Microsoft plans Windows overhaul to fight hackers - Page 6
Page 6 of 7 FirstFirst ... 4567 LastLast
Results 51 to 60 of 62

Thread: Microsoft plans Windows overhaul to fight hackers

  1. #51
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Giving you a weak system securely configured and myself a stronger one horribly configured proves that the system is more important than the admin.

    Giving us the same system would demonstrate nothing on the importance of the system type. Remember, my whole arguement is that the system type is more important than the admin. Having a secure system configured as badly as damn near possible be more secure than another system heavily locked down proves my point soundly.

    If your argument was correct, it wouldn't matter what systems we used, yours would be configured better and would therefore be more secure by your logic on how it all comes down to the admin.

    I use the exagurated systems to prove the point clearly, but it is just as true when comparing more similar systems.

    Any "normal", production OS written for general "consumption" reaches a point where it can no longer be secured without it becoming unusable
    This would be a myth except for your use of the very vauge terms "normal" and "general." I have a few highly secured NT/UN*X work alikes that are radically different in structure from what most people are used to, yet your average user cannot tell the difference and they drop in seemlessly into normal general consumption environments. The only way you can tell it is different is my using a normal exploit against it.

    catch

  2. #52
    AO Part Timer
    Join Date
    Feb 2003
    Posts
    332
    catch-

    Just curiously. You mentioned computer security criteria above. Are the rainbow books worth reading? If so, do you know where I might get a copy of the rainbow books? Either electronic, or hardcopy.
    Thanks

    As far as that goes, anybody whom knows the answer.
    Please feel free to assist me. I have heard mention of these books more than once, and again. He threw out the word criteria. Made me think of the rainbowbooks.
    Your heart was talking, not your mind.
    -Tiger Shark

  3. #53
    Banned
    Join Date
    May 2003
    Posts
    1,004
    YES the rainbow books are very worth reading and I mentioned the Orange book (DOD-STD-5200.28) in a previous post in this thread.

    You can find the series at the national Computer Security Center:

    http://www.radium.ncsc.mil/tpep/libr...bow/index.html

    Also at www.radium.ncsc.mil you will find the evaluation notes for NT's C2 evaluations, notes on the Common Criteria (ISO 15408) and lots of other goodies.

    catch

  4. #54
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Catch:

    Giving us the same system would demonstrate nothing on the importance of the system type
    I dunno if there is a typo there - I'm reading it as "nothing _of_ the importance" since it seems more logical in the context and am answering my reading of it..... If I'm wrong - Oh well.... I was wrong once before.....

    Er... No. It proves nothing regarding system type. If I was skilled on your AITOS6 system and we went head to head the system is just as irrelevant as if we used Win98. Then it comes down purely to the Admin. The better admin will produce the more secure system given the same systems. All you prove by putting your AITOS6 systems against a real-world system is that you have more dollars and more time - and then were back to the uneven playing field again. With all things equal then it is the human that makes the difference in the long run.

    Having a secure system configured as badly as damn near possible be more secure than another system heavily locked down proves my point soundly
    But your bad admin on your super-secure box _will_ be bitten in the @$$ someday by someone with the time and the talent - which is my point. You appear to be moving the question away from the use of an admin towards a "better" OS. Our original difference was the fact that a good admin on any system is _not_ irrelevant to the security of the box - it was subsequent to that that you brought up the fact that system matters..... That isn't the point since the discussion is about the real-world rather than the super secure/dollar cost/time invested systems to which you are now referring. Plainly, if I'm using a system written by a moron and your using a system written by the most talented and security conscious group of programmers on the planet then the question of admins making any difference becomes moot. And again, that is not the subject I took issue with.

    If your argument was correct, it wouldn't matter what systems we used, yours would be configured better and would therefore be more secure by your logic on how it all comes down to the admin.
    Now that statement is simply flawed logic on your part. Look at it like this: There's a building with 50 floors. You have a ladder that is 500 feet long and you give me a ladder that is 50 feet long and challenge me to reach the same level as you by using only the ladder. What chance do I have?????? That's what you are giving me in your example - a fifty foot ladder. Now if we both start with a 500 foot ladder and you get vertigo before I do then I will attain a higher level on the building than you. You had a chance - but you were not as able to use the same equipment as successfully as I did. Hence, ladders being equal, the ladder climber is more important - which is what I am arguing, and have been all along.

    This would be a myth except for your use of the very vauge terms "normal" and "general."
    Which you promptly followed with:-

    The only way you can tell it is different is my using a normal exploit against it.
    Well, you got me on that one..... Sorry, I found it very funny...... But with regard to the point you are making I really don't fear the "normal" exploits..... Because I know about them, they are published and my systems are either mitigated against them or patched against them or both. The problem comes from the "abnormal" exploits - and yes, your going to tell me that your on super-secure box it is easier to pick up on the fact that it has been exploited - but the reality is it was exploited just like my poor little Win98 box..... Exploited is exploited, period, and just like the fact that no matter how tough you think you are there is always someone tougher out there the same applies here - no matter how good you think your OS and security measures are if someone can get to the box then they can find a way in eventually. All you are doing by using your system as an example is to put off the inevitable longer than I can.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #55
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Originally posted here by catch

    Actually trusted systems are quite frequently used by large corporation, though on limited servers. Rarely will you see an entire multi level subnet.
    I know for a fact that nearly ever major bank uses them as well as many technology companies, (IBM, HP, HDS, Intel, SUN, and SGI to name a few) and of course all secure US government/DoD systems.
    catch
    Catch, are you considering MVS to be a trusted system? If not, then what you are saying is not true at all. MVS runs most banks and utilities. In all of the work that I have done in large corporations and with everyone I know in IT, I have never come across a trusted system that was not being used in relation to DoD, other government projects, or "secret" commercial product development.

    You also mistook my comment. "It is just that those type of OS'es are not at all applicable in a business environment that requires flexibility and adaptability." A trusted OS gives you maximum security at the cost of not being flexible or easily usable. Easy is a very relative term here as an expert in trusted OS'es can easily use them, but a computer idiot would be lost. So yeah, there is always the possibility that a large corporation could have a couple of trusted systems. However, those systems are not what is running the business. The systems that are running the businesses are MVS, Unix, and Windows.

  6. #56
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Tiger, you said that "It all comes down to who runs the box."
    This is simply _not true_

    My challenge proves that. The better admin with a weaker base in my example will end up with a less secure system, no two ways about it.
    This is to everyone out there that says :"It doesn't matter what system you use, it is all about how good your admin is." Which, is utter BS.
    To further the point, AITOS6 has a comprehensive TFM, so with no prior experience anyone could follow is procedures and end up with the most secure configuration.

    You have a ladder that is 500 feet long and you give me a ladder that is 50 feet long and challenge me to reach the same level as you by using only the ladder. What chance do I have??????
    You're the one that said it doesn't matter what ladder (OS) you have, just who is climbing (admining) it. Don't hold me responsible for your receiving the shorter end of the stick in my example.

    But with regard to the point you are making I really don't fear the "normal" exploits..... Because I know about them, they are published and my systems are either mitigated against them or patched against them or both.
    By "normal" I mean normal type of exploit, 0-day or not. For these systems to be exploited the exploit must specifically target a flaw security kernel device, which allows the system developer a far smaller surface area to worry about.

    no matter how good you think your OS and security measures are if someone can get to the box then they can find a way in eventually
    This is also simply not true. In the example my AITOS6 system is still theoretically impossible to compromise remotely. You would be required to create an exception in the security kernel and its security is a verified finite machine. (every single possible state the security kernel could ever possibly exist in has been mapped and verified as being a secure state.) This system was of course initially based off of the Ford OS KSOS, developed in the late 70's.

    So again, if weak systems with poor assurances (eg no/bad TFM) are concerned... then yes the admin is important and when comparing Linux to OpenBSD for example it does all come down the the admin. When comparing different capability systems or high assurance systems (with well formed TFMs) the question of the admin goes out the window and it is possible to migrate to a more mature organizational architecture. The CMM link ( http://www.sei.cmu.edu/cmm/ ) I provided a few posts ago applies to administration as well as development.

    mohaughn ACF-MVS is a trusted system, so are VVOS, Trusted Solaris, and Pitbull. All of which can be frequently found in large banks and corporations. As far as users and low level admins are concerned these systems function as their untrusted counterparts, but they are in fact trusted systems and no longer MVS or UN*X. Only high level admins should have enough system exposure to know better, normal users/low level admins will exist within a single compartment/level so it is of no concern to them.

    catch

  7. #57
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Catch: I don't know if you are being deliberately obtuse or what, but at this point I'm leaning towards that...... Which is unfortunate.....

    As an aside.... I took a ten minute womble through Google this lunchtime.... You know, I can't find a single sensible or informative piece of information regarding AITOS6/AIT OS6/AIT OS 6/AIT/AIT secure OS etc. etc. etc. (I found quite a bit about tape drives made by AIT though......) That indicates to me that there isn't exactly a high density, worldwide installed user base for it if it even exists..... That makes your challenge a lot like proving the existence of a supreme being..... Impossible!

    I have been talking in a real world, even playing field scenario while you seem to want to play in a no-apparent-world on a playing field that exhausts me before I get to the ten yard line.

    In short, I have become tired of playing your games with words and I surrender. You can feel free to roam your world happy in the knowledge that you managed to wear down a working stiff doing the best he can. I shall remain down here in my world utterly unaffected by your phyrric victory.

    It was interesting for a while.........
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  8. #58
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I feel it is you that are being obtuse.

    You say "It all comes down to who runs the box."

    I say, it does not all come down to who runs the box, the system type is important as well. And my example of comparing dissimilar systems proves that.

    Why are you incapable of seeing that?

    Of course you can't find any data on AITOS6, it isn't availible for public. I was using it as an extreme example to make a point. If you prefer it could be STOP or LOCK or KSOS, it really doesn't matter. Hell it can even be Linux vs Win98, any two dissimilar systems and the less alike they are, the simpler the example. I didn't realize you were going to refuse abstract thought, my bad. If a logical construct can be disproven with clear variables, it holds just as false with murky ones... real world or not.

    The point is, some systems are objectively more secure than others. the argument about it being entirely about the admin is one made by those who fail to understand system security at the level where they are capable of comparison.

    I am genuinely confused about what you are failing to understand.

    You keep shifting the subject around, the exact system in question (as if it matters) and comparing identical systems (well duh configuration is important if all other things are equal)?

    catch

  9. #59
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    How about you both agree to disagree as it feels your both running in circles, knocking each other's head?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #60
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    MsMittens: You can see that too huh? My head is so freaking sore right now and I don't even have a hangover.....yet...

    Catch: I understand your philosophical position...... But philosophy isn't necessarily reality. The reality is that there a a pile of systems out there that are actually connected to the internet that don't have an army of drones following their precious TFM to keep it safe. Those machines are managed daily by admins.... Some well, most badly.

    While it is fine to take the philosophical "high ground" and tell me that it can be done the reality is that without your, all but, non-existent system and a couple of others, the real world is muddling through with actual operating systems. The discussion started when you made the comment that admins are not required to make a secure system. You know... You're dead right..... In your world..... As I said before...... Additionally, to reiterate, I pointed out that in the real world admins are important..... In fact, they are the only thing the system has there.....

    After that the conversation has seemed to deteriorate and that is why I have raised my white flag.......

    Have fun..... just not too much.... It'll probably be bad for you....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •