I've come to a conclusion on M$ security

Quote:

---

Originally posted here by Tiger Shark
I would rather run Windows because I can control _it_......

So the whole argument is, as usual, moot....

Next subject..... ;)

---

But why? Flat, unsupported statements that are as coherent as Mike Tyson are so much fun to read.. let them bash Windows and Microsoft and praise Unix and Linux to be cool even though most of them haven't the slightest clue about penetration testing, write ups, nor any other level of security testing to make such statements.. just let it be and enjoy the read as comical as it may be. Maybe once in a while a smart comment will be made, kudos to whomever does it, but this is a great joke.. starting with the first post.. =}

TT:

Because, simply put.... In the two years I have been here this "issue" has been beaten to death.... And I _mean_ death..... The horse has been flayed till the bones show....

It's a boring waste of bandwidth that has been satisfactorily concluded on more than one occasion, (Usually by Catch....).

If you are looking for "entertainment" then do a search on all Catch's post and read them. You'll see all his arguments, (those with me included), and in the final conclusion, (through all the giggles you could ever need), you will find a conclusive argument for an operating system with regard to it's security. If you still need to laugh to a search for "Pooh Sun Tzu"'s posts and you will find a similarly compelling series of arguments.

We don't need a single other post on "who's OS is the most secure".... We've had about 5,000 of them.... Let it die.....

Chsh said it in another thread:

Quote:

---

Seriously, it depends on the role of the box. Security's a rather complicated thing, and happens in layers

---

It is nice to see that some of the arguments have moved away (not to far though) from the I hate windows because.. then read list of problems that Windows v2 had ..

/me sighs.
Tiger's right on this one, everything that was to be said got said. Catch conveniently sidestepped answering questions the last go around (he was going to PM me stuff which conveniently never arrived), so anyone looking to get into a heated debate with him, my advice is just ignore the guy, he likes to operate in a little world where government models are 100% adhered to, and unless your data is a national secret you shouldn't do so much as put a personal firewall on the box.

Just my $0.02.

csch:

Quote:

---

he likes to operate in a little world where government models are 100% adhered to, and unless your data is a national secret you shouldn't do so much as put a personal firewall on the box.

---

Yeah, but he makes a compelling and logical argument for it...... It's just not always possible or appropriate...... ;)

Ah chsh back trolling again...

The reason I ignored your questions was because I'd already answered them and to be honest, I really have better things to do with my spare time then to educate the likes of you. That is people who have already made up their mind and just wish to fight and post so much **** that it isn't practical for me to take the time to respond to every little piece.

Security is measurable.
Theoretical security is a measure of security capabilities and their assurances. (edited for clarity).
Practical security is a measure of costs.
Comparing OS security is theoretical, consequently capabilities are to be measured.
Penetration tests are used to measure practical security and make no statement on the systems capabilities, only its current state.

With that said:

Security by default isn't relevant to this conversation, for it focuses on the business aspect of the vendors marketing scheme and not the operating system's security capabilities.

Windows has a more powerful security policy, including the following features:

More finely grained access controls including "deny" functionality.
Segregation of Administrators and Operators. (aka no superuser account)
A microkernel architecture including a security kernel and a limited reference monitor.

Linux offers none of this functionality, it relies on simple ogw/rwx discretionary access controls, operator level users are not supported, and a monolithic architecture with no security kernel or even the theoretical possibility of a reference monitor is utilized.

For commercial uses, both tend to be good enough... and both are worthless when looking at what can actually be done with a secure system, but that is not what this thread is about...

I don't care what anyone thinks is better for their own uses, or which anyone thinks is better... I merely advise that people compare more than anecdotal evidence (which is all exploit counts are) when making their own choice... look what you can do with the system, not what someone else has done.

cheers,

catch

PS. Windows NT did _not_ evolve from DOS, it evolved from Secure XENIX which in turn came out of Secure MULTICS.

Well, I have a sort of "deja vu" feeling when I read this thread. As undies said:

Quote:

---

It is nice to see that some of the arguments have moved away (not to far though) from the I hate windows because.. then read list of problems that Windows v2 had ..

---

Errrrrrrrr..............better make that Win3.1x for workgroups. :p Up until then, PCs were run as stand alone devices for the most part. Earlier versions of Windows were not true operating systems, they were GUIs that ran on the back of DOS. Up until Win95 you had to load DOS BEFORE you could load Windows.

I have a machine running DOS 5.0 and Win 2.03 :cool: Now I can tell you that version of Windows does very little for you; Norton (System Commander) was much better, as were the GUIs that shipped with Apple and Acorn machines.

Back in those days, security was not considered to be an issue, so it is unreasonable IMHO to parcel all the Microsoft OSes into one bundle, given that they span such a long period of rapid development in IT.

Furthermore, MS had a policy of providing "domestic" and commercial products, and security was not considered to be a major issue with the domestic ones. They were intended as stand alone systems, as witnessed by the fact that everyone logs on with Admin rights.

It is like comparing a B-17 to a B-2 or an F-22 to a P-37. Pretty irrelevant, and totally useless if you don't know how to fly!

I will not comment on the various "technical" arguments as they have already been "done to death" I am making a strong point for considering the historical context and the target market of the product.

Catch:

Quote:

---

PS. Windows NT did _not_ evolve from DOS, it evolved from Secure XENIX which in turn came out of Secure MULTICS.

---

Well, sort of...............take a look in the Sys32 folder of NT4.0 and you will find four executables with a .bas extension.................they are Qbasic, and that shipped with DOS 5.0!!!!!!!!!!!!!!!

Win2000 (NT5.0) and XP are the first truly DOS free MS OSes.

just my thoughts

Quote:

---

Originally posted here by Sphyenx
It sucks, not because the OS, but because the people making it try to throw it out so fast that it never gets the full attencion it deserves. It should under go much more work to make it more secure and a truely better OS, not every one cares about the windows media player that they spend years on developing when they put a day or two in to a firewall that is about as strong as a paper bag, and wow there not to sturdy. I think maybe bill and his buddied should wake up and smell the java, and build a better OS next time around. Maybe longhorn will prove me wrong!, thank you, eNIX

---

read this:

Cyberinsecurity: The Cost of Monopoly (aka the day Dan Greer got fired)
http://www.ccianet.org/papers/cyberinsecurity.pdf

:-)

p.s. - i doubt longhorn will be any different. MS follow *particular* software development model.

Quote:

---

Cyberinsecurity: The Cost of Monopoly

---

You know, it's interesting that people only view MS as having issues of Monopoly when it comes to entirely MS networks. The question I have is: what kind of effect would occur if a serious flaw was found in ALL versions of BIND? Last time I checked they were a bit of a monopoly on many of the DNS servers that exist. What about CISCO? Don't they claim that the Internet runs on them (ie., they represent the majority of network devices). I'd hate to see what might have occurred if they had a serious flaw found.

There are some serious issues relating to the way Microsoft views security. But you cannot deny that they have improved. They aren't perfect but they do listen -- somewhat (some things that they do make me wonder sometimes). MS is in the proverbial rock and hard place. On the one side is the security admins screaming for security, "NOW DAMMIT JIM!". On the other side is the user who wants things to work without having to think or do any research, "NOW DAMMIT JIM!". Generally speaking we have three options: stability, security, ease of use. You can only pick two is often the accepted belief (for right or wrong).

It's real easy for us to sit here and point fingers at the lack of security by MS but I really wouldn't want to be in their shoes. I don't think any other OS gets as much scrutiny as theirs do. Nor do I think any OS gets as badly abused as theirs does. When you look at things under a microscope you tend to see more. Perhaps there is more flaws in Linux we don't know about because... well, they haven't been found yet (I'm not saying this is true, I'm just hypothesizing).

It would be nice to have any OS truly locked down from the start, be useable, stable and easy to use -- and all without having to RTFM. That ain't going to happen (at least I don't think it will in my lifetime).

That said, keep this in mind: as long as MS continues to make products that require an administrator to be a BOFH to users, you'll all be employed for a long, long, long time. :D

Greetings:

IMHO, the #1 difficulty that Microsoft has to deal with, that I don't think has been brought up enough, is the consumer's demand for backward compatibility. How much easier would it be for Microsoft to release a more secure OS if they didn't have to worry about making sure old apps designed for their old OS still work? Or make sure that their new OS can still communicate the same way with their old OS on the same lan? This is a TREMENDOUS burden that has held back a lot of innovation that Microsoft has been developing over the years.

I think it's a problem that they face in a way that no other OS currently has to.

Quote:

---

Originally posted here by nihil
It is like comparing a B-17 to a B-2 or an F-22 to a P-37. Pretty irrelevant, and totally useless if you don't know how to fly!

---

Very true, there are just to many Internet pilots out there... without a license.... hehe

If anything should be done, there should be a better tutorial on computers to teach those that do not know much about computers. Or a forum just like this one that everybody has with a bookmark or favorite automatically added to the new persons PC for advice.
Most new PC users "have not a clue" to what is actually out there waiting for them. They purchased the PC for fast graphic games and email, not how well the security is. But once they have problems with their PC, they will have somebody else fix it for them, or eventually start to learn about their PC's.
The person that started this thread probably did not read most the forum yet, or used the "search" and just posted anyway. I'll have to admit, I have done the same thing once or twice here.
I rarely ever post just for the fact everybody else is doing enough posting that I can barely keep up with all the daily new posts.
Keep up the good work guys and continue to help the new guys out. :D

Quote:

---

the #1 difficulty that Microsoft has to deal with, that I don't think has been brought up enough, is the consumer's demand for backward compatibility.

---

That is a good point. We can see this on major vendors too, such as IBM Mainframe. On Z/OS for instace, you can still run old OS/MFT programs.

Since MS is the leader and has a huge market, MS needs to maintain crap compatibilities (such some XP compatibilities with WIN9x) to keep the market and "conduce" their clients to the new platform. And with the minimal effort.

On the other hand, on linux platform everything must be reinstalled (most of the times). I would prefer the linux approach, but i cant see the home market will think like me...

I still think the MS (Windows) platform is a very good one and im continuing to deploy it to my clients (and linux too :) )


(p.s. missing pooh ....)

Quote:

---

On the other hand, on linux platform everything must be reinstalled (most of the times). I would prefer the linux approach, but i cant see the home market will think like me...

---

I'm sorry. What do you mean "everything must be reinstalled"? I've rarely had to do that and the closest thing to re-installed I've had to do is with upgrades (newer products) or updates. The concept of auto-notification for upgrades/updates in Linux is starting to trickle through (that's actually one feature I like -- makes Patch management a little bit easier to manage).

I do think the industry is getting a little lax however when it comes to testing stuff. I know that time is critical but sometimes it can be annoying (and sometimes not necessarily cost effective) to have a test box to ensure that an update (service pack) doesn't trash a system. One colleague I know had to rebuild his Windows 2000 box (with SQL 2000) after applying a SQL fix. That took him 36 hours. He didn't have a test box for it and it cost him (it was a legit box that was used for a single situation -- at least he backed up the data so he could recover that).

Quote:

---

Originally posted here by JP
[B]Greetings:

IMHO, the #1 difficulty that Microsoft has to deal with, that I don't think has been brought up enough, is the consumer's demand for backward compatibility.

---

i am not sure i would agree with you that they (MS) care very much about backward compatability.

Quote:

---

Originally posted here by MsMittens
I'm sorry. What do you mean "everything must be reinstalled"? I've rarely had to do that and the closest thing to re-installed I've had to do is with upgrades (newer products) or updates. The concept of auto-notification for upgrades/updates in Linux is starting to trickle through (that's actually one feature I like -- makes Patch management a little bit easier to manage).

I do think the industry is getting a little lax however when it comes to testing stuff. I know that time is critical but sometimes it can be annoying (and sometimes not necessarily cost effective) to have a test box to ensure that an update (service pack) doesn't trash a system. One colleague I know had to rebuild his Windows 2000 box (with SQL 2000) after applying a SQL fix. That took him 36 hours. He didn't have a test box for it and it cost him (it was a legit box that was used for a single situation -- at least he backed up the data so he could recover that).

---

i like linux. i use it. but i do not want to be the one to teach users how to convert from MS to Linux.

your colleague spent 36 hrs re-building a windows box. that says more about your colleague than about windows boxes.

once upon a time, this more senior guy gave me a great piece of advice that i follow to this day:

"always have a fall back!"

he was very open and didn't care what you wanted to patch, install, or tweak on his servers as long as:
a) you have a good case and reason for it and can prove it!
b) you have a fall back plan in case it went wrong

Quote:

---

your colleague spent 36 hrs re-building a windows box. that says more about your colleague than about windows boxes.

---

Actually, he was applying the patch and it trashed the box. This meant a complete rebuild of the box, all the patches, services packs, etc. It was a rather long process that is sort of built up over time.

Greetings:

Quote:

---

Originally posted here by secure_lockdown
i am not sure i would agree with you that they (MS) care very much about backward compatability.

---

Sure they do, and they care a little bit TOO much if you ask me. One perfect example? WinFS

Microsoft has to worry about backward compatibility for a reason that Linux does not: Third Party Software Vendors. Here's an interesting article about the topic by Dvorak. Contrast this to Linux, where the "3rd party software developers" don't have to worry about "selling" software in the short term, or about short term profits. Why not? Because they're designing, programming, and releasing their software for free.

http://abcnews.go.com/sections/scite...ag_040909.html

Quote:

---

Originally posted here by JP
Microsoft has to worry about backward compatibility for a reason that Linux does not: Third Party Software Vendors. Here's an interesting article about the topic by Dvorak. Contrast this to Linux, where the "3rd party software developers" don't have to worry about "selling" software in the short term, or about short term profits. Why not? Because they're designing, programming, and releasing their software for free.

---

That's not entirely accurate. There are plenty of third party developers that have no problems with developing on linux, and charging for it. Some of them pretty hefty contenders in the server market, like Oracle, IBM, even the littler guys like Kaspersky, MySQL, and so on. The support and willingness to spend money to run on a free OS is there, otherwise Oracle, IBM, and so forth wouldn't bother.
As for backwards compatibility, I think Microsoft has rather clearly stated with XP SP2 that they WILL sacrifice useability and app functionality for security if it will dredge their name out of the mud. If not, why go out of your way to break so many apps so that they need patches?

Quote:

---

You know, it's interesting that people only view MS as having issues of Monopoly when it comes to entirely MS networks. The question I have is: what kind of effect would occur if a serious flaw was found in ALL versions of BIND? Last time I checked they were a bit of a monopoly on many of the DNS servers that exist. What about CISCO? Don't they claim that the Internet runs on them (ie., they represent the majority of network devices). I'd hate to see what might have occurred if they had a serious flaw found.

---

Umm.. They have.. There was an snmp flaw last year that affected almost all cisco routers. Cisco kept it quiet and silently released the patch to all of the major networking and telephone companies so that they could patch themselves before the general public knew about it. Once all of those companies were patched, they released the information about the exploit.

There has also been major flaws in BIND. Atleast two that I can think of over the last couple of years...

As for taking 36 hours to rebuild a windows machine... I have to wonder about how well your colleague had documented how his machine was configured, and what skill level does he/she have? I have rebuilt entire servers in less than 8 hours, and that is including restoring SQL and Exchange databases along with reinstalling. When we stage a new server we plan for it to take 1 week, that is five eight hour days, or 40 hours. The first three days are spent configuring and doing a second programmer check. The second programmer check basically consists of double checking every critical setting on the machine, which usually takes the better part of 12 hours. The initial build is usually done in the first day, and then the last two days are a burn in to make sure that there are not any hardware issues before going production. This is for Exchange, IIS, and SQL servers. So at most 24 hours to build and double check the configuration.

In a production environment where two days of downtime can equal thousands or millions of dollars in lost productivity there is no excuse for not testing first. We had a 5 hour outage the other day because of a hardware failure and we calculated the cost to the company in lost productivity to be approximately 180k dollars.

Quote:

---

Originally posted here by chsh
That's not entirely accurate. There are plenty of third party developers that have no problems with developing on linux, and charging for it. Some of them pretty hefty contenders in the server market, like Oracle, IBM, even the littler guys like Kaspersky, MySQL, and so on. The support and willingness to spend money to run on a free OS is there, otherwise Oracle, IBM, and so forth wouldn't bother.
As for backwards compatibility, I think Microsoft has rather clearly stated with XP SP2 that they WILL sacrifice useability and app functionality for security if it will dredge their name out of the mud. If not, why go out of your way to break so many apps so that they need patches?

---

i agree. there is *the potential* for tons & tons of money to be made from linux. note *the potential* in pervious sentence. ibm, novell, et la all know it.

right now - too much hot air being blown around. very hard to know the truth. i am pretty sure unix shops are very willing to spend money on linux and convert. unix is probably f*&ked in near future!

but MS shops?? not so sure about that one.

here is a little ditty....

http://crn.com/sections/breakingnews...cleId=48800553

nice way to save some $$$ & make Linux look like it's a lot more popular than it is.

whereever there is a buck to be made (or saved!) trust us humans to make sure it gets exploited to the fullest, eh?

As a security professional and someone who learned to code almost 30 years ago, poor code is poor code. The best security is the kind that is bilt in from the beginning not patched in later. Also, the vulnerabilities that we see today are a result of coding and design mistakes. It is a lot easier just to throw together code and not do the appropriate error checking in your program. Best practice is to always validate your data construct in your program prior to applying your logic. This way you push back the garbage and not process it.

In regards to M$Security, or the lack there of, is a business decision they have made to place profit before quality. They take the strategy of good-enough vs. good, less alone never great. It is their responsibility to sell a quality product. None of us would buy a car with such quality issues or with the warranty they provide (MS EULA).

We should all objectively assess your options. Read Walt Mossberg's article in the Wall Street Journal for an unbiased opinion.

http://ptech.wsj.com/archive/ptech-20040916.html
http://ptech.wsj.com/archive/ptech-20040923.html

Execrcise your right to choose.

JoeMacDaddy, you have a good point. But lets not forget:

If your silly microsoft OS on your PC malfunctions - you loose some data.
If your car malfunctions - you and maybe someone else die !

there is a big difference between the two.

MS technology is being placed in British Warships on weapons control systems. Someone can die.

Quote:

---

Originally posted here by JoeMacDaddy
MS technology is being placed in British Warships on weapons control systems. Someone can die.

---

well that's a different story. maybe they should use closed systems.

They have dropped support for their UNIX systems and are moving to Windows. Several people have resigned over the issue.

The MS technology that is being placed on British and US ships/weapondry, etc. is not the same as what you get in the store. IIRC (from a news article I saw a while ago) it's a specialized, stripped down version.

Quote:

---

They have dropped support for their UNIX systems and are moving to Windows. Several people have resigned over the issue.

---

Is there a source for this? (Nevermind, Google showed me)

[edit

There appears to be more here than meets the eye. While the issue of MS being a "foreign" product, the issue of OS and not knowing it's origins can also be questionable if there is concern about who creates the product. That said, I wouldn't be surprised if there was some strong suggestions political for this move as a support of the US. (but that's politico babble).

Quote:

---

As a security professional and someone who learned to code almost 30 years ago, poor code is poor code. The best security is the kind that is bilt in from the beginning not patched in later. Also, the vulnerabilities that we see today are a result of coding and design mistakes. It is a lot easier just to throw together code and not do the appropriate error checking in your program. Best practice is to always validate your data construct in your program prior to applying your logic. This way you push back the garbage and not process it

---

JoeMacDaddy,
I do agree on the GIGO theory and in some part, with your analysis of coding procedures. I was a mainframe programmer and from day one, my boss harped on quality over quantity. Our clients were no joke either (Honeywell, Tristar, Boeing) and didn't take too well to program errors. Granted, every program should be checked and re-checked against every possible situation that's humanly concievable but that's the problem...it's almost impossible to account for every single situation when you initially code a program. On new projects, we wouldn't even *touch* the computer for the first day or two. We constructed flow charts and desgined everything on paper first, to minimize bad coding logic. After a program was finished, off it went to our testing facility in California where they beat the snot out of our programs looking for any kind of errors well before the program went into production. Add to that, that the programmers vigorously tested their own programs well before it went to the testing facility, not to mention all the coding was reviewed by the other programmers looking for potentially bad logic. With all this, you would think our programs would be flawless, but time and time again, we would encounter some situation we never thought would occur and of course, it caused errors. My point is simple, while I agree that bad code is bad code, you can't also expect programmers to be omniscient. Maybe in some utopian world, programs can be coded perfect the first time around but back here on earth, the only thing that perfects a program is time and real-world conditions.

Quote:

---

Originally posted here by JoeMacDaddy
The best security is the kind that is bilt in from the beginning not patched in later. Also, the vulnerabilities that we see today are a result of coding and design mistakes. It is a lot easier just to throw together code and not do the appropriate error checking in your program. Best practice is to always validate your data construct in your program prior to applying your logic. This way you push back the garbage and not process it.

In regards to M$Security, or the lack there of, is a business decision they have made to place profit before quality. They take the strategy of good-enough vs. good, less alone never great. It is their responsibility to sell a quality product. None of us would buy a car with such quality issues or with the warranty they provide (MS EULA).

---

What you have there is a software development paradigm. For one thing there are the developers who feel that software is best when it comes from just sitting down and writing it, this is a popular agile development methodology known as extreme programming, for those of you who may not know, but then again there are other developers who feel that software construction is not too dissimilar from building a bridge or building, that it requires careful planning and design, while there are advantages and disadvantages to both, the fact remains, it requires a secure programmer to create secure software. That being said I think you're right. Patched security is on a much lower level than default security. Programming practices are the best way to heighten security and the best way to practice secure programming is to spend most of you development cycle working on the security, therefore you suffer from a slip in productivity (from a project management view point). So for the developer it is a lose - lose situation, program in a method that is secure, because you take your time and possibly suffer the consequences of lacking productivity, or meet the deadlines and worry about the consequences later.

I'm not sure if that was on topic, but you all have made some very good points.
-BigDick

Quote:

---

Originally posted here by ShagDevil
JoeMacDaddy,
I do agree on the GIGO theory and in some part, with your analysis of coding procedures. I was a mainframe programmer and from day one, my boss harped on quality over quantity. Our clients were no joke either (Honeywell, Tristar, Boeing) and didn't take too well to program errors. Granted, every program should be checked and re-checked against every possible situation that's humanly concievable but that's the problem...it's almost impossible to account for every single situation when you initially code a program. On new projects, we wouldn't even *touch* the computer for the first day or two. We constructed flow charts and desgined everything on paper first, to minimize bad coding logic. After a program was finished, off it went to our testing facility in California where they beat the snot out of our programs looking for any kind of errors well before the program went into production. Add to that, that the programmers vigorously tested their own programs well before it went to the testing facility, not to mention all the coding was reviewed by the other programmers looking for potentially bad logic. With all this, you would think our programs would be flawless, but time and time again, we would encounter some situation we never thought would occur and of course, it caused errors. My point is simple, while I agree that bad code is bad code, you can't also expect programmers to be omniscient. Maybe in some utopian world, programs can be coded perfect the first time around but back here on earth, the only thing that perfects a program is time and real-world conditions.

---

someone should invent self-healing or self reparing programs. is that even possible?

didn't i just recently read an article about these new networks or something that "repair" themselves? i got to dig that up.

Quote:

---

Originally posted here by JoeMacDaddy
They have dropped support for their UNIX systems and are moving to Windows. Several people have resigned over the issue.

---

i wish i could have the luxury to resign because we are switching from one NOS to a M$ NOS. unfortunatly, i live in the "real world", and given the IT job market landscape the way it is, if i resign i will never get another job it IT. :-(

Self-repairing programs are possible, but they are quite complex, in fact there are very few languages with which such a thing could be done, these are mostly your languages used in A.I., languages such as Haskell and Common LiSP. But there are problems with such programs, they would, over time, make the software developer essentially obsolete because they could write themselves.

-BigDick