Letters If there was ever a headline that would guarantee a response from Register readers, it was Is Linux security a myth?. In it, the writer argued that security can never be perfect, and that Linux cannot ever be 100 per cent secure. You all seemed perfectly happy with this line of reasoning, even if you surprised yourselves by being so:

I was expecting a fairly linux-biased editorial and thought it addressed the reality of 'security' as it relates to all platforms rather than just a Microsoft bashing screed. Ever think about covering politics?

James

But a couple of points were less pleasing to you. Notably the question of accountability, and why it is that there are fewer attacks against Linux than against Microsoft code:

In your article, you answer to the following provocation: "Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux."

I think you forgot to mention that Microsoft take no responsibility in case of security breach (this is in the MS license). So Microsoft itself is not accountable for MS Windows security, that exactly the same for RedHat, SUSE, Apple or other OS vendor.

Best Regards, Christophe

"There are several factors behind there being a far smaller number of attacks against Linux. Not the least of these is the fact that the platform, whilst it is gaining traction fast, is still relatively small in the world of business critical production systems."

It /is/ the least of these. The "market share" argument is cobblers. Apache is running on an absolute majority of the world's webservers, yet all the webserver exploits I see in my weblogs are aimed at IIS - a minority player.

(A significant percentage of these Apache servers are Linux boxes, and most definitely "business critical production systems.")

People hack Windows because they can.

The rest of your article seemed pretty on the button.

Dom

I think that the security of both Windows and Linux distributions are highly over-rated, but it's always interesting to read views of which is more secure. Unfortunately, there do not seem to be many people who bring attention to the fact that there are fewer known attacks against Linux due to the fact that it is not as widely used in the consumer/business arena as Windows is, and therefore, the chances of malicious code targeting Windows is going to be higher.

If all businesses/home users swapped to Linux today, there would be little doubt that attacks would increase exponentially within a short period of time. At that point, we would see just how secure Linux is, and I think that many people do not give M$ the credit they perhaps deserve for the work they have put into fixing their products.

Is it not possible that they have been able to secure Windows to a higher degree than Linux based on the sheer number of attacks that Windows has had to endure? Could it be possible that many, currently unknown, weaknesses in Linux would be exposed as a result of increased usage/attacks?

You've got to admit that the trial-by-fire security fix process that M$ has been forced to undergo through the years can only have strengthened their product, despite that fact that it's a fortress built on sand, in many respects. Let's hope that the core architectural benefits of Linux provide a solid base for Linux as it goes through a similar trial-by-fire in the coming years, as it gains in popularity. And whether you trust the NSA's SE Linux or not, until a consumer OS introduces their application level security policies, they are never going to be secure enough.

Andrew

But one reader had just this to say:

Linux security is not a myth - see Novell - they have a release that has achieved EAL4+ certification.

Jesse

Sage's rumblings about more "unfair bundling" from Microsoft have won them no sympathy from the Reg reader camp:

I read Sage's comments with interest and am afraid to say I find very little sympathy with their point of view, despite usually having little time for Microsoft's business practices.

Sage has consistently dragged behind with their software relying on the fact that in the SME sector they effectively have a monopoly.

The fact is sage has not innovated in the accounts market they've simply acquired competitors and grown to fill the market. They do not keep their software up to date (does Instant accounting still insist on installing 16-bit ODBC drivers?) and instead rely on selling stationary and subscriptions renewals to a customer base that's locked into their product.

Pot calling the kettle black I think.

Ivor

Surely Sage has a case for an anti-trust suit since Microsoft include Calculator with every version of Windows?

Talk about nuisance lawsuits....

Rich

We also found someone prepared to defend Carly Fiorina. Just the one, though, and it was unsigned. Carly, is that you?

I disagree with the Carly slamming situation and as an employee that has not benefited at all from being at HP the past 3 years I think you should hear what I have to say.

Lets get the trivial stuff out of the way first. The $45m payoff is normal and not out of the ordinary for a CEO leaving a company of this size. Sure it will mean I have another year of no pay increase but at least I have the maturity to see past my own needs. Lets stop moaning about this. Its all about survival of the fittest these days and she is a lot fitter than most of us. Get over it!

I don't know why she left but its obvious there was some disagreement up top which resulted in this decision. Lets live with it!

The share price will rise but without a clear new leader and new fresh strategy it will dwindle back to the 19 or so dollars again. You just see!

The fact is that Carly was a great leader, almost up there with the best CEOs and lets not forget she was a women which makes her achievements all the more noted.

She had a vision and the reason HP is failing is not due to Vision but due to the complete lack of anyone at local management level to understand or want to understand the strategy. These people live in their own comfy ivory towers which survive on the reputation of having done something good 20 years ago! and are the very same people that only have cutting costs left in order to make themselves look good by getting rid of all the good people.

By good people I mean the skilled people that are willing to openly challenge and test the Vision and who ultimately move things forward. You see progress never came out of travelling down the middle ground, it comes from taking the best out of the extremes.

Despite what we all see on TV and at our management Board webcasts, the local HP rules now are; you keep your head down, you don't walk through any apparently open management doors and my god you never, ever, ever speak against anything. Oh yes and anything that doesn't appear on a balance sheet is not adding value, including customer relationship!

All great ingredients for the future considering customers, employees and knowledge will be king.

Until we get rid of the driftwood and let the competent people breath it doesn't matter whether we split the company up, invent something new or start cleaning toilets, we will fail.

All I can say is that with the CFO now in charge god help us.

Anon

Dear Ed,

With reference to the "HP" link in the letter from Mike regarding Carly's potential next career move to a ketchup firm, eg: Heinz.

$6.28 for a bottle of HP? I know the dollar's lower than the share price of a leading IT company with a temporary CEO, but you're 'aving a larf aren't ya?

Mind you, it could be a good move for Heinz to take Carly on given her record of out-saucing......

Ollie

Very droll, sir. Very droll.

Next, you got very upset about allegations from webfiltering firm Clearswift that techies spend too much time emailing their mates. This letter from David sums up most of your views:

I'm probably one of the offenders. Browsing the net, too. Then again, I still wonder about things talking about work as the 9-to-5, as if 7-hour working days are still the norm.

For UK techies that doesn't seem to be the case, often being 7.5 or 8 hour days, before considering that almost all the IT contracts I've seen have involved unlimited unpaid overtime, and that it seems to be the norm for UK techies to end up working a greater or lesser amount of said unpaid overtime almost every day.

Lunch generally amounts to heading out to fetch lunch, returning with lunch, and eating said lunch. Few fancy business lunches, schmoozing clients at a pub, etc. I think a little freedom to let off steam with personal email, messaging and net access is just redressing that imbalance, not to mention helping promote a more positive attitude towards spending long hours at work.

Finally, a lot of staff spend a noticeable amount of time chatting to colleagues. UK techies seem to spend a little less time doing this, so they're probably spending the same amount of time communicating with others on a personal level as others, just more via online methods rather than in person.

David

The filing of a lawsuit against the makers of Grand Theft Auto and Sony, in its capacity as manufacturer of the PS2, has tickled all your "don't be stupid" buttons:

I am getting so sick of seeing stupid people blame their problems on computer games. For a start, if someone were to take GTA as "murder training", then perhaps they've ignored the fact that if you shoot cops in GTA, you get chased by cops, and shot at, and a lot of the time, killed by cops.

And to name Sony in the lawsuit because they make the PS2? Bollocks.

Stupid, pointless litigation like this will one day either close down the gaming industry, or ensure that we only have cute, happy, fluffy games to play with.

Name withheld

Suing Sony for making the PS because some nut-job played violent games on it? Great idea! but why stop there?

• Sue manufacturer of the TV set (No TV, no PS 2, duh)
• Sue the power company (If they hadn't supplied power to his place at the times he was playing the game he couldn't have played it)
• Sue beverage and snacks companies (I'm sure he was eating snacks and drinking a coke while playing, it's more fun)
• etc

I'd like to add that I know a lot of people (me included) who have played this abomination of a game, and, miraculously, have yet to murder a single person.

None of us has any guns either, though, therefore denying every single one of my friends of the opportunity to shoot someone.

sam.freak

Are they also suing the gun manufacturers for making the gun?, the police force for insisting the cop carried it?, the holster manufacturer for making the holster in such a way as the murderer could grab the gun out of it?

and of course, Devin Thompson himself for not having the intelligence to distinguish between fantasy (a game / movie) and reality (a real person with a real life). But that would just be sensible now wouldn't it.

Nick

More anecdotal evidence that companies just don't dispose of data properly. This is a nice one, if a little alarming. If this particular culprit can't get it right, who can?

Say it again - I bought an SGI Onyx (high-end graphics workstation) from a guy on ebay, who bought it from a guy on ebay... neither of them had ever got it up and running. I did, and having hacked root I discovered it was an ex-NASA machine, a server from the Goddard Space Flight Center, no less. Complete with databases, email archives, internal web sites, PhD theses... will they never learn?!

Mike

Next up, we argued that dispute over ownership of "game.co.uk" could have significant and far-reaching effects on e-commerce in Britain:

Good write up; but to my mind, poor conclusions.

I think the judgment, based on the fact that Game (a set of high street stores selling computer games) could rightly complain once someone - who bought the domain name when Game were a trading entity as described above - starts flogging computer games from that domain name.

IF the owner had agreed to go back to advertising his consultancy from the site (maybe with a link to a different domain name selling his games) then fine - But he wants to continue to make money from his exploitation (whether intentional, or known, or not) of an existing company's brand name.

Whether Game Plc should have been allowed to name themselves "Game" (in the first place) is a completely different matter; but that registrar is not known for its "always sensible" decisions either!

And yes, I appreciate Game Plc are lame for not registering their domain name in 1995 ... but I don't think they are alone amongst UK companies in that respect, are they?

[OK - I'll come clean - If you seriously believe this guy did not realise exactly what he was doing ... Then I'm the Queen of Iraq]

Andy

On the face of it, it appears that Game plc is in danger of losing their trademark, if one is to believe their own Web site. At the bottom, it shows: "© 1999 - 2005 GAME DIGITAL LTD. REGISTERED NO: 3936328"

Of course, I am assuming that "Game Group plc" is the same company as discussed in your article; and if that is correct, since the current owner of game.co.uk has been doing business under that name since 1995, it would seem that he has prior claim on the business name "Game."

I am not an attorney, however - far from it. I am an honest man.

Morely

You are less than convinced that Macrovision's anti-ripping technology will have any long term success:

Hi Tony, I've just been reading your article on Macrovision's claims about it's new anti ripping methods for DVDs.

I'm particularly bemused/amused by the line "...with a claimed effectiveness rate of 97 per cent, the technique should act as a major disincentive for casual copiers, the company believes."

OK, so the studios will stop me ripping movies to my laptop so I can watch them on a flight rather than suffering the dross served up by the airline (external DVD-ROM drives are more or less unusable on a plane), or maybe making the occasional copy of a movie for a colleague or family member.

What it won't do is deter the people who really are "harming the industry" (to toe the party line), the guy at your local market will probably get around it, the pirates in Hong Kong will almost certainly get around it and within a couple of months, at best, the industry will be right back where it is today.

Exasperatedly yours.

Ben. -- Who buys DVDs and CDs regularly, even the ones he might have downloaded for preview purposes :)

A group of scammers managed to gain access to credit data in the US, but the scammees won't say how:

Re: Fraudsters expose 100,000 across US

It is way past time that companies such as 'ChoicePoint' face serious fines and criminal charges for their shoddy security and procedures resulting in unauthorized disclosure of consumers personal information. At the very least their actions make them an accessory to crime. Martha is getting out soon, save her cell for the ChoicePoint CEO.

Who needs to try the age old Nigerian 419 scam anymore? Nah, that takes work! Just order all the personal information you want straight from the data miners themselves. That's the ticket.

So as a consumer who lives in California, I wonder: Am I impacted by this breach of 'security'? Let me get this straight -- I am supposed to patiently wait for a letter from ChoicePoint to arrive in the mail -- someday.... maybe.....once they get around to it.

This does not sound promising -- I can hear 'It got lost in the mail' already. So trying to be a 'smart' consumer I visit ChoicePoint's web site and look to see if they have provided a way to quickly verify if a person is potentially impacted.

What is this? No big red flashing link saying 'Click here if you fear you may have been screwed by ChoicePoint -- We feel terrible about our actions and will work hard to help you the consumer? Nope. No link like that at all.

In fact there is no link whatsoever offering suggestions or any kind of help to consumers concerned about this particular matter, except for the 'Had to do it because its the law although we really hate it' link for FACT Act compliance.

Following the FACT link, I find (count them) THREE different phone numbers -- one for each of the consumer data-mining products ChoicePoint offers. Yes you guessed it, Joe Consumer has to start off with three calls to ChoicePoint just to try to find out if he or she might be impacted.

Who are these guys and who on earth allows them to operate a business in this manner?

Guys, you might want to refrain from wearing those nifty 'ChoicePoint' logo golf shirts if you are going to try to cross a street in California any time soon. Take a tip from many other corporate criminals: Go incognito. Brakes and tires are so expensive.

Steve

More on why Window's update makes you restart your machine, and why this is a bad/good thing:

Actually regarding Tony's comments on Windows Update -- Microsoft do have a certain amount of justification for continuing to bug you to restart. The thing is that in that state (where an update has been partially installed and a reboot is required) it's not completely safe to keep working on your computer. Some parts will be protected, other parts will not be. And its possible that one of the protected parts may want to call into some protection code in another part that isn't yet actually available (because the file couldn't be replaced until a reboot), causing it to die horribly, or otherwise misbehave.

What you should instead be doing is to not install the update in the first place until you're ready to reboot. This will of course leave your computer vulnerable in the interim -- but there's no guarantee that it'd be any better before the reboot anyway. It depends on how many files couldn't be replaced without rebooting.

Gavin

Ho ho. I see that "Tony" is upset that Windows automatic update keeps pestering him to reboot his machine, even though he pushed the "Restart Later" button.

He's lucky. My "Restart Later" button was greyed out.

I managed to get rid of the dialog by killing some offending system process, but then lost all my unsaved work when the machine rebooted anyway. It costs money to report such bugs to Microsoft, so I didn't. Presumably their next set of updates will be equally violent. Still, I am alert to the danger now, and so are you.

Ken

Killjoy Floridians have locked up a chemistry teacher for making bombs. For shame, you cried:

Damn yanks - back when I was a kid, making electrically triggered explosive devices came under the category of "good, clean fun!". How long will it be before possession of ammonium based fertilizers is a crime. oh wait. it's now a restricted item.

Scott

Lester,

This is bloody ridiculous! My year 8 chemistry teacher used to take us outside all the time to demonstrate reaction rates of sodium and potassium in water. And Acid. That was cool. We destroyed so many of the plastic garbage bins at school. And ran the school out of sodium many times. One student stole a block of sodium, and suffered horrible burns on his fingers, not realising that the skin is also highly reactive with sodium.

My year 12 chemistry teacher taught us how to use various oxides to put colour into fireworks. And make propellant for fireworks, and make fuses to ignite the propellant to effectively disperse the oxides for very pretty fireworks! We would get drunk at parties, and make our own fireworks, supplied with chemicals, err 'acquired' from the chemistry department. He even taught us to make remote fuses, with platinum wire, and a 9V battery. No lit fuse necessary. People got burnt, we laughed. What’s next? A law suit against Johnny Knoxville for making JackAss the movie?

Come on America, GET A LIFE! The anarchist’s cookbook is still available on the web. And I've had several copies archived since '97. Good luck folks.

Byron

On that explosive note, we will leave you and head off for a weekend filled with incendiary devices. Enjoy. ®