MS stolen source code

Discussion in 'NZ Computing' started by Dave - Dave.net.nz, Nov 11, 2004.

  1. Wasn't there meant to be some meltdown caused by this? Something about
    how it was going to be sloppy code full of security holes and back doors?

    Maybe it was clean and tidy?

    Did I miss something in the news?
     
    Dave - Dave.net.nz, Nov 11, 2004
    #1

  2. Mr Scebe (Guest)

    "Matthew Poole" <> wrote in message
    news:cn0fb4$dju$...
    > In article <>, "Dave - Dave.net.nz"
    > <> wrote:
    > >Wasn't there meant to be some meltdown caused by this? Something about
    > >how it was going to be sloppy code full of security holes and back doors?
    > >
    > >Maybe it was clean and tidy?
    > >

    > The consensus was that it wasn't particularly tidy. Even some comments
    > about MS hating the OSS model because it would mean their sloppy coding
    > would see the light of day.


    Ah, the haters and wreckers rear their ugly heads. And what do you base this
    on, softcock? All the reports I have read say that the code was well
    written, and a lot considering how many applications it had to deal with.
    For example:
    http://www.kuro5hin.org/story/2004/2/15/71552/7795

    "Quality
    Despite the above, the quality of the code is generally excellent. Modules
    are small, and procedures generally fit on a single screen. The commenting
    is very detailed about intentions, but doesn't fall into "add one to i"
    redundancy.
    There is some variety in the commenting style. Sometimes blocks use a // at
    every line, sometimes the /* */ style. In some modules functions have a
    history, some do not. Some functions describe their variables in a comment
    block, some don't. Microsoft appears not to have fallen into the trap of
    enforcing over-rigid standards or universal use of over-complicated
    automatic tools. They seem to trust their developers to comment well, and
    they do."

    While the article is not all praise, it does provide a valuable insight into
    how MS codes its operating system, and as an extension, why that operating
    system works so well.


    --
    Mr Scebe
    "Losersh always whine about their 'besht'.
    Winnersh go home and **** the prom queen."
    ~Sean Connery in "The Rock"
     
    Mr Scebe, Nov 11, 2004
    #2

  3. In article <>, "Dave - Dave.net.nz" <> wrote:
    >Wasn't there meant to be some meltdown caused by this? Something about
    >how it was going to be sloppy code full of security holes and back doors?
    >
    >Maybe it was clean and tidy?
    >

    The consensus was that it wasn't particularly tidy. Even some comments
    about MS hating the OSS model because it would mean their sloppy coding
    would see the light of day.

    >Did I miss something in the news?

    It's hard to tell. One MS vulnerability looks much like any other.
    It's not like they've been getting away unscathed on the security front,
    but nobody's going to say that they found a vulnerability by looking
    through the code because they would then be admitting having been in
    possession of the code.

    --
    Matthew Poole Auckland, New Zealand
    "Veni, vidi, velcro...
    I came, I saw, I stuck around"

    My real e-mail is mattATp00leDOTnet
     
    Matthew Poole, Nov 11, 2004
    #3
  4. "Matthew Poole" <> wrote in message
    news:cn0fb4$dju$...
    > In article <>, "Dave - Dave.net.nz"
    > <> wrote:
    >>Wasn't there meant to be some meltdown caused by this? Something about
    >>how it was going to be sloppy code full of security holes and back doors?
    >>
    >>Maybe it was clean and tidy?
    >>

    > The consensus was that it wasn't particularly tidy. Even some comments
    > about MS hating the OSS model because it would mean their sloppy coding
    > would see the light of day.
    >
    >>Did I miss something in the news?

    > It's hard to tell. One MS vulnerability looks much like any other.
    > It's not like they've been getting away unscathed on the security front,
    > but nobody's going to say that they found a vulnerability by looking
    > through the code because they would then be admitting having been in
    > possession of the code.
    >
    > --
    > Matthew Poole Auckland, New Zealand
    > "Veni, vidi, velcro...
    > I came, I saw, I stuck around"
    >
    > My real e-mail is mattATp00leDOTnet


    I love that fluffy "the consensus was" comment, if I tried that sort of thing
    I'm sure the FUD Police would come down on me like a ton of bricks :)
    Just to set the record straight, Microsoft source code is made available to
    a wide variety of academic institutions, OEMs, governments, developers and
    customers via the Shared Source initiative and others.

    As for "the security front" you might be interested to know that YTD there
    have been 18 security advisories for Windows Server 2003 Enterprise Edition,
    84 for RedHat Enterprise Linux AS3, 20 for OpenBSD and 159 for Debian. This
    is freely-available data from Secunia www.secunia.com (and no we didn't pay
    for it) :)

    Brett Roberts
    Microsoft NZ
     
    Brett Roberts, Nov 11, 2004
    #4
  5. Chris Hope (Guest)

    Brett Roberts wrote:

    > "Matthew Poole" <> wrote in message
    > news:cn0fb4$dju$...
    >> In article <>, "Dave - Dave.net.nz"
    >> <> wrote:
    >>>Wasn't there meant to be some meltdown caused by this? Something about
    >>>how it was going to be sloppy code full of security holes and back doors?
    >>>
    >>>Maybe it was clean and tidy?
    >>>

    >> The consensus was that it wasn't particularly tidy. Even some comments
    >> about MS hating the OSS model because it would mean their sloppy coding
    >> would see the light of day.
    >>
    >>>Did I miss something in the news?

    >> It's hard to tell. One MS vulnerability looks much like any other.
    >> It's not like they've been getting away unscathed on the security front,
    >> but nobody's going to say that they found a vulnerability by looking
    >> through the code because they would then be admitting having been in
    >> possession of the code.
    >>
    >> --
    >> Matthew Poole Auckland, New Zealand
    >> "Veni, vidi, velcro...
    >> I came, I saw, I stuck around"
    >>
    >> My real e-mail is mattATp00leDOTnet

    >
    > I love that fluffy "the consensus was" comment, if I tried that sort of
    > thing
    > I'm sure the FUD Police would come down on me like a ton of bricks :)
    > Just to set the record straight, Microsoft source code is made available
    > to a wide variety of academic institutions, OEMs, governments, developers
    > and customers via the Shared Source initiative and others.
    >
    > As for "the security front" you might be interested to know that YTD there
    > have been 18 security advisories for Windows Server 2003 Enterprise
    > Edition, 84 for RedHat Enterprise Linux AS3, 20 for OpenBSD and 159 for
    > Debian. This is freely-available data from Secunia www.secunia.com (and no
    > we didn't pay
    > for it) :)


    Well let's see now, we'll have a look at some of these security advisories
    for RedHat Enterprise Linux AS3 shall we?

    Red Hat update for mysql-server. Hmm, this isn't part of Linux but is a 3rd
    party database server. I'm betting that security advisories for Windows
    don't include MSSQL Server (or MySQL for that matter, which will run on
    Windows as well as Linux and other Unix based systems).

    Red Hat update for xpdf. Again, an additional 3rd party application, this
    one for viewing pdfs. Probably not something you'd even install if you're
    using it as a server.

    Red Hat update for gaim. Instant messaging software. Again, you probably
    wouldn't install this.

    Red Hat update for openoffice.org. Office application software. Again, you
    probably wouldn't install this.

    I am not going to argue either way whether I think MS/Linux/OpenBSD etc is
    more secure, but you have to be wary of statistics like this when you are
    comparing apples with oranges. Windows (apples) comes with server software
    only (nothing wrong with this of course) so the security advisories only
    deal with this. A Linux distro (oranges) comes with dozens/hundreds of 3rd
    party applications for doing just about everything, and these may or may
    not be installed when you set it up. I know I wouldn't be setting up
    xpdf, openoffice or gaim on my RHEL AS3 server if I were using it for
    serving files or websites etc, so these vulnerabilities would not affect
    me.

    --
    Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
     
    Chris Hope, Nov 11, 2004
    #5
  6. "Chris Hope" <> wrote in message
    news:1100217523_14698@216.128.74.129...
    > Brett Roberts wrote:
    >
    >> "Matthew Poole" <> wrote in message
    >> news:cn0fb4$dju$...
    >>> In article <>, "Dave - Dave.net.nz"
    >>> <> wrote:
    >>>>Wasn't there meant to be some meltdown caused by this? Something about
    >>>>how it was going to be sloppy code full of security holes and back
    >>>>doors?
    >>>>
    >>>>Maybe it was clean and tidy?
    >>>>
    >>> The consensus was that it wasn't particularly tidy. Even some comments
    >>> about MS hating the OSS model because it would mean their sloppy coding
    >>> would see the light of day.
    >>>
    >>>>Did I miss something in the news?
    >>> It's hard to tell. One MS vulnerability looks much like any other.
    >>> It's not like they've been getting away unscathed on the security front,
    >>> but nobody's going to say that they found a vulnerability by looking
    >>> through the code because they would then be admitting having been in
    >>> possession of the code.
    >>>
    >>> --
    >>> Matthew Poole Auckland, New Zealand
    >>> "Veni, vidi, velcro...
    >>> I came, I saw, I stuck around"
    >>>
    >>> My real e-mail is mattATp00leDOTnet

    >>
    >> I love that fluffy "the consensus was" comment, if I tried that sort of
    >> thing
    >> I'm sure the FUD Police would come down on me like a ton of bricks :)
    >> Just to set the record straight, Microsoft source code is made available
    >> to a wide variety of academic institutions, OEMs, governments,
    >> developers
    >> and customers via the Shared Source initiative and others.
    >>
    >> As for "the security front" you might be interested to know that YTD
    >> there
    >> have been 18 security advisories for Windows Server 2003 Enterprise
    >> Edition, 84 for RedHat Enterprise Linux AS3, 20 for OpenBSD and 159 for
    >> Debian. This is freely-available data from Secunia www.secunia.com (and
    >> no
    >> we didn't pay
    >> for it) :)

    >
    > Well let's see now, we'll have a look at some of these security advisories
    > for RedHat Enterprise Linux AS3 shall we?
    >
    > Red Hat update for mysql-server. Hmm, this isn't part of Linux but is a
    > 3rd
    > party database server. I'm betting that security advisories for Windows
    > don't include MSSQL Server (or MySQL for that matter, which will run on
    > Windows as well as Linux and other Unix based systems).
    >
    > Red Hat update for xpdf. Again, an additional 3rd party application, this
    > one for viewing pdfs. Probably not something you'd even install if you're
    > using it as a server.
    >
    > Red Hat update for gaim. Instant messaging software. Again, you probably
    > wouldn't install this.
    >
    > Red Hat update for openoffice.org. Office application software. Again, you
    > probably wouldn't install this.
    >
    > I am not going to argue either way whether I think MS/Linux/OpenBSD etc is
    > more secure, but you have to be wary of statistics like this when you are
    > comparing apples with oranges. Windows (apples) comes with server software
    > only (nothing wrong with this of course) so the security advisories only
    > deal with this. A Linux distro (oranges) comes with dozens/hundreds of 3rd
    > party applications for doing just about everything, and these may or may
    > not be installed when you set it up. I know I wouldn't be setting up
    > xpdf, openoffice or gaim on my RHEL AS3 server if I were using it for
    > serving files or websites etc, so these vulnerabilities would not affect
    > me.
    >
    > --
    > Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/


    Are they part of the default install ?
     
    Brett Roberts, Nov 12, 2004
    #6
  7. tatties (Guest)

    "Brett Roberts" <> wrote in message
    news:...

    >
    > I love that fluffy "the consensus was" comment, if I tried that sort of
    > thing I'm sure the FUD Police would come down on me like a ton of bricks
    > :) Just to set the record straight, Microsoft source code is made
    > available to a wide variety of academic institutions, OEMs, governments,
    > developers and customers via the Shared Source initiative and others.
    >
    > As for "the security front" you might be interested to know that YTD there
    > have been 18 security advisories for Windows Server 2003 Enterprise
    > Edition, 84 for RedHat Enterprise Linux AS3, 20 for OpenBSD and 159 for
    > Debian. This is freely-available data from Secunia www.secunia.com (and no
    > we didn't pay for it) :)
    >
    > Brett Roberts
    > Microsoft NZ
    >


    You and your marketers persist in deceptively comparing security advisories
    for a base install of Windows Server 2003 to the security advisories of a
    full Linux distribution such as Debian containing 8700 packages. RHEL is
    proportionately a smaller distribution with fewer packages.

    You know this, so I would have to accept you are doing this on behalf of
    your company in order to deceive us.
    As a Microsoft customer, this gives me no confidence in your integrity.
     
    tatties, Nov 12, 2004
    #7
  8. "tatties" <> wrote in message
    news:...
    >
    > "Brett Roberts" <> wrote in message
    > news:...
    >
    >>
    >> I love that fluffy "the consensus was" comment, if I tried that sort of
    >> thing I'm sure the FUD Police would come down on me like a ton of bricks
    >> :) Just to set the record straight, Microsoft source code is made
    >> available to a wide variety of academic institutions, OEMs, governments,
    >> developers and customers via the Shared Source initiative and others.
    >>
    >> As for "the security front" you might be interested to know that YTD
    >> there have been 18 security advisories for Windows Server 2003 Enterprise
    >> Edition, 84 for RedHat Enterprise Linux AS3, 20 for OpenBSD and 159 for
    >> Debian. This is freely-available data from Secunia www.secunia.com (and
    >> no we didn't pay for it) :)
    >>
    >> Brett Roberts
    >> Microsoft NZ
    >>

    >
    > You and your marketers persist in deceptively comparing security
    > advisories for a base install of Windows Server 2003 to the security
    > advisories of a full Linux distribution such as Debian containing 8700
    > packages. RHEL is proportionately a smaller distribution with fewer
    > packages.
    >
    > You know this, so I would have to accept you are doing this on behalf of
    > your company in order to deceive us.
    > As a Microsoft customer, this gives me no confidence in your integrity.
    >


    Actually it was the BSD one I found the most interesting as their strategy
    is effectively one of minimising attack surface area by minimising what gets
    installed.
     
    Brett Roberts, Nov 12, 2004
    #8
  9. "Allistar" <> wrote in message
    news:tbTkd.947$...
    > Brett Roberts wrote:
    >
    >>
    >> "Chris Hope" <> wrote in message
    >> news:1100217523_14698@216.128.74.129...
    >>> Brett Roberts wrote:
    >>>
    >>>> "Matthew Poole" <> wrote in message
    >>>> news:cn0fb4$dju$...
    >>>>> In article <>, "Dave - Dave.net.nz"
    >>>>> <> wrote:
    >>>>>>Wasn't there meant to be some meltdown caused by this? Something about
    >>>>>>how it was going to be sloppy code full of security holes and back
    >>>>>>doors?
    >>>>>>
    >>>>>>Maybe it was clean and tidy?
    >>>>>>
    >>>>> The consensus was that it wasn't particularly tidy. Even some comments
    >>>>> about MS hating the OSS model because it would mean their sloppy
    >>>>> coding
    >>>>> would see the light of day.
    >>>>>
    >>>>>>Did I miss something in the news?
    >>>>> It's hard to tell. One MS vulnerability looks much like any other.
    >>>>> It's not like they've been getting away unscathed on the security
    >>>>> front, but nobody's going to say that they found a vulnerability by
    >>>>> looking through the code because they would then be admitting having
    >>>>> been in possession of the code.
    >>>>>
    >>>>> --
    >>>>> Matthew Poole Auckland, New Zealand
    >>>>> "Veni, vidi, velcro...
    >>>>> I came, I saw, I stuck around"
    >>>>>
    >>>>> My real e-mail is mattATp00leDOTnet
    >>>>
    >>>> I love that fluffy "the consensus was" comment, if I tried that sort of
    >>>> thing
    >>>> I'm sure the FUD Police would come down on me like a ton of bricks :)
    >>>> Just to set the record straight, Microsoft source code is made
    >>>> available
    >>>> to a wide variety of academic institutions, OEMs, governments,
    >>>> developers
    >>>> and customers via the Shared Source initiative and others.
    >>>>
    >>>> As for "the security front" you might be interested to know that YTD
    >>>> there
    >>>> have been 18 security advisories for Windows Server 2003 Enterprise
    >>>> Edition, 84 for RedHat Enterprise Linux AS3, 20 for OpenBSD and 159 for
    >>>> Debian. This is freely-available data from Secunia www.secunia.com (and
    >>>> no
    >>>> we didn't pay
    >>>> for it) :)
    >>>
    >>> Well let's see now, we'll have a look at some of these security
    >>> advisories for RedHat Enterprise Linux AS3 shall we?
    >>>
    >>> Red Hat update for mysql-server. Hmm, this isn't part of Linux but is a
    >>> 3rd
    >>> party database server. I'm betting that security advisories for Windows
    >>> don't include MSSQL Server (or MySQL for that matter, which will run on
    >>> Windows as well as Linux and other Unix based systems).
    >>>
    >>> Red Hat update for xpdf. Again, an additional 3rd party application,
    >>> this
    >>> one for viewing pdfs. Probably not something you'd even install if
    >>> you're
    >>> using it as a server.
    >>>
    >>> Red Hat update for gaim. Instant messaging software. Again, you probably
    >>> wouldn't install this.
    >>>
    >>> Red Hat update for openoffice.org. Office application software. Again,
    >>> you probably wouldn't install this.
    >>>
    >>> I am not going to argue either way whether I think MS/Linux/OpenBSD etc
    >>> is more secure, but you have to be wary of statistics like this when you
    >>> are comparing apples with oranges. Windows (apples) comes with server
    >>> software only (nothing wrong with this of course) so the security
    >>> advisories only deal with this. A Linux distro (oranges) comes with
    >>> dozens/hundreds of 3rd party applications for doing just about
    >>> everything, and these may or may not be installed when you set it
    >>> up.
    >>> I know I wouldn't be setting up xpdf, openoffice or gaim on my RHEL AS3
    >>> server if I were using it for serving files or websites etc, so these
    >>> vulnerabilities would not affect me.
    >>>
    >>> --
    >>> Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/

    >>
    >> Are they part of the default install ?

    >
    > I'm pretty sure it would install what you tell it to install. I've never
    > installed Redhat before, but have Mandrake and Gentoo (both many times)
    > and
    > you always have the option of what to include/exclude.
    >
    > Allistar.


    Yes, it's the same for most software I guess however I would venture that
    the majority of installations (60% ? 80% ?) of any software are default
    installs.
     
    Brett Roberts, Nov 12, 2004
    #9
  10. Allistar (Guest)

    Brett Roberts wrote:

    >
    > "Chris Hope" <> wrote in message
    > news:1100217523_14698@216.128.74.129...
    >> Brett Roberts wrote:
    >>
    >>> "Matthew Poole" <> wrote in message
    >>> news:cn0fb4$dju$...
    >>>> In article <>, "Dave - Dave.net.nz"
    >>>> <> wrote:
    >>>>>Wasn't there meant to be some meltdown caused by this? Something about
    >>>>>how it was going to be sloppy code full of security holes and back
    >>>>>doors?
    >>>>>
    >>>>>Maybe it was clean and tidy?
    >>>>>
    >>>> The consensus was that it wasn't particularly tidy. Even some comments
    >>>> about MS hating the OSS model because it would mean their sloppy coding
    >>>> would see the light of day.
    >>>>
    >>>>>Did I miss something in the news?
    >>>> It's hard to tell. One MS vulnerability looks much like any other.
    >>>> It's not like they've been getting away unscathed on the security
    >>>> front, but nobody's going to say that they found a vulnerability by
    >>>> looking through the code because they would then be admitting having
    >>>> been in possession of the code.
    >>>>
    >>>> --
    >>>> Matthew Poole Auckland, New Zealand
    >>>> "Veni, vidi, velcro...
    >>>> I came, I saw, I stuck around"
    >>>>
    >>>> My real e-mail is mattATp00leDOTnet
    >>>
    >>> I love that fluffy "the consensus was" comment, if I tried that sort of
    >>> thing
    >>> I'm sure the FUD Police would come down on me like a ton of bricks :)
    >>> Just to set the record straight, Microsoft source code is made available
    >>> to a wide variety of academic institutions, OEMs, governments,
    >>> developers
    >>> and customers via the Shared Source initiative and others.
    >>>
    >>> As for "the security front" you might be interested to know that YTD
    >>> there
    >>> have been 18 security advisories for Windows Server 2003 Enterprise
    >>> Edition, 84 for RedHat Enterprise Linux AS3, 20 for OpenBSD and 159 for
    >>> Debian. This is freely-available data from Secunia www.secunia.com (and
    >>> no
    >>> we didn't pay
    >>> for it) :)

    >>
    >> Well let's see now, we'll have a look at some of these security
    >> advisories for RedHat Enterprise Linux AS3 shall we?
    >>
    >> Red Hat update for mysql-server. Hmm, this isn't part of Linux but is a
    >> 3rd
    >> party database server. I'm betting that security advisories for Windows
    >> don't include MSSQL Server (or MySQL for that matter, which will run on
    >> Windows as well as Linux and other Unix based systems).
    >>
    >> Red Hat update for xpdf. Again, an additional 3rd party application, this
    >> one for viewing pdfs. Probably not something you'd even install if you're
    >> using it as a server.
    >>
    >> Red Hat update for gaim. Instant messaging software. Again, you probably
    >> wouldn't install this.
    >>
    >> Red Hat update for openoffice.org. Office application software. Again,
    >> you probably wouldn't install this.
    >>
    >> I am not going to argue either way whether I think MS/Linux/OpenBSD etc
    >> is more secure, but you have to be wary of statistics like this when you
    >> are comparing apples with oranges. Windows (apples) comes with server
    >> software only (nothing wrong with this of course) so the security
    >> advisories only deal with this. A Linux distro (oranges) comes with
    >> dozens/hundreds of 3rd party applications for doing just about
    >> everything, and these may or may not be installed when you set it up.
    >> I know I wouldn't be setting up xpdf, openoffice or gaim on my RHEL AS3
    >> server if I were using it for serving files or websites etc, so these
    >> vulnerabilities would not affect me.
    >>
    >> --
    >> Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/

    >
    > Are they part of the default install ?


    I'm pretty sure it would install what you tell it to install. I've never
    installed Redhat before, but have Mandrake and Gentoo (both many times) and
    you always have the option of what to include/exclude.

    Allistar.
     
    Allistar, Nov 12, 2004
    #10
  11. Chris Hope (Guest)

    Brett Roberts wrote:

    >
    > "Chris Hope" <> wrote in message
    > news:1100217523_14698@216.128.74.129...
    >> Brett Roberts wrote:
    >>
    >>> "Matthew Poole" <> wrote in message
    >>> news:cn0fb4$dju$...
    >>>> In article <>, "Dave - Dave.net.nz"
    >>>> <> wrote:
    >>>>>Wasn't there meant to be some meltdown caused by this? Something about
    >>>>>how it was going to be sloppy code full of security holes and back
    >>>>>doors?
    >>>>>
    >>>>>Maybe it was clean and tidy?
    >>>>>
    >>>> The consensus was that it wasn't particularly tidy. Even some comments
    >>>> about MS hating the OSS model because it would mean their sloppy coding
    >>>> would see the light of day.
    >>>>
    >>>>>Did I miss something in the news?
    >>>> It's hard to tell. One MS vulnerability looks much like any other.
    >>>> It's not like they've been getting away unscathed on the security
    >>>> front, but nobody's going to say that they found a vulnerability by
    >>>> looking through the code because they would then be admitting having
    >>>> been in possession of the code.
    >>>>
    >>>> --
    >>>> Matthew Poole Auckland, New Zealand
    >>>> "Veni, vidi, velcro...
    >>>> I came, I saw, I stuck around"
    >>>>
    >>>> My real e-mail is mattATp00leDOTnet
    >>>
    >>> I love that fluffy "the consensus was" comment, if I tried that sort of
    >>> thing
    >>> I'm sure the FUD Police would come down on me like a ton of bricks :)
    >>> Just to set the record straight, Microsoft source code is made available
    >>> to a wide variety of academic institutions, OEMs, governments,
    >>> developers
    >>> and customers via the Shared Source initiative and others.
    >>>
    >>> As for "the security front" you might be interested to know that YTD
    >>> there
    >>> have been 18 security advisories for Windows Server 2003 Enterprise
    >>> Edition, 84 for RedHat Enterprise Linux AS3, 20 for OpenBSD and 159 for
    >>> Debian. This is freely-available data from Secunia www.secunia.com (and
    >>> no
    >>> we didn't pay
    >>> for it) :)

    >>
    >> Well let's see now, we'll have a look at some of these security
    >> advisories for RedHat Enterprise Linux AS3 shall we?
    >>
    >> Red Hat update for mysql-server. Hmm, this isn't part of Linux but is a
    >> 3rd
    >> party database server. I'm betting that security advisories for Windows
    >> don't include MSSQL Server (or MySQL for that matter, which will run on
    >> Windows as well as Linux and other Unix based systems).
    >>
    >> Red Hat update for xpdf. Again, an additional 3rd party application, this
    >> one for viewing pdfs. Probably not something you'd even install if you're
    >> using it as a server.
    >>
    >> Red Hat update for gaim. Instant messaging software. Again, you probably
    >> wouldn't install this.
    >>
    >> Red Hat update for openoffice.org. Office application software. Again,
    >> you probably wouldn't install this.
    >>
    >> I am not going to argue either way whether I think MS/Linux/OpenBSD etc
    >> is more secure, but you have to be wary of statistics like this when you
    >> are comparing apples with oranges. Windows (apples) comes with server
    >> software only (nothing wrong with this of course) so the security
    >> advisories only deal with this. A Linux distro (oranges) comes with
    >> dozens/hundreds of 3rd party applications for doing just about
    >> everything, and these may or may not be installed when you set it up.
    >> I know I wouldn't be setting up xpdf, openoffice or gaim on my RHEL AS3
    >> server if I were using it for serving files or websites etc, so these
    >> vulnerabilities would not affect me.
    >>

    > Are they part of the default install ?


    When you install RedHat you are given a number of different options for
    installing. I can't remember the exact ones as it has been a while since
    I've installed a RedHat system but it's something like Server / Desktop /
    Custom and I'm pretty sure there's another option. Depending which you
    select a set of default packages will be selected, and you have the option
    to customise them if you want. You can switch on or off package groups (eg
    webserver, database server, samba server etc) and go into further detail.
    The level of detail isn't as good as the SUSE installer but it's pretty
    good, and you can do pretty minimal installs.

    However, even if you had installed gaim, xpdf, openoffice etc on your
    server, if you don't use them then the security vulnerabilities in those
    applications aren't going to affect you anyway.

    As I mentioned before I'm not going to argue either way for security of one
    system over another as just about any OS needs tweaking after installing to
    ensure it's secure. The RedHat installer for example puts in loads of
    services, users etc you just don't need so you need to lock them down just
    as you would a Windows box with all the crap it switches on by default.
    Just as you can have an insecure Windows box, you can have an insecure
    Linux box. Just as you can have a secure Linux box, you can have a secure
    Windows box. And not all vulnerabilities are created equal and it always
    pays to keep up to date with any problems and issues with any software that
    is installed on all the systems you maintain.

    --
    Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
     
    Chris Hope, Nov 12, 2004
    #11
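Editor's added example (not code from any of the posters, and not Secunia's data or tooling): the apples-and-oranges point in posts #5 and #11, and Brett's "are they part of the default install?" question, come down to one normalisation, so here it is as a script. The same advisory list is counted three ways: raw per product (the headline figure), per install profile, and against what `rpm -qa` actually reports on a host. Every advisory record, identifier, package group and `remote` flag below is constructed for illustration; the package names echo the ones discussed in the thread, and the profile tables are assumptions about installer groups, not the real ones.

```python
# Added example for this thread, not code from any of the posters or from
# Secunia. It recomputes advisory counts against what a given install
# actually lays down. Every advisory record, identifier, package group and
# the "remote" flag below is constructed for illustration; the package names
# echo the ones discussed in the thread.
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, not a real Secunia or vendor ID
    product: str       # distribution / OS the advisory is filed against
    package: str       # component that is actually affected
    remote: bool       # exploitable over the network without a local account?


# Constructed sample feed, flattened to (product, package). Counting rows per
# product gives the headline figure quoted in the thread.
SAMPLE_ADVISORIES = [
    Advisory("EX-2004-001", "rhel-as3", "kernel", remote=False),
    Advisory("EX-2004-002", "rhel-as3", "openssh", remote=True),
    Advisory("EX-2004-003", "rhel-as3", "mysql-server", remote=True),
    Advisory("EX-2004-004", "rhel-as3", "xpdf", remote=False),
    Advisory("EX-2004-005", "rhel-as3", "gaim", remote=True),
    Advisory("EX-2004-006", "rhel-as3", "openoffice.org", remote=False),
    Advisory("EX-2004-007", "win2003", "kernel", remote=True),
    Advisory("EX-2004-008", "win2003", "iis", remote=True),
]

# Constructed package sets per install profile. The real installers' package
# groups differ; on a real host feed parse_rpm_names() the package manager's
# output instead of trusting a table like this.
INSTALL_PROFILES = {
    "rhel-as3/server-minimal": {"kernel", "openssh"},
    "rhel-as3/server-web-db": {"kernel", "openssh", "httpd", "mysql-server"},
    "rhel-as3/workstation": {"kernel", "openssh", "xpdf", "gaim", "openoffice.org"},
    "win2003/default": {"kernel", "iis"},
}


def parse_rpm_names(rpm_qa_output: str) -> set[str]:
    """Turn the output of  rpm -qa --qf '%{NAME}\\n'  into a set of package names."""
    return {line.strip() for line in rpm_qa_output.splitlines() if line.strip()}


def raw_counts(advisories: list[Advisory]) -> Counter:
    """Per-product totals: every advisory for anything the vendor ships."""
    return Counter(a.product for a in advisories)


def applicable(advisories: list[Advisory], product: str, installed: set[str],
               remote_only: bool = False) -> list[Advisory]:
    """Advisories for `product` whose affected package is actually installed.

    With remote_only=True, keep only those a network attacker can reach; a
    local-only bug in an installed package still counts when the host has
    untrusted local users or processes untrusted files.
    """
    return [a for a in advisories
            if a.product == product
            and a.package in installed
            and (a.remote or not remote_only)]


def count_for_profile(advisories: list[Advisory], profile: str,
                      remote_only: bool = False) -> int:
    """Advisory count for a named install profile ("product/profile")."""
    product = profile.split("/", 1)[0]
    return len(applicable(advisories, product, INSTALL_PROFILES[profile], remote_only))


def count_for_rpm_host(advisories: list[Advisory], product: str,
                       rpm_qa_output: str, remote_only: bool = False) -> int:
    """Same count, driven by real  rpm -qa  output captured from a host."""
    return len(applicable(advisories, product, parse_rpm_names(rpm_qa_output),
                          remote_only))


if __name__ == "__main__":
    print("raw per-product totals:", dict(raw_counts(SAMPLE_ADVISORIES)))
    for profile in INSTALL_PROFILES:
        print(f"{profile:25s} installed={count_for_profile(SAMPLE_ADVISORIES, profile)}"
              f" remote={count_for_profile(SAMPLE_ADVISORIES, profile, True)}")
```

Run stand-alone it prints the raw totals and then each profile's count; the gap between the raw figure and the per-profile figure is the point being argued above, and `remote_only` narrows it again to what an attacker on the network can reach. Two caveats a practitioner would add: count against what the package manager reports, not against what the installer offered, and treat installed-but-unused software as attack surface to remove rather than to argue away, since a local-only bug in it still matters once anyone untrusted has a shell or can hand the box a file.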
  12. Chris Hope wrote:
    > Red Hat update for gaim. Instant messaging software. Again, you probably
    > wouldn't install this.
    >
    > Red Hat update for openoffice.org. Office application software. Again, you
    > probably wouldn't install this.


    so IIS/OE shouldn't be logged under win2k/XP?
     
    Dave - Dave.net.nz, Nov 12, 2004
    #12
  13. "Chris Hope" <> wrote in message
    news:1100218623_14707@216.128.74.129...
    > Brett Roberts wrote:
    >
    >>
    >> "Chris Hope" <> wrote in message
    >> news:1100217523_14698@216.128.74.129...
    >>> Brett Roberts wrote:
    >>>
    >>>> "Matthew Poole" <> wrote in message
    >>>> news:cn0fb4$dju$...
    >>>>> In article <>, "Dave - Dave.net.nz"
    >>>>> <> wrote:
    >>>>>>Wasn't there meant to be some meltdown caused by this? Something about
    >>>>>>how it was going to be sloppy code full of security holes and back
    >>>>>>doors?
    >>>>>>
    >>>>>>Maybe it was clean and tidy?
    >>>>>>
    >>>>> The consensus was that it wasn't particularly tidy. Even some comments
    >>>>> about MS hating the OSS model because it would mean their sloppy
    >>>>> coding
    >>>>> would see the light of day.
    >>>>>
    >>>>>>Did I miss something in the news?
    >>>>> It's hard to tell. One MS vulnerability looks much like any other.
    >>>>> It's not like they've been getting away unscathed on the security
    >>>>> front, but nobody's going to say that they found a vulnerability by
    >>>>> looking through the code because they would then be admitting having
    >>>>> been in possession of the code.
    >>>>>
    >>>>> --
    >>>>> Matthew Poole Auckland, New Zealand
    >>>>> "Veni, vidi, velcro...
    >>>>> I came, I saw, I stuck around"
    >>>>>
    >>>>> My real e-mail is mattATp00leDOTnet
    >>>>
    >>>> I love that fluffy "the consensus was" comment, if I tried that sort of
    >>>> thing
    >>>> I'm sure the FUD Police would come down on me like a ton of bricks :)
    >>>> Just to set the record straight, Microsoft source code is made
    >>>> available
    >>>> to a wide variety of academic institutions, OEMs, governments,
    >>>> developers
    >>>> and customers via the Shared Source initiative and others.
    >>>>
    >>>> As for "the security front" you might be interested to know that YTD
    >>>> there
    >>>> have been 18 security advisories for Windows Server 2003 Enterprise
    >>>> Edition, 84 for RedHat Enterprise Linux AS3, 20 for OpenBSD and 159 for
    >>>> Debian. This is freely-available data from Secunia www.secunia.com (and
    >>>> no
    >>>> we didn't pay
    >>>> for it) :)
    >>>
    >>> Well let's see now, we'll have a look at some of these security
    >>> advisories for RedHat Enterprise Linux AS3 shall we?
    >>>
    >>> Red Hat update for mysql-server. Hmm, this isn't part of Linux but is a
    >>> 3rd party database server. I'm betting that security advisories for Windows
    >>> don't include MSSQL Server (or MySQL for that matter, which will run on
    >>> Windows as well as Linux and other Unix based systems).
    >>>
    >>> Red Hat update for xpdf. Again, an additional 3rd party application, this
    >>> one for viewing pdfs. Probably not something you'd even install if you're
    >>> using it as a server.
    >>>
    >>> Red Hat update for gaim. Instant messaging software. Again, you probably
    >>> wouldn't install this.
    >>>
    >>> Red Hat update for openoffice.org. Office application software. Again,
    >>> you probably wouldn't install this.
    >>>
    >>> I am not going to argue either way whether I think MS/Linux/OpenBSD etc
    >>> is more secure, but you have to be wary of statistics like this when you
    >>> are comparing apples with oranges. Windows (apples) comes with server
    >>> software only (nothing wrong with this of course) so the security
    >>> advisories only deal with this. A Linux distro (oranges) comes with
    >>> dozens/hundreds of 3rd party applications for doing just about
    >>> everything, and these may or may not be installed when you set it up.
    >>> I know I wouldn't be setting up xpdf, openoffice or gaim on my RHEL AS3
    >>> server if I were using it for serving files or websites etc, so these
    >>> vulnerabilities would not affect me.
    >>>

    >> Are they part of the default install ?

    >
    > When you install RedHat you are given a number of different options for
    > installing. I can't remember the exact ones as it has been a while since
    > I've installed a RedHat system but it's something like Server / Desktop /
    > Custom and I'm pretty sure there's another option. Depending which you
    > select a set of default packages will be selected, and you have the option
    > to customise them if you want. You can switch on or off package groups (eg
    > webserver, database server, samba server etc) and go into further detail.
    > The level of detail isn't as good as the SUSE installer but it's pretty
    > good, and you can do pretty minimal installs.
    >
    > However, even if you had installed gaim, xpdf, openoffice etc on your
    > server, if you don't use them then the security vulnerabilities in those
    > applications aren't going to affect you anyway.
    >
    > As I mentioned before I'm not going to argue either way for security of one
    > system over another as just about any OS needs tweaking after installing to
    > ensure it's secure. The RedHat installer for example puts in loads of
    > services, users etc you just don't need so you need to lock them down just
    > as you would a Windows box with all the crap it switches on by default.
    > Just as you can have an insecure Windows box, you can have an insecure
    > Linux box. Just as you can have a secure Linux box, you can have a secure
    > Windows box. And not all vulnerabilities are created equal and it always
    > pays to keep up to date with any problems and issues with any software that
    > is installed on all the systems you maintain.
    >
    > --
    > Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/


    the "default install" thing is something that interests me - thanks for the
    detailed reply, much appreciated
     
    Brett Roberts, Nov 12, 2004
    #13
  14. Dave - Dave.net.nz

    Chris Hope Guest

    Dave - Dave.net.nz wrote:

    > Chris Hope wrote:
    >> Red Hat update for gaim. Instant messaging software. Again, you probably
    >> wouldn't install this.
    >>
    >> Red Hat update for openoffice.org. Office application software. Again,
    >> you probably wouldn't install this.

    >
    > so IIS/OE shouldn't be logged under win2k/XP?


    I would imagine IIS would be logged because it's installed with the OS, and
    then I guess that covers OE and IE as well - I did see at least one entry
    in the list for IE. However one thing confuses me with that site: if IE is
    considered to be part of the OS for these vulnerabilities then why aren't
    all 27 vulnerabilities in IE found in 2004 in the Advanced Server list?

    Do a search for IIS6 and it only shows 2 vulnerabilities in 2004.

    --
    Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
     
    Chris Hope, Nov 12, 2004
    #14
  15. Chris Hope wrote:
    > However, even if you had installed gaim, xpdf, openoffice etc on your
    > server, if you don't use them then the security vulnerabilities in those
    > applications aren't going to affect you anyway.


    actually it would depend on what the vulns are, but yeah.
     
    Dave - Dave.net.nz, Nov 12, 2004
    #15
  16. Dave - Dave.net.nz

    Chris Hope Guest

    Brett Roberts wrote:

    > "Chris Hope" <> wrote in message
    > news:1100218623_14707@216.128.74.129...
    >> Brett Roberts wrote:
    >>
    >>>
    >>> "Chris Hope" <> wrote in message
    >>> news:1100217523_14698@216.128.74.129...
    >>>> Brett Roberts wrote:
    >>>>
    >>>>> "Matthew Poole" <> wrote in message
    >>>>> news:cn0fb4$dju$...
    >>>>>> In article <>, "Dave - Dave.net.nz"
    >>>>>> <> wrote:
    >>>>>>>Wasn't there meant to be some meltdown caused by this? something
    >>>>>>>about how it was going to be sloppy code full of security holes and
    >>>>>>>back doors?
    >>>>>>>
    >>>>>>>maybe it was clean and tidy?
    >>>>>>>
    >>>>>> The consensus was that it wasn't particularly tidy. Even some
    >>>>>> comments about MS hating the OSS model because it would mean their
    >>>>>> sloppy coding would see the light of day.
    >>>>>>
    >>>>>>>Did I miss something in the news?
    >>>>>> It's hard to tell. One MS vulnerability looks much like any other.
    >>>>>> It's not like they've been getting away unscathed on the security
    >>>>>> front, but nobody's going to say that they found a vulnerability by
    >>>>>> looking through the code because they would then be admitting having
    >>>>>> been in possession of the code.
    >>>>>>
    >>>>>> --
    >>>>>> Matthew Poole Auckland, New Zealand
    >>>>>> "Veni, vidi, velcro...
    >>>>>> I came, I saw, I stuck around"
    >>>>>>
    >>>>>> My real e-mail is mattATp00leDOTnet
    >>>>>
    >>>>> I love that fluffy "the consensus was" comment, if I tried that sort of
    >>>>> thing I'm sure the FUD Police would come down on me like a ton of bricks
    >>>>> :) Just to set the record straight, Microsoft source code is made
    >>>>> available to a wide variety of academic institutions, OEMs, governments,
    >>>>> developers and customers via the Shared Source initiative and others.
    >>>>>
    >>>>> As for "the security front" you might be interested to know that YTD
    >>>>> there have been 18 security advisories for Windows Server 2003 Enterprise
    >>>>> Edition, 84 for RedHat Enterprise Linux AS3, 20 for OpenBSD and 159
    >>>>> for Debian. This is freely-available data from Secunia www.secunia.com
    >>>>> (and no we didn't pay for it) :)
    >>>>
    >>>> Well let's see now, we'll have a look at some of these security
    >>>> advisories for RedHat Enterprise Linux AS3 shall we?
    >>>>
    >>>> Red Hat update for mysql-server. Hmm, this isn't part of Linux but is a
    >>>> 3rd party database server. I'm betting that security advisories for Windows
    >>>> don't include MSSQL Server (or MySQL for that matter, which will run on
    >>>> Windows as well as Linux and other Unix based systems).
    >>>>
    >>>> Red Hat update for xpdf. Again, an additional 3rd party application, this
    >>>> one for viewing pdfs. Probably not something you'd even install if you're
    >>>> using it as a server.
    >>>>
    >>>> Red Hat update for gaim. Instant messaging software. Again, you
    >>>> probably wouldn't install this.
    >>>>
    >>>> Red Hat update for openoffice.org. Office application software. Again,
    >>>> you probably wouldn't install this.
    >>>>
    >>>> I am not going to argue either way whether I think MS/Linux/OpenBSD etc
    >>>> is more secure, but you have to be wary of statistics like this when
    >>>> you are comparing apples with oranges. Windows (apples) comes with
    >>>> server software only (nothing wrong with this of course) so the
    >>>> security advisories only deal with this. A Linux distro (oranges) comes
    >>>> with dozens/hundreds of 3rd party applications for doing just about
    >>>> everything, and these may or may not be installed when you set it up.
    >>>> I know I wouldn't be setting up xpdf, openoffice or gaim on my RHEL AS3
    >>>> server if I were using it for serving files or websites etc, so these
    >>>> vulnerabilities would not affect me.
    >>>>
    >>> Are they part of the default install ?

    >>
    >> When you install RedHat you are given a number of different options for
    >> installing. I can't remember the exact ones as it has been a while since
    >> I've installed a RedHat system but it's something like Server / Desktop /
    >> Custom and I'm pretty sure there's another option. Depending which you
    >> select a set of default packages will be selected, and you have the
    >> option to customise them if you want. You can switch on or off package
    >> groups (eg webserver, database server, samba server etc) and go into
    >> further detail. The level of detail isn't as good as the SUSE installer
    >> but it's pretty good, and you can do pretty minimal installs.
    >>
    >> However, even if you had installed gaim, xpdf, openoffice etc on your
    >> server, if you don't use them then the security vulnerabilities in those
    >> applications aren't going to affect you anyway.
    >>
    >> As I mentioned before I'm not going to argue either way for security of one
    >> system over another as just about any OS needs tweaking after installing to
    >> ensure it's secure. The RedHat installer for example puts in loads of
    >> services, users etc you just don't need so you need to lock them down
    >> just as you would a Windows box with all the crap it switches on by
    >> default. Just as you can have an insecure Windows box, you can have an
    >> insecure Linux box. Just as you can have a secure Linux box, you can have
    >> a secure Windows box. And not all vulnerabilities are created equal and
    >> it always pays to keep up to date with any problems and issues with any
    >> software that is installed on all the systems you maintain.
    >>

    > the "default install" thing is something that interests me - thanks for
    > the detailed reply, much appreciated


    I think the only time I've ever done a "default" install of a Linux
    webserver was the first two I set up in 2001, and I've installed about 20
    since then.

    --
    Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
     
    Chris Hope, Nov 12, 2004
    #16
  17. Dave - Dave.net.nz

    tatties Guest

    "Brett Roberts" <> wrote in message
    news:...
    > "tatties" <> wrote in message
    > news:...
    >>
    >> "Brett Roberts" <> wrote in message
    >> news:...
    >>
    >>>
    >>> I love that fluffy "the consensus was" comment, if I tried that sort of
    >>> thing I'm sure the FUD Police would come down on me like a ton of bricks
    >>> :) Just to set the record straight, Microsoft source code is made
    >>> available to a wide variety of academic institutions, OEMs,
    >>> governments, developers and customers via the Shared Source initiative
    >>> and others.
    >>>
    >>> As for "the security front" you might be interested to know that YTD
    >>> there have been 18 security advisories for Windows Server 2003
    >>> Enterprise Edition, 84 for RedHat Enterprise Linux AS3, 20 for OpenBSD
    >>> and 159 for Debian. This is freely-available data from Secunia
    >>> www.secunia.com (and no we didn't pay for it) :)
    >>>
    >>> Brett Roberts
    >>> Microsoft NZ
    >>>

    >>
    >> You and your marketers persist in deceptively comparing security
    >> advisories for a base install of Windows Server 2003, to the security
    >> advisories of a full linux distribution such as Debian containing 8700
    >> packages. RHEL is proportionately a smaller distribution with fewer
    >> packages.
    >>
    >> You know this, so I would have to accept you are doing this on behalf of
    >> your company in order to deceive us.
    >> As a Microsoft customer this gives me no confidence in your integrity.
    >>

    >
    > Actually it was the BSD one I found the most interesting as their strategy
    > is effectively one of minimising attack surface area by minimising what
    > gets installed.
    >


    You can do that with any distribution.
     
    tatties, Nov 12, 2004
    #17
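    Both Chris Hope's point earlier in the thread (the installer turns on
    services you don't need, so lock them down) and the "minimise what gets
    installed" remark above come down to the same check: what is actually
    listening on the box versus what it is supposed to serve. The script
    below is an added example, not code from any poster in this thread. It
    assumes the column layout printed by `ss -ltn` (State, Recv-Q, Send-Q,
    Local Address:Port, Peer Address:Port); the sample listing is constructed
    to illustrate, and on a live server you would pipe in the real `ss -ltn`
    output instead.

```bash
#!/bin/sh
# Added example: compare exposed TCP listeners against an allow-list of
# ports the server is meant to offer. Sockets bound to loopback only
# (127.0.0.1 / [::1]) are ignored, since they are not reachable remotely.

# Constructed sample in the `ss -ltn` column layout (assumption: header
# line, then State Recv-Q Send-Q Local:Port Peer:Port).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       511     [::]:80              [::]:*
LISTEN  0       5       127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     0.0.0.0:5222         0.0.0.0:*'

# exposed_ports: read an ss-style listing on stdin, print "addr port" for
# every LISTEN socket that is bound to something other than loopback.
exposed_ports() {
  awk 'NR > 1 && $1 == "LISTEN" {
    # the port is everything after the last colon; the address is the rest,
    # so bracketed IPv6 forms such as [::]:80 split correctly
    n = split($4, parts, ":")
    port = parts[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (addr != "127.0.0.1" && addr != "[::1]") print addr, port
  }'
}

# unexpected_ports LISTING "p1 p2 ...": print addr:port for each exposed
# listener whose port is not in the space-separated allow-list.
unexpected_ports() {
  listing=$1
  allowed=" $2 "
  printf '%s\n' "$listing" | exposed_ports | while read -r addr port; do
    case "$allowed" in
      *" $port "*) ;;                        # a service policy expects
      *) printf '%s:%s\n' "$addr" "$port" ;; # listening, but nobody asked for it
    esac
  done
}

# Usage: a web server that should only offer SSH and HTTP. MySQL and CUPS
# are loopback-only and pass; the XMPP daemon on 5222 is flagged.
unexpected_ports "$SAMPLE_SS" "22 80"
```

    Anything the script prints is a candidate for removal or for binding to
    loopback, which is the cheap, distribution-independent version of the
    OpenBSD "don't install it" approach.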
  18. Dave - Dave.net.nz

    Brendan Guest

    On Fri, 12 Nov 2004 12:33:14 +1300, Brett Roberts wrote:

    > I love that fluffy "the consensus was" comment, if I tried that sort of thing
    > I'm sure the FUD Police would come down on me like a ton of bricks :)
    > Just to set the record straight, Microsoft source code is made available to
    > a wide variety of academic institutions, OEMs, governments, developers and
    > customers via the Shared Source initiative and others.


    Under Draconian agreements.

    I thought I would have a look at some of your claims. What I found paints a
    different picture to what you are saying:

    > As for "the security front" you might be interested to know that YTD there
    > have been


    > 18 security advisories for Windows Server 2003 Enterprise Edition,


    "Microsoft Windows Server 2003 Enterprise Edition with all vendor patches
    installed and all vendor workarounds applied, is currently affected by one
    or more Secunia advisories rated Less critical"

    "Currently, 4 out of 31 Secunia advisories, is marked as "Unpatched" in the
    Secunia database."

    > 84 for RedHat Enterprise Linux AS3,


    "The Secunia database currently contains 0 Secunia advisories marked as
    "Unpatched", which affects RedHat Enterprise Linux AS 3."

    > 20 for OpenBSD and


    "OpenBSD 3.x with all vendor patches installed and all vendor workarounds
    applied, is currently affected by one or more Secunia advisories rated Less
    critical "

    "Currently, 1 out of 46 Secunia advisories, is marked as "Unpatched" in the
    Secunia database."

    > 159 for Debian.


    "Debian GNU/Linux 3.0 with all vendor patches installed and all vendor
    workarounds applied, is currently affected by one or more Secunia
    advisories rated Moderately critical "

    "Currently, 5 out of 405 Secunia advisories, is marked as "Unpatched" in
    the Secunia database."


    I thought a few other stats might be interesting:


    Microsoft Windows XP Professional

    "Microsoft Windows XP Professional with all vendor patches installed and
    all vendor workarounds applied, is currently affected by one or more
    Secunia advisories rated Highly critical "

    "Currently, 19 out of 74 Secunia advisories, is marked as "Unpatched" in
    the Secunia database. "


    Microsoft Windows XP Home Edition

    "Microsoft Windows XP Home Edition with all vendor patches installed and
    all vendor workarounds applied, is currently affected by one or more
    Secunia advisories rated Highly critical "

    "Currently, 16 out of 67 Secunia advisories, is marked as "Unpatched" in
    the Secunia database."



    Just to be fair, here are some competing Open Source operating systems
    aimed at a general audience:

    Mandrakelinux 10.1

    "The Secunia database currently contains 0 Secunia advisories marked as
    "Unpatched", which affects Mandrakelinux 10.1."

    "Currently, 0 out of 15 Secunia advisories, is marked as "Unpatched" in the
    Secunia database."


    SuSE Linux Desktop 1.x

    "The Secunia database currently contains 0 Secunia advisories marked as
    "Unpatched", which affects SuSE Linux Desktop 1.x."

    "Currently, 0 out of 17 Secunia advisories, is marked as "Unpatched" in the
    Secunia database."

    > This is freely-available data from Secunia www.secunia.com (and no we
    > didn't pay for it) :)
    >
    > Brett Roberts
    > Microsoft NZ


    You and Nathan sure are a pair.

    --

    .... Brendan

    LAWYER, n. One skilled in circumvention of the law. -- Ambrose Bierce

    Note: All my comments are copyright 12/11/2004 1:03:14 p.m. and are opinion only where not otherwise stated and always "to the best of my recollection". www.computerman.orcon.net.nz.
     
    Brendan, Nov 12, 2004
    #18
  19. Dave - Dave.net.nz

    Bret Guest

    On Fri, 12 Nov 2004 13:13:26 +1300, Brett Roberts wrote:

    > Yes, it's the same for most software I guess however I would venture that
    > the majority of installations (60% ? 80% ?) of any software are default
    > installs.


    What's a default install, Brett?
     
    Bret, Nov 12, 2004
    #19
  20. Dave - Dave.net.nz

    Bret Guest

    On Fri, 12 Nov 2004 13:11:31 +1300, Brett Roberts wrote:

    > "tatties" <> wrote in message
    > news:...
    >>
    >> "Brett Roberts" <> wrote in message
    >> news:...
    >>
    >>>
    >>> I love that fluffy "the consensus was" comment, if I tried that sort of
    >>> thing I'm sure the FUD Police would come down on me like a ton of bricks
    >>> :) Just to set the record straight, Microsoft source code is made
    >>> available to a wide variety of academic institutions, OEMs, governments,
    >>> developers and customers via the Shared Source initiative and others.
    >>>
    >>> As for "the security front" you might be interested to know that YTD
    >>> there have been 18 security advisories for Windows Server 2003 Enterprise
    >>> Edition, 84 for RedHat Enterprise Linux AS3, 20 for OpenBSD and 159 for
    >>> Debian. This is freely-available data from Secunia www.secunia.com (and
    >>> no we didn't pay for it) :)
    >>>
    >>> Brett Roberts
    >>> Microsoft NZ
    >>>

    >>
    >> You and your marketers persist in deceptively comparing security
    >> advisories for a base install of Windows Server 2003, to the security
    >> advisories of a full linux distribution such as Debian containing 8700
    >> packages. RHEL is proportionately a smaller distribution with fewer
    >> packages.
    >>
    >> You know this, so I would have to accept you are doing this on behalf of
    >> your company in order to deceive us.
    >> As a Microsoft customer this gives me no confidence in your integrity.
    >>

    >
    > Actually it was the BSD one I found the most interesting as their strategy
    > is effectively one of minimising attack surface area by minimising what gets
    > installed.


    Why didn't you just come out and say so then? I thought you were just
    spouting off :)
     
    Bret, Nov 12, 2004
    #20