0424: "Security Holes"

This forum is for the individual discussion thread that goes with each new comic.

Moderators: Moderators General, Prelates, Magistrates

DragonHawk
Posts: 457
Joined: Sat Sep 15, 2007 1:20 am UTC
Location: NH, US, Earth

Re: "Security Holes" discussion

Postby DragonHawk » Fri May 16, 2008 1:29 pm UTC

Sound wrote:I just don't understand the left side strip

Basically, what we see in the left side of the comic is computer source code program statements being commented out (disabled). All of these statements are really, obviously, fundamentally good things, and should never be commented out. Ever.

The first statement (MD_update (...)) appears to be from the OpenSSL code, so I assume it's the particular line that got commented out by the Debian volunteer.

do_not_crash() is obvious, I hope. :)
Sound wrote:and in particular the prevent_911() function call (btw, 9-1-1 or 9/11?)

I'm assuming it's 9/11, as in the 11 Sep 2001 attacks on the US. As in, "this function would have prevented the 9/11 attacks, but it was commented out".
Ben'); DROP TABLE Users;--

GENERATION 42: The first time you see this, copy it into yοur sig on any forum and stick a fork in yοur еyе. Social experiment.

sysctl
Posts: 7
Joined: Sat Jun 02, 2007 8:20 pm UTC

Re: "Security Holes" discussion

Postby sysctl » Fri May 16, 2008 1:30 pm UTC

Aaaand there we go: Debian generated SSH-Keys working exploit. Includes archive of all possible 65536 private keys that could be generated on an affected system. Bruteforces ssh access in about 20 minutes.

phlip
Restorer of Worlds
Posts: 7572
Joined: Sat Sep 23, 2006 3:56 am UTC
Location: Australia

Re: "Security Holes" discussion

Postby phlip » Fri May 16, 2008 1:32 pm UTC

Sound wrote:I just don't understand the left side strip

OK, basic breakdown for any non-programmers around (not saying you necessarily are a non-programmer, but I know plenty of people here are)
First panel: Programmer is considering "commenting out" parts of the code... for the uninitiated, this means basically removing the code from the program.
Second panel: Programmer removes MD_update(&m,buf,j); - what this code does is unimportant, except that it was a line that a maintainer of Debian (a Linux distribution) removed from a couple of places in OpenSSL (an encryption library)... the upshot of which (which was discovered just this week) is that any encryption key created on a Debian machine in the last year and a half could be brute-force cracked in a couple of hours, at the most... and often much faster.
Third and fourth panels: Programmer comments out some other (fictional) pieces of code that are almost as vital, and have nearly as serious implications as the OpenSSL one.
Sound wrote:and in particular the prevent_911() function call (btw, 9-1-1 or 9/11?)

Well, since "prevent_911" is supposed to be a good thing (removing it being a bad thing), I'd say probably 9/11.

KTC wrote:If you had imported and used your (DSA) private key on a vulnerable version, then you're just as affected. In fact, it's worse, as unlike a weak key that was generated on a vulnerable version, there's no way to test whether that key is affected other than the end user's own knowledge of where they have used their key.

And now it's my turn to admit ignorance... where else in the SSL/SSH/whatever chain is the PRNG used, that would make a key generated on a secure system, but then used on a vulnerable system, useless? In my (very basic, surface level) understanding of the ciphers involved, wouldn't the PRNG only be used in the key generation?

enum ಠ_ಠ {°□°╰=1, °Д°╰, ಠ益ಠ╰};
void ┻━┻︵​╰(ಠ_ಠ ⚠) {exit((int)⚠);}
[he/him/his]

hohohojo
Posts: 2
Joined: Mon May 12, 2008 1:22 pm UTC

Re: "Security Holes" discussion

Postby hohohojo » Fri May 16, 2008 1:37 pm UTC

I don't understand the right side of the strip at all.

mattme
Posts: 27
Joined: Sun Jun 10, 2007 3:17 pm UTC
Location: Cambridge, UK

Re: "Security Holes" discussion

Postby mattme » Fri May 16, 2008 1:43 pm UTC

Funny comic :)

My key was in the blacklist. I ssh from my computer into university and student networks, and from my phone (diff key) into my computer and the university.

The above crack tries each of the 65000 common keys. Would this work? Surely they'd need to try passwords on each key.

Simetrical
Posts: 37
Joined: Wed Aug 22, 2007 5:12 pm UTC
Location: New York City

Re: "Security Holes" discussion

Postby Simetrical » Fri May 16, 2008 1:50 pm UTC

This comic is totally fail. The line was commented out using C-style comments, not C++-style! (Which is probably because OpenSSL is written in C.)

Okay, just kidding. Trying to meddle with packages you don't understand is what's fail. Why can't distributors refrain from committing any patches not from upstream that could conceivably be useful upstream? If you're just changing path names to match your distro's layout, fine, but is there any justifiable reason whatsoever for a distribution to maintain bug fixes or feature additions for a project with a non-dead upstream?

This post and the next one, by an OpenSSL developer, are very informative. I find it unbelievable how anyone can defend Debian over this. I hope that Debian will learn from this.
phlip wrote:any encryption key created on a Debian machine in the last year and a half could be brute-force cracked in a couple of hours, at the most... and often much faster.

Not even close to a couple of hours. The only entropy is the process ID, which only goes up to 32k. So for a given architecture and key length, you just have to look it up in a hash table with 32k entries, so <<1 ms to crack a compromised key. It will have to have some more entries to account for more architectures, if you don't know what architecture it was created on, but it's still only a few hundred thousand generated total for all architectures and key lengths. Generating the list took a day or two, I believe, using a bunch of CPU cores.
phlip wrote:And now it's my turn to admit ignorance... where else in the SSL/SSH/whatever chain is the PRNG used, that would make a key generated on a secure system, but then used on a vulnerable system, useless? In my (very basic, surface level) understanding of the ciphers involved, wouldn't the PRNG only be used in the key generation?

When you sign something with DSA, the algorithm generates a new key for some reason, it seems, on the local machine. If the machine was running a compromised version of OpenSSL, the generated signature will therefore make use of compromised keys in generating the signature. I imagine that the newly-generated key is somehow used to encrypt parts of the DSA private key somehow and embed them in the signature, so that if you have the signature and the one-time key used for the encryption, you can decrypt (maybe partially) the DSA key. But I'm not sure either.

phlip
Restorer of Worlds
Posts: 7572
Joined: Sat Sep 23, 2006 3:56 am UTC
Location: Australia

Re: "Security Holes" discussion

Postby phlip » Fri May 16, 2008 2:23 pm UTC

Simetrical wrote:Not even close to a couple of hours. The only entropy is the process ID, which only goes up to 32k. So for a given architecture and key length, you just have to look it up in a hash table with 32k entries, so <<1 ms to crack a compromised key. It will have to have some more entries to account for more architectures, if you don't know what architecture it was created on, but it's still only a few hundred thousand generated total for all architectures and key lengths. Generating the list took a day or two, I believe, using a bunch of CPU cores.

Well, I was taking my info from
Sgeo wrote:http://metasploit.com/users/hdm/tools/debian-openssl/
Which said it'd take a couple of hours... I'm thinking that's for a situation like private-key authentication, where you don't know what public key the server's expecting... but if there's a good chance that one of those 32k are used, then you can find it in a couple hours. Less, if it's one of the common ones, from a moderately low pid.

Simetrical wrote:When you sign something with DSA, the algorithm generates a new key for some reason, it seems, on the local machine. If the machine was running a compromised version of OpenSSL, the generated signature will therefore make use of compromised keys in generating the signature. I imagine that the newly-generated key is somehow used to encrypt parts of the DSA private key somehow and embed them in the signature, so that if you have the signature and the one-time key used for the encryption, you can decrypt (maybe partially) the DSA key. But I'm not sure either.

Ah, OK, I think I see. Never really looked at DSA before... yes, if it does that then it would be a problem.

RSA doesn't do anything like that, though, does it? A secure RSA key used on an insecure machine would still be OK after patching, though, correct?


jareds
Posts: 436
Joined: Wed Jan 03, 2007 3:56 pm UTC

Re: "Security Holes" discussion

Postby jareds » Fri May 16, 2008 2:34 pm UTC

phlip wrote:
KTC wrote:If you had imported and used your (DSA) private key on a vulnerable version, then you're just as affected. In fact, it's worse, as unlike a weak key that was generated on a vulnerable version, there's no way to test whether that key is affected other than the end user's own knowledge of where they have used their key.

And now it's my turn to admit ignorance... where else in the SSL/SSH/whatever chain is the PRNG used, that would make a key generated on a secure system, but then used on a vulnerable system, useless? In my (very basic, surface level) understanding of the ciphers involved, wouldn't the PRNG only be used in the key generation?

For DSA, you have domain parameters, p, q, and g, that may be shared by many users of the system, a private key x, and a public key y=g^x mod p. These are all integers, p and q are prime, and there are other restrictions on the values that are not relevant for explaining the problem.

A DSA signature is a pair (r,s) where r=(g^k mod p) mod q and s=(k^-1 * (z*x+r)) mod q and z is a hash of the message and k is a random number. So if an attacker has a message and signature and knows k he can solve for x, the private key, in the equation for s. If the attacker knows that k is restricted to some small number of possibilities, as is presumably the case on an affected Debian machine, he can thus narrow x down to the same small number of possibilities, and then find x by trying each possibility in the equation for y, the public key.

jareds
Posts: 436
Joined: Wed Jan 03, 2007 3:56 pm UTC

Re: "Security Holes" discussion

Postby jareds » Fri May 16, 2008 2:58 pm UTC

RSA doesn't do anything like that, though, does it? A secure RSA key used on an insecure machine would still be OK after patching, though, correct?

Yes, the key is fine. RSA is always used in practice with random padding, but weaknesses in the padding would not allow your key to be determined. In the case of encryption, various attacks are possible without random padding (see, e.g., the Wikipedia article on RSA), but they're not really serious for the normal use of encrypting an asymmetric key. In the case of signing, I don't think any actual weakness is known with deterministic padding, although the current recommended RSA signature scheme uses random padding.

Edited to add: I should note that none of the weaknesses of not using padding for RSA encryption involve the attacker learning information about the key, only about the plaintext.

phlip
Restorer of Worlds
Posts: 7572
Joined: Sat Sep 23, 2006 3:56 am UTC
Location: Australia

Re: "Security Holes" discussion

Postby phlip » Fri May 16, 2008 3:07 pm UTC

Cool, thanks for the info.

I'm asking mainly out of curiosity, since I know that either (a) my keys are on that blacklist, or (b) my private keys have never been on an insecure computer... apt-get is downloading the openssl fix now, so I'll soon know which it is... but it's probably the former :(


random5
Posts: 19
Joined: Tue May 22, 2007 1:18 pm UTC
Location: Adelaide, Australia

Re: "Security Holes" discussion

Postby random5 » Fri May 16, 2008 3:35 pm UTC

Actually it's Ubuntu that gives up root access with hardly a fight. Just start it up in recovery mode and you can drop straight into the root prompt without it even asking for a password. WTF GUYS! At least put a little challenge in it, you don't have to be like Windows in every way.

Not_a_Spambot
Posts: 37
Joined: Wed Mar 19, 2008 5:26 am UTC

Re: "Security Holes" discussion

Postby Not_a_Spambot » Fri May 16, 2008 3:48 pm UTC

Curse that Jeff Goldblum! Curse him and his sudden-but-inevitable betrayal!

On the other hand, does that imply that the OLPC project is actually an attempt by aliens to take over the planet?

I always did think that Nicholas Negroponte's skin looked like it was a fake rubber mask.
Or something like that.

Jessica
Jessica, you're a ...
Posts: 8337
Joined: Tue Oct 23, 2007 8:57 pm UTC
Location: Soviet Canuckistan

Re: "Security Holes" discussion

Postby Jessica » Fri May 16, 2008 4:22 pm UTC

I really didn't like this one.
doogly wrote:On a scale of Mr Rogers to Fascism, how mean do you think we're being?
Belial wrote:My goal is to be the best brain infection any of you have ever had.

Simetrical
Posts: 37
Joined: Wed Aug 22, 2007 5:12 pm UTC
Location: New York City

Re: "Security Holes" discussion

Postby Simetrical » Fri May 16, 2008 5:34 pm UTC

random5 wrote:Actually it's ubuntu that gives up root access with hardly a fight. Just start it up in recovery mode and you can drop straight into the root prompt without it even asking for a password. WTF GUYS! At least put a little challenge in it, you don't have to be like windows in every way.

If you can restart the computer in recovery mode, you have physical access to it. With physical access, all you have to do is put in a live CD (maybe the one you used to install Ubuntu) and make a quick manual edit to the /etc/shadow file on disk to change the root password. There's no security in this case unless your drive is encrypted, on any OS. An OS that requires you to type in passwords when you restart the computer isn't the slightest bit more secure than one that doesn't. It does, however, make your life more difficult for no particularly good reason.

Grasshopper
Posts: 4
Joined: Mon Feb 04, 2008 6:17 pm UTC

Re: "Security Holes" discussion

Postby Grasshopper » Fri May 16, 2008 5:36 pm UTC

Simetrical wrote:
random5 wrote:Actually it's ubuntu that gives up root access with hardly a fight. Just start it up in recovery mode and you can drop straight into the root prompt without it even asking for a password. WTF GUYS! At least put a little challenge in it, you don't have to be like windows in every way.

If you can restart the computer in recovery mode, you have physical access to it. With physical access, all you have to do is put in a live CD (maybe the one you used to install Ubuntu) and make a quick manual edit to the /etc/shadow file on disk to change the root password. There's no security in this case unless your drive is encrypted, on any OS. An OS that requires you to type in passwords when you restart the computer isn't the slightest bit more secure than one that doesn't. It does, however, make your life more difficult for no particularly good reason.


Actually it protects against n00bs and kiddies.

Simetrical
Posts: 37
Joined: Wed Aug 22, 2007 5:12 pm UTC
Location: New York City

Re: "Security Holes" discussion

Postby Simetrical » Fri May 16, 2008 5:40 pm UTC

Can you envision anyone capable of using a command line in Ubuntu's recovery mode, but not capable of booting a live CD?

tonyb
Posts: 8
Joined: Thu Oct 11, 2007 10:02 pm UTC

Re: "Security Holes" discussion

Postby tonyb » Fri May 16, 2008 6:54 pm UTC

I knew they were packaged together for a reason.

1 1 2 3 5 8 13 21
Posts: 13
Joined: Fri May 16, 2008 7:29 pm UTC

Re: "Security Holes" discussion

Postby 1 1 2 3 5 8 13 21 » Fri May 16, 2008 7:35 pm UTC

DragonHawk wrote:I'm assuming it's 9/11, as in the 11 Sep 2001 attacks on the US. As in, "this function would have prevented the 9/11 attacks, but it was commented out".

See, I'm assuming it's 9-1-1, as in slang for 'emergency', thus reading "prevent emergency". Because that's a thing which is significantly more likely to happen in code than being able to prevent 9/11, especially 5 years later...

but that's just me.

tonyb
Posts: 8
Joined: Thu Oct 11, 2007 10:02 pm UTC

Re: "Security Holes" discussion

Postby tonyb » Fri May 16, 2008 7:49 pm UTC

1 1 2 3 5 8 13 21 wrote:
DragonHawk wrote:I'm assuming it's 9/11, as in the 11 Sep 2001 attacks on the US. As in, "this function would have prevented the 9/11 attacks, but it was commented out".

See, I'm assuming it's 9-1-1, as in slang for 'emergency', thus reading "prevent emergency". Because that's a thing which is significantly more likely to happen in code than being able to prevent 9/11, especially 5 years later...

but that's just me.


They obviously take place in the past, the commenting occurred a while ago.

JPJ007
Posts: 9
Joined: Tue Sep 18, 2007 8:18 pm UTC

Re: "Security Holes" discussion

Postby JPJ007 » Fri May 16, 2008 8:22 pm UTC

Ha! I knew it! They all called me crazy when I said the U.N. was in cahoots with the aliens. But now I have proof. They used alien tech in the OLPC!

DragonHawk
Posts: 457
Joined: Sat Sep 15, 2007 1:20 am UTC
Location: NH, US, Earth

Re: "Security Holes" discussion

Postby DragonHawk » Fri May 16, 2008 9:57 pm UTC

Simetrical wrote:If you can restart the computer in recovery mode, you have physical access to it. With physical access, all you have to do is put in a live CD...

Or just add "init=/bin/sh" to the kernel boot command line, which will cause the kernel to start the shell as the initial process (instead of /sbin/init). That will bypass anything the initscripts do.

If I'm worried about the console, I always use a boot loader password and a BIOS password, and set the system to boot from hard disk first, other media never. Of course, *that* assumes you can't just take the cover off the computer, pull the hard drive out, put it in your pocket, and walk away.

yjester
Posts: 30
Joined: Fri Jan 18, 2008 2:46 pm UTC
Location: SP, Brazil

Re: "Security Holes" discussion

Postby yjester » Sat May 17, 2008 12:44 am UTC

I liked this post, as I was able to understand like 30% of it straight away and made people from the forum explain the other 154% :-) Thanks, guys.

And now we know the pet from comic 413 may change ownership quite easily... could OLPC be safer?
GENERATION 19: The first time you see this, copy it into your sig on any forum and add 1 to the generation. Social experiment.

1 1 2 3 5 8 13 21
Posts: 13
Joined: Fri May 16, 2008 7:29 pm UTC

Re: "Security Holes" discussion

Postby 1 1 2 3 5 8 13 21 » Sat May 17, 2008 1:07 am UTC

tonyb wrote:
1 1 2 3 5 8 13 21 wrote:
DragonHawk wrote:I'm assuming it's 9/11, as in the 11 Sep 2001 attacks on the US. As in, "this function would have prevented the 9/11 attacks, but it was commented out".

See, I'm assuming it's 9-1-1, as in slang for 'emergency', thus reading "prevent emergency". Because that's a thing which is significantly more likely to happen in code than being able to prevent 9/11, especially 5 years later...

but that's just me.


They obviously take place in the past, the commenting occurred a while ago.

Ah, but he clearly comments out "prevent_911" after OpenSSH's initialization vector, which happened in 2006. Check and mate!

Air
Posts: 44
Joined: Sun Mar 30, 2008 4:07 am UTC
Location: Open.

Re: "Security Holes" discussion

Postby Air » Sat May 17, 2008 1:21 am UTC

I uncovered your mom's security holes last night! :P

..sorry just had to.
I thought this was really funny even though I didn't know about the Debian-OpenSSL fiasco until looking it up. Love the LOTR reference. And I really wish there really was a "do_not_crash()" function.

Jach
Posts: 167
Joined: Sat May 05, 2007 8:38 pm UTC

Re: "Security Holes" discussion

Postby Jach » Sat May 17, 2008 2:13 am UTC

As a Gentoo user (and occasionally Ubuntu), this comic made me smile. Also I love the LotR reference.

I ought to look at the code now and find out the secrets of this do_not_crash() function!
I love reading quotes.

tonyb
Posts: 8
Joined: Thu Oct 11, 2007 10:02 pm UTC

Re: "Security Holes" discussion

Postby tonyb » Sat May 17, 2008 2:42 am UTC

1 1 2 3 5 8 13 21 wrote:
tonyb wrote:
1 1 2 3 5 8 13 21 wrote:
DragonHawk wrote:I'm assuming it's 9/11, as in the 11 Sep 2001 attacks on the US. As in, "this function would have prevented the 9/11 attacks, but it was commented out".

See, I'm assuming it's 9-1-1, as in slang for 'emergency', thus reading "prevent emergency". Because that's a thing which is significantly more likely to happen in code than being able to prevent 9/11, especially 5 years later...

but that's just me.


They obviously take place in the past, the commenting occurred a while ago.

Ah, but he clearly comments out "prevent_911" after OpenSSH's initialization vector, which happened in 2006. Check and mate!


Unless you consider the do_not_crash() part of Windows in 1985, in which case there is no logical order to them.

(man... I am bored....)

Surgery
Posts: 628
Joined: Wed Sep 12, 2007 6:22 am UTC
Location: Western New York

Re: "Security Holes" discussion

Postby Surgery » Sat May 17, 2008 3:52 am UTC

Jach wrote:I ought to look at the code now and find out the secrets of this do_not_crash() function!


I think it's supposed to take your first born child as a parameter, and an optional blood sacrifice parameter.

Also, I'm pretty sure that function was commented out in the copies of Flash we use at work, and our server software, and our middleware XML generator.

kyevan
Posts: 10
Joined: Fri Feb 29, 2008 5:09 am UTC

Re: "Security Holes" discussion

Postby kyevan » Sat May 17, 2008 1:37 pm UTC

Hah, this doesn't affect me, I replaced that code with a more secure random number function AGES ago.

Xbehave
Posts: 54
Joined: Wed Jan 09, 2008 4:45 am UTC

Re: "Security Holes" discussion

Postby Xbehave » Sat May 17, 2008 9:43 pm UTC

Grasshopper wrote:Actually it protects against n00bs and kiddies.

Only noobs and kiddies without CDs. And can't you boot any distro into single-user mode if they haven't locked their GRUB?

The only way to be sure your desktop is safe is to
1) lock GRUB
2) lock the BIOS
3) put a cat inside the desktop to prevent the BIOS being reset
Unfortunately the RSPCA has something to say about that :(

I did once try setting up my laptop with encrypted drives, but tbh it was such a PITA it wasn't worth it, so when I broke the laptop I didn't bother with anything other than 1+2, and just hope that the attacker can't find the BIOS reset.
GENERATION 20: The first time you see this, copy it into your sig on any forum and add 1 to the generation. Social experiment.

Wizzard1
Posts: 15
Joined: Thu Dec 13, 2007 11:15 pm UTC

Re: "Security Holes" discussion

Postby Wizzard1 » Sat May 17, 2008 10:28 pm UTC

You guys should run data-less, password-less, internet-less and OS-less. Smooth sailing!!

I.e., expect flaws and exploitation in anything which can be used at more than one level, e.g. user and administrator, system and administrator, etc. etc.

Kaiyas
Posts: 459
Joined: Sun Feb 17, 2008 4:57 pm UTC

Re: "Security Holes" discussion

Postby Kaiyas » Sun May 18, 2008 2:33 am UTC

Sound wrote:I just don't understand the left side strip, and in particular the prevent_911() function call (btw, 9-1-1 or 9/11?)

I'm guessing it's a reference to 9/11 because non-criminals usually don't prevent 911 calls.
clintonius wrote:This place is like mental masturbation

1 1 2 3 5 8 13 21
Posts: 13
Joined: Fri May 16, 2008 7:29 pm UTC

Re: "Security Holes" discussion

Postby 1 1 2 3 5 8 13 21 » Mon May 19, 2008 2:08 am UTC

Man, am I the ONLY one who thinks it's a reference to September 11th, and not 911 as in slang for emergency? Really? Really?

Helmchyn
Posts: 3
Joined: Mon May 19, 2008 9:03 am UTC

Ubuntu

Postby Helmchyn » Mon May 19, 2008 9:41 am UTC

[begin flame]

Ubuntu looks like Vista? Hell I'm so gonna nuke you for that one!

I switched from distro to distro (including Mandrake, as today's Mandriva was named at that time, Fedora and Debian) over several years and am now happily using Kubuntu. I have been using GNU/Linux since 2001, and work as a (mostly script-)programmer in Unix administration, so I would certainly not consider myself a clueless newbie. I have actually seen Vista and from a usability point of view it contains disastrous flaws which you will not find in Ubuntu or any of its derivatives.

Other than SUSE (which was mentioned before in this discussion), Ubuntu still works and can be configured like a GNU/Linux (Debian in this case) underneath and is therefore a system usable by an experienced Unix admin and by his grandma as well. I could recommend Vista for neither of them nor for anyone else! The graphical effects provided by Compiz do actually contribute to the usability of the system (which is not the case for Vista's Aero) and combust not even half of the processing power Vista uses even without Aero.

If you have an understanding of interface design and know the rules of usability you will notice that Vista and Ubuntu do not even look similar to each other, because there is no interface in the world as flawed as the so-called user interface of Vista. I feel seriously offended by this comparison.

[end flame]

It seems with the mentioning of Vista we have entered new dimensions of Godwin's law here ;-)

Don't you ever do that again :twisted:

Simetrical
Posts: 37
Joined: Wed Aug 22, 2007 5:12 pm UTC
Location: New York City

Re: Ubuntu

Postby Simetrical » Mon May 19, 2008 1:28 pm UTC

Helmchyn wrote:The graphical effects provided by Compiz do actually contribute to the usability of the system (which is not the case for Vista's Aero)
The hilarious thing is that I saw that exact objection made against Ubuntu by a Vista supporter (i.e., Aero is useful and Compiz is not). I thought it was a stupid objection then, too.

I've never used Vista to any significant extent. There are a couple of nice little things I liked (mini-screenshots when hovering over the taskbar, for instance). I didn't see anything spectacularly unusable; being a little more specific would help others to better understand the points you're making. Your combination of vitriol with vagueness is unfortunately typical of many attacks on Microsoft, correct or not. Although maybe you're preaching to the choir here anyway, if you want to convince anyone, being respectful and precise is much more effective than flaming.

I'm happy with Ubuntu, but there are a couple of really obnoxious flaws that Windows XP never suffered from, and Vista even less so:

  • No good multi-screen support, or at least not without more fiddling than I'm willing to do. Xinerama was a mess when I tried it, windows stretching across both screens when maximized. Dual-head is okay, and it's what I use, but it doesn't allow dragging windows back and forth, which is a big pain. There are also random bugs like that notification pop-ups don't work in windows other than the first, and probably others.
  • The search is a joke. When I've tried to use the search button in Nautilus, it searches my entire disk, not just the current directory? WTF? By most accounts, the OS X-style search in Vista is one of its good points, at least if you don't mind the indexer running all the time.
  • Fourth and fifth mouse buttons don't work.
  • Edit: Oh, yeah, and it completely fails to boot unless I use a weird kernel version. That's one I shouldn't forget.

I've accumulated some more annoyances but forgot most of them for now. Overall, as I say, I'm happy with it, but I haven't seen any really decent objections to Vista except its slowness and resource-hogging, which are definitely fairly ludicrous from what I've seen. And maybe that UAC is occasionally too aggressive. Well, and that it's made by Microsoft.
Last edited by Simetrical on Mon May 19, 2008 3:40 pm UTC, edited 1 time in total.

Feirgon
Posts: 16
Joined: Fri Jan 18, 2008 3:33 pm UTC
Location: New York

Re: "Security Holes" discussion

Postby Feirgon » Mon May 19, 2008 3:34 pm UTC

Could someone explain the exploits to the given OS for me? I understood most everything, but I haven't used most of the OSes so I feel really out of the loop. Unless the exploits are just random references, in which case.... :|
Be the Ultimate Ninja! Play Billy Vs. SNAKEMAN today!

masher
Posts: 821
Joined: Tue Oct 23, 2007 11:07 pm UTC
Location: Melbourne, Australia

Re: Ubuntu

Postby masher » Tue May 20, 2008 2:33 am UTC

Simetrical wrote:I'm happy with Ubuntu, but there are a couple of really obnoxious flaws that Windows XP never suffered from, and Vista even less so:

  • No good multi-screen support, or at least not without more fiddling than I'm willing to do. Xinerama was a mess when I tried it, windows stretching across both screens when maximized. Dual-head is okay, and it's what I use, but it doesn't allow dragging windows back and forth, which is a big pain. There are also random bugs like that notification pop-ups don't work in windows other than the first, and probably others.


I'm running Ubuntu with two monitors. I can't remember how I set it up, but my windows don't maximise over both screens and I can drag windows across screens.

Rysto
Posts: 1460
Joined: Wed Mar 21, 2007 4:07 am UTC

Re: "Security Holes" discussion

Postby Rysto » Tue May 20, 2008 2:39 am UTC

Feirgon wrote:Could someone explain the exploits to the given OS for me? I understood most everything, but I haven't used most of the OSes so I feel really out of the loop. Unless the exploits are just random references, in which case.... :|

They're just random jokes, and have no relation to reality.

random5
Posts: 19
Joined: Tue May 22, 2007 1:18 pm UTC
Location: Adelaide, Australia

Re: "Security Holes" discussion

Postby random5 » Tue May 20, 2008 4:32 am UTC

A nice graphical config for dual head which worked on Ubuntu / *nix in general would be very nice; that said, I got dual head working quite easily, if with certain limitations. I simply have to set an appropriately sized virtual display in xorg.conf (basically adding the line Virtual 2560x2560) and a second display is added as soon as I plug it in, with no 3D support though, so Compiz turns off. My laptop only has an Intel card and while I'm tempted to try and get proper dual head working, that is easier with an NVIDIA/ATI card and this suits my purposes just fine. If I want to change the position of the second display relative to the first the command is very simple - xrandr --output <NAME> --left-of <NAME 2>, where you can use --right-of --above --below etc. to set up monitors as you wish. Not end-user friendly but simple enough for any geek.

Helmchyn
Posts: 3
Joined: Mon May 19, 2008 9:03 am UTC

Re: "Security Holes" discussion

Postby Helmchyn » Tue May 20, 2008 8:05 am UTC

Fine, Simetrical has a point when he said I didn't explain some of the flaws in the user interface of Vista, so here are some of them (oh, have I mentioned that I believe Vista to be technologically superior to XP? It surely is, but heaven knows what discussion I broke loose with that one now).
However, flaws in Vista, part one:

1. Button labels: they really believed they would improve usability by removing the button labels in the default config. I.e. take a look at the file and web browser: there are forward and backward buttons as usual, but how can a user new to Windows, or maybe to computers at all, know that when they are not labeled? Of course, when you let the mouse hover over the button because your hand happens to fall asleep suddenly, then you would see a description appearing. But kids, ever observed newbie users? They cannot hold the mouse pointer at one place for a second.
That is even more serious in the Start menu, which now cannot be referred to as the Start menu any more. How can you help them on the phone? "Sir, click on the button with... umm, down left on your screen... no, no, not the window, the screen... with, umm, you know, the button with the colorful thingie on it"

2. The symbols themselves: ever noticed the (unlabeled) switch-off button in the Start... ahm... "Thingie" menu? Ever noticed then that it in fact does not switch off the computer but sends it to standby? That's not what you would expect, is it? Furthermore, the program entries in this menu don't have icons at all, not any more. For usability purposes you normally (if you know what you are doing) set labels and icons, so that a new user can learn the icons by reading the labels and can then find the entries faster by looking at the learned icons. In the Vista menu the icons appear in a separate box when you let your mouse hover over the label. That looks nice, but you cannot use the icon to recognise and FIND the entry; instead you have to read all the text (like in text user interface menus, back in the '80s) to find the entry, and maybe you see the icon then.

3. Settings should be changeable at the place where they are viewed: look at the dialog where you configure the behaviour of network shares. You have the points listed ("share directories in network", etc.) and behind them little indicators for "yes" and "no". Instead of clicking on these indicators to change things, you have to find the barely noticeable (unlabeled) button in front of the list entry to extend the entry and find radio buttons for... umm, "yes" and "no". (Sometimes, when you least expect it, you also find something like a "maybe" button.)

4. The "settings" menu of your desktop's right-click pull-down menu (is it "settings" in the English version? Well, the last label there). So this is special, hold on guys. A configuration supermenu appears which leads you to settings for the style, shape and color of windows, screen resolution, screen saver, etc. The Microsoft folks have set things right for the first two or three dialogs there: instead of stacking a new window onto the screen when you click on these points, the submenu appears in the same window, and with a back button you can also find your way back into the main menu. Fine. Now click on the third or fourth point there. Oops, it appears: the old dialog window from Microsoft Windows XP (TM). Was there a development deadline? Oh, but that's not the case all the time. The behaviour of that menu depends on whether you have the Aero style switched on or not. What has the menu navigation to do with the graphical style? Who knows? Did they have separate menus developed for the different styles? By separate teams? Did they not talk to each other?

5. "sudo": Microsoft patented the concept of the 1970s Unix command sudo in 2001 to enable unprivileged users in Vista to alter administrative settings by typing in the admin password when it's needed, so you don't have to switch users to perform a minor administrative task. Imagine now you have to perform, say, two minor administrative tasks (switch the IP and enable a share). You will have to type the password twice then. There is no 5-minute password remembering like in the original sudo, which is used in Ubuntu for the same purpose.

Did we yet talk about the fact that Microsoft has failed to implement the concept of multiple desktops for two decades now? The concept which becomes easily understandable (because "feelable") for every user with the Compiz desktop cube. What about the transparency effect of Aero windows? It sure looks nice, but it would make sense only if the user could control the transparency for every window like in Compiz (or was that a beta I have seen of Aero? I don't want to be unfair here). In Aero you still cannot tell a particular window to stay in the background or foreground (and maybe become slightly more transparent then), a feature which I often use to place text editors over a browser window, and keep an eye on the text editor or maybe a movie window when I interact with a website.

None of these and other flaws appear in Ubuntu. Ubuntu is also not perfect (they have fewer flaws nonetheless), but hey, ever noticed the "report problems or wishes to the developers" button in the help menu of every KDE application? That is what makes free software superior in user-friendliness and lets it become technologically superior as well. Therefore Ubuntu is in no way comparable to Vista, because "Ubuntu will always be free" (as in freedom).

Simetrical
Posts: 37
Joined: Wed Aug 22, 2007 5:12 pm UTC
Location: New York City
Contact:

Re: Ubuntu

Postby Simetrical » Tue May 20, 2008 1:40 pm UTC

masher wrote:
Simetrical wrote:I'm happy with Ubuntu, but there are a couple of really obnoxious flaws that Windows XP never suffered from, and Vista even less so:

  • No good multi-screen support, or at least not without more fiddling than I'm willing to do. Xinerama was a mess when I tried it, windows stretching across both screens when maximized. Dual-head is okay, and it's what I use, but it doesn't allow dragging windows back and forth, which is a big pain. There are also random bugs like that notification pop-ups don't work in windows other than the first, and probably others.


I'm running Ubuntu with two monitors. I can't remember how I set it up, but my windows don't maximise over both screens and I can drag windows across screens.

Hmm. I didn't ever figure out how to get that working. I'm not too surprised it's possible if you push the right magic buttons. I use the proprietary NVIDIA driver's control thing, incidentally, since the OSS stuff seems not to work in my experience. (I should probably report this stuff as bugs, but when this strikes, I'm usually too frantic at trying to get my computer to work again at non-VESA resolutions to be interested in taking careful notes.)
Helmchyn wrote:1. Button labels: they really believed they would improve usability by removing the button labels in the default config. I.e. take a look at the file and web browser: there are forward and backward buttons as usual, but how can a user new to Windows, or maybe to computers at all, know that when they are not labeled?

Some people seem to believe this is a usability improvement, strangely, yeah. I've heard it suggested for MediaWiki as well, that the edit button should be replaced with a cross-lingual "edit" icon. The response there was that such an icon would not be understandable cross-lingually, only incomprehensible cross-lingually, and we kept the text labels.

I suppose it arises from the next point you raise, which is that you should try to have icons in addition to labels.
Helmchyn wrote:3. Settings should be changeable at the place where they are viewed: look at the dialog where you configure the behaviour of network shares. You have the points listed ("share directories in network", etc.) and behind them little indicators for "yes" and "no". Instead of clicking on these indicators to change things, you have to find the barely noticeable (unlabeled) button in front of the list entry to extend the entry and find radio buttons for... umm, "yes" and "no". (Sometimes, when you least expect it, you also find something like a "maybe" button.)

This is one of my big gripes with GNOME. On Windows, if I want to delete an item from the Start menu, what do I do? Right-click on it and hit Delete. (Granted, moving over focus to the confirmation dialog tends to cause the Start menu to close, but I'm not sure if that's still a problem.) What do I do in GNOME? Well, I right-click, and get what options? Add this launcher to panel, add this launcher to menu, and a couple of other useless things that normal people probably wouldn't understand. (What's a "launcher"? I can guess, but how about using "program" or at least "link" or "item"?) How do I delete an item? Well, I go to System -> Preferences -> Main Menu, browse to the same item I was just looking at, and delete it from there.

Same thing when I accidentally got two SFTP connections to the same computer listed under "Places". Right-click and what do I get? In Nautilus, nothing, no context menu at all. (Well, now I try it and I do get a context menu, which includes an "unmount" option. That word should probably never be used in a GUI without explanation altogether, and here it's not even correct: this is an SFTP connection, not anything mountable.) In the Places menu at the top, a right click opens up the place in question, again no context menu. I eventually removed the duplicate entry weeks later when I accidentally stumbled across the correct preference somewhere.
Helmchyn wrote:5. "sudo": Microsoft patented the concept of the 1970s Unix command sudo in 2001 to enable unprivileged users in Vista to alter administrative settings by typing in the admin password when it's needed, so you don't have to switch users to perform a minor administrative task. Imagine now you have to perform, say, two minor administrative tasks (switch the IP and enable a share). You will have to type the password twice then. There is no 5-minute password remembering like in the original sudo, which is used in Ubuntu for the same purpose.

On the other hand, you have to be careful to check the parent process when remembering the password, or else you've completely killed the security of the system. I always noticed that opening two shells and typing sudo in both in quick succession would prompt me both times, which is good, but I was talking to someone on IRC recently who said that typing the password in one terminal would remember it for his other terminals as well, which is an incredibly bad idea.

But, yes, this is apparently annoying enough to get some people to turn off UAC, from talking to some Windows-using friends. I've heard it's improved in SP1, however.
Helmchyn wrote:Did we yet talk about the fact that Microsoft has failed to implement the concept of multiple desktops for two decades now?

You know, I've tried using that a couple of times and never found it worthwhile. I guess it would be useful for people with a different style of working. I pretty much only have IRC open in one window, web browser in the other, all the time. If you're doing multiple things and each requires a bunch of windows, then I imagine it would be handy.
Helmchyn wrote:None of these and other flaws appear in Ubuntu.

Well, one does, as I pointed out. :) Also, there are some things in Ubuntu that are icon-only, like notification area stuff (update, restart, etc.); trash in the lower right; "minimize all applications" in the lower left. Well, I guess that's not many.
Helmchyn wrote:Ubuntu is also not perfect (they have fewer flaws nonetheless), but hey, ever noticed the "report problems or wishes to the developers" button in the help menu of every KDE application? That is what makes free software superior in user-friendliness and lets it become technologically superior as well. Therefore Ubuntu is in no way comparable to Vista, because "Ubuntu will always be free" (as in freedom).

Personally I don't find Ubuntu superior in user-friendliness to Windows, overall. That's not least because more than once I've been unable to boot due to hardware/driver issues. When the kernel boots, Ubuntu is great these days about getting an only somewhat crippled X running regardless of what evil things you do to it, but I've had kernel panics on boot that required me to manually download a new kernel (although thankfully, not to compile a new one, yet). Also, it's been nightmarish more than once getting out of the semi-crippled mode to resolutions higher than 800×600, requiring hours of fiddling, downloading alpha drivers, etc. There are also random other things.

Personally, I would never recommend Linux yet to anyone unless 1) they're willing to make sacrifices to use open-source software (like me), or 2) they're interested in saving some money and getting something that uses guaranteed supported hardware, like the Eee or gPC. I have hopes for the future, though!
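The sudo credential-caching behaviour Simetrical and Helmchyn argue about above is controlled by two sudoers Defaults. The fragment below is an added example, not from anyone in this thread; the option names are real sudoers options (timestamp_type needs sudo 1.8.21 or later, older releases only have the boolean tty_tickets), and the weak setting is shown beside the one that keeps a second terminal prompting.

```sudoers
# Added example: /etc/sudoers "Defaults" entries (edit with visudo).
# Option names are real sudoers options; timestamp_type exists in
# sudo 1.8.21 and later, older releases use the boolean tty_tickets.

# WEAK: one cached password unlocks sudo in every terminal the user has
# open, which is the behaviour the IRC contact described above.
#Defaults timestamp_type=global

# BETTER: the cached credential is bound to the terminal (tty) it was
# typed on, so a second shell still prompts. This is the default on
# current sudo releases.
Defaults timestamp_type=tty

# Alternative: bind the cache to the parent process instead, which is
# the "check the parent process" approach mentioned in the thread.
#Defaults timestamp_type=ppid

# The 5-minute window mentioned in the thread (sudo's default).
# Set it to 0 to require the password on every invocation.
Defaults timestamp_timeout=5

# Equivalent on sudo releases before 1.8.21 (superseded by
# timestamp_type, so left commented out here).
#Defaults tty_tickets
```

Run `sudo -V` as root to see which of these defaults a given installation has compiled in.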
