Browsers and Security, the Case of Not Bothering

Wed Jul 02 14:58:00 -0700 2008

A research paper from a collaboration of IBM, Google and the Computer Engineering and Networks Laboratory has come to the conclusion that there are over half a billion surfers on the internet who are still running older and unpatched versions of their browsers. The researchers aren't sure of the status of all the various really exotic unpatched and older plugins, though; that data is still hard to come by, although the normal major plugins are covered.

Attacks against Web browsers depend upon malicious content being rendered by the appropriate built-in interpreter (e.g., HTML, JavaScript, CSS, etc.) or vulnerable plug-in technology (e.g., Flash, QuickTime, Java, etc.) [1, 2]. Vulnerabilities lying within these rendering technologies are then exposed to any exploit techniques or malicious code developed by the attacker. Vulnerability trend reports have indicated that remotely exploitable vulnerabilities have been increasing since the year 2000 and reached 89.4% of vulnerabilities reported in 2007 [3]. A growing percentage of these remotely exploitable vulnerabilities are associated with Web browsers.

ed.z.: And why don't folks at least upgrade their browsers? That's one I can't understand; even on slow dialup it isn't that bad for just a browser upgrade once in a while...anyway, that's another reason why I think the market should take a look at internet appliances again. I know they failed in the past, but stuff is cheap now and it should be possible to build and sell simple machines that come locked down much harder than normal general purpose computers. Because people -- a lot of them, not all, but a lot -- just really want an appliance, a machine that does a few things very well and is a no-brainer to use and keep secure because you, the basic customer/user, and also Mr. Remote Badguy cannot physically change anything important on them. And I'll leave it to y'all smart guys to figure out how to do the no-root-but-still-works machine; I'm busy out schmoozing with clients! ;)

because red hat is evil and sucks

Wed Jul 02 19:15:59 -0700 2008

Red Hat shouldn't exist. It should really be lots of teams of 10 or 20, each serving up binaries to a customer base of 10-20K folks.

Package systems, as they exist today, shouldn't exist. Red Hat's recently "free" satellite system should be the norm but, with one instance per 10-20K folks.

Greed and paranoia about a "need" to beat back the free software movement brought us here. Otherwise, we'd own the desktop by now -- a lot of coops with some R&D on the side serving those 10-20K units of customers -- and vulnerability would be a lot less.

-t

because red hat is evil and sucks
Wed Jul 02 21:50:47 -0700 2008

What?

It should really be lots of teams of 10 or 20, each serving up binaries to a customer base of 10-20K folks.

Great for my home systems, but for work why would I trust the teams to provide consistent, reliable binaries?  What assurances do I have that the team will be there a year from now?  Are all the teams on the same upgrade path?  Do they provide the same duration of support?

Red Hat's recently "free" satellite system should be the norm but, with one instance per 10-20K folks.

Why do you have "free" in quotes?  I detect a note of derision.

Greed and paranoia about a "need" to beat back the free software movement brought us here. Otherwise, we'd own the desktop by now -- a lot of coops with some R&D on the side serving those 10-20K units of customers -- and vulnerability would be a lot less.

Bull.  The desktop is all about the apps, and there are a lot of apps that Linux does not have.  There is no need to beat back the free software movement.  It provides great leverage for commercial developers.

There are too many markets where the people who want the software don't have the skills to write it, so are happy to pay for it.  On the other hand, they don't want their competitors to have the same advantage the new software gets them for free (or at all).

I know several large companies that paid for Red Hat and chose them over Fedora and community-supported distros for very specific reasons.

1. Stability.  Once a version of RHEL is released they support it for years.  They have extensive testing of updates and patches and are very responsive to customer issues.  RHEL is still providing updates and support for RHEL 3, released in 10/2003.  When did Debian stop supporting Woody? (07/2002 - 6/2006)  How about Sarge? (6/2005 - 3/2008)

2. Longevity.  There is little fear that RH will be gone next year, whereas with a coop it can be dicey in the minds of business.

Red Hat and their ilk have their place in the scheme of things.  Feel free to create a distro and try and make a go at medium scale (10-20K units) support?

Speaking of which...Bruce, what finally happened to UserLinux?

because red hat is evil and sucks
Wed Jul 02 22:42:24 -0700 2008

Now, settle down and hear me out please. Yeah, it was a provocative phrasing but, really, I'm right. Let's go through this.

It should really be lots of teams of 10 or 20, each serving up binaries to a customer base of 10-20K folks.

Great for my home systems, but for work why would I trust the teams to provide consistent, reliable binaries? What assurances do I have that the team will be there a year from now? Are all the teams on the same upgrade path? Do they provide the same duration of support?

All of the various teams are specifically not on the same upgrade path and that is a big win for enterprises as well as home-user customers because it represents a substantial reduction in global vulnerability.

This is just fine for your enterprise customers. Your assurances of sustained support come, quite properly, from a competitive market. It's like HVAC. Yeah, sure, you've got your favored supplier and it'll be a bitch to do without them if need be but you can. There's no substitute available to enterprises for RHAT which kind of exposes the lie of their model. A decentralized distro with a thousand forks would be far more robust. No, I don't mean the Debian model.

Red Hat's recently "free" satellite system should be the norm but, with one instance per 10-20K folks.

Why do you have "free" in quotes? I detect a note of derision.

Because it's mighty white of them to, faced with no choice, free up a tiny bit of the proprietary software they've built themselves out of. People think of them as a free software business and that's BS. They are a proprietary software company that exploits free software labor.

Greed and paranoia about a "need" to beat back the free software movement brought us here. Otherwise, we'd own the desktop by now -- a lot of coops with some R&D on the side serving those 10-20K units of customers -- and vulnerability would be a lot less.

Bull. The desktop is all about the apps, and there are a lot of apps that Linux does not have. There is no need to beat back the free software movement. It provides great leverage for commercial developers.

Cygnus and then RHAT and Novell killed a desktop strategy that would by now have won. They did it because they curried favor with investors by marginalizing the GNU project. Whence the EGCS fork and GCC takeover. Whence the early death of the real GNU Guile project. Sleazebots reigned in those days, I know first hand. Bruce may have had other intent but OSI happened precisely to marginalize FSF and, as a side effect, they derailed a technical strategy that would have won by now.

Speaking of which...Bruce, what finally happened to UserLinux?

Bruce doesn't get systems engineering well and doesn't seem to understand how he got played in the OSI game. UserLinux was technically naive (the essential engineering problems are deeper than that). I'm still working on gently getting him up to speed.

-t

because red hat is evil and sucks
Thu Jul 03 14:24:29 -0700 2008

A decentralized distro with a thousand forks would be far more robust.

But stability, not security, is their #1 interest.  Hell, to many of them it isn't a concern at all.  My first -- and last -- management call I participated in on my last gig was about our company providing SSH as opposed to a telnet connection to file servers where phone records were stored.

Even though I had proposed using OpenSSH, and the customer preferred that, our management didn't want to take the hassle of sending a new package to development in India and have them integrate it.  It would then have to go thru QC-1, QC-2, live lab testing (my team) and field integration (my team again).

The first words out of the manager's mouth running the call were "Are we contractually obligated to provide a secure solution, or does it just have to work?"  It went down hill from there.

If, maybe, you could convince the kernel team to produce and stick to a stable ABI, then maybe.  Let me know when hell freezes over for that one.

Sustained support we can handle, because in the worst case we can take FOSS software in-house to support it.

Because it's mighty white of them to, faced with no choice, free up a tiny bit of the proprietary software they've built themselves out of.

I don't follow RH in much detail, but I doubt they were forced to free this up.  Red Hat has contributed a lot in the way of GPL code, resources and money (sponsored developers) to the cause.

The EGCS fork came about because GCC was dragging their asses on providing code optimization for MMX, SSE and i686.  It was eventually rolled back in, IIRC.

Yes, I agree that many for-profit corporations use the OSI seal of approval to snow their customers and taint the meaning of "open source".

But GNU taking over?  Help me out here, has the GIMP integrated 16+ bit per channel color, yet?  GEGL was proposed in 1999 and here it is 9 years later... What about full CMYK?

By "applications" I mean Photoshop, Premiere, Rosetta Stone, Dragon NaturallySpeaking, Lightwave, Final Cut Pro and all those others where there is no acceptable free equivalent.

I can show people FOSS applications on Linux that run with the big dogs in DTP (Scribus), audio editing (Ardour), and others.  Others, though quality (Xara Xtreme), have floundered as FOSS.

I fail to see how FOSS will take over, except as the base and commodity.  Commercial software will ALWAYS be needed as some niches are too small and too specialized for reasonable FOSS development times.

And where you say "exploit" I say "leverage".  One thing Steve Ballmer and I agree on -- FOSS can be a cancer.  We'll eat 'em from the inside and eventually win.

because red hat is evil and sucks
Thu Jul 03 16:09:20 -0700 2008

My first -- and last -- management call I participated in

By "and last" you mean you walked? Good for you. And contact the customers and let them know what's what. Technocracy is fourth column.

It's critically important there that you've observed customers with a rational demand and suppliers reluctant to even try to supply it because their production pipeline is horked. "Crisis/opportunity".

I don't follow RH in much detail, but I doubt they were forced to free this up. Red Hat has contributed a lot in the way of GPL code, resources and money (sponsored developers) to the cause.

They are being proactive. They're acting in anticipation of an upcoming force (people building gratis substitutes). The press release said as much. Yeah, it's a force other than by a small increment of timing -- they're trying to keep initiative and quash more hostile substitutes.

The EGCS fork came about because GCC was dragging their asses on providing code optimization for MMX, SSE and i686. It was eventually rolled back in, IIRC.

That's not what it looked like from the inside.

Cygnus boasted in its marketing, untruthfully, that the company were primary maintainers of the code and that they helped achieve cost savings for customers by an assurance of getting new stuff into mainline. Kenner was a bitch for upholding coding standards and review and he was not on the market (be aware, per the Revolution OS confession, that some of Tiemann's "due diligence" for Cygnus was to figure out "who we needed to hire" -- oops, he missed, slightly, on "who we will be able to hire"). Kenner was "in the way" on the projected IPO value of Cygnus stock. There was a clean-hands maneuver wherein EGCS started outside of Cygnus but, imo, it started inside of Cygnus and basically as part of an overall program to marginalize the free software movement.

There's some backstory there. Why did the three brothers find VC for Cygnus? In no small measure because when GCC and GDB first came out it did in fact trash some start-ups and challenge others in a big way. It destroyed VC anticipated returns. The free software movement, RMS, and the GNU project were perceived as a threat. Cygnus showed a way to plausibly fight back -- not a spectacularly successful way, as it turned out, but a plausible way at the time. The basic plan amounted to making money at the margins of the engineering process defects of the GNU project and that in turn implied "playing as if nice" with the GNU project up to a point but also striving to marginalize it and RMS' politics of freedom. Cygnus didn't turn huge returns but some. The heavy commercial interest that helped bootstrap OSI comes right out of the same set of sentiments and intentions. (Tiemann's current position at OSI is, in this view, quite fitting.)

But GNU taking over? Help me out here, has the GIMP integrated 16+ bit per channel color, yet? GEGL was proposed in 1999 and here it is 9 years later... What about full CMYK?

Funny example you picked. No, the GNU project ain't looking promising. In my opinion, RMS is absolutely terrible as dictator of GNU. He's not competent to do the job. (Do note that the FSF itself has stepped way back from any serious GNU project. It exists mainly in name and in vestiges like Savannah. She's dead, Jim.)

Gnome is a prime example of RMS' non-competence. He dubbed it GNU as a political demonstration against KDE and without consideration of whether or not the technology and leadership was competent to make a solid tactical play. All due respect to Miguel but throwing eggs into the Gnome basket was dumb.

I fail to see how FOSS will take over, except as the base and commodity. Commercial software will ALWAY be needed as some niches are too small and too specialized for reasonable FOSS development times.

For sufficiently small niches the licensing, frankly, makes no price difference. For larger niches, all we need is a higher level of standard operating procedure among the various projects and the resulting efficiencies can open the doors to fund the missing programs (and at higher quality, too).

-t

because red hat is evil and sucks
Thu Jul 03 16:43:25 -0700 2008

By "and last" you mean you walked? Good for you. And contact the customers and let them know what's what.

Actually I mean "not invited to any internal management calls again", but always invited to customer calls.  I won that fight in the end by refusing to sign off on the software, doing the integration myself and handing it back to the developers on a silver platter.  And telling the customer what was going on behind the scenes.  :-)

I signed a contract and made a commitment to (some) people I respected, so I wasn't going to just walk.  I promised to do my best and I did.  I *did* refuse to renew my contract even when they upped the offer -- my last day was last Wednesday.

* * *

I am unfamiliar with the background machinations surrounding EGCS and Cygnus.

* * *

Meh, Gnome.  Yes, I saw the FSF has backed off of GNU.  GNU has done a lot, but seems to have stagnated as a whole lately.  We'll see if Miguel's projects will help undermine MS or not by making certain applications more portable.

Browsers and Security, the Case of Not Bothering
Thu Jul 03 18:08:45 -0700 2008

> And why don't folks at least upgrade their browsers?

In this case part of the answer is that Microsoft haven't released IE7 for their operating system.

Rather an Apples to Oranges comparison - surely they should only include XP and Vista for IE7 figures.

Microsoft do security fixes for IE6 still, so it is the latest browser if you don't have XP or Vista, but still have a Microsoft OS.

So answer - OS upgrade/replacement is a significant barrier.

I wonder if "free" as in "gratis" operating systems are more up to date in general, i.e. how big the price barrier is as a block on security.

I've even heard of folks scared to run Windows update on their home PC because they think Microsoft will come kick the door in or something if they have an unlicensed copy of Windows - Microsoft may be mean but they aren't the RIAA ;)

Depending on when the study was done, folks using say Debian stable would probably fall under the "not upgraded" category, despite it being trivial to automatically schedule updates for all packaged software, because that software might not be the latest version even if the security patch was retrofitted (not that it counts - but it shows the figures should be interpreted carefully).
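The measurement caveat raised in the last reply, as an added example that is not part of the original thread or of the paper it discusses: a classifier that decides "current or outdated" from the browser version in a User-Agent string alone will file a Debian stable user as outdated, while one that also looks at the distribution's package revision can at least recognise that the build has been receiving stable security updates. The User-Agent strings, the "latest upstream" table and the list of Debian release suffixes are constructed for this example; the assumption is only that Debian stable security updates append a release-specific suffix (such as `etch1`) to the package revision while leaving the upstream version unchanged. Neither classifier proves a build is fully patched; that still needs the package changelog.

```python
"""Version-only vs. distribution-aware classification of browser builds.

Added example; constructed data, not taken from the paper or the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Hypothetical "latest upstream" table, as a naive survey would keep it.
LATEST_UPSTREAM = {"Firefox": "3.0", "Iceweasel": "3.0"}

# Assumption: a Debian stable security update carries a suffix naming the
# release it was built for (etch1, lenny2, later +deb7u1). The upstream
# version does not move when a fix is backported.
SECURITY_SUFFIX = re.compile(r"(?:etch|lenny|squeeze|deb\d+u)\d+$")

# Product/version, optionally followed by the Debian package revision that
# some distro builds append in parentheses (format assumed for the example).
UA_RE = re.compile(r"(Firefox|Iceweasel)/([\d.]+)(?:\s+\(Debian-([^)]+)\))?")


@dataclass
class Build:
    product: str
    upstream: str
    distro_revision: Optional[str] = None


def parse_version(v: str) -> tuple:
    """Numeric tuple so that 2.0.0.14 < 3.0 compares correctly."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_ua(ua: str) -> Optional[Build]:
    m = UA_RE.search(ua)
    if not m:
        return None
    return Build(m.group(1), m.group(2), m.group(3))


def classify_naive(b: Build) -> str:
    """What a version-only survey sees: upstream version vs. latest release."""
    latest = LATEST_UPSTREAM.get(b.product)
    if latest is None:
        return "unknown"
    return "current" if parse_version(b.upstream) >= parse_version(latest) else "outdated"


def classify_distro_aware(b: Build) -> str:
    """Same check, but a stable security suffix on the package revision
    is reported separately instead of being lumped in with 'outdated'."""
    verdict = classify_naive(b)
    if verdict == "outdated" and b.distro_revision and SECURITY_SUFFIX.search(b.distro_revision):
        return "distro-maintained"
    return verdict


def survey(user_agents) -> dict:
    """Tally both classifiers over a list of UA strings; unparsable UAs are skipped."""
    naive, aware = Counter(), Counter()
    for ua in user_agents:
        b = parse_ua(ua)
        if b is None:
            continue
        naive[classify_naive(b)] += 1
        aware[classify_distro_aware(b)] += 1
    return {"naive": dict(naive), "distro_aware": dict(aware)}


# Constructed sample: one current Windows build, one stale Windows build,
# one Debian etch build whose revision shows a stable security update.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20080404 "
    "Iceweasel/2.0.0.14 (Debian-2.0.0.14-0etch1)",
]

if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        b = parse_ua(ua)
        print(f"{b.product}/{b.upstream}: naive={classify_naive(b)}, "
              f"distro-aware={classify_distro_aware(b)}")
    print(survey(SAMPLE_UAS))
```

The point of keeping "distro-maintained" as its own bucket rather than folding it into "current" is that the suffix only tells you the distribution has shipped at least one stable security update for that package; whether the specific fix you care about is in it is a changelog question, so the bucket should be reported, not silently reclassified.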