[KLUG Advocacy] The infamous "libz" "Open Source hole" exists on Windows! -- WAS: Dell-Oracle-RedHat "Unbreakable Linux"

Adam Williams advocacy@kalamazoolinux.org
Fri, 7 Jun 2002 08:55:58 -0400 (EDT)


>>http://newsforge.com/comments.pl?sid=24112&cid=14949
>>Very insightful.  I hadn't thought of that.
>Yeah, I love it!  All these MS-IT media bigots going on and on how "how
>could such a crucial, popular Open Source (BSD) library have such a
>critical hole for so long?"  Hey, it happens!  I agree, it was a
>shocker!

How come IE keeps having the same ridiculous security problems over and 
over? I can pull up a user's session variables, username, and *password* 
with a simple JavaScript.  It happens, yes.  Complex systems are... well... 
they're complex.  But if the problem is libz I can fix it or motivate someone 
else to.  If it's IE, I wait (and wait) for the next patch, and hope.

>But then, you find out Windows is using the _same_damn_ libz library
>_unchanged_ for LZ77 algorithm compression in Windows for _everything_,
>from Expand (the *.??_ files) to CABs (*.cab)!  But do we hear anything
>about this in the MS-IT media?  No!  

But does Win32 use libz for any critical functions?  To use CABs or files 
that need "expand" and do any real damage (to a properly configured 
system) one needs to be running with Administrator access.  An administrator 
who uses CABs (or whatnot) from unknown origins is a flake.  Linux, on 
the other hand, uses libz inside privileged processes on a very regular basis 
(logrotate for example).  So maybe it isn't as easy (but certainly not 
impossible) to exploit on Win32. 

>Now this "study" comes out.  Oh,
>BSD is "safer" than GPL because it can be taken "closed source."  Yeah,
>I'll believe that after seeing "libz" in Windows -- yeah.

That was never anything other than FUD.  Even most "real" Windows techs I 
know snicker at this closed-is-better security rhetoric.

>As a 10-year veteran of seeing NT "mature," this disgusts me.  I'm
>sorry, but the sad state of _denial_ in the MS-IT industry is just
>_pitiful_.  

I honestly don't think it is so much denial as that they SERIOUSLY believe, 
with religious zeal, that they have no other option.  So why carry on about it? 
That's just a fact of life (to them).  The quote I remember is "It is 
better to be on the steam roller than in front of it" in reference to 
supporting anything other than M$ platforms.  There is no point in 
arguing with that kind of attitude; they just start to think YOU are the 
brainwashed zealot.

>Windows is _built_ on BSD/public domain Open Source. 
>Anything that affects Open Source affects Windows.  

"Anything" is a bit strong, but close.

>Given the exodus to
>GPL/copyleft by more and more BSD/public domain projects and you can see
>_why_ Microsoft is worried!

There is an exodus to GPL?  My general sense was the opposite.  Many GPL 
projects seem to be making changes to be more BSD-ish friendly (unixODBC, 
Asterisk, etc...)

>"But it's national security we're talking about!"  Yeah, and they're on
>the wrong side of the argument.  As they even admit, 80% of major
>Internet services are running GPL -- yet that 20% of non-GPL seems to
>get all the "cracks"?  Yeah, hmmm, yeah.

The Pentagon isn't buying that either.  Despite Hollywood's portrayal of 
them as warlocks in uniform, they are a seriously smart and intellectually 
rigorous bunch of chaps (and I suppose chapettes these days).  Listening 
to them speak, or reading the stuff they write, lets one understand how the
military can rise to power in so many nations.  Compared to them most 
congressmen are knee-jerk, inarticulate, ignorant bumblers.
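The post above argues that a libz bug matters more where libz is mapped into privileged processes (logrotate is the example given). The following is an added example, not part of Adam Williams's message or of any project discussed in the thread: a POSIX shell script that walks /proc and lists every process that currently has a libz.so mapped, together with the uid it runs as, so an administrator can see which root-owned processes would be exposed by a zlib flaw. It assumes a Linux-style /proc layout (per-process `maps`, `status` and `comm` files); the fake process directory used below for checking is constructed, and reading another user's `maps` requires root.

```shell
#!/bin/sh
# Added example (not from the original post): find processes with zlib mapped
# and report the uid they run as. Assumes a Linux /proc layout.

# maps_has_libz FILE : exit 0 if FILE (a /proc/PID/maps-style file) shows a
# mapping of libz.so (any version), else exit 1.
maps_has_libz() {
    grep -q '/libz\.so' "$1" 2>/dev/null
}

# uid_of_status FILE : print the real uid from a /proc/PID/status-style file
# (the "Uid:" line carries real, effective, saved and filesystem uids).
uid_of_status() {
    awk '/^Uid:/ { print $2; exit }' "$1" 2>/dev/null
}

# scan_proc [PROCDIR] : print "pid uid comm" for every process under PROCDIR
# (default /proc) whose address space contains libz.so.
scan_proc() {
    procdir="${1:-/proc}"
    for d in "$procdir"/[0-9]*; do
        [ -r "$d/maps" ] || continue          # unreadable (not ours) or no such dir
        maps_has_libz "$d/maps" || continue
        uid=$(uid_of_status "$d/status")
        comm=$(cat "$d/comm" 2>/dev/null)
        printf '%s %s %s\n' "${d##*/}" "$uid" "$comm"
    done
}

# privileged_libz_count [PROCDIR] : how many libz-using processes run as uid 0.
# These are the ones where a libz bug means a root-level problem.
privileged_libz_count() {
    scan_proc "$1" | awk '$2 == 0 { n++ } END { print n + 0 }'
}

# Stand-alone use: list the live system's libz users and the root-owned count.
scan_proc "${1:-/proc}"
printf 'root-owned processes with libz mapped: %s\n' "$(privileged_libz_count "${1:-/proc}")"
```

Run it as root to see every process; as an ordinary user it only sees its own. A non-zero root-owned count is the practical version of the post's point: those are the processes an attacker has to feed crafted compressed data to, and a libz fix has to be followed by restarting them (or rebooting) before the mapped copy is actually replaced.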