From: StuartF at datacom.co.nz (Stuart Fox (DSL AK))
Subject: M$ - so what should they do?

 

> Having all the configs as text files in /etc works fine for 
> Unix-like systems. You can use any editor to look at the 
> config - no need for some proprietary editor (regedit). 
> Automating config changes is as easy as writing a simple 
> shell script. Each config is named after its application, so 
> it's easy to know which is which, and if you need to restore 
> an application, just install the app then copy your backup 
> config file into place. As a matter of fact, an entire system 
> can be restored by re-installing the apps and only restoring 
> /etc (configs) and /home (user data) from backup. Try that on
> Windows. Have you ever had a
> successful Windows restore without a full system backup or 
> without re-configuring everything from scratch? It is 
> extremely difficult. Why? Because of the registry...
> 
> The "config file mess" is an excuse made up by MS to sell the 
> registry concept. The registry does not make it easier to 
> manage application configuration. Instead, it makes it 
> considerably more complex.
> 
> The real reason for the registry is to make it difficult to 
> copy an application from one machine to another. In other 
> words, it's a copy protection scheme. Remember in the days 
> of Win 3.1, you could do that? It all broke in Win95 with the 
> registry.

You've got some valid points but there is one thing that you've overlooked -
auditing.  One of the (few) advantages that the registry does have is that
you can configure auditing on individual keys, so that if you want to you
can track who made changes and when.  With text files, you simply don't have
that option (of course you can audit changes to the entire file).  Having
said that, I've never actually met anyone who uses the registry auditing,
but I'm sure they're out there.

Some of your points are also a bit dubious - registry mods are mostly
scriptable (except binary data - one of my big gripes with the registry),
and I'm not sure that it makes application configuration any more or less
complex - they each have their advantages and disadvantages.  As for copying
applications, the issues are a bit deeper than the registry - if it was just
the registry it would be easy enough to export & import the relevant keys
(they are well structured).  It tends to be more related to issues such as
DLLs needing to be registered etc.
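
The per-key auditing mentioned in the reply above, as an added example that is not part of the original message: it sets an audit rule (SACL entry) on one registry key and then reads back who changed values under it. It assumes a current Windows version, an elevated PowerShell session, and a hypothetical key `HKLM:\SOFTWARE\ExampleVendor\ExampleApp`.

```powershell
# Added example, not from the original post. Run elevated (needs SeSecurityPrivilege).
# The key path is a hypothetical placeholder; substitute the key you want to watch.
$keyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'

# 1. Enable the "Registry" audit subcategory so SACL hits are logged at all.
auditpol /set /subcategory:"Registry" /success:enable | Out-Null

# 2. Add an audit rule to this key only: log successful writes and deletes by anyone.
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # include subkeys
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $keyPath -Audit      # -Audit loads the SACL, not just the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Later: list value changes under the key (Security log, event 4657,
#    "A registry value was modified"), answering "who changed what, and when".
$needle = '*\SOFTWARE\ExampleVendor\ExampleApp*'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's named data fields into a hashtable.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['ObjectName'] -like $needle) {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Key      = $data['ObjectName']
                Value    = $data['ObjectValueName']
                OldValue = $data['OldValue']
                NewValue = $data['NewValue']
                Process  = $data['ProcessName']
            }
        }
    } | Format-Table -AutoSize
```

Nothing is logged until both the audit subcategory and the key's audit rule are in place, and reading the Security log also requires administrative rights.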

