Re: Microsoft security risk

Discussion in 'NZ Computing' started by Nathan Mercer, Sep 26, 2003.

  1. "Peter" <> wrote in message
    news:...
    >
    > Some security experts have concluded that the Microsoft monoculture is a

    For clarification the some being some of Microsoft's biggest competitors
    http://www.ccianet.org/membership.php3
    AOL, Intuit, Sun, Nokia, Oracle, Yahoo

    > major security risk to society, particularly with the less knowledgeable
    > home users, who are now getting better computers and broadband connections.
    > The solution is to avoid Microsoft software, especially with important data
    > and functions, such as government and public utilities.


    And the solution is? Start running something else? And when that product
    starts having hacks because of its prevalence what next?
    Nathan Mercer, Sep 26, 2003
    #1

  2. Nathan Mercer

    Evil Bastard Guest

    On Sat, 27 Sep 2003 10:27:37 +1200, Nathan Mercer wrote:

    > And the solution is? Start running something else? And when that product
    > starts having hacks because of its prevalence what next?


    "Ahh yes, they only attack us here at Microslut because we're the biggest
    and most successful company. It's got nothing to do with the fact that we
    greedily hide our source code and interface details from the world, and
    encourage our users to remain 'blissfully' ignorant."

    Listen, M$ - you guys did a sweet job of integration, and jumped onto the
    single biggest business opportunity in decades - an understandable
    graphical user interface, approachable internet clients, merged in with
    Berkeley TCP/IP stack for Internet access. But your security sucks golf
    balls through hoses.

    Would you have really lost this opportunity by taking a bit of time - even
    a lousy 6-12 months - to hire some outside experts to review the security
    of your code before hyping it up and putting it out there?

    From a security point of view, your internal QA systems are reactive, not
    proactive. You didn't encourage your engineers to deliberately look for
    vulnerabilities. You're doing that now, but too little too late.

    And, you introduced innumerable points of attack by over-integrating. Like
    an email client that executes javascript in messages!?!? Gimme a break!

    Wake up - your software is the equivalent of a naive superstitious dumb
    blonde prostitute. Tantalizingly attractive, an affordable ****, everyone
    wants to get in to her pants, but she's full of sexually transmitted
    diseases, and she won't let the doctor run a blood test because she's
    scared of giving away her secrets.

    Microsoft has a history of being able to make vast strategic handbrake
    turns on a sixpence. Your real long-term success could be secured by
    forgetting Longhorn and instead building a slutted-up Linux or BSD based
    OS, like what Apple did by packaging FreeBSD as OS-X.
    Evil Bastard, Sep 27, 2003
    #2

  3. Nathan Mercer

    Lennier Guest

    On Fri, 26 Sep 2003 22:16:24 -0700, techie wrote:

    > We're still waiting for a really really secure Microsoft OS.


    Micro$oft is simply not capable of creating a secure OS.

    The words "Microsoft" and "secure" have opposite meanings.

    Lennier
    Lennier, Sep 27, 2003
    #3
  4. Nathan Mercer

    Steven H Guest

    In article <pan.2003.09.26.23.50.08.553721@127.0.0.1>, postmaster@
    127.0.0.1 says...

    > Wake up - your software is the equivalent of a naive superstitious dumb
    > blonde prostitute. Tantalizingly attractive, an affordable ****, everyone
    > wants to get in to her pants, but she's full of sexually transmitted
    > diseases, and she won't let the doctor run a blood test because she's
    > scared of giving away her secrets.


    if my system is so fucking insecure then why isn't it rooted yet.

    like ANY operating system security is relative to the user, run as root
    on *nix and you're fucked, run as admin on NT and you're fucked.
    misconfigure either and you're fucked.

    Wake up.

    --
    ===================================================
    Steven H
    Steven H, Sep 27, 2003
    #4
  5. Nathan Mercer

    dOTdASH Guest

    "techie" <> wrote in message
    news:p...
    > On Fri, 26 Sep 2003 16:50:09 -0700, Evil Bastard wrote:
    >
    > > From a security point of view, your internal QA systems are reactive,
    > > not proactive. You didn't encourage your engineers to deliberately look
    > > for vulnerabilities. You're doing that now, but too little too late.

    >
    > They were going to make Windows 98 really really secure.
    >
    > They were going to make Windows NT really really secure.
    >
    > They were going to make Windows ME really really secure.
    >
    > They were going to make Windows 2000 really really secure.
    >
    > They were going to make Windows XP really really secure.
    >
    > We're still waiting for a really really secure Microsoft OS.


    Hello ???? We're still waiting for a really really secure <insert any vendor
    here> OS. I don't see too much mention of the recent openSSH multiple
    vulnerability debacle or the constant stream of sendmail patches either. Is
    it just me or are some pro-Linux/anti-MS people suffering from OS myopia ?
    No OS is 100% secure and a properly configured Windows XP box is just as
    secure as a properly configured RH9 box.
    dOTdASH, Sep 27, 2003
    #5
  6. Hi there,

    Nathan Mercer wrote:
    > "Peter" <> wrote in message
    > news:...
    >
    >>Some security experts have concluded that the Microsoft monoculture is a
    >
    > For clarification the some being some of Microsoft's biggest competitors
    > http://www.ccianet.org/membership.php3
    > AOL, Intuit, Sun, Nokia, Oracle, Yahoo
    >
    >>major security risk to society, particularly with the less knowledgeable
    >>home users, who are now getting better computers and broadband connections.
    >>The solution is to avoid Microsoft software, especially with important data
    >>and functions, such as government and public utilities.

    >
    >
    > And the solution is? Start running something else? And when that product
    > starts having hacks because of its prevalence what next?


    I don't think you get it. The security risks posed by Windows are due
    not only to its prevalence in the desktop PC market, but also its simple
    lack of a secure architecture.

    If Linux were OS #1 across the globe of course we would see an increase
    in virii aimed at it, but the inherently more secure architecture would
    ensure virus authors would have a much tougher time of cracking it...

    Kind regards,

    Chris Wilkinson, Christchurch.
    Chris Wilkinson, Sep 27, 2003
    #6
  7. Nathan Mercer

    dOTdASH Guest

    "Chris Wilkinson" <> wrote in message
    news:...
    > Hi there,
    >
    > Nathan Mercer wrote:
    > > "Peter" <> wrote in message
    > > news:...
    > >
    > >>Some security experts have concluded that the Microsoft monoculture is a
    > >
    > > For clarification the some being some of Microsoft's biggest competitors
    > > http://www.ccianet.org/membership.php3
    > > AOL, Intuit, Sun, Nokia, Oracle, Yahoo
    > >
    > >>major security risk to society, particularly with the less knowledgeable
    > >>home users, who are now getting better computers and broadband connections.
    > >>The solution is to avoid Microsoft software, especially with important data
    > >>and functions, such as government and public utilities.
    > >
    > > And the solution is? Start running something else? And when that product
    > > starts having hacks because of its prevalence what next?

    >
    > I don't think you get it. The security risks posed by Windows are due
    > not only to its prevalence in the desktop PC market, but also its simple
    > lack of a secure architecture.
    >
    > If Linux were OS #1 across the globe of course we would see an increase
    > in virii aimed at it, but the inherently more secure architecture would
    > ensure virus authors would have a much tougher time of cracking it...
    >
    > Kind regards,
    >
    > Chris Wilkinson, Christchurch.
    >


    If you're talking Windows 95 and 98 I'd tend to agree, remembering of course
    that the architecture was probably designed 5 to 10 years before the first
    version of Linux saw the light of day. The Win2K/XP platform is as secure
    architecturally as any other PC OS
    dOTdASH, Sep 27, 2003
    #7
  8. Hi there,

    Steven H wrote:
    > In article <pan.2003.09.26.23.50.08.553721@127.0.0.1>, postmaster@
    > 127.0.0.1 says...
    >
    >>Wake up - your software is the equivalent of a naive superstitious dumb
    >>blonde prostitute. Tantalizingly attractive, an affordable ****, everyone
    >>wants to get in to her pants, but she's full of sexually transmitted
    >>diseases, and she won't let the doctor run a blood test because she's
    >>scared of giving away her secrets.

    >
    > if my system is so fucking insecure then why isn't it rooted yet.
    >
    > like ANY operating system security is relative to the user, run as root
    > on *nix and you're fucked, run as admin on NT and you're fucked.
    > misconfigure either and you're fucked.


    ....and running Win 9x/ME/2k/XP at all has pretty much the same effect...

    I do not argue your statement, but if I even start X-windows as root I
    get a humungoid warning saying it's a dicey thing to do. Among the first
    things any new Linux user learns is to NOT RUN DAY_TO_DAY STUFF AS ROOT!

    I would imagine most Linux users are well aware of that...

    Kind regards,

    Chris Wilkinson, Christchurch.
    Chris Wilkinson, Sep 27, 2003
    #8
  9. "Steven H" <> wrote in message
    news:...
    > In article <pan.2003.09.26.23.50.08.553721@127.0.0.1>, postmaster@
    > 127.0.0.1 says...
    >
    > > Wake up - your software is the equivalent of a naive superstitious dumb
    > > blonde prostitute. Tantalizingly attractive, an affordable ****, everyone
    > > wants to get in to her pants, but she's full of sexually transmitted
    > > diseases, and she won't let the doctor run a blood test because she's
    > > scared of giving away her secrets.

    >
    > if my system is so fucking insecure then why isn't it rooted yet.
    >
    > like ANY operating system security is relative to the user, run as root
    > on *nix and you're fucked, run as admin on NT and you're fucked.
    > misconfigure either and you're fucked.
    >
    > Wake up.


    "When you have people who hook up these machines that weren't designed for
    the Internet, and they don't even want to know about all the intricacies of
    network security, what can you expect? We get what we have now: a system
    that can be brought down by a teenager with too much time on his hands.
    Should we blame the teenager? Sure, we can point the finger at him and say,
    ''Bad boy!'' and slap him for it. Will that actually fix anything? No. The
    next geeky kid frustrated about not getting a date on Saturday night will
    come along and do the same thing without really understanding the
    consequences. So either we should make it a law that all geeks have dates --
    I'd have supported such a law when I was a teenager -- or the blame is
    really on the companies who sell and install the systems that are quite that
    fragile."

    Linus Torvalds
    http://www.nytimes.com/2003/09/28/magazine/WLN104109.html
    Olson Johnson, Sep 27, 2003
    #9
  10. Nathan Mercer

    Gordon Guest

    On Sat, 27 Sep 2003 10:27:37 +1200, Nathan Mercer wrote:

    >
    > "Peter" <> wrote in message
    > news:...


    >> The solution is to avoid Microsoft software, especially with important data
    >> and functions, such as government and public utilities.

    >
    > And the solution is? Start running something else? And when that product
    > starts having hacks because of its prevalence what next?


    The point is, diversity makes a virus a lot less likely to go on the
    rampage. It cannot get going, as often the transmission to the next
    platform leaves it dead on the HD.

    Think of nature.

    --
    Gordon

    Google knows where to find things, ask at http://www.google.com
    Works for me, will work for you, so be it.
    Gordon, Sep 27, 2003
    #10
  11. Nathan Mercer

    Evil Bastard Guest

    On Sat, 27 Sep 2003 15:34:44 +1200, Lennier wrote:

    > The words "Microsoft" and "secure" have opposite meanings.


    Not entirely true.

    Microsoft has an excellent grasp of security.

    Security of growth and returns to shareholders, of course! :p
    Evil Bastard, Sep 27, 2003
    #11
  12. On Sat, 27 Sep 2003 16:57:09 +1200, dOTdASH wrote:

    > If you're talking Windows 95 and 98 I'd tend to agree, remembering of course
    > that the architecture was probably designed 5 to 10 years before the first
    > version of Linux saw the light of day. The Win2K/XP platform is as secure
    > architecturally as any other PC OS


    Probably more so, being VMS based.

    However that's utterly torpedoed by MS and other software insisting that
    it must be run as admin (or worse, local system admin) privileges.
    Uncle StoatWarbler, Sep 27, 2003
    #12
  13. On Sat, 27 Sep 2003 17:22:35 +1200, Chris Wilkinson wrote:

    > I disagree. 2K/XP are not very secure, and the current spate of quite
    > nasty little virii are testament to that. As a 'normal' user of Linux I
    > cannot even look in some directories unless the root user decides it is
    > OK, but the same cannot be said of Windows, where system and hidden
    > files are quite easily viewed by Joe Average users...


    Your challenge, Mr Phelps, is to try and do that on a $orkplace w2k box
    I've locked down.

    No, you cannot have administrator access to install
    $INSERT_RANDOM_SOFTWARE_HERE, lowly user. Nya ha haa

    Even with those lockdowns, the boxes are still vulnerable to certain
    attacks thanks to all the MS services running as local admin when they
    don't need to be. Hence they are checked daily and heavily firewalled -
    both in and outbound.
    Uncle StoatWarbler, Sep 27, 2003
    #13
  14. On Sat, 27 Sep 2003 16:19:27 +1200, Steven H wrote:

    > if my system is so fucking insecure then why isn't it rooted yet.


    How do you know it hasn't been?

    $hint: a stealthy version of nachi would give few clues there was anything
    wrong. Most of the IRC zombie installs are _very_ stealthy.

    I just read over in one of the netabuse groups that Blueyonder (a cable
    ISP with about 200k users) has had to lock down about 23,000 users in the
    last week because they didn't respond to warnings their machines had been
    backdoored, or fix the fault.
    Uncle StoatWarbler, Sep 27, 2003
    #14
  15. On Fri, 26 Sep 2003 22:16:24 -0700, techie wrote:

    > We're still waiting for a really really secure Microsoft OS.



    Uh, no.

    We're still waiting for a mildly secure Microsoft OS

    Really really is a long way off yet...


    --
    There are 2 sorts of email opt-in lists:
    1: Those which can demonstrate the provenance of every subscription request.
    2: Fraud
    Uncle StoatWarbler, Sep 27, 2003
    #15
  16. Nathan Mercer

    Peter Guest

    this quote is from Nathan Mercer of Sat, 27 Sep 2003 10:27 :
    >
    > And the solution is? Start running something else? And when that product
    > starts having hacks because of its prevalence what next?


    Perhaps the best chance of a solution is diversity - diversity of OS and of
    mail clients.

    This is the approach of nature, where species have lots of genetic
    diversity. As well as giving strong evolutionary progress through multiple
    development paths, it provides some measure of protection in that an
    adverse impact will likely only affect a portion of the population.

    It promises to work this way in software as well. With a monoculture (ie
    everyone has the same OS and the same browser and the same mail client), a
    cracker need only develop one successful exploit for this platform, and
    they can infect the whole population. Propagation is also much more rapid
    in a homogenous environment.

    Of course, Microsoft won't like this approach, as it would mean an end to
    their unlawful monopoly practices.
    It would be good news for everyone else, though.


    Peter
    Peter, Sep 28, 2003
    #16
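
The propagation argument in Peter's post above (and Gordon's earlier one), as an added illustration that is not part of the original thread: a toy random-scanning model in which a worm's exploit works on only one platform. The host count, probe rate and the four equal platform shares are constructed assumptions.

```python
import random

def simulate(shares, hosts=2000, probes=3, rounds=60, seed=2003):
    """Random-scanning worm whose exploit only works on platform 0.

    shares: fraction of hosts on each platform (shares[0] is the targeted one).
    Returns the infected-host count after each round (index 0 = first host).
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    platform = []
    for idx, share in enumerate(shares):
        platform += [idx] * round(hosts * share)
    if len(platform) != hosts:
        raise ValueError("shares must divide the host count evenly")
    rng.shuffle(platform)
    infected = {platform.index(0)}  # one initially infected, vulnerable host
    history = [1]
    for _ in range(rounds):
        hits = set()
        # Every infected host probes `probes` addresses chosen at random.
        for _ in range(len(infected) * probes):
            target = rng.randrange(hosts)
            if platform[target] == 0:  # other platforms ignore the exploit
                hits.add(target)
        infected |= hits
        history.append(len(infected))
    return history

def rounds_until(history, count):
    """First round at which at least `count` hosts are infected, else None."""
    for rnd, total in enumerate(history):
        if total >= count:
            return rnd
    return None

def compare(hosts=2000):
    """Monoculture versus four equally popular platforms (constructed shares)."""
    mono = simulate([1.0], hosts)
    mixed = simulate([0.25, 0.25, 0.25, 0.25], hosts)
    return {
        "mono_final": mono[-1],
        "mixed_final": mixed[-1],
        # Rounds needed to infect half of each scenario's own vulnerable hosts.
        "mono_half": rounds_until(mono, hosts // 2),
        "mixed_half": rounds_until(mixed, hosts // 4 // 2),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

In the mixed population three out of four probes land on hosts the exploit cannot touch, so the outbreak is capped at the targeted platform's share and also spreads more slowly through the hosts it can reach.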
  17. Hi there,

    Uncle StoatWarbler wrote:
    > On Sat, 27 Sep 2003 17:22:35 +1200, Chris Wilkinson wrote:
    >
    >
    >>I disagree. 2K/XP are not very secure, and the current spate of quite
    >>nasty little virii are testament to that. As a 'normal' user of Linux I
    >>cannot even look in some directories unless the root user decides it is
    >>OK, but the same cannot be said of Windows, where system and hidden
    >>files are quite easily viewed by Joe Average users...

    >
    > Your challenge, Mr Phelps, is to try and do that on a $orkplace w2k box
    > I've locked down.
    >
    > No, you cannot have administrator access to install
    > $INSERT_RANDOM_SOFTWARE_HERE, lowly user. Nya ha haa
    >
    > Even with those lockdowns, the boxes are still vulnerable to certain
    > attacks thanks to all the MS services running as local admin when they
    > don't need to be. Hence they are checked daily and heavily firewalled -
    > both in and outbound.


    Exactly, and that's how virii/hackers get in and exploit supposedly
    bombproof security on these NT/2k/XP boxes...

    The person on the keyboard will have more trouble hacking the PC
    than someone who has found an open TCP port via the internet...

    Kind regards,

    Chris Wilkinson, Christchurch.
    Chris Wilkinson, Sep 28, 2003
    #17
  18. Nathan Mercer

    pbs Guest

    Uncle StoatWarbler wrote:
    > On Sat, 27 Sep 2003 16:57:09 +1200, dOTdASH wrote:
    >
    >
    >>If you're talking Windows 95 and 98 I'd tend to agree, remembering of course
    >>that the architecture was probably designed 5 to 10 years before the first
    >>version of Linux saw the light of day. The Win2K/XP platform is as secure
    >>architecturally as any other PC OS

    >
    >
    > Probably more so, being VMS based.


    That was NT -- same chief designer as VMS. Not Win9x which sits on top
    of MS-DOS.
    pbs, Sep 28, 2003
    #18
  19. Nathan Mercer

    pbs Guest

    dOTdASH wrote:
    >
    > If you're talking Windows 95 and 98 I'd tend to agree, remembering of course
    > that the architecture was probably designed 5 to 10 years before the first
    > version of Linux saw the light of day. The Win2K/XP platform is as secure
    > architecturally as any other PC OS


    No! This has to be a Troll!

    Linux is a kernel, the GNU software which surrounds it is older.
    Windows 95 came out in 95 or was it 96? The earliest Linux kernels were
    already out, the first internet posting was on 25-Aug-1991.
    http://linux-bangalore.org/articles/bday.php
    By 1992 it was developed enough to be defended in a flame war:
    http://people.fluidsignal.com/~luferbu/misc/Linus_vs_Tanenbaum.html

    You are saying that Windows 95 was designed 5 to 10 years before 1991,
    that its earliest start date was 1981 and its latest was 1986. MS-DOS
    1.0 came out in 1981, PC-DOS 3.3 in 1987. In other words, Windows 95
    at the earliest was in design at the time MS-DOS was released and at the
    latest it was being designed before Windows 2.0 was released in 1987!
    http://www.geocities.com/thecyberprice/dostimeline.htm
    http://www.technicalminded.com/windows_timeline.htm

    If that is true then you have to accept that the open source development
    model as described in "The Cathedral and the Bazaar" is far superior to
    MS design departments! http://catb.org/~esr/writings/cathedral-bazaar/

    Most of the GNU software is a rewrite of the UNIX software which was
    already (I use the term loosely) "designed" and working before MS DOS
    1.1.

    > The Win2K/XP platform is as secure architecturally as any other PC OS


    I think this should read "The Win2K/XP platform is as *most*"

    As far as I know it has MS Win2K/XP C2 Orange Book ("OB") security
    levels http://www.gl.iit.edu/gartner2/research/90000/90012/90012.html

    Trusted Solaris 2.5.1 will run at B1 OB security levels. I am not sure
    if it is released on PCs though. http://sunflash.sun.com/6/1/sw/index.shtml

    There is also NSA's B1 OB security-enhanced Linux
    : The project was started when the NSA decided that existing mainstream
    : operating systems lacked the critical security feature required for
    : enforcing separation - mandatory access control.
    http://www.itweek.co.uk/News/1125743

    And probably half a dozen more.

    BUT this is a little cosmetic, as all standard PCs have hardware
    holes because it is too easy to mess with the hardware, e.g.:
    http://www.gcn.com/archives/gcn/1995/September4/nthole.htm
    http://www.trustedcomputing.org/home
    pbs, Sep 28, 2003
    #19
  20. On Sun, 28 Sep 2003 15:49:22 +1200, pbs wrote:

    >>>If you're talking Windows 95 and 98 I'd tend to agree, remembering of
    >>>course that the architecture was probably designed 5 to 10 years before
    >>>the first version of Linux saw the light of day. The Win2K/XP platform
    >>>is as secure architecturally as any other PC OS

    >>
    >> Probably more so, being VMS based.

    >
    > That was NT -- same chief designer as VMS. Not Win9x which sits on top
    > of MS-DOS.


    I wasn't talking about Win9x, which as you say is simply a fancy GUI on
    top of Messy-DOG.

    WRT claims of linux, etc, I was using Linux/X as far back as late 1993 and
    at that stage win3.11 (major bugfix edition) had really only just come
    out.

    --
    There are 2 sorts of email opt-in lists:
    1: Those which can demonstrate the provenance of every subscription request.
    2: Fraud
    Uncle StoatWarbler, Sep 28, 2003
    #20