PHP coder needs Tor details

Eugen Leitl eugen at
Tue Feb 13 16:35:16 UTC 2007

Okay, I'll chomp upon this troll bait, and descend into lame OS penile
metrology. Hit delete *now*.

On Tue, Feb 13, 2007 at 03:26:55PM -0000, Tony wrote:

> Windows hasn't rendered active content by default since XP SP2. 

I beg to disagree. Outlook pane preview or opening a Word document,
or clicking on an attachment is equivalent to external code execution. How 
do you think that malware makes it onto those 250 Mzombies I mentioned? 

Have you seen a Unix mail client where the default operation
on an attachment is execution? Try executing something random
you download off the web either in KDE or Gnome, it's rather pedagogical.   
Have you seen a FLOSS browser which comes with that great 
technology called ActiveX? God knows Firefox
has its issues, but IE it's not.

> It has never rendered it by default in Vista or Windows 2003.

All very widespread operating systems, Vista especially.
And Windows 2003 server default browser settings are pure joy.
Nothing works anymore, so users so love it.   
> Windows also no longer runs as administrator by default (I guess you havnt used Vista yet).

No, and I won't, unless I have to set up a VMware system for it at work.
I refuse to buy and run DRM-infested systems on principle. 

The necessity to install and run many userland things as
administrator is only indirectly Redmond's fault, but it
has become a part of the information ecology. It doesn't
matter that your OS wants you to be safe, but the applications
don't. You're stuck with that tar baby for a while.
> Its not just in theory. For instance IIS is now so improved that many 
> sites fed up with the constant hacking, exploits, defacements and 
> patching regime dependency compatibility issues that they experience 
> on Linux are migrating over to Windows server 2003. This has been a 

I don't know what they're experiencing on Linux (it's not a particularly
secure operating system, unless cared for properly, I'd rather like
to get away from it on the long run, OpenBSD being the most likely candidate), 
but I don't know what a web server has to do with the OS kernel. You're 
probably (I have to guess here) referring to PHP, which is a) not a web 
server, nor an operating system b) should be certainly considered a cracker 
facilitation tool.

Clearly Sturgeon's rule directly applies here. 

> consistent trend for some time now and Apache just dropped below 

Yes, I've stopped using Apache a long time ago. Strangely enough
my web server isn't even mentioned in the statistics. And it
is also pretty low on vulnerabilities count. Isn't diversity

> 60% market share for the first time since 2002 as a direct result 
> of cumulative migrations from Linux to Windows.

Yes, these numbers are really so meaningful, especially since
GoDaddy converted to MS and hence IIS for no obvious reasons, and it
made rather a spike on the pool. Also, again: Sturgeon's rule.
As you know, millions of flies can't ever possibly be wrong,
so let's all dine on excrement.
> As you say 'most installations are now secure by default'. Touché. 

I guess time will tell. I do not anticipate a decrease in the
number of Windows zombies anytime soon. But if it happens it 
will be certainly a pleasant surprise. 

As to tor, I just wouldn't run it on a non-server system.
(No, Windows 2003 Server is not a server OS -- I know, since
I have to support it).

Both the IP stack performance is awful, there are resource
exhaustion issues which require periodic reboots lest system
lockups occur, and you're not supposed it make it easier
for Mallory by running a router on a vulnerable system.

Eugen* Leitl <a href="">leitl</a>
ICBM: 48.07100, 11.36820  
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
URL: <>

More information about the tor-talk mailing list