And the other plus with the Linux OS is its easier to patch. I can't remember the last time I've needed to reboot for any patches, security or otherwise. Its more modular so I just unload whatever needs patched, patch it and reload it. You can easily roll the patch out across your web farm.

Just got my first warning on Quickbooks running on XP (on Parallels on a mac) saying QB will not be fully functional after 5/31/14.

So, since I am running a Mac, I might try QB for mac.

Anyone use QB on a Mac and take credit cards?

I'm amused that the outcry about this GnuTLS flaw seems pretty muted, at least from what I've read, compared to the breathless "this is as bad as it gets" media coverage of Apple's similar "goto fail" flaw that was just publicized. And this is a security vulnerability in an important open source module that has potentially been around since 2005! That's like 75 years in Internet time!

Definitely a black eye for those who claim that open source software is inherently more secure JUST BECAUSE the source code is publicly available. OK, so if no one else reviews some printer driver code, I can understand that. But a major cryptographic module that "everyone" uses everyday? BIG black eye to the OS community.

And from some comments I've read, that module wasn't even written by people who truly understand crypto and how to properly implement crypto procedures anyway. Another big demerit in my opinion. Phil Zimmerman of PGP fame always emphasized that the proper IMPLEMENTATION of crypto algorithms and software so they interact with the operating system and other software in a secure manner was just as critical as selecting robust algorithms in the first place. I wouldn't trust much of the "security" software, particularly mobile apps, that are floating around these days, to be as secure as they claim.

Did Apple have a security flaw? I think I vaguely remember something like that, but no details. I trust they fixed it. Apple is quite good about that I think. I guess if Apple or opensource did have a security flaw, it might actually deserve breathless media coverage. Since these flaws are so extremely rare compared to that other closed course operating system out there. The novelty of having a security flaw in Apple/opensource would deserve some media coverage due to its rarity. Similar to someone observing a Sasquatch walking around in downtown Denver.


This statement goes to show you how difficult to exploit on a wide scale this flaw is, thus limiting potential harm. But go ahead media, scream breathlessly if you want. Just don't go mentioning that Linux used to make fine china, then furnaces, before they got into operating systems. That is about the ignorance level from mass media I've come to expect, unfortunately.


How so? A vulnerability has been found in opensource code. I don't think opensource said there would never ever be any flaw discovered. How does the quantity of these opensource vulnerabilities compare to the quantity of closed source (Microsoft, et.al.) vulnerabilities found? If you think about that, you'll have to admit that opensource *IS* inheritantly more secure. By a fantastically wide margin. I guess if you are saying one opensource flaw is equivalent to 1000 Microsoft flaws, then you could try to make your point based on that. But nobody would take you seriously if that was your basis.

Anyway, I hope the flaw is patched soon, if it hasn't been already. At least a patch to something like SSL can be applied without requiring all the servers to be rebooted, unlike that other common OS out there. Personally, I won't be throwing out opensource and running to closed source because somebody found a difficult to exploit bug. That would be silly.

What specifically are the security holes in IE and what settings are necessary to counter them, or where can I find out about them?

I just upgraded from my older XP machine to a new desktop with Win7 because of the age of my system and the discontinuation of XP support. With no security updates from MS, it's going to become a hackfest by every twerp with a internet connection and a supply of Redbull. I'm running the current (11?) version of IE and relying on Norton and basic common sense to keep the goblins out (Like not opening Canadian Vi***a ads, or going to websites that use a dictionary in the meta data).

EDIT: Also has anybody used Norton Zone cloud storage? It seems like a good place to put the most critical files.

Open source is more secure because...? The way that so many people parrot that same mantra essentially boils down to almost a circular kind of logic. "Anyone" can contribute code to an open source project and anyone can see the code, ergo, the thinking goes, it is more (pick your adjective) secure/correct/efficient/yada-yada, but as this major GnuTLS flaw so starkly illustrates, just because anyone CAN look at the code for open source software, doesn't mean that anyone actually DOES, at least with a knowledgeable and critical eye. Obviously, with this major GnuTLS vulnerability, nobody did (well, except for the bad guys who may have been exploiting this hole for years).

Actually, I think MS has come a long way since the days about a decade ago when Internet Explorer and the IIS webserver had more holes than a block of Swiss cheese. People would groan when a report about a new IE or IIS vulnerability was published because they just kept coming and coming and were often quite big holes. People were totally losing trust in MS products so Bill Gates made some big decisions.

I remember thinking that when Gates launched his Trustworthy Computing Initiative, it was a huge business and mental shift. Remember, we were coming out of the Dot Com days when "get the code out first, get it out fast" was the mantra in software development. Bill Gates essentially said that MS needed to think of our computers more like appliances or utilities--they need to "just work"--and that's the level of functionality users expected. So the mindset, the procedures, the design, the software tools, etc. were changed to emphasize the quality and security of their code. The level of vulnerabilities in code written after TCI was initiated seems light years ahead in security compared to before. (And most of Win XP was written before TCI, by the way, which is a huge reason to move on). When's the last big IE or IIS vulnerability, the kind you'd read about in the mainstream press? I can't think of one.

Can an open source developer do the same thing? Sure. Do they? Not necessarily. So which model is inherently more likely to produce secure code? A closed system that systematically checks for problems, or an open one that can/might check? There is nothing "inherently" more secure with open source. It is inherently more transparent but that only matters if someone acts on that transparency. A one-person open source project, like an app, could be riddled with security vulnerabilities, no one else bothers to review the code, and yet tons of people may merrily go about using it, feeling confident because they're using open source code and it seems to run just fine. That's akin to "walking by faith, not by sight".

Well the security holes in both are too numerous to list. You can look for all the patched ones on (Microsoft) technet then subscribe to various security lists and read about all the not yet patched.

The biggest problem with IE and OE are the tight integration with the OS so a security flaw in either becomes a flaw to the core of the OS. While other browsers/email can have security flaws they don't hook deep into the OS so those flaws generally stop at a level where they can't cause too many problems.

A number of years ago before we had so many security programs and other web browsers to choose from I mistyped a web address. A simple www.gogle instead of www.google too me to some porn site whose text was in another language and then started popping up many IE windows so fast I had to reboot to stop them. I was running as a non-admin user and still got infected with something that I tried to remove and ended up just rebuilding. Yes (Windows) security has improved since the early days of XP but the integration of end user apps the very core is still the worst thing they ever did to Windows.

I will admit ... they are trying. Some efforts have been more successful than others. I remember trying to use Vista once. Every time I hit a key, up came a popup asking if I really meant to hit that key, and asked if I was aware of the security ramifications of hitting that key. That is no way to treat a user base who probably didn't understand why they even hit that key in the first place, let alone be able to comprehend the resulting Windows popup.

What happened with Microsoft and Windows, is they targeted the "mass market". Most of the end-users of their Windows computers, were, to put it bluntly, totally computer ignorant. So they tried to make things more easy to use by trying to do everything for everybody, to support their target user base. Unfortunately, "we'll do it all for you" and "security" are at opposite ends of the spectrum. When you automate/integrate for ease of use, security goes down the drain. And when you make things secure, ease of use suffers. That is why many Windows users complain about how difficult Linux is, and complain that "Linux is not like Windows, therefore bad". They don't know any better. The target user base of Linux is the opposite of the target user base for Windows.

Open source vs. closed source definitely has something to do with security. But the effect is probably not as marked as the difference in the user base of open source products vs. Windows users. Linux/open source users tend to be much more computer literate and technically savvy than Windows users. And that difference probably has more to do with overall security than the differences in the operating systems. Although Linux and just about every other OS out there, open source or not, is more secure than Windows. Windows has indeed improved over the years. But it is still trails miles behind every other OS in the security area. Under the hood, Windows looks like a mating squid ball. Everybodies tentacles stuck into everybody elses' orifaces. While the squids seem to like it that way, it does not make for a secure and stable operating system.

Apple stubbornly refused to comment on anything related to security before eventually fixing the "goto" bug. (They KNEW, and for a very long time).

The GnuTLS community immediately publishes any information about bugs, security flaws and recommendations. (And fixes it, as soon as humanly possible)

The GnuTLS flaw meant that under some very specific circumstances the security check would indicate "OK" where it should go "Fail".

The Apple "goto" failure meant that under no circumstances would you get a red flag when visiting a https-site; the actual security verification was by-passed all together.

As for legacy code versus open source code, the quality of the code depends on the actual team and management. But would you like the worlds leading cryptographic expert to scrutinize your work? Then you need to make the code public.

I think the bigger picture is that online security is an endless thrust-and-parry business, with serious consequences. It's not one OS versus another; they are all under assault to some degree, from well organized and financed criminal/state entities. Weaknesses are systematically found, hoarded/sold, and exploited for financial (or sometimes political) gain. XP is/was a venerable OS, but it was not designed for this new reality. It's not fearmongering to anticipate some waves of nastiness following the end of support.

In practical terms, I'm wondering about the number of small-store outfits using point-of-sale equipment that may (?) be vulnerable. I might just take the approach I already use with all other online purchases -- a credit card with a $500 limit for everyday stuff. That controls my vulnerability (and the credit card issuer's) to a manageable number without a huge loss of convenience on my part.