lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: dinis at ddplus.net (Dinis Cruz)
Subject: Anti-MS drivel

Hello David

I'm interested in your comment 

"... Windows has a severe design flaw that has cost the world economy
billions of dollars.  That design flaw (the encoding of metadata --
specifically, "executableness" -- in filenames) has been known since at
least 1987 to be highly dangerous in a network environment.
Furthermore, that design flaw has been exploited several thousand times
in the past.  Finally, that design flaw cannot be fixed without
fundamentally changing the way Windows works...."

Can you send me more details about this vulnerability and design flaw?

Thanks

Dinis Cruz

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of David F.
Skoll
Sent: 20 January 2004 00:58
To: Gregh
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Anti-MS drivel

On Sun, 18 Jan 2004, Gregh wrote:

> I wonder if you would have the job you have or know the things you
know were
> it not for MS.

I wasn't planning on responding, but I changed my mind.

Of course I can't answer if I'd have the job I have now if not for MS.
That's
a silly question; would you have the job you have now if not for UNIX?
IBM?
The transistor?

> I get tired of anti-MS drivel.

*I* get tired of people who dismiss reasoned arguments as "anti-MS
drivel."

Look.  I'll try to spell it out simply.

Windows has a severe design flaw that has cost the world economy
billions
of dollars.  That design flaw (the encoding of metadata -- specifically,
"executableness" -- in filenames) has been known since at least 1987 to
be highly dangerous in a network environment.  Furthermore, that design
flaw has been exploited several thousand times in the past.  Finally,
that design flaw cannot be fixed without fundamentally changing the way
Windows works.

So where does that leave us in 2004?

It leaves me running Linux, and waking up tomorrow to breakfast on a
bagel.
It leaves thousands of Windows administrators staying up all night to
ensure
that Bagle doesn't breakfast on their Windows machines.

It's pathetic that 17 years after CHRISTMA EXEC, hundreds of thousands
of
Windows machines are succumbing to the same easily-preventable security
flaw.
In the last 12 hours, my very low-volume mail server has dropped 16
Bagle
viruses.  By message volume, Windows viruses account for between 4-7%
of our daily mail volume.  Because they tend to be large, they account
for
between 30-60% of our mail traffic if you count the number of bytes.

Windows people, I think we have a problem here.

> The fact is that around my area the businesses are medium-small to
> small and of course home users. Without MS, there wouldn't be
> anywhere near the amount of computer users there are now from whom I
> can make a living.

This is a revealing statement.  Better to make a buck from people
chronically in need of support due to a crummy operating system, than
sell them something that works and doesn't need support.

Trus me, if MS hadn't come along at the right time, someone else would
have
(and I'd be bitching about Apple/IBM/whomever. :-))

> MS has weaknesses to be sure but if you think you can write a much
better OS
> from the ground up with no holes in it, let me know. I would like to
use it!

Linux/UNIX/*BSD/etc are much better OS's written from the ground up,
with no *serious design flaws* comparable to the one I outlined in
Windows.  I'd never be as arrogant as to claim that Linux has no holes
in it, but I will go out on a limb and say that for a general-purpose
operating system, the security holes in Linux are due to
implementation errors rather than design errors.

I will keep quiet now. :-)

Regards,

David.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.563 / Virus Database: 355 - Release Date: 17/01/2004
 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.563 / Virus Database: 355 - Release Date: 17/01/2004

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ