lists.openwall.net: Open Source and information security mailing list archives
From: edge at indiana.edu (Edge, Ronald D)
Subject: RE: M$ - so what should they do?

>-----Original Message-----
>From: joe [mailto:mvp@...ware.net] 
>Sent: Tuesday, June 22, 2004 11:08 AM
>To: Edge, Ronald D
>Subject: RE: [Full-Disclosure] RE: M$ - so what should they do?
>
>Almost everything you said here is user interface, not core 
>Windows and why it needs a redesign. The remaining is either 
>wrong or (mis)configurations.
>This illustrates exactly my point. I fully concur that much of 
>the user interface needs work, I tell this to every MS 
>developer I run into and many of them agree as well. They are 
>working on it....

You're just jerking chains here, right? Did you read what I wrote?

Where in the world in what I wrote can you point to something
that specifies the user interface as the problem?

That is simply not true. The inability to distinguish between
being logged on as root vs. a non-privileged user, with the latter
still in their sandbox, able to function, install their programs,
do their work, yet simply not have any chance to accidentally
attack and destroy the operating system, is inherent in the
Windows design as it is, and is truly at the root of current evil.

This has zippity doo dah to do with the user interface.

ActiveX controls are program objects. They were introduced so
sites on the Internet could run programs on local computers.
This is the root of much evil. There are few who argue this now.
Many of them provide the ability to create user interface objects
superior to simple HTML, but the evil they do and can do and
have done goes far, far beyond that.

I should have added a final point, and that is the Misgeburt, as
the Germans would call it, the registry. What a single failure
point, designed to be more a study in obfuscation than an exercise
in good database and system design. Even Microsoft is retreating
from the registry, according to what I have heard at the last
two database development conferences I have attended. The registry,
to be frank, sucks. It just offers crackers fruitful paths of
attack, the favorite of course being loading something in the
start key so when the computer boots next time it is toast,
since the user is 95% sure to be running with full admin
privileges, and the program will be able to do anything it wants.
And it is so easily broken by poorly written install and uninstall
programs that I would laugh, if it were funny, but it is not.

I could go into the rise and fall of com objects and ole, too,
but like most Microsoft stuff, it rises, some fools develop using
it, and 18 months later MS changes its mind, and presto, instant
obsolescence in programming. Not exactly a good investment if
you are still paying attention to ROI.

Note that I see this as a Windows user, using development and
database software on Windows, and managing 465+ machines, all
but about two dozen of which are Windows XP or 2000 or 2003
servers, and a remaining handful of 2000 machines.

None of the usability features can override the intrinsic flaws
in security design that have resulted in at this moment literally
millions of Windows machines compromised world wide, and ongoing
daily nightmares in just keeping things glued together so they
work at least the majority of the time.

Ron.

Ronald D. Edge
Director of Information Systems
Indiana University Intercollegiate Athletics
edge@...iana.edu  (812)855-9010
http://iuhoosiers.com

"Patriotism is not short, frenzied outbursts
of emotion, but the tranquil and steady
dedication of a lifetime." - Adlai Stevenson
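A defender's counterpart to the Run-key attack path the message describes, added here as an example (it is not part of this message or of the Full-Disclosure thread): a small Python script that parses a `reg export` of `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and flags any autostart entry whose program sits in a user-writable location (profile directories, `Windows\Temp`, `ProgramData`) rather than under Program Files or System32. The sample export text, the trusted and suspicious directory lists, and the three verdicts are all assumptions of the example, not anything from the post.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict

# Constructed sample of `reg export` output for the machine-wide Run key.
# Names and paths are invented for the example; this is not data from a real host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"Updater"="C:\\Users\\Public\\update.exe /silent"
"Helper"="\"C:\\Windows\\Temp\\helper.exe\" -run"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Assumed policy for the example: programs under these roots are normally only
# writable by administrators, so an autostart pointing there is expected.
TRUSTED_PREFIXES = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows\System32")

# Assumed policy: these roots are writable by ordinary (or all) users, which is
# exactly where a persistence entry planted without admin rights would live.
SUSPICIOUS_PREFIXES = (r"C:\Users", r"C:\Windows\Temp", r"C:\ProgramData")


def unescape_reg_string(value: str) -> str:
    """Undo .reg escaping: '\\\\' becomes '\\' and '\\"' becomes '"'."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_run_entries(reg_text: str, key: str = RUN_KEY) -> Dict[str, str]:
    """Return {value name: command line} for the REG_SZ values under `key`."""
    entries: Dict[str, str] = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # a new key header starts; track whether it is ours
            in_key = line.strip("[]").lower() == key.lower()
            continue
        if not in_key:
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="(.*)"$', line)
        if m:
            entries[unescape_reg_string(m.group(1))] = unescape_reg_string(m.group(2))
    return entries


def extract_executable(command: str) -> str:
    """Pull the program path out of a Run-key command line, quoted or not."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: take up to and including the first ".exe" so paths with spaces survive.
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def is_under(path: str, prefix: str) -> bool:
    """Case-insensitive, component-wise check that `path` lies below `prefix`."""
    p = [part.lower() for part in PureWindowsPath(path).parts]
    q = [part.lower() for part in PureWindowsPath(prefix).parts]
    return p[: len(q)] == q


def classify_entry(command: str) -> str:
    """'ok' for admin-only locations, 'suspicious' for user-writable ones, else 'review'."""
    exe = extract_executable(command)
    if any(is_under(exe, p) for p in TRUSTED_PREFIXES):
        return "ok"
    if any(is_under(exe, p) for p in SUSPICIOUS_PREFIXES):
        return "suspicious"
    return "review"


def audit(reg_text: str) -> Dict[str, str]:
    """Map every autostart value name to its verdict."""
    return {name: classify_entry(cmd) for name, cmd in parse_run_entries(reg_text).items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_REG_EXPORT).items():
        print(f"{verdict:10s} {name}")
```

On a real machine the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`; the file is written as UTF-16, so open it with `encoding="utf-16"` before passing the text to `audit`. The same parser works unchanged for the per-user `HKCU\...\Run` key by passing a different `key` argument, which matters because that key is writable without any administrator rights at all.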