lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200311120959.07984.jeremiah@nur.net>
From: jeremiah at nur.net (Jeremiah Cornelius)
Subject: Microsoft prepares security assault on Linux ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 12 November 2003 07:49, amebix@...cast.net wrote:
> With Linux you have the ability to not install certain things. With Windows
> you have no choice, messenger will be installed and enabled. Its going to
> be exploitable out of the box. 

This is true...  A new XP box - installed from Media - requires over 90 MB of 
new download patches!  God help the  <128Kbps crowd.  This is applied VERY 
slowly.  We are talking two hours on a PIII 750MHz.  Three reboots are 
required, with a manual re-initialization of the patching sequence.  How will 
MS improve this?  Mandatory patching?  Retroactively enforced on machines 
they /can't/ get to install the current fixes?

MS ought to make payments to high-speed ISPs!

> Take for example Debian Woody. Quite 
> possibly the greatest operating system package ever released. 

No argument!  But the security of Woody is subject to a bunch of apt-get 's 
after install - not too different from the MS situation - except for the 
speed!  

I always grab a subset of the Adamantix packages and I run Bastille to 
automate securing defaults on the whole mess.  Paid for my paranoia...

> Basic install 
> is a kernel, C library, shell, and networking functions , etc. Its
> incredibly secure from default, and from that point on you download the
> up-to-date packages that YOU WANT. 

Why does supposedly modern Windows require a reboot after installing .dot net 
crap?  That would be like making Deb reboot after adding Python and XML/RPC 
libraries...   After 9 years to work on this, 32-bit Windows really /is/ 
pathetic.

I DO miss getting a working Deb 2.x in less than 35 MB.  I'd recycle Sparc 5 
and IPX machines this way for auth gateways and SMTP forwarders - etc...

> Your not forced into anything you dont 
> need. Windows is not more secure, ANY and i do mean ANY bloated operating
> system is going to be more vulnerable then one that is slimmed to your
> needs. 

Yeah.  The choir agrees.

> Windows is just to bloated and therefore insecure compared to a 
> slimmed down Linux install. MS needs to kill the messenger service, enable
> ICF and give the user some more power of his / her box when it comes to
> security. 

Good point about MS Messenger being default, and ICF not!

You can make meaningless counts of patches.  You can compare numbers of 
incidents.  You can make rhetorical mountains out of statistical molehills. 
Really, at the end of the day, MS lives in a glass-house.  They will rue the 
stone-throwing, even if they do manage to damage corporate and government 
acceptance of Linux, etc.

None of this posturing affects Winders security - just press releases and 
dubious "off-white" papers.  The next Blaster waits around the corner.  
Bolting IPSec to a turd won't help!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/snTrJi2cv3XsiSARAgPvAJ4rp45KtjoBGXdUjxVL933AXXdoDwCfZzKx
I1YkOny40W6WGkytn86BG7c=
=XOo7
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ