I've come to a conclusion on M$ security

Printable View

Show 40 post(s) from this thread on one page

October 4th, 2004, 10:12 PM
;TT

Quote:

Originally posted here by Tiger Shark
I would rather run Windows because I can control _it_......

So the whole argument is, as usual, moot....

Next subject..... ;)

But why? Flat, unsupported statements that are as coherent as Mike Tyson are so much fun to read.. let them bash Windows and Microsoft and praise Unix and Linux to be cool even though most of them haven't the slightest clue about penetration testing, write ups, nor any other level of security testing to make such statements.. just let it be and enjoy the read as comical as it may be. Maybe once in a while a smart comment will be made, kudos to whomever does it, but this is a great joke.. starting with the first post.. =}
October 4th, 2004, 10:30 PM
Tiger Shark

TT:

Because, simply put.... In the two years I have been here this "issue" has been beaten to death.... And I _mean_ death..... The horse has been flayed till the bones show....

It's a boring waste of bandwidth that has been satisfactorily concluded on more than one occasion, (Usually by Catch....).

If you are looking for "entertainment" then do a search on all Catch's post and read them. You'll see all his arguments, (those with me included), and in the final conclusion, (through all the giggles you could ever need), you will find a conclusive argument for an operating system with regard to it's security. If you still need to laugh to a search for "Pooh Sun Tzu"'s posts and you will find a similarly compelling series of arguments.

We don't need a single other post on "who's OS is the most secure".... We've had about 5,000 of them.... Let it die.....
October 4th, 2004, 10:56 PM
Und3ertak3r

Chsh said it in another thread:

Quote:

Seriously, it depends on the role of the box. Security's a rather complicated thing, and happens in layers

It is nice to see that some of the arguments have moved away (not to far though) from the I hate windows because.. then read list of problems that Windows v2 had ..
October 4th, 2004, 11:06 PM
chsh

/me sighs.
Tiger's right on this one, everything that was to be said got said. Catch conveniently sidestepped answering questions the last go around (he was going to PM me stuff which conveniently never arrived), so anyone looking to get into a heated debate with him, my advice is just ignore the guy, he likes to operate in a little world where government models are 100% adhered to, and unless your data is a national secret you shouldn't do so much as put a personal firewall on the box.

Just my $0.02.
October 4th, 2004, 11:20 PM
Tiger Shark

csch:

Quote:

he likes to operate in a little world where government models are 100% adhered to, and unless your data is a national secret you shouldn't do so much as put a personal firewall on the box.

Yeah, but he makes a compelling and logical argument for it...... It's just not always possible or appropriate...... ;)
October 5th, 2004, 09:14 AM
catch

Ah chsh back trolling again...

The reason I ignored your questions was because I'd already answered them and to be honest, I really have better things to do with my spare time then to educate the likes of you. That is people who have already made up their mind and just wish to fight and post so much **** that it isn't practical for me to take the time to respond to every little piece.

Security is measurable.
Theoretical security is a measure of security capabilities and their assurances. (edited for clarity).
Practical security is a measure of costs.
Comparing OS security is theoretical, consequently capabilities are to be measured.
Penetration tests are used to measure practical security and make no statement on the systems capabilities, only its current state.

With that said:

Security by default isn't relevant to this conversation, for it focuses on the business aspect of the vendors marketing scheme and not the operating system's security capabilities.

Windows has a more powerful security policy, including the following features:

More finely grained access controls including "deny" functionality.
Segregation of Administrators and Operators. (aka no superuser account)
A microkernel architecture including a security kernel and a limited reference monitor.

Linux offers none of this functionality, it relies on simple ogw/rwx discretionary access controls, operator level users are not supported, and a monolithic architecture with no security kernel or even the theoretical possibility of a reference monitor is utilized.

For commercial uses, both tend to be good enough... and both are worthless when looking at what can actually be done with a secure system, but that is not what this thread is about...

I don't care what anyone thinks is better for their own uses, or which anyone thinks is better... I merely advise that people compare more than anecdotal evidence (which is all exploit counts are) when making their own choice... look what you can do with the system, not what someone else has done.

cheers,

catch

PS. Windows NT did _not_ evolve from DOS, it evolved from Secure XENIX which in turn came out of Secure MULTICS.
October 5th, 2004, 11:02 AM
nihil

Well, I have a sort of "deja vu" feeling when I read this thread. As undies said:

Quote:

It is nice to see that some of the arguments have moved away (not to far though) from the I hate windows because.. then read list of problems that Windows v2 had ..

Errrrrrrrr..............better make that Win3.1x for workgroups. :p Up until then, PCs were run as stand alone devices for the most part. Earlier versions of Windows were not true operating systems, they were GUIs that ran on the back of DOS. Up until Win95 you had to load DOS BEFORE you could load Windows.

I have a machine running DOS 5.0 and Win 2.03 :cool: Now I can tell you that version of Windows does very little for you; Norton (System Commander) was much better, as were the GUIs that shipped with Apple and Acorn machines.

Back in those days, security was not considered to be an issue, so it is unreasonable IMHO to parcel all the Microsoft OSes into one bundle, given that they span such a long period of rapid development in IT.

Furthermore, MS had a policy of providing "domestic" and commercial products, and security was not considered to be a major issue with the domestic ones. They were intended as stand alone systems, as witnessed by the fact that everyone logs on with Admin rights.

It is like comparing a B-17 to a B-2 or an F-22 to a P-37. Pretty irrelevant, and totally useless if you don't know how to fly!

I will not comment on the various "technical" arguments as they have already been "done to death" I am making a strong point for considering the historical context and the target market of the product.

Catch:

Quote:

PS. Windows NT did _not_ evolve from DOS, it evolved from Secure XENIX which in turn came out of Secure MULTICS.

Well, sort of...............take a look in the Sys32 folder of NT4.0 and you will find four executables with a .bas extension.................they are Qbasic, and that shipped with DOS 5.0!!!!!!!!!!!!!!!

Win2000 (NT5.0) and XP are the first truly DOS free MS OSes.

just my thoughts
October 5th, 2004, 12:03 PM
secure_lockdown

Re: I've come to a conclusion on M$ security

Quote:

Originally posted here by Sphyenx
It sucks, not because the OS, but because the people making it try to throw it out so fast that it never gets the full attencion it deserves. It should under go much more work to make it more secure and a truely better OS, not every one cares about the windows media player that they spend years on developing when they put a day or two in to a firewall that is about as strong as a paper bag, and wow there not to sturdy. I think maybe bill and his buddied should wake up and smell the java, and build a better OS next time around. Maybe longhorn will prove me wrong!, thank you, eNIX

read this:

Cyberinsecurity: The Cost of Monopoly (aka the day Dan Greer got fired)
http://www.ccianet.org/papers/cyberinsecurity.pdf

:-)

p.s. - i doubt longhorn will be any different. MS follow *particular* software development model.
October 5th, 2004, 12:18 PM
MrLinus

Quote:

Cyberinsecurity: The Cost of Monopoly

You know, it's interesting that people only view MS as having issues of Monopoly when it comes to entirely MS networks. The question I have is: what kind of effect would occur if a serious flaw was found in ALL versions of BIND? Last time I checked they were a bit of a monopoly on many of the DNS servers that exist. What about CISCO? Don't they claim that the Internet runs on them (ie., they represent the majority of network devices). I'd hate to see what might have occurred if they had a serious flaw found.

There are some serious issues relating to the way Microsoft views security. But you cannot deny that they have improved. They aren't perfect but they do listen -- somewhat (some things that they do make me wonder sometimes). MS is in the proverbial rock and hard place. On the one side is the security admins screaming for security, "NOW DAMMIT JIM!". On the other side is the user who wants things to work without having to think or do any research, "NOW DAMMIT JIM!". Generally speaking we have three options: stability, security, ease of use. You can only pick two is often the accepted belief (for right or wrong).

It's real easy for us to sit here and point fingers at the lack of security by MS but I really wouldn't want to be in their shoes. I don't think any other OS gets as much scrutiny as theirs do. Nor do I think any OS gets as badly abused as theirs does. When you look at things under a microscope you tend to see more. Perhaps there is more flaws in Linux we don't know about because... well, they haven't been found yet (I'm not saying this is true, I'm just hypothesizing).

It would be nice to have any OS truly locked down from the start, be useable, stable and easy to use -- and all without having to RTFM. That ain't going to happen (at least I don't think it will in my lifetime).

That said, keep this in mind: as long as MS continues to make products that require an administrator to be a BOFH to users, you'll all be employed for a long, long, long time. :D
October 5th, 2004, 12:46 PM
JP

Greetings:

IMHO, the #1 difficulty that Microsoft has to deal with, that I don't think has been brought up enough, is the consumer's demand for backward compatibility. How much easier would it be for Microsoft to release a more secure OS if they didn't have to worry about making sure old apps designed for their old OS still work? Or make sure that their new OS can still communicate the same way with their old OS on the same lan? This is a TREMENDOUS burden that has held back a lot of innovation that Microsoft has been developing over the years.

I think it's a problem that they face in a way that no other OS currently has to.

Show 40 post(s) from this thread on one page