Open Source and information security mailing list archives
Message-ID: <20020923202606.GV2691@darkuncle.net>
From: lists_full-disclosure at darkuncle.net (lists_full-disclosure@...kuncle.net)
Subject: Re: MS-02-052 + blackholing MS

On Fri, Sep 20, 2002 at 06:43:53PM -0500, SMoyer@...re.com said:
> 
> Sho nuff, and all those all-Linux, all-BSD, all-Tru64, all-Websphere,
> all-IPlanet, and all-Apache shops out there have been nothing but rock-solid
> these past few months, lemme tell ya... 

Take the advisories for those products from the last 6 months and compare
with advisories for Microsoft products from the last 6 months. 'nuff said.

It's not about whether or not there have been X advisories for a product in
the last Y days/weeks/months - when I choose a product with an eye towards
security, I look at the long-term track record of the product, and of related
products produced by the same group or company. Apache has a pretty stellar
track record over its lifetime. So does OpenSSH. Microsoft may have had a
good month or two lately (or not!), but their track record ranks among the
worst in the industry. That said ...

> I had the no-MS approach a few years ago, but when the bottom fell out of
> the economy, telling people "no speaka NT" in an interview didn't earn me
> many points.

For me, it's both a matter of principle (I don't like MS software or business
tactics, and refuse to support either) and practicality (the idea of having
to admin a Windows network is the stuff nightmares are made of; thanks, but
no thanks).

> While WinDOS is a pain in the butt to lock down, it can be done, whether
> with 3rd-party tools or, increasingly, with stuff that actually ships with

Yes, windows server products can be locked down. My gripe is with the amount
of relative effort required to do so, compared with a good free *nix
equivalent - FreeBSD, for instance. Not to mention the disturbing trend
towards patches that have EULAs requiring one to give remote administrative
access to MS for the purpose of ensuring no copyright infringement, etc. (I'm
sure they have cleaned up the PR disaster that issue was; the underlying
corporate attitude that caused it has not changed in the last 10+ years.)

> it. Actually, in a lot of ways the default installs of Solaris and HP/UX
> could be argued as being more trusting than, or at least as trusting as, 2K.
> And don't even get me started on Linux. Slack 8.1 still has portmap on by
> default. Blarg.

*nod* there are bad examples everywhere. Like I said, in my view it's a
matter of considering a product's track record, and most importantly, whether
or not the tool fits the job at hand. IMO, while Windows products may be the
right tool for the job in the desktop environment (not in mine, but granted
I'm not your standard business customer), they are almost _never_ the right
tool in the server room. Just because X Linux Distro ships with some insecure
options on by default doesn't make WindowsXP Enterprise Professional .NET
BackOffice Server Corporate Edition a better choice. In the end, if it's a
choice between trying to admin a Windows network and a UNIX network, well,
there's not much question in my mind. YMMV.

> The way I look at it, business needs and developers define the environment, and

Businesses (or customers in general) define the needs. Developers, both
commercial and otherwise, produce products to fit those needs. MS tends to
produce products whose primary purpose is to produce a continual revenue
stream for MS (primarily through license and upgrade fees). Security and
functionality take a backseat to creating a revenue stream. Many open source
software projects perform at least as well as, and in many cases are vastly
superior to, the equivalent from MS. Developers don't define the environment
- they build tools for use by end users. End users decide what tool will best
fit their needs - unfortunately, end users are also rather susceptible to
marketing and herd mentality.

> our Sisyphean task is to keep it up and solid within the constraints we're
> provided. Some platforms make it harder than others, but that's why we get

That's true enough - sysadmins are frequently stuck with what's there when
they get hired. Some of us are fortunate enough to have the latitude to
rebuild things The Right Way. Others of us are hobbled and must resign
ourselves to endless band-aids and patching of systems that should have been
allowed to return to the dust long since.

> to drive sports cars and wear leather pants to DefCon. 

wow, I must be in the wrong end of system administration. :) Maybe if I
started drinking the Microsoft Kool-Aid I'd start sharing in their obscene
profit level ...

> I'll continue to curse MS daily, but I'll curse FBSD, HP, Cisco, Nortel,
> Theo, and whoever else ends up being a thorn in my side just as much.

*nod* As will I. But MS garners about 98% of my ire, because they're
responsible for about 98% of my hassle and frustration as an administrator.

> Dismissing a platform outright is not an option for me, and it's not an
> option for most people either. If it is for you, Steve, rock on. Hell, I'd

I think MS has built enough of a track record to warrant outright dismissal
in the server arena, but even if for some reason it hasn't, in the end, it's
still about using the best tool for the job. If you honestly think a
Microsoft product is the best tool for the job, all things considered, then
go with it. I rarely arrive at that conclusion myself.

> shut down our I-net pipes if I could do it, and put every one back on
> VT220's and go back to one VMS box for the whole company, if I could do it
> and if it still served our business needs.
> 
> All our Hushmail-ites on this list are probably sitting on 2K / XP or VMWare
> boxes themselves; at least I've never been able to get it to work in
> Mozilla. So sometimes you gotta dance with the devil, whether you want to or
> not... You just make sure and wear a flame-retardant cummerbund and a crash
> helmet. :)

:)

> Besides, isn't this required reading in Redmond nowadays? --->
> http://www.microsoft.com/mspress/books/5612.asp

Reading ain't doing, apparently. :)

> (Hypocrisy disclaimer: I just gave hellNbak crap for running an Exchange box
> on the I-net three days ago. So sue me.)

Right tool, right job. That's what it boils down to.
-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
  GPG key CB33CCA7 has been revoked; I am now 5537F527
        illum oportet crescere me autem minui