Open Source and information security mailing list archives
From: full-disclosure at royds.net (Bill Royds)
Subject: Support the Sasser-author fund started

 The real problem is the MS Operating Systems are toys that are trying to
grow up. They still have code and design decisions that were part of the DOS
operating systems of the early 80's.
All the features required of mature operating systems were added as an
afterthought and not designed in. Such things as memory management and file
access control have been grafted on a single user/single process/non-network
OS. To maintain backward compatibility with DOS and Windows 95, key OS data
structures have many assumptions about things like buffer size that lead to
buffer overflows. Witness the assumption about machine names that led to
Slammer. The whole Microsoft OS effort has been to grow from a system
designed for minimal size machines such as the 640K PC to something that can
be used as a system for commerce. Features have been bolted on as they are
deemed sellable to make a profit. It wasn't until NT that the file system
even had the concept of access control and backward compatibility has meant
that the default ACL is to give everyone full control.
  Unix, by contrast, has always been designed as a multi-user/multi-process
system so things like file security and separation of processes are
inherent. The Unix security model is actually much simpler than the NT one,
so Unix/Linux users are able to apply it. The NT one, despite its great
power and flexibility, creates such complexity that most administrators give
up and drop real security because they are not sure of the consequences of
strong security.  This complexity in the security model leads to complexity
in the code that implements it, so things like LSASS.EXE need to be
complicated (and therefore buggy) to implement it. The whole patchwork that
is Active-X/COM/COM+/OLE/DLL etc. is a sign that they don't have an
overarching design and just try to add new systems to add to flawed designs
rather than biting the bullet and fixing their mistakes.

  Unix has a consistency in design (single hierarchy for files and devices,
separation of files from their names etc.) that shows its elegant beginning.
Microsoft OS show that design by sales droid that leads to a real quagmire. 
  True professional systems run using non-Microsoft OS, like Solaris and
other Unix, MVS, VMS, QNX.  

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
scosol@...sol.org
Sent: May 16, 2004 3:19 PM
To: Seth Alan Woolley
Cc: Shane C. Hage; Georgi Guninski; Tobias Weisserth;
full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Support the Sasser-author fund started

Seth Alan Woolley wrote:
> On Sat, May 15, 2004 at 08:31:25PM -0400, Shane C. Hage wrote:
> 
>>Why should Microsoft have more blame?
>>
>>In my opinion, I believe that software companies, especially Microsoft, have
>>taken all of the appropriate steps to provide security within their
>>products.
> 
> 
> Keep your head in the sand, then.  The design from the very beginning
> was put together without security in mind.  Their OS revolutionized the
> anti-virus industry.  There are numerous alternative operating systems
> and cases where worms and viruses have been created for them (cf. the
> Morris worm, slapper, etc), and most of the bandwidth in the world sits
> on non-Microsoft software, mind you.

Isn't that more of a very gray area?
Yes, MS operating systems weren't really designed with security in mind 
until (IMO) NT4, and then- that security wasn't really pushed to the 
consumer until Win2k- but- that was *5 years ago* that it was.
Win2k and WinXP aren't that different from OSX or most popular Linux 
distros from the "number of network servers enabled" perspective-
The MS operating systems are the main source of problems for really only 
2 reasons:
1) their popularity makes them the most valuable targets
2) people don't update

All of us on this list know that if all consumers ran auto-update 
properly and had it install stuff automatically, these worms would 
become very rare occurrences. (while admittedly creating an interesting 
new set of problems)
I don't really see what more MS can be expected to do, short of shoving 
auto-update down everyone's throats whether they like it or not (which 
will bring the tinfoil-hat crowd out in force)
It is very seldom that a worm is out before the fix for the exploited 
vulnerability- it's just a matter of diligence.

Also- your argument of "most of the bandwidth in the world sits
on non-Microsoft software" is IMO invalid- these machines that you speak 
of are not operated by consumers- people are paid to keep them updated 
and secure.

-- 
AIM: IMFDUP
http://www.scosol.org/
RIP Red-Boy - 1998-2004 - "jupiter accepts your offer"
