
debian-user-digest Digest V2007 #2037

From: <debian-user-digest-request(at)lists.debian.org>
Date: Fri Jul 27 2007 - 06:10:20 EDT


Content-Type: text/plain

debian-user-digest Digest Volume 2007 : Issue 2037

Today's Topics:

  Re: why do iceweasel et al have more  [ Erik Persson  ]
  Re: Boinc Clients Niceness            [ David Baron  ]
  Re: why do iceweasel et al have more  [ Ron Johnson  ]

Date: Fri, 27 Jul 2007 06:05:54 +0200
From: Erik Persson <erik-maillist@djingis.se>
To: Ron Johnson <ron.l.johnson@cox.net>
Cc: debian-user@lists.debian.org
Subject: Re: why do iceweasel et al have more frequent security issues?

Message-ID: <46A96F22.4080502@djingis.se>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Ron Johnson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/26/07 15:52, Erik Persson wrote:

>> Douglas Allan Tutty wrote:
>>> It seems that the mozilla-derived browsers have security issues
>>> requiring updates far more frequently than other browsers like Konqueror
>>> or links2.
>>>
>>> I'm curious as to why this is.  Does anyone have any ideas? 
>>> I'm on dialup and switched to Konq for this very reason but sometimes I
>>> have a website that doesn't work and its handy to see if iceweasel will
>>> view it.  (so far the only one is the adobe flashplayer test page).
>>>
>>> Doug.
>> As you can see from the other answers, nobody has a clue if the
>> mozilla-based browsers are less secure than the konq or not. I haven't
>> inspected the code either, so I don't have any more facts than anyone
>> else. I do NOT agree with the other answers however.
>>
>> If there are fewer security alerts with Konq the only reasonable
>> conclusion, if you don't have strong facts pointing the other way, is
>> that Konq is more secure, and that this is partly because of better
>> code. The larger userbase of Firefox is very likely to generate a larger
>> number of discovered security issues, but as far as I know, no one can
>> tell you how many more bugs are generated per user or per extra
>> programmer, and probably no one can tell you the how user base and
>> security issue rate correlate more precisely. From this, the most
>> reasonable conclusion is that Konq is more secure.
>> Anyhow, the basic fact that there is fewer security alerts in Konq makes
>> this a more secure browser, whether this maybe is because only of a
>> smaller user base or not.

>
> That's just not logical.
>
> For example, just because people didn't know about germs in 1825
> didn't mean that they didn't exist.

That's just the point. You can't be sure about firefox being less secure - there could be reasons that explain the assumed difference in reported security issues and yet firefox being more secure. However, if we don't know, we can't say. We can only say what we know, and what this is likely to represent.
Exactly as it would have been very unwise to argue for the existence of germs in 1825 without having some evidence of their existence.

As I said, we must have some strong evidence to argue that the assumed larger rate of reported security issues in firefox is not because of more security flaws.


If there are fewer reported security issues in konq, the most likely explanation is that there are fewer found security issues in konq. If there are fewer found security issues in konq, one likely explanation is that there are fewer security issues in konq. There are however more people using firefox and there are more developers(?) developing firefox, but since we have no clue as to how this equates to the above, we really can't say much about it other than that it will probably decrease the difference to some extent (maybe all the way, maybe to the degree that konq is less secure - but we don't know). As long as nobody is interested in exploiting the konq bugs and everyone wants to exploit the firefox bugs, I will be more secure using konq even if there are more flaws in konq. Security when using a browser has to do with the risk of being attacked, not the number of presumed security flaws in the code (even if this is one factor that influences the risk of being attacked). Is there any reason to believe that people are more interested in finding security problems in firefox? Yes there is - more bugs are found in firefox according to the OP. What I'm saying here is that the larger user base probably will lead to more security issues being found and corrected in firefox, but it will also lead to firefox being more of a target, and this will to some extent reduce the advantage of having more eyes on the code.

This sounds as if I advocate for security by obscurity, which is not the case. In the long run, the code with the larger number of eyes on it will be more secure and the better choice from a security standpoint. In a situation in which one product seems to have more reported security flaws than the other, but more users and developers looking at the code, the situation is not as easy.

> - --
> Ron Johnson, Jr.
> Jefferson LA USA

/Erik Persson.

Date: Thu, 26 Jul 2007 21:35:30 -0700
From: Andrew Sackville-West <andrew@farwestbilliards.com>
To: debian-user@lists.debian.org
Subject: Re: why do iceweasel et al have more frequent security issues?
Message-ID: <20070727043529.GL31753@localhost.localdomain>
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="3xQkynibq3FKlJyM"
Content-Disposition: inline


Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Jul 27, 2007 at 04:49:41AM +0200, Erik Persson wrote:

> Andrew Sackville-West wrote:

>> On Thu, Jul 26, 2007 at 10:52:07PM +0200, Erik Persson wrote:
>>> Anyhow, the basic fact that there is fewer security alerts in Konq makes
>>> this a more secure browser, whether this maybe is because only of a
>>> smaller user base or not.
>> I'm sorry, and i hate to argue with people, but this last statement
>> just doesn't fly with me. security alerts are the result of someone
>> finding a security problem and reporting it. The fact that fewer
>> security alerts exist does _NOT_ mean that konq is more secure. It
>> only means it has fewer reported security problems. Now it _could_ be
>> that this is because there actually _are_ fewer security problems, but
>> it could _also_ be because no one has _found_ or reported
>> problems. There's an important distinction there.
>

> The assumption is of course that there is no significant difference in the
> ratio of reported security issues to discovered security issues, and I
> can't see any reason those should differ.

I can't see any reason why they _should_ differ either, but it is entirely possible that they do and that's the point.

It boils down to this argument you stated:

"Anyhow, the basic fact that there is fewer security alerts in Konq make this a more secure browser...."

and that's ridiculous. It doesn't make it a more secure browser. It makes it a browser with fewer reported security alerts. period. There _may_ be other issues involved and it in fact _may_ be a more secure browser, but that is not necessarily because it has fewer alerts.

The relationship between reported bugs in one piece of software versus another is directly related to how many of those bugs have been found, not how many bugs there are. True, there is a relationship between the number found and the number that exist, but that doesn't mean that because one has fewer reported bugs that it has fewer bugs. That is, the number found will always be equal to or less than the number that actually exist. But that is all you can know about the number of bugs in a piece of software -- it has exactly or more than the number reported. One piece of software could have 1000 bugs with one reported while another piece could have 100 bugs with 99 reported. According to your statement, the software with the 1 reported bug has fewer bugs than the one with 99 reported but that's not necessarily true.

You can only know one thing about the number of bugs in a piece of software and that is the number of _reported_ bugs.

>
> Anyhow, it is more likely that a browser with more reported security issues
> have more discovered security issues. And it is also more likely that a
> browser with more discovered security issues have more security issues.
> Both, of course, under the assumption that there is no information that
> changes this.

yes yes yes... _likely_ sure... given a reasonable assumption that the number of users, testers and coders involved are sufficient to effectively test the software, then yes, the one with more reported issues _may_ be less secure. But that's not what you said. You said the fact that Konq had fewer reported problems makes it more secure. You didn't say likely, or reasonable assumed to be... important distinction.

>
>> WARNING! CAR ANALOGY!
>> if we have two cars parked side-by-side and mine is stolen (I'll
>> take the fall for this analogy ;) and yours is not, does that mean
>> that your car is more secure? no. it means someone looked for a way
>> into my car and exploited it. maybe they never even looked at your
>

> It also mean that it is more likely that your car is less secure.

...

> If you have 10 cars of type A and 5 of type B and 2 A cars, and one B car
> was stolen, you should guess, if no more information was available, that
> the cars were about equally secure. No, if you have 10 A cars, and 5 B
> cars, and 1 A car was stolen and 4 B cars, you should guess that the B cars
> were less secure.

no. you _could_ guess that. But it is equally valid to guess that car B's, being rarer cars are more desirable and therefore more likely to be stolen.

> Now, if you have x A cars and y B cars and you don't know x and y, but you
> know that more A cars are stolen, it is more likely that the A cars are
> less secure, since there is no reason to believe that x
> is larger than y, than believing the opposite.

no, again, you could believe that, but it's equally valid to believe that A cars get a high price in the chop-shop market. There is possibly some correlation, but not necessarily a causal relationship between security and the numbers stolen. There are other factors involved, just as in software there are other factors: programming language, skill of the coders, number of testers, fundamental security of the design, security of the linked libraries etc etc etc.

but cars are a bad analogy, hence my BIG WARNING.

>
>> END CAR ANALOGY!
>> a more pertinent fake example.
>> programmer X finds a security hole in konq that when visiting a
>> carefully crafted website, allows remote execution of code, privilege
>> escalation and ultimately results in a box getting
>> rooted. okay. that's obviously a security problem. but programmer X
>> doesn't report this problem and no security alert is issued. programmer Y
>> finds a security hole in mozilla that allows an already
>> installed plugin at a certain version to escalate its own privileges and
>> as a result
>> download and save a piece of code to disk with the name
>> "execute_me". Now if the user happens to see that file and thinks,
>> hmmm... I wonder what that is and executes it (after chmod +x) it does
>> a rm -rf on their home. programmer y reports this security hole and a
>> security alert is made detailing the problem. now, clearly, the konq
>> vulnerability is *much* more of a security risk
>> than the mozilla error, right? the mozilla one requires the plugin be
>> already installed and the right version and then requires the user to
>> actually chmod and execute the thing. the konq one just requires the
>> user to visit a carefully crafted website.
>

> If this would be the case in the mozilla vs konq situation, you have to
> explain to me why:
> 1) konq security issues should be reported at a lower ratio

because the person who found the bug likes knowing the bug and wants to be able to utilise it to compromise machines, and thus keeps it under his black hat...

> 2) why security issues in konq are more severe


it was an example showing how your premise that more reported bugs means less secure. I was showing that the number of reported bugs is not necessarily related to the security.

> eg. why there should be reason to believe that there is a statistically
> significant bias between the browsers in factors such as reporting security
> issues and severity of security issues.

because the whole conversation was predicated on the possibility that one browser has significantly larger mind/eye-share and therefore has greater opportunity to have problems discovered and reported. Sure there are some folks looking at fire&iceweaselfox and hiding the vulnerabilities they discover, but as the crowd of users/testers/coders grows, they become statistically less significant than they would be for a program with lower numbers of users/tester/coders.

>
> I can see no reason to believe one or the other. I just look at the facts -
> there are less security issues reported for konq. The only reasonable
> conclusion is that konq is more secure.

no. that is _a_ reasonable conclusion, but by no means the only one.

>
>> but based on what you've written above, because the mozilla one was
>> reported, then mozilla is less secure than konq. that doesn't add
>> up. And in fact, in my fake example above, the lack of security alert
>> makes konq even more of a security problem because 1) the right devs
>> might not know about the problem to issue a patch and 2) the public
>> doesn't know about the problem to avoid it until a patch comes along.
>

> As I stated above, you have to explain how this constructed example could
> have any impact at all on the real mozilla vs konq case.

I don't have to explain it because it doesn't. it was an example used to illustrate how your assertion was false. But in fact, I believe that in fact this sort of thing goes on all the time. An unreported security vulnerability is _much_ more dangerous than a reported one. A reported one gets fixed. An unreported one gets exploited.

>
> Do you really mean that there is some sort of bias in how security issues
> are reported and that this is to the advantage of firefox?
>

nope. I never said that. I merely pointed out that the assumption that fewer reported security flaws means better security is not valid.


> As I said, if it is a fact that there is fewer security alerts in konq, the
> only reasonable conclusion is that konq has less security issues.

nope. konq has fewer security alerts == fewer reported security problems !== fewer actual problems.

> All other
> conclusions rely on some sort of asymmetry between the browsers, for
> example when it comes to the severity of the reported security issues, the
> presumed not found or not reported security issues, in the ratio of
> reported found security issues etc.

But these are all valid possibilities, not certainties. You have stated that this:

fewer security alerts == fewer security problems

is a certainty. Or at least near enough so as not to be significant.

But it's not a certainty. It may, in the final analysis be true, but until _all_ the security problems from both programs have been found and counted, then it is not a certainty. It is unknowable.

> If you don't have any facts supporting such kind of asymmetry, you can't
> argue that there exist such asymmetry, and especially you can't argue that
> such asymmetry is to the advantage of Firefox (it could just as likely be
> to the advantage of konq - if it existed).

I never argued that there _was_ such an asymmetry. I provided an example of how such an asymmetry would make your assertion false.

Note that I have no bias regarding konq and iceweasel.

Also, I'm more than willing to embrace a counter example. OpenBSD has had two remote holes in the base install in more than 10 years. And I'm willing to wager that it is in fact probably the most secure OS out there for common folk to use. But that is a special case because we _know_ that it was built up piece by piece for one purpose -- to be secure. Security has motivated every decision made about OpenBSD so we have additional data on which to make the assumption that its number of reported vulnerabilities is a good indicator of its security overall. But just pulling two pieces of software out of the air and comparing their security based on the number of reported vulnerabilities doesn't work. Not without some additional information to support those assumptions.

A


Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqXYRaIeIEqwil4YRAp36AJsE7FjxQkok/xnDiYBxAF5E2UxfmwCfZgNv
Xz2aJdZkWyye6zaSfMWQgF8=
=LkfI
-----END PGP SIGNATURE-----

Date: Fri, 27 Jul 2007 02:02:36 -0400
From: Kevin Mark <kevin.mark@verizon.net>
To: debian-user@lists.debian.org
Subject: Re: how to ssh to a linux box from an internet cafe

Message-ID: <20070727060236.GD2722@localhost>
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Wed, Jul 25, 2007 at 05:14:22PM +0300, Nick Demou wrote:
> I'll soon be on vacations without my PC. I believe that internet
> access from an internet cafe will be my best option. If things go for
> the worse how can I ssh to my debian server?
> I suppose that a PC in most internet cafes will be willing to download
> and run putty.exe but am I right? If not is there any other option?
Just to mention the obvious, most access is through client-server programs like ssh. So, before you leave, you need to install the ssh server on your home machine, then test it with the ssh client program on localhost first and if you have a chance, from a remote host. If not a client-server program, then maybe a web-based control panel, although then you have to install apache and make sure that works remotely then. -K

-- 
|  .''`.  == Debian GNU/Linux == |       my web site:           |
| : :' :      The  Universal     |mysite.verizon.net/kevin.mark/|
| `. `'      Operating System    | go to counter.li.org and     |
|   `-    http://www.debian.org/ |    be counted! #238656       |
|  my keyserver: subkeys.pgp.net |     my NPO: cfsg.org         |
|join the new debian-community.org to help Debian! |
|_______ Unless I ask to be CCd, assume I am subscribed _______|
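Kevin's advice is to get the ssh server installed and tested before leaving. Since the logins will then come from machines the poster does not control, the one extra check worth doing before the trip is to look at what the server will accept. The script below is an added example for this thread, not code from the list or from the OpenSSH project: it reads the global section of an sshd_config and flags a handful of settings. The option names (PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords, MaxAuthTries) are real sshd_config(5) keywords; the policy table, the sample config and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Before opening sshd to logins from
# machines you do not control, check the global section of sshd_config for
# a few settings. Keyword names are real sshd_config(5) options; the policy
# table and the sample config are constructed for this example.

# Print the effective global value of KEY ($2) in FILE ($1). sshd honours
# the first uncommented occurrence, keywords are case-insensitive, and
# everything after a Match line is conditional, so the scan stops there.
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        tolower($1) == "match"               { exit }   # conditional section
        tolower($1) == tolower(key)          { print $2; exit }
    ' "$1"
}

# Compare FILE against the policy table. Prints one FLAG line per finding
# and returns the number of findings (0 means nothing to fix).
sshd_audit() {
    file=$1
    findings=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(sshd_effective "$file" "$key")
        if [ -z "$got" ]; then
            echo "FLAG: $key not set explicitly (sshd default applies), want '$want'"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "FLAG: $key is '$got', want '$want'"
            findings=$((findings + 1))
        fi
    done <<POLICY
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
POLICY
    return $findings
}

# Stand-alone demo: audit a constructed config written to a temp file.
# Returns the finding count so the caller can branch on it.
demo_sshd_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'CONF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
MaxAuthTries 3
Match User backup
    PasswordAuthentication no
CONF
    rc=0
    sshd_audit "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}

demo_sshd_audit || echo "$? setting(s) to change before leaving"
```

The policy assumes key-based logins were set up and tested before the trip, which is why password authentication is in the table at all; for a real host, run `sshd_audit /etc/ssh/sshd_config` and treat "not set explicitly" as a prompt to look the default up for the installed OpenSSH version rather than as an error.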

Date: Fri, 27 Jul 2007 09:03:11 +0300
From: David Baron <d_baron@012.net.il>
To: debian-user@lists.debian.org
Subject: Re: Boinc Clients Niceness
Message-id: <200707270903.11522.d_baron@012.net.il>
Content-type: text/plain; charset=iso-8859-15
Content-transfer-encoding: quoted-printable
Content-disposition: inline

On Friday 27 July 2007, debian-user-digest-request@lists.debian.org wrote:
> Here's setiathome nice and prio :
> gilles@guitare:/donnees/programmes/BOINC$ ps -o pid,cmd,nice,pri -p 5219
>     PID CMD                         NI PRI
>    5219 setiathome-5.12.i686-pc-lin  19   5
>
> So :
> 1) Prio does not mean what I thought ;-)
> 2) Nice value for the process which handle the computation are at the
> maximum value.'
Problem is that it does not stay that way. Changes with new "work unit" and I even saw this kick down to nice 0 within the same work unit. At least the "optimized" version I use 5.17. (5.12 fails strangely on my system so may not have run long enough to show this problem.)
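The nice value slipping back toward 0, as David describes, is easy to check for from a shell rather than by eyeballing ps. The script below is an added example for this thread, not code from the list or from BOINC: it parses ps output in the same column order as the quoted command (pid,cmd,nice,pri), lists every process whose nice value is below a floor, and optionally puts them back with renice(1). The sample ps lines are constructed, the process-name pattern in the live helper is an assumption, and the function names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Finds BOINC work processes whose nice
# value has dropped below a floor, using the same column order as the
# quoted command: ps -o pid,cmd,nice,pri. The sample output is constructed.

# Constructed sample in the format of `ps -o pid,cmd,nice,pri`. NI and PRI
# are the last two columns, so a CMD containing spaces still parses.
boinc_sample() {
    cat <<'SAMPLE'
  PID CMD                          NI PRI
 5219 setiathome-5.12.i686-pc-lin  19   5
 5301 setiathome-5.17.i686-pc-lin   0  19
 5100 boinc_client                  0  19
 5302 einstein_S5R3 --device 0     10  14
SAMPLE
}

# Read ps-style lines on stdin; print "PID NI CMD" for every process whose
# nice value is below FLOOR (default 19, the maximum niceness on Linux).
low_nice_procs() {
    nice_floor=${1:-19}
    awk -v lim="$nice_floor" '
        $1 !~ /^[0-9]+$/ || NF < 4 { next }       # header or malformed line
        {
            ni = $(NF - 1) + 0                    # NI is second-to-last
            if (ni < lim) {
                cmd = $2
                for (i = 3; i <= NF - 2; i++) cmd = cmd " " $i
                printf "%s %d %s\n", $1, ni, cmd
            }
        }'
}

# Live check on this host. The name pattern is an assumption for the
# example; adjust it to the science apps your BOINC client actually runs.
# The [b] trick keeps grep from matching its own command line.
boinc_low_nice_live() {
    ps -eo pid,cmd,nice,pri | grep -E '[b]oinc|[s]etiathome' | low_nice_procs "$@"
}

# Put every offender back at the floor. Raising a nice value of your own
# process needs no privilege; only lowering one does.
boinc_renice_live() {
    nice_floor=${1:-19}
    boinc_low_nice_live "$nice_floor" | while read -r pid ni cmd; do
        renice -n "$nice_floor" -p "$pid"
    done
}

# Stand-alone demo on the constructed sample.
boinc_sample | low_nice_procs 19
```

Run `boinc_low_nice_live` from cron at whatever interval suits to see how often the work units actually drop their niceness, and `boinc_renice_live` as the user that owns the BOINC processes if you want them pushed back automatically.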

Date: Fri, 27 Jul 2007 01:27:42 -0500
From: Ron Johnson <ron.l.johnson@cox.net>
To: debian-user@lists.debian.org
Subject: Re: why do iceweasel et al have more frequent security issues?
Message-ID: <46A9905E.5000503@cox.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/26/07 23:05, Erik Persson wrote:
[snip]
> As long as nobody is interested in exploiting the konq bugs and everyone
> wants to exploit the firefox bugs, I will be more secure using konq even
> if there are more flaws in konq. Security when using a browser has to do

There are some flaws (XSS pops instantly to mind) that both FF & IE suffer from, but for different reasons. If konq also suffers from these kinds of flaws, then you *are* just as vulnerable.

- --
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqZBeS9HxQb37XmcRAqB1AKC/InVBncl986dYkp7HZ+JtY5XbfQCeIUW1
owBO9cl1Xlv1I4oSX552tKw=
=gWKL
-----END PGP SIGNATURE-----

End of debian-user-digest Digest V2007 Issue #2037
**************************************************

Received on Fri Jul 27 06:07:59 2007

This archive was generated by hypermail 2.1.8 : Thu Aug 09 2007 - 19:05:31 EDT

