Originally posted by SigmaNunki:
Subject: SyScan'06 Highlight - Attacking Microsoft New Operating System (Vista)

Msg:
This is a brand new presentation and its going public for the very first time in SyScan'06.

Joanna Rutkowska, a senior researcher of COSEINC Research, will present her latest technique in bypassing and attacking the latest Mircosoft Vista operating system kernel.

The presentation will first present how to generically (i.e. not relaying on any implementation bug) insert arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy for allowing only digitally singed code to be loaded into kernel. The presented attack does not requite system reboot.

Next, creation of Stealth by Design malware for Vista x64 will be briefly discussed. This will be the base for introducing the new approach (codenamed 'blue pill') for writing undetectable malware on the latest AMD64 processors. The ultimate goal is to demonstrate that is possible (or soon will be) to create an undetectable malware which is not based on a concept, but, similarly to modern cryptography, on the strength of the 'algorithm'.

A working blue pill will be demonstrated.

Please visit www.syscan.org for more.

A security exploit for an MS OS that hasn't been released yet, who'd a thunk it...

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Wednesday, June 21, 2006 5:22 AM

SIGMANUNKI

Quote:
Originally posted by citizen:

A security exploit for an MS OS that hasn't been released yet, who'd a thunk it...

What'd ya mean? Are you limiting findinng exploits to just before release?

----
I am on The List. We are The Forsaken and we aim to burn!
"We don't fear the reaper"

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Wednesday, June 21, 2006 5:44 AM

SIGMANUNKI

Been poking around seeing if Apache has ASP support and it does. Using mod_perl and Apache::ASP

http://www.apache-asp.org/

A testimonial:

http://www.apache-asp.org/testimonials.html
"""
Cine.gr

...we ported our biggest yet ASP site from IIS (well, actually rewrote), Cine.gr and it is a killer site. In some cases, the whole thing got almost 25 (no typo) times faster... None of this would ever be possible without Apache::ASP (I do not ever want to write ``print "\n";'' again).

"""

Just a heads up since most of the errors I get have switched from ODBC to timeouts. Really starting to fustrate me.

----
I am on The List. We are The Forsaken and we aim to burn!
"We don't fear the reaper"

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

YOUR OPTIONS

SHARE THREAD

NEW POSTS TODAY

USER	POST DATE

USER

POST DATE