I've come to a conclusion on M$ security

Printable View

Show 40 post(s) from this thread on one page

October 3rd, 2004, 11:29 PM
Vorlin

Quote:

Originally posted here by SDK
I agree that Linux in general has less security hole but that because they have less peoples probing their code for vulnerability that Microsoft.

What about Firefox? Every week, they keep adding new patch! I was about to switch to Firebox when I noticed it was more plagued by security bug that IE is now!

I'd say the following to your points, SDK (in good conversation form, no flames here):

1: linux is open source and has a much greater development staff than any closed-source development. You don't have to wait forever for developers to fix problems that the users find or report. Open source rules this way, in the same manner that it's more vulnerable to exploits since you CAN see the source code (see Firefox/Thunderbird/Mozilla).

2: Firefox has a bounty system that allows people to report and submit unpublished current-version-only critical flaws/exploits/bugs and will pay out up to $500.00. They patch regularly and their patches are not "reaction" patches of patches previously released that are to fix some immediate major hole in some random code (like IE has had). Patches aren't bad; it's the method of their delivery, the integrity they provide, and whether or not they insure that they don't break other things in the process. I would never, IMHO, say that Firefox has more bugs than IE.
October 4th, 2004, 04:43 AM
Juridian

This thread is a waste of space...started by a troll looking for attention.

Linux and windows both have their problems. They are as secure as the person running it makes his box.

As far as open vs closed source, most of the monkeys looking at your source aren't qualified to offer an informed opinion. There are other threads on this site where the subject is handled in far more detail. There is one in the programming security forum where it's beaten to death...I'd suggest going there.
October 4th, 2004, 05:05 AM
MilitantEidolon

We have debated this topic long and hard on which is the best OS and lost of people have always commented. What is comes down to is one thing.

THE ADMINISTRATOR!!

I know people who can make a ME box secure but people who run redhat and leave it wide-open to attack. This goes both ways mind you. But regardless I think it is the Administrator's or User's (if no controlled by and Admin) fault leaving a box open.

A weak general makes for a weak army.

- MilitantEidolon
October 4th, 2004, 05:09 AM
mohaughn

Quote:

NT is cool but one thing about it is that Microsoft used to have a thing on their web page saying that NT should be rebooted at least once a month to deal with memory leaks. This is all fine for a home user, but not for a server.

I've been supporting an exchange platform for a fortune 50 company that at one time had over 100k employees using our service. I've not seen the need to regularly reboot Windows NT since NT4.0 with no service pack. That was what, about 8 years ago.. You can't try to compare NT when it was about 6 years old to an OS such as Unix which was developed back in the 60's.

Memory leaks in server applications is actually something that is still pretty common. The 3.6 RIM Blackberry Corporate server has a pretty bad memory leak in it right now that requires the application to be restarted once a month. So MS is not the only company that has had that type of problem.

Quote:

Every Windows security flaw found, first has to have the patch downloaded one at a time, then a reboot is needed for all security updates. This is really bad, I hate rebooting. I think they should find a way to avoid this. Some people will tell you that "Well you can just restart the services on the box and not need a reboot".... Yea, and your point? Doing that makes the thing unstable as hell, and you'll end up rebooting anyway.

Yes, this is something that could be fixed that would really be great, but it was not always the case with unix. The number of reboots needed for the OS to update has dropped dramatically in the past 7 years. Add to that the fact that you can now use qchain and install all of your patches at once, and then reboot once, if needed. If you take the time to do your testing and engineering in advance you can drop your needed reboots by about another 50% and not risk availability. I would never use windows update to update a server, but if you do, all of the patches are downloaded at the same time, and install all together at the same time. I also don't agree with whomever has told you that you can just restart services, because in most cases the reboot is needed to get the proper DLL loaded into the DLL cache protection.

In the past year the platform I work on has been highly available. I think we are at 290 dpms right now, and about 90 of those are because of an issue with HP high availability servers crapping out on a PCI device failure, high availability my ass. I see absolutely no problem with using Win2k as a server application. The clustering functionality in Win2k blows away anything in linux. I have experience with NCR lifekeeper, not sure who markets it now, and that product sucks in comparison to Win2k clustering. When you can run such a reliable clustering service the needed reboots don't impact high availability systems as much.
October 4th, 2004, 08:34 AM
yourdeadin

hey jp

Quote:

Windows XP Service Pack 2, which was made available for FREE to all Windows XP customers, cost Microsoft over ONE BILLION US DOLLARS to develop. How many companies do you know spend $1 billion to develop something that they plan on giving away for free? I would say this shows a commitment on the part of Microsoft......

hey i may be wrong , but ms is not doing us any favour by giving us the SP packs,

1.ms is now under serious competition from linux ( all flavors)
2.though linux is open source virus es ,you can count them on your finger tips,the virus for windows are countless and you need a seperate antivirus for it ,and that is not free, yes you may also need a virus for linux, but most of them are free!!
3.the only thing linux lacks is support ,the online supprt of ms is good ,after sales services are good,here is where ms takes over
4.Ms does not give any thing free ( xcluding ie and windows media player,that too with security holes),if it had then i would say ms is good an dcommited, but the truth is that it does not.do
5.if ms stops giving services packs then what would be the difference left btw ms and linux (may be the gui)
6.almost every other product of ms has a venurability.
7. if ms has spent 1 billion in sp 2 ,then it might have earned more the a 100billion in sales of xp in europe and america alone

so say ms is not doing us any renAISSANCE by provindin ur free sp 2
October 4th, 2004, 09:10 AM
muert0

1) I don't see any serious competition on the home front seeing as they get their money from any computer that is bought preassembled. And with business I'm sure they have their fair share of the market. And the cost of switching from windows to linux in a business environment is expensive from what I've read here. Since you have to pay to train staff and other details that I'm not to knowledgeable in. But I'm sure someone around here can fill in the blanks on that or you can search the forums. It's been posted on before.
2)You don't even really need anti-virus software if you don't download stupid crap and if you do want it there are a couple of companies that offer it free.
http://free.grisoft.com/freeweb.php/doc/2/
And a few free online scanners:
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
3) There is so much support for just about any distro of linux that you could think of it's not even funny. And Microsoft does have good support so they may be even on this front.
4)Linux offers free software for home users but on the business front a lot of distros cost a little money.
http://www.redhat.com/apps/commerce/
http://www.suse.com/us/business/prod...s/pricing.html
http://www.suse.com/us/business/prod...ld/prices.html
5)Linux offers updates to or service packs... whatever you want to call them.
6)A lot of nonmicrosoft products have vulnerabilities and you've obviously never done an update on a linux box. Not to mention the two newest vulnerabilities that I've heard of have been in non-microsoft products made for windows.
7)There is no point to this statement in my eyes. Who cares how much they have made they are trying to make a step toward better securing the OS for the home user as opposed to what they were doing in the past and they are still hearing **** from people who don't know WTF they are talking about.

Now say something and back it up with evidence don't just sit there and spout off bullshit that has no backing to it.
October 4th, 2004, 09:58 AM
yourdeadin

you have got me all wrong i was commenting on JP's ( look at the quote ) plz read the post properly
1.linux is givin ms serious competion as many of my friends have changed to linux and free bsd
2.

Quote:

You don't even really need anti-virus software if you don't download stupid crap

then what is the use of an os
see not all flavor of linux give suport for instance look at pcquest linux, launched by an indian magzine called linux,you do not have assistance one the web ,no downloads.

plz don't neg me gore i am as of low on antipoints ,so plz if you can't do me any good then don't do me any harm!
October 4th, 2004, 10:09 AM
MrLinus

Quote:

then what is the use of an os

Well, it is more than just downloading. For companies it's for use of email, creating PR campaigns, storing data, creating data, computating profits, doing research, etc. For individuals, games, internet access, entertainment, etc.

Quote:

linux is givin ms serious competion as many of my friends have changed to linux and free bsd

But that's a narrow view. It's your perception because of who you associate with but may not be an indication of total usage. That may not be true worldwide. In North America, maybe MS is picking up steam. IMO, I do believe that Linux is challenging MS to a degree but how serious it is, I don't know. I don't have an figures to state which way the proverbial wind blows.

Quote:

plz don't neg me i am as of low on antipoints ,so plz if you can't do me any good then don't do me any harm!

This would be better served as a PM, for the two of you to deal with and is beyond the scope of this thread.
October 4th, 2004, 10:48 AM
Sphyenx

Quote:

Originally posted here by catch
Wow... I can vividly remember the day when, if I were to defend Windows security I'd have gotten poorly flamed on all sides from Linux, misc UN*X, Solaris, Mac, Amiga, whatever, etc users.

Good to see the change of pace.

I would really love to see someone describe why they think NT sucks so much when it comes to security. I mean with real figures not "is well not even 80% safe", whatever the hell that is supposed to mean. Seriously, something that takes into account system capabilities, not merely a specific configuration. An argument that talks about conceptual exploit availability, not just statistically incomparable incident reporting.

In the last nine years I have never been able to find such a document (save those comparing NT to high assurance, static specification, trusted operating systems or pipe dreams like EROS), yet I've seen heaps against UN*X and Linux, including documents put out by the good people of the NSA and its subordinate organization the NCSC.

catch

You dont have to get on my case ok, You know what I ment. Windows goit tomany leaks and holes. I wish it didnt. I LOVE WINDOWS, and im stuck with it for the rest of my life unless corperate goes bsd or nix.
October 4th, 2004, 12:27 PM
catch

Quote:

we can have a really secure default Windows install.

Why do you want a secure default install? The default configuration of a system should be the most functional possible, not the most secure. Security should be applied on a case by case basis with the help of the trusted facilities manual, not with sweeping broad strokes laid down by the vendor with no regard for the specific implementation.

Quote:

NT is cool but one thing about it is that Microsoft used to have a thing on their web page saying that NT should be rebooted at least once a month to deal with memory leaks. This is all fine for a home user, but not for a server.

Two points in response to this, one is this is a legal safety net. Two, NT servers at the enterprise level are intended to be run in clusters, so rebooting the systems one at a time has virtually no effect on business. This is a stark contrast to the mentality of many UN*X operations where a single HP-UX or whatever system with god knows how many processors does the work by itself and single system uptime is a far greater concern.

Quote:

Now, install Linux with nothing but the things you get with Windows.

You'll end up with the Kernel, and toss in mpg123 for the media player, links for a browser, Vi and Emacs, and Midnight Commander.

Don't forget the weaker, less finely grained access control system. Don't forget the gaping security concern of superuser account. Where's the reference monitor? Need I go on? ;)

Quote:

When people say Linux has more security flaws than Windows, they are counting an install that has everything, and Linux comes with A LOT more than Windows does.

When people like me say it, they are speaking of the operating system's security architecture, not applications that run on it. That would be discussing those applications' security, not the operating system's. A secure operating system can protect itself from insecure applications.

Quote:

Just my opinion, but Windows as a secure server platform is a fairytail unless you're REALLY good.

Including things like "really good" negates the entire argument. :-P My point is that NT has a greater capacity for security as it has a more powerful security architecture.

Quote:

Everyone has it, knows it, and there's a ton of software out there to hurt or hack it.

Exactly, everyone has it... what does this mean? It means that bugs spend significantly less time in 0-day land. Is this a good thing or a bad thing?

Quote:

linux is open source and has a much greater development staff than any closed-source development. You don't have to wait forever for developers to fix problems that the users find or report.

Ah this fine argument... two responses (per my usual), one made a post awhile ago (in my attached documents, I'll look later if you can't find it) that featured an article quantifying the average kernel bug's life span in Linux... the average was over 3 years, with some lasting as long as seven years! The second point is that programmers know code, as a rule they know very little about security architecture... microkernel development, reference monitors, more finely grained access controls, they lot. Because Linux is open source, with a programmer at the helm, there has been no overall focus toward a superior security model, all Linux has been doing is making the same mistakes UN*X did over 20 years ago.

Quote:

We have debated this topic long and hard on which is the best OS and lost of people have always commented. What is comes down to is one thing.

THE ADMINISTRATOR!!

This argument would indicate that the two and in fact all systems have exactly the same capacity for security and the only difference is the admin... I hope the rest of you know better.

[quote]Windows goit tomany leaks and holes.[quote]

Name one that actually affects CIA and can't be fixed by proper configuration.

cheers,

catch

Show 40 post(s) from this thread on one page