lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <200406221445.i5MEjj425347@pop-4.dnv.wideopenwest.com>
From: mvp at joeware.net (joe)
Subject: M$ Getting Better?

Nah. I don't advertise *nix because I don't want to work that space right
now and haven't for quite a while. I want it to settle down and penetrate
the market a little better, right now in the corporate world that space is a
bunch of infighting and political positioning if it is talked about at all.
Also it still doesn't make sense for mass large deployments unless they are
very centralized like say a university or a company with one site. Microsoft
still wins in the very large distributed enterprise space. By a landslide.
Show me a centrally managed decentrally WAN located fully replicating
authentication/authorization system with the power of Active Directory in
the UNIX world and keep in mind I have had serious exposure to iPlanet,
OpenLDAP, and the two kerb dists and know what they act like once you start
to distribute them. I thought Sun was going to come out of the gates with a
good implementation as they were talking about a specialized MIT/OpenLDAP
configuration about 2-3 years ago and were promising to fix the kerb change
password issues and poor LDAP replication issues but that seems to have died
on the vine.  

Also MS is where serious corporate money is sitting and again, this isn't
religion, these are tools and this is a job. I could have picked some good
cash on an AIX position a few years back but who wants to pigeonhole
themselves into that? Work on something that has 15 instances in a Fortune
100 company or something that has hundreds of thousands of instances...
Which one needs knowledgeable people more?

I actually slipped on a couple of my pages and people have picked up on it.
I worked on *nix before I started on anything from MS. I was doing *nix on
PDP-11's and Sparc's back in the 80's and actually learned c and several
assembler languages when on them. I just recently threw out an old VI manual
and Motorola 68000 Assembler Manual from back then when stripping down my
library (too much junk). It is handy to be understanding of a product and
capabilities without others being aware of it. I don't tell people I can
speak *nix in meetings just like I don't say I can speak Windows API. You
let people go as far as they want with the rope. 

I happen to agree that there are niches that *nix makes more sense. Most of
my posts indicate that if you can read them without thinking, oh my god he
likes MS. Again, these are tools. This isn't religion. People get like this
about cars too, "I wouldn't drive that, it is a POS Chrysler!". Same deal,
the products get you from one point to another. They have different focus
points and do different things well. Choose the one that makes the most
sense for the application. 

My issue with this list isn't that people are about security, I love that as
I personally think it is extremely important. It is that many people don't
seem to want to think and look. Once bad, always bad or more specifically
once MS, always bad. This is silly and makes the whole industry look like a
bunch of boneheads. Mostly because people do it because it makes them look
cool or something I guess, I am not sure, I don't understand them. Sort of
like the boneheads who stand outside of a US embassy throwing rocks and
dancing back and forth knowing full well that there is no real danger of
doing it but acting like there is. 

MS did what customers wanted. It brought us what it did, this falls in line
with be careful what you ask for. I don't think it is a good thing, I think
it is good now though that customers want security and that is what MS is
working towards. If people had always wanted security either MS would have
been dumped long ago or more likely would have started working on it long
ago. MS has a long difficult journey ahead correcting years of issues
without burning bridges it has built. IMO, the *nix flavors have the best
chance now than any time before of having mass appeal. Not because anyone
thinks they are more secure, but because people will get and are getting
pissed that MS is changing. As another poster said, there are tens of
millions of lines of code, this isn't something you turn around in a night
and MS hasn't stopped all dev work and put everyone to working on the old
stuff to correct it. That wouldn't make sense, period. The correct answer is
to move forward and rewrite and correct the sections causing the most pain.
This is exactly what they are doing. The whole standdown and we are
reviewing everything was kind of silly from one standpoint. Anyone with a
sense of what they were tackling knew that they wouldn't fix all of the
security holes. However what it did do, is show the folks internally that
there was serious consideration for security now. It changed the focus. It
empowered the people who have been inside that have always been pushing for
security over functionality and have been overruled by marketing or customer
demands.  

I think this list would be much better served if the people with OS religion
would simply type their response and wait 5 or 6 days before posting.
Security is not an OS. It is a state of being. It is process. It is being
intelligent about what you do. It is about using the right tools in the
right place. It is about keeping your eyes and mind open to possibilities
that you may not know about. It is above all being proficient with the
systems you are working on. Could I secure a *nix system? Yes. Could I
secure it better than someone who uses it daily and exclusively? Nope. I can
openly admit that. A lot of people won't answer that way. Neither for
Windows nor *nix. But the ease of use of Windows has made it such that more
people *think* they can secure or use it than *nix. How hard could it be,
you point and click. Again, this is the fault of MS and the whole MCSE
program and quite frankly making the Server GUI look and feel like the
workstation GUI. Anyone who has ever logged onto a workstation thinks they
are a server expert. This has, unfortunately helped MS get to where it is at
though, #1 in the market. It is unfortunate because these bonehead admins
are also the cause of things like slammer or blaster eating corporate
networks up. 

Finally I am giving people a hard time for bashing MS without thinking or
when doing it in wholly unproductive whining type way. I bash MS on a
regular basis but understand what I am bashing and give them specific
examples of what is wrong, what they should consider (other than saying do
it the UNIX way or redesign from scratch both of which are silly), and what
the impact is. The company is seriously working on correcting things because
that is what corporate customers and home users are asking for now. So if
you are serious about making things better for security with Windows, this
is the time to be heard. However doing it in a whiney way that seems
paramount here and among other places that are frequented by OS Fanatics,
doesn't help anything and to those people I say, be positive, tell people
the great things your OS does, don't try to make it look good by beating on
the other OS. You are actually hurting the image of your favorite OS when
you do that. 

My hope is that if people want to beat MS, beat it productively, stop the
whining. If that is all you got, go away. You aren't helping security one
whit. 

  joe

 

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
marklist@...cast.net
Sent: Monday, June 21, 2004 7:09 PM
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] M$ Getting Better?

This guy is the king of trolls... His resume shows no experience with any
flavor of unix, yet he feels compelled to come into a security ML and try to
convice people that MS products are the most secure products around.

I for one, DO have experience in both Windows and Unix system
administration, and everyone of our internet facing machines is running
Linux.  Why?  Because for me they are easier to secure.  I can turn off any
services that I don't need, I have a fully-functional firewall on every box,
and I don't have to reboot once a month to stay secure(all updates are
currently automated, only kernel vulns need a reboot).

Yes, you may be able to do most of that on a windows box, but probably not
without purchasing 3rd party software.  

You are giving people a hard time for bashing Microsoft, but face it: this
is a security mailing list, and MS is not known for having a stellar history
as far as security goes.   You might as well call into Air America and start
pushing how great a person Ann Coulter is.  

Wrong venue... Go vent at
microsoft.public.we.love.what.billy.tells.us.to.love.


-Shub



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ