
Thread: Another new "critical" hole in Windoze.

  1. #11
    mandraketux, I know what you mean. If Microsoft released the Windows source, it's pretty much a guarantee that coders and hackers everywhere would be reading through the source finding vulnerabilities. It would (in theory) also make Windows more secure because, like Linux, people everywhere could contribute patches, but of course not before many Windows boxes would be compromised.

    -noix-

  2. #12
    Banned | Join Date: May 2003 | Posts: 1,004
    No matter how many times I say that, people always come back and ask which is the most secure. To answer that question you must ask them a question: "Which one are you most knowledgeable about?" because that's what it comes down to with security.
    According to the good people of ISO-15408 auditing, Windows is more secure than Linux.
    According to the good people of the DOD, Windows is more secure than Linux.

    System security is _not_ measured by the configuration, it is measured by capabilities and assurances. These are highly quantitative and not all abstract like admin skill.

    mandraketux, I know what you mean. If Microsoft released the Windows source, it's pretty much a guarantee that coders and hackers everywhere would be reading through the source finding vulnerabilities. It would (in theory) also make Windows more secure because, like Linux, people everywhere could contribute patches, but of course not before many Windows boxes would be compromised.
    Source auditing is utterly awful for the point of security, and if your system relies on it, then your development model is just beyond awful and your whole system needs to be scratched. Review the security life cycle components of the advanced waterfall development model sometime and tell me where you see source audit.

    Proper development consists of two aspects, validation and verification, not debugging. Predefined test suites are developed for testing purposes. (More hard-core cases would likely involve the code in question going through a Boyer-Moore theorem prover, but this is rare.) Debugging is what people with no development process do, and the end product as a result tends to be garbage and inspires "truths" like "no software can be perfect." Which is, of course, an utter lie, as software is only capable of binary logic, which is provable.

    Case in point: the Linux source has been gone over countless times, yet no one has fixed the damned access controls! How much more basic could you get? Coders don't tend to know things like multi-actioned security commands being inherently secure... so no one fixes it. No one fixes the kernel either! It's the 21st century and people are still using a monolithic system? *gag* Yet the source is available and it hasn't been fixed.

    Microsoft needs to go back to proving security solutions for those who care, but telling the rest of the world to piss off by selling a very insecure product by default.
    Linux, on the other hand, needs to be touched by someone who went to college.

    catch

  3. #13
    Junior Member | Join Date: Jul 2003 | Posts: 28
    Another problem we have is that a lot of the insecurities coming from MS are with 4 main things: the OS itself, Outlook, Media Player 9 and Internet Explorer. The total amount of Linux vulnerabilities doesn't come from a small number of things like that but a great number of things. The operating system itself isn't to blame, but other programs that are associated with the OS which would come separately with Windows. This is where statistics come into play, and you can make statistics go any way that you'd like. Compare a complete Red Hat distribution, which comes with everything you'd ever need on the desktop, to Windows, which is just an OS, internet browser and mail reader. Now let's just compare Linux itself, Mozilla and Balsa to Windows. Oh well, look at there... the numbers seem to be different.

    Next we go back to the money thing. A multibillion-dollar OS with thousands of PAID engineers has more (or less, depending who you ask). If I'm going to pay for a product (quite a hefty penny at that) I want a product which is much better than Windows. Especially a product that so much of the WORLD relies on. If I worked for MS products I'd feel pretty bad knowing a lot of people around the world are putting out a better product (arguably) than I am.

    Seabass

  4. #14
    Banned | Join Date: May 2003 | Posts: 1,004
    Another problem we have is that a lot of the insecurities coming from MS are with 4 main things: the OS itself, Outlook, Media Player 9 and Internet Explorer. The total amount of Linux vulnerabilities doesn't come from a small number of things like that but a great number of things. The operating system itself isn't to blame, but other programs that are associated with the OS which would come separately with Windows.
    That, and the VAST majority of NT holes can be fixed by using a suggested non-default configuration. Nearly all Linux holes require source code fixes. (It's not that Linux lacks configuration problems, just that these are rarely reported because Linux has such a myriad of default configurations.)

    Why is this the case? Because NT security is far more finely grained than Linux's, and consequently hardening is more effective. Linux's multi-action commands lead to a situation where rights propagation is mathematically impossible to predict and the system will organically transport rights where they should not go. NT's single-action command ability allows for full prediction of rights propagation, and consequently the security policy is not constantly in a spiral towards entropy as Linux's is.

    catch

  5. #15
    Senior Member | Join Date: Oct 2002 | Location: Michigan | Posts: 7,177
    Originally posted here by catch

    Case in point: the Linux source has been gone over countless times, yet no one has fixed the damned access controls! How much more basic could you get? Coders don't tend to know things like multi-actioned security commands being inherently secure... so no one fixes it. No one fixes the kernel either! It's the 21st century and people are still using a monolithic system? *gag* Yet the source is available and it hasn't been fixed.
    catch
    So then, why don't you download the code to the kernel and FIX IT? Sitting there bitching about how someone codes an OS and saying how easy it is to fix... Well, what are YOU doing about it?

    If it's so easy, fix it, send it in, and make the world a better place. It's much better than sitting there judging someone, which no one but God has the right to do. It's one thing to poke fun at an OS, but when you attack it and claim how easy it would be to fix it... Well, do it then, ****.

    While we are talking about security for once:

    When you install Windows, you have to sit there for how many hours updating it? And half of them, if not all of them, need a damned reboot after. My Linux box has needed a reboot ONCE. I updated the Nvidia drivers. That's it. Windows, and I mean 95 through Server 2003, needs to be rebooted for EVERYTHING.

    You install an update, reboot, install a game, reboot, install a security patch for the game, reboot, install a security patch for the OS, reboot, install a security patch for the security patch you just installed, reboot.

    I thought it was odd: after installing Windows 2000 Pro, I had updated a few things, and instead of getting ahead, with every patch I installed, Windows Update would add more I needed, to fix the fixes.

    Also, you can't tell me that Windows would make an all-around better server. For one, the fact that a GUI needs to be loaded at ALL times makes it need more RAM; *NIX doesn't even need a GUI, therefore needing less RAM than a Windows server.

    And unless I'm totally misunderstanding the server part here, the more RAM you have for the system, the better it can do its tasks. Also, have you EVER seen a *NIX box crash? I have not. I've seen Windows pass out from a ping though.

    Windows is good for desktops, that's about it. And the firewalls for Windows... ****, send the right packets and you can take them down, or make them crash. There was a port blocker on the net like a few months ago; it was very good. But if you could make it crash or confuse it, it shut down. That's NOT secure. Guess that's why all those Windows boxes have OpenBSD firewalls.

  6. #16
    Banned | Join Date: May 2003 | Posts: 1,004
    So then, why don't you download the code to the kernel and FIX IT? Sitting there bitching about how someone codes an OS and saying how easy it is to fix... Well, what are YOU doing about it?
    Because I have no desire to; the whole Linux movement doesn't do anything for me. I like to work within more mature development models.

    If it's so easy, fix it, send it in, and make the world a better place. It's much better than sitting there judging someone, which no one but God has the right to do. It's one thing to poke fun at an OS, but when you attack it and claim how easy it would be to fix it... Well, do it then, ****.
    Fix it? It should have been shot in the design stage. I am judging no one; I am judging Linux. Again, why would I want to fix it? There are many better systems that I enjoy and give my time to. Linux isn't one of them. (The PSOS people have my attention right now.)

    When you install Windows, you have to sit there for how many hours updating it? And half of them, if not all of them, need a damned reboot after. My Linux box has needed a reboot ONCE. I updated the Nvidia drivers. That's it. Windows, and I mean 95 through Server 2003, needs to be rebooted for EVERYTHING.
    Windows updating is rarely needed and I rarely do it; most of the security updates are just to fix things that can be fixed with good configuration. Rebooting? Win95 is beyond the scope of this conversation, but the NT line not only has tools to skip rebooting, you can also just kill and restart Explorer for nearly everything. Not only that, but at the corporate level NT clustering technology is just light years ahead of Linux's if you really want to talk about stability.

    You install an update, reboot, install a game, reboot, install a security patch for the game, reboot, install a security patch for the OS, reboot, install a security patch for the security patch you just installed, reboot.
    You may, because you never bothered to look into alternatives; I, however, did a little research and don't. Most of my Win2k systems have been up just over 23 months now.

    I thought it was odd: after installing Windows 2000 Pro, I had updated a few things, and instead of getting ahead, with every patch I installed, Windows Update would add more I needed, to fix the fixes.
    You are confusing updates and patches. If you update your Media Player or MSIE or the like, there are then new patches for that release as well; this is because MS supports multiple revs at the same time, and as such it makes more sense to have separate updates, rollups, and patches.

    Also, you can't tell me that Windows would make an all-around better server. For one, the fact that a GUI needs to be loaded at ALL times makes it need more RAM; *NIX doesn't even need a GUI, therefore needing less RAM than a Windows server.
    Considering RAM is dirt cheap these days, that really isn't an issue; plus, the inactive GUI uses very little resources. However, yes, if you are looking to run a personal server and you are on welfare and have no requirements besides cost, go with Linux.

    And unless I'm totally misunderstanding the server part here, the more RAM you have for the system, the better it can do its tasks. Also, have you EVER seen a *NIX box crash? I have not. I've seen Windows pass out from a ping though.
    The more RAM, the better it can do its tasks, to a point. My current web server cluster (4 systems) never gets over a cumulative of around 900MB and I have 768 per... so yeah, I'm good for a while. The benefits I gain from spending an extra $30 on RAM more than compensate for this. Have I seen a UN*X system crash? Um... yeah? So what, is that supposed to represent some great proof?

    Windows is good for desktops, that's about it. And the firewalls for Windows... ****, send the right packets and you can take them down, or make them crash. There was a port blocker on the net like a few months ago; it was very good. But if you could make it crash or confuse it, it shut down. That's NOT secure. Guess that's why all those Windows boxes have OpenBSD firewalls.
    The NT microkernel architecture gives the opportunity for far superior kernel-proxying firewalls, not that ghetto 3rd-generation stuff that OpenBSD runs.

    You say you want to talk security... yet you don't make a single security-related point. You are defending a system that is too weak to even be evaluated against DOD-STD-5200.28? A system that scored a pathetic EAL2 against ISO-15408? A single-level system, with a superuser and transitive rights? A monolithic system ("finite state machine? duh, what is that?") with perhaps the least finely grained access control model of any OS? A system which features no integrity controls, no temporal access controls, no trusted subsystems, no security kernel, no network flags, no structured domains, no CAF, no separation of administrators and operators, no ISO account, no covert channel protections, no secure logon sequence even.

    Yeah, let's talk about security, but speak in facts... not personal attacks, accusations, or highly subjective terms... personal observations and the like.

    catch

    PS. Windows NT and SUE are not the same; mixing the two just makes you look like you haven't a clue.

  7. #17
    Junior Member | Join Date: Jul 2003 | Posts: 28
    And again... I'd expect nothing less from an OS that I have to pay for. I get/use Linux for free and I seem to have a lot fewer problems than anyone that I work with (who all use Windows). It's not about which is better or worse... it's the freedom to choose. Yeah, so what if I have just as many patches to install as a Windows user? They paid for their software, I didn't (those who use pirated software excluded, of course)... so if I were using that product I'd be pretty mad that I paid for it and have to update/patch the same amount as the guy next door who got his for free.

    And gore makes another great point: the reboots. I was installing Win2K on my laptop a few weeks ago. In the meantime I was chatting on IRC (www.bitchx.org)... well over two (2) hours into the install I was still rebooting. I counted 11 reboots... that's right, 11, by the time I got it up and running. And this was just installing Windows and patching/updating everything. I hadn't even begun to install software yet. No thank you... you can keep that.

    On the machine I'm on right now I ran Win2K for a long time. Decided I had enough of it and put RH9 on it. That was 53 days ago. Install took right around one (1) hour. This included, of course, the OS and all software that I'll pretty much ever need (some games excluded). I had an office suite, graphics suite, internet access, mail program, etc. I did download Mozilla Firebird afterwards since it came out after RH9 was released. I patched a few things here and there... I was at an hour and a half. One reboot! A few days later I installed Return to Castle Wolfenstein (RTCW), RTCW Enemy Territory, Unreal Tournament, Unreal Tournament 2003 and Quake 3. Still... only had that one reboot from when I first installed it. I patched 2 things this week (I was slacking) and still... ONE REBOOT from when I installed it. The only time you have to reboot a Linux box is a hardware change, kernel rebuild or a power outage. Now let me ask my wife how many times she's had to reboot her XP machine in the past two months.

    [seabass55@TFHS seabass55]$ uptime
    21:20:19 up 53 days, 42 min, 2 users, load average: 0.16, 0.11, 0.09
    [seabass55@TFHS seabass55]$

    So you know what... for not spending a penny (other than the games I bought, which you'd have to buy in Windows too) I say I'm pretty happy. Why is the wife using Windows... work... otherwise... buh-bye.

  8. #18
    Senior Member | Join Date: Oct 2001 | Posts: 748
    With the proper tools a Windows system can be built to current patch levels with a straight install from CD. You just have to slipstream the patches into the install CD.

    http://support.microsoft.com/default...b;en-us;814847

    You can also install multiple patches without rebooting using QChain.

    http://support.microsoft.com/default...296861&sd=tech

    In many cases, if you are maintaining many machines or have a need to build systems frequently, you can keep these utilities around in batch files that you keep updated. Then you can quickly and easily build NT systems.
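    As an added illustration of the batch-file approach described in this post (not code from the post, the thread, or Microsoft), here is a build script that chains several Windows 2000 hotfixes without rebooting between them and then runs QChain once before a single reboot. The hotfix package names, the E:\hotfix path and the build.log file are placeholders; the /Z and /M switches are those of the older hotfix installers, so check each package's own switch list before relying on them.

```batch
@echo off
REM Added example: chain several Windows 2000 hotfixes, then run QChain.
REM Package names and the hotfix directory below are placeholders;
REM substitute the packages actually downloaded for the build.
setlocal
set PATHTOFIXES=E:\hotfix

REM /Z = do not reboot after this package, /M = unattended (quiet) mode.
REM Installing several packages with /Z leaves their file replacements
REM pending until the next reboot; if two packages touch the same file,
REM the one installed last wins, even when its copy is older. Running
REM QChain once at the end resolves that list so the newest version of
REM each file is the one kept after the single reboot.
if not exist "%PATHTOFIXES%\qchain.exe" (
    echo qchain.exe not found in %PATHTOFIXES%, aborting build.
    exit /b 1
)
for %%F in (
    Q111111_W2K_SP3_x86_EN.exe
    Q222222_W2K_SP3_x86_EN.exe
    Q333333_W2K_SP3_x86_EN.exe
) do (
    if exist "%PATHTOFIXES%\%%F" (
        echo Installing %%F
        "%PATHTOFIXES%\%%F" /Z /M
    ) else (
        echo Missing hotfix package %%F >> "%PATHTOFIXES%\build.log"
    )
)

REM Run QChain exactly once, after every hotfix, then reboot once.
"%PATHTOFIXES%\qchain.exe"
echo %DATE% %TIME% hotfix chain complete >> "%PATHTOFIXES%\build.log"
endlocal
```

    A build done this way needs only the one reboot at the end of the chain instead of one per package, and the log line gives a simple record of which packages went onto each machine.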

  9. #19
    Banned | Join Date: May 2003 | Posts: 1,004
    seabass55 brings up some good points, though unlikely in the way they were intended.

    NT is _not_ a great home user system. If you are new to computers or lazy, MacOS is better, and if you like to constantly tinker with your system and don't feel like spending any more, Linux is the way to go.

    However, if you wish to run a secure home system without spending thousands of dollars... NT is the best non-research project you can get. If you are a company that doesn't want to spend tens of thousands of dollars developing, and having approved, a due care, best practices guide for your system, again NT is the way to go. If you work in an environment that requires >=EAL4 systems... well, Linux ain't gonna cut it.

    If you have an old 486 lying around with 16MB of RAM... don't even dream about sticking Win2003 on that system... Linux is a far better choice.

    Etc, etc, etc...

    I do have a request though... please, please... please do not debate with personal opinion. Just because something happened for you doesn't mean that is the norm. It could mean that you have hardware damage, it could mean that cosmic rays had it in for you, it could even mean that you are just not educated enough to do something the right way. When comparing systems... they need to be compared against a standard yardstick, and for security (what I thought this thread was about) that yardstick is the Common Criteria (ISO-15408).

    catch

  10. #20
    Banned | Join Date: May 2003 | Posts: 1,004
    lol, you gotta be kidding me. Are you Bill ****ing Gates? First, for the record, I use more OSs in a week than most people know exist. Everything from BSD, Linux, UNIX, Windows Server 2003, Windows 2000, Windows XP, DOS, and a few things I won't mention for your sake.
    Don't talk down to me; there is no need for that. I have been an assistant moderator on the ACM's OS SIG for quite a while now. I have been on independent auditing teams for the NT B feasibility papers, the Standard Mail Guard and its parent system LOCK. I have consulted on the KSOS ASIC port project and am currently working on an R12k PSOS under IRIX project. And for my day job I was on the Sr. design team for AITOS (the first OS since LOCK to formally target the NCSC A1 criteria).
    You don't need to ooh and aah, but talking down to me is uncalled for as well.

    RAM being dirt cheap doesn't mean **** if you're running something like hotmail.com, which by the way ran FreeBSD until everyone laughed at Microsoft for it. After a few months they actually got the site "usable" on Windows 2000 boxes, with of course Solaris holding it up in the BG.
    They ran it on FBSD because it was a monumental task of swapping over a 100 million user system, the likes of which had never been done before. They are currently in the process of switching the back end, and keep in mind the only reason MS purchased Hotmail was to switch it over to Win2k to develop the case study. The switch was always part of the plan, not because they got laughed at for it.

    Microsoft should've stuck with XENIX; it's the best server OS they ever sold. Ugh, I can't even begin to think WHY someone would run Windows as a server. And as for you updating... Dude, are you ****ing nuts? Every virii writer on earth targets Windows and you don't hardly update?
    Viruses can be defeated with proper configuration. I use no anti-virus software, neither does my work, and neither of us has ever had a problem. It's just a matter of dealing with process propagation and trusted resources correctly.

    Your network must have more ****ing bugs than a whore on 7 Mile. Oh well, you seem like one of those corporate ass kissers who believes piracy is actually a threat to software companies like Microsoft. And then you tell me I seem like I have no idea what I'm talking about? Man, you're rambling on a bunch of ****. What the **** is your job? Innovative spender?
    Again you are needlessly rude... are you switching to insults because you have no facts to defend your points? Piracy is a threat, and my current position is really not relevant.

    Ok, I just got done watching C.H.U.D. so I'm in a good mood. Let's have a challenge: you stick to Windows... which we all know is nothing more than see-through glass covering a big ****ing hole in your wall, and I'll take Solaris.
    A challenge... heh, ok... you present fact one and we can discuss it; otherwise kindly keep these highly uncalled-for comments and language to yourself.

    catch
