Re: Ten least secure programs
From: Tim Greer (chatmaster_at_charter.net)
To: "Dan Bartley" <firstname.lastname@example.org>, <email@example.com>
Date: Fri, 4 Jul 2003 14:02:02 -0700
----- Original Message -----
From: "Dan Bartley" <firstname.lastname@example.org>
To: "Tim Greer" <email@example.com>;
Sent: Friday, July 04, 2003 12:58 PM
Subject: RE: Ten least secure programs
> One more time. I'll admit to being sucked in one last time. :-( This
> really will be my last word on this thread, label that however makes you
> feel better about it.
I have no feelings about it either way. If someone not agreeing with you
updates you this much, it's probably better you leave the topic alone
> I can only assume you live in a bubble of self involvement.
Sure, why not, I don't agree with you and you think highly of yourself, so
it's just illogical to you. Good thing you're mature enough to try and
belittle people for not agreeing with you and your logic, to illustrate how
much of a bigger person than I.
> You outright
> said in earlier posts that you have no security issues,
I said I do not have security issues with the programs I code.
> that you have no
> need for security tools,
I did not say this. Quote where I said there's no need for anyone, or where
I said that I personally have no need. As for the need, it depends on the
type of tool. I said that I have no need for anti-virus tools... this
bothers you? I use platforms that don't have the ability to have viruses,
or not very many over years anyway, and I don't open executables and run
them like a fool. Why would I need an anti-virus tool? IDS, why? This can
be useful, but only for a specific purpose. There's no harm in using one.
Firewalls, I use them, but not to mask an underlying problem, such as you
seem to suggest is the solution. If you choose to construe that as me
making irrational and arrogant claims out of insanity because I think
everything's perfect, then feel free.
> that you have fixed or selected software where
> no security issues exist and do not require security prevention.
That is correct for many aspects of software I run and how I run it. That
is not a claim I made for all services I run and some need to be watched or
updated more than others. It all depends. But yes, I have never had or
seen any problems or reports for Qmail, nor djbdns, I configure and run them
properly and they do not require any concern as other services inevitably
do. If there's an issue one day, I'll update or find out how and why it's
an issue and see if there's anything I can do to prevent it in the future.
Unless you care to explain exactly how your solution of an antivirus,
firewall and IDS will help prevent a problem with a service such as this on
a web server that requires the ability for anyone to send me email or for me
to send out, or resolve my domain to do this and other type of accesses.
The point is, they do not. The point is, these solutions you think are
solutions, are not solutions. They are not worthless and they have a use,
but you don't just throw software at a problem because of poor choices of
the software you use--well, maybe you do, but I don't. I know, how
egotistical of me to have the nerve to say that I use software that has
absolutely no history of security issues over several years of it being very
popular on thousands of heavily used web services and the gall to actually
say that the more control you have over your system the more control you
have, and thus better security--provided you know what you're doing. Oh,
what was I thinking, trying to explain this to the great, uh, you.
> you want to clarify what you really meant as opposed to what you
> actually said?
Or perhaps you can actually consider the idea of just actually reading what
I said instead? Or does telling you twice actually matter?
> Which part of you have solved all security issues did I
I'd first like to know exactly where you get the idea that I ever said what
you just claimed. Grow up and stop trying to act like someone realizing the
ability of more control means that they are claiming that they've managed to
somehow come to the self realization that they are perfect and have the
solution to every security issue. I never said any such thing, stop acting
like a child and be a man.
> I am not interested in bashing Linux or any other OS users.
Yes you are, or people that don't agree with you anyway, no matter how valid
the points are--you prefer to take them personally and attack people with
untrue claims, such as you did above. This is helpful?
> I am against
> arrogant admins
Do you exclude yourself and your stubborn standpoint in that list? Do your
own rules not apply to you?
> or users (of any OS) who feel they have all the answers
> and dispense advice based on that assumption.
I agree, and you should stop.
> Unfortunately for the
> growth potential of a promising OS, *some* of the more vocal Linux users
> tend to be very immature, arrogant and closed to learning new things.
I didn't realize you were a Linux user, then? This is true of many
platforms and users, not just Linux.
> Sadly, this has caused Linux (most flavors) to remain a struggling
You're just being a jerk now... not that this seems new in this thread, but
get real. Your bias is pathetic. Apparently Linux is struggling... that's
a good one. You're like any other self-proclaimed person that thinks they
know what they are talking about, when they don't (painfully obvious). I'm
not saying this to come off like a troll, like you are, but simply because
it's blatantly obvious. Why do I say this? Simply because I never did
anything but compare two and mention the platforms. I am more of a *BSD
user than anything, and I use Windows a lot (for home stuff--I'm using it
now, as a matter of fact, and I like it (for this purpose)). yet, because I
mention it, you, like any other fool that can't make a valid point in his
own favor, just assumes that the other person is some Linux nut who
mindlessly bashes MS. Are your feelings hurt because you got yourself a
worthless MSCE and feel jipped? Is that it? I can't blame you.
> I would like to see it be otherwise, it has tremendous
> potential for specific areas.
Potential... a more popular and better performing platform for web servers
over Windows... well, you're right, I guess Linux has potential... maybe one
day we'll be hearing more about this mysterious OS... you biased oaf!
> What planet are you from?
I don't recall, it's been too long to remember. The fact is, I don't agree
with your uneducated and egotistical and defensive position, so you are just
a wreck when trying to deal with it. Grow---up...
> You did not know that IBM and HP make some of
> the most widely used and secure UNIX flavors?
You said IBM and HP have come out best in the last year. I said they are
brand names, not OS'es... if you want to mention an OS, version, dist,
mention it. It's like someone saying "I program computers"... what the hell
does that mean? "I work in IT, I do IT". Huh? Say what you want to say...
name specific things and exactly what "came out best" compared. Where are
these versions and your statistics you keep going on about. Let's see them,
> Or are you just grasping
> for a bashing implement by pretending to be a master of semantics?
I could never be like you... you've got this 'down'. I would never try.
> Hey! I've got an idea
Finally... using it, eh?
> (based on your apparent logic pattern).
You mean "sense"... but I'm sure it's senseless by the time your mind
processed the information.
> It might
> rain somewhere one day. Just never go outside, then you don't need a
If you really think that makes sense. So, apparently because I don't
recommend wearing a raincoat 24 hours a day, inside, outside, no matter what
the region you live in has weather like or the forecast, etc., even when
you're sleeping or showering, you should put on your raincoat, hat, galoshes,
etc., I'm apparently being too extreme in my comments that "If you don't
need to, don't just put a raincoat on anyway".. you really think this
equates to meaning that I am recommending people take an extreme to the
other degree? You have been posting insanely ludicrous solutions that don't
solve anything, and I recommend the right tool for the right problem only or
avoiding the problem to not need the tool, or using the tool for the right
reasons only, and you come up with this response? I bet you really think
you are making a valid point too.
> You clearly limit the options of whoever it is you are consulting for
> with that kind of approach. I do not recommend anyone here take that
No, I am just actually qualified, unlike you, and don't recommend throwing
software at a problem, without actually solving that problem. And yes, we
all realize you don't recommend taking anyone's approach that you don't
like. Poor you.
> Yes, the original subject of this thread.
And you should maybe try sticking to that original subject.
> Take note that I have made
> suggestions, repeatedly, in every post geared directly toward that
> original subject.
No, you suggested non issues, that didn't relate to the topic and just
wanted to let everyone know how special your mother told you that you were
today. I really don't care, or care what your little problem is. The facts
are that you did not participate in the discussion in any productive manner.
Instead, you wanted to just blurt out what you thought was the solution,
because you lack the skills and education to know what you're talking about.
Perhaps you don't like me for pointing out that fact, but I really can't
care less. Lest someone follow your advice and get a false sense of
security and end up in a big mess.
> Listing 10 specific applications to avoid is
> ridiculous and unproductive.
I'm sure it is, and I'm so very happy to see that you opted to take that
mentality and run with it.
> It is an exercise in both futility and
Again, refer to above. Personally, I'd like to see reasonable, rational and
sensible discussions, not like a nut trying to just mask the problem and
accuse anyone that doesn't agree with their methods of thinking they have
the 1 perfect solution for everything.
Person 1: I wrote a program, and it's secure. There's no functions in it
that could open a potential exploit.
Person 2: Liar, all programs have exploits.
Person 1: (Gives very easily understood examples of the differences).
Person 2: So, you think you can secure any program and OS to never be
Person 1: When did I say that? I use some software (lists software) that
has never had any issues. Maybe some will be found one day in those, but
the program I spoke of doesn't have functions that would ever be potentially
Person 2: I'm the best in the world, if you don't agree with me, you're a
big baby! (insert accusations that Person 1 claimed to solve all the
problems for daring to say that some programs are actually more or less
secure compared to each other).
> Instead I have tried to make suggestions on an attitude to
> approach these matters with, so options are not limited and forward
> thinking is embraced.
You have not. You ran over the same rehashed, non solution as any other
person that has no skills in this field would blurt out. But, good thing
you claimed there's stats about how the OS you like less than the one you
like personally, is the least secure--even though you obviously meant when
in the hands of an unskilled person (which is a problem with any OS (or
kernel)), and even though you never did show those stats. Hmmmmmmmmmmm.
> It concerns me to think that young and creative
> minds here would get advice that, in essence, says, "This is the only
> way to do it, any other way and you are wrong"
That would concern me too, sort of like how it concerns me that someone
wants to throw firewalls, IDS and anti-virus on a problem, instead of simply
running more secure software that aren't vulnerable to viruses, need to be
publicly accessible, etc... again, not that these don't have a purpose, but
a pathetic way to try and defend or justify a poor choice of software to run
in the first place. Are you keeping up?
> I do not recommend that any security or IT people take the attitude that
> they have it all figured out.
Nor do I... and, in fact, I'd have to question the qualifications of someone
that won't listen to everyone else, not to mention if they assume that
someone saying that a program has no history of security issues is better
than a program that has major ones all the time, somehow equates to that
person thinking that they have it "all figured out", simply because it
opposes their own views on how it's actually logical to run the less secure
program. I'll give you time to evolve and figure out what I just said.
> I recommend that they keep their options
> open, consider the possibilities, be proactive, and provide solutions
> that allow a business to function in today's interactive world in a way
> the *business* wants.
I agree... and yes, if that means that the company wants to run insecure
programs and services, that yes, you actually do what you even said, and you
can throw anti-virus software to try and prevent that poor choice of an
email program from being infected, for example. Apparently the fact that
someone that knows better than to have to resort to that, and uses software
without any vulnerability history is somehow not open minded enough? Did I
ever say that you shouldn't be prepared or able to deal with whatever
software and services a company wants to run that you have no choice in the
matter? No, in fact I said in another post that this is why people should
be able to secure other less secure platforms, since it keeps you in a job
for one thing, and that you can do everything you can to secure it, with
what you have, for another thing. However, this discussion was about
software being insecure or not. We are *all* quite aware that management
decisions may prevent them from running the best software, but that wasn't
what this discussion was about.
> I always thought the correct work ethic was to
> provide the service to the customer, not force the customer to do it "my
> way or the highway"
And who ever said it wasn't? Stop trying to make excuses, seriously... this
is foolish. This discussion was about software, what ones are more
insecure than the other. We never had this topic discussing the policies of
how to deal with management or client choices. You can try and make excuses
to justify your view, but what it came down to (and what really happened),
was that you had poor ideas of how to deal with a problem, rather than
solving it, you masked it and the problem remained. This is a flaw in logic
and you refuse to budge on your view. So be it, though you should try and
not make a fool out of yourself and act like anyone that says there's a
better alternative is somehow trying to force clients to use their favorite
software, or as if they are victimizing anyone.
> They are, after all, paying me to provide what they
> ask for and need. I hope my creativity does not become so stagnant that
> I ever have to say, "There is only way to do any of this"
No one ever said this, this is the impression you alone have.
> And to help you out Mr. Greer. "Duh! That is obvious!" Yes it is, isn't
Yes, hence "Duh".... and I believe you are the cap who requires the
assistance in getting a clue. Refer to my long-winded response now... are
you keeping up?
> Bears being said anyway, particularly for the those in an early
> learning curve. Too bad that approach seems to be outside your thinking
Okay, and I said "Duh (obviously)" to something and you now claim that this
concept is somehow beyond my reach because I said it was so, when you did
too? You're not very good at this 'debate' thing, are you? So, one of the
few things I agree with you about, you try and accuse me of not grasping the
item that you agreed on? Wow, that's super smart. You're very cool, don't
let anyone tell you otherwise.
> As for the poster who asked for things to be cited regarding the
> compromise and flaw rankings, it has been in the media, in trade
> reports, on web sites, in security newsletters.
So, you can provide a link to these stats then,.... riiiiiight???? What's
preventing you from showing us? Come on then... and again, I'm not talking
about lack of skills being the cause, but the software, kernel, OS, etc. you
claim is statistically inferior. We're waiting....
> I read these things, I
> research and keep current.
Too bad you don't listen for that to matter.
> Google it yourself, don't ask me to do all
> the work for you.
Hey, that's a great way to actually avoid the issue and back up what you
yourself claimed. Nicely played... I don't think I'll buy it though.
Besides, if I had you do my work for me, I'd be in another line of work or
> Please don't take the old and tired approach that if
> it is negative about MS, IBM or whoever it is completely true, but if it
> is negative about Linux, its Linux bashing and lies. Linux deserves
> better than that.
Don't worry, I won't and didn't and don't plan to... that's your job, just
the opposing extreme. I never claimed Linux didn't have problems. I did
state that you can better secure it and exampled why. Apparently that's
arguable anyway, for you, even though you have the source code to do
anything you want. Hey, if you don't have the skills, and you obviously do
not or you'd immediately know the advantages to that, then don't assume that
it's not relevant or not a valid point. The simple fact you argued it, is
what the problem is, partly anyway.
> That attitude didn't work for MS or IBM, it isn't
> going to work for Linux either.
No, it's not, and I wish you'd realize that and stop.
> Also, if anyone is going to try to make swipes on semantics or someone's
> interpretation of statements, don't turn around and do it yourself in
> the same sentence. That gives such an air of desperation and closed
Then stop it.
> Perhaps wrongly, I assumed the security basics list was all encompassing
> where it relates to security basics.
It is, but how is you talking about off topic aspects in an "Insecure
programs list" changing that fact?
> I did not view it as belonging to a
> select few based on their personal view of what constitutes a computer
> expert and what they view as the only correct options.
How friggin' ironic are you? Are you a comedian? Now because you can't
deal with other people's opposing views, you want to whine about how those
people think the list somehow belongs to them? Is that what you feel when
you argue here? Hmm? Is that your view and motivating process to be acting
so ridiculously arrogant? Stop whining already! As for what qualifies as a
computer expert, I'd imagine that would be actually knowing what you are
doing. If those type offend you, then I feel pity for the list you feel
comfortable posting to.
> I don't know,
> seems to me the world is just a little more diverse than that.
You'd think, but not for lack of your efforts. No, I'm not going to bow to
you, so don't wait on it.
> Best Regards,
> Dan Bartley
Indeed. Yew havf yerd'seldf a goewd d'ay dar' Dayn.
--
Regards,
Tim Greer firstname.lastname@example.org
Server administration, security, programming, consulting.

-----Original Message-----
From: Tim Greer [mailto:email@example.com]
Sent: Friday, July 04, 2003 14:32
To: Dan Bartley; firstname.lastname@example.org
Subject: Re: Ten least secure programs

----- Original Message -----
From: "Dan Bartley" <email@example.com>
To: <firstname.lastname@example.org>
Sent: Thursday, July 03, 2003 6:25 PM
Subject: RE: Ten least secure programs

> Your comments appeared to have a clear slant to them. They also were
> contrary to the statistics.
No, only someone that's hard up to bash Linux users would assume this.
Nothing was contrary to what _you_ claim. This is getting nowhere.