lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <343561e9040819192263898927@mail.gmail.com>
From: abaker at gmail.com (ASB)
Subject: [ok] RE: MS should re-write code with security in mind

Well said...

-ASB

On Thu, 19 Aug 2004 11:18:00 -0300, James Tucker <jftucker@...il.com> wrote:
> First of all, almost all Windows users demand backward compatibility.
> While MS's software is not open source, MSDN indexes a huge number of
> libraries and most all of these would have to be wrapped up to work
> under a newly written OS if backward compatibility is to be
> maintained. Programmers of 3rd party windows software also have a long
> history of not doing things the way they should (are told to) and this
> will lead to further problems if the quirks of the OS are removed.
> 
> This is an issue which MS will face for years to come, and they are
> trying to re-write major portions of the OS in Longhorn. SP2 was a
> step in the right direction protecting most of the buffers in the OS.
> 
> A drastic but potentially good option they have is actually to release
> their old legacy operating systems free of charge. Source release for
> MS is probably not a good idea, as allot of the source does not
> change, and it is likely that many new exploits would be theorised in
> a very short space of time. At least if the legacy OS's were available
> consumers with legacy applications would not have so much to complain
> about, in terms of lack of support and patching.
> 
> There are a great deal of old DOS based applications in the world
> which have yet to be rebuilt on any more modern systems; and yet to
> re-install these systems it is nearly impossible these days. To find a
> fresh copy of DOS is very hard now. More importantly it is even more
> difficult to find a boot disk formatted with the correct generation of
> boot loader.
> 
> Built in encryption is available in NT and this can be hardened with
> security upgrades available on MS's site. There are laws which govern
> MS in this regard and restrict them from exporting high encryption
> OS's from the US, the specifics of which I do not know, but google
> would be able to tell you.
> 
> NT is a multi-user OS, it has a client server hierarchy to it also.
> The process scheduling system in NT is a "proper" process scheduler
> and allot of work went into changing this in Windows XP. In fact
> certain details were changed in SP1 and it is not unlikely that they
> changed again in SP2, although I have not heard as such.
> 
> I am sure you are probably aware of the issues of attempting to secure
> and authenticate all mail transfer. Authentication unfortunately
> directly conflicts with privacy, in that if a user is to prove who
> they are, then you know who they are. Server side authentication can
> be useful, although this still requires some kind of centralisation in
> order to properly authenticate. Backwards compatibility issues are
> obvious, and more importantly you will note that holes in the system
> will appear any time traditional plain text SMTP is allowed.
> 
> Deep packet inspection ISP side to stop SPAM and viruses is possible,
> however as you should be aware, being a firewall consultant, this is
> neither fast nor cheap. The best recent solution being the regexp
> system in Checkpoint FW1 NG+AI.
> 
> Finally, it is not impossible for you to implement what you want
> without MS's involvement. Theoretically there is nothing to stop the
> community from writing an application which simply redirects all IP
> traffic through encrypted and fully authenticated channels. This kind
> of solution could work very effectively in a LAN scenario where all
> machines speak the same language. On the Internet the game changes,
> but of course, it was the Internet we were worried about in the first
> place.
> 
> It is true to say that closing all holes in MS software would reduce
> the volume of SPAM and viruses on the Internet. Of course this would
> take some time however, as many places which remain infected (which
> contribute to most of the volume) simply would not update for a long
> time anyway (and it is this lack of updates and security which puts
> them there in the first place).
> 
> If administrators and users of MS software are simply made more aware
> of the issues which face the Internet and the professionals who
> support it, we will slowly see a big improvement. SP2, good or bad,
> was a step in this direction, at the very least the security center
> will encourage users to buy / upgrade their anti virus solutions, and
> the recompilation of major portions of the OS with buffer checking
> will reduce the number of exploits possible in the OS.
> 
> Software is unfortunately imperfect, and will rarely be perfect. It is
> likely that as most systems become more secure, the viewed need for
> vigilance on security will be lost among non IT-pro's. When that time
> comes, it will be the rare exploits which will cause major damage, not
> the near daily patches we see now.
> 
> "there are no problems, only income opportunities!" -Tony Lawrence.
> 
> my 2c.
> 
> 
> 
> 
> On Wed, 18 Aug 2004 16:00:05 -0500, Curt Purdy <purdy@...man.com> wrote:
> > Clairmont, Jan M wrote:
> > > M$ should just bite the bullet and re-write windows with
> > > security in mind, give it a true process scheduler, multi-user
> > > with windows as a client server processes.
> > <snip>
> >
> > It ain't gonna happen.  There is so much legacy code, dating all the way
> > back to NT 3.5 in 2K XP that no-one really knows how it works.  Of course,
> > that is the beauty of open-source, lots of people know how Linux works.
> >
> > Of course you don't have to be open-source to be secure, as Netware was
> > always built with security in mind.  Novell engineers have a saying, "We
> > patch Netware twice a year whether it needs it or not."  I hate to see it
> > go.  I love SuSE linux, am running the 64-bit version on AMD, but I wish
> > they were keeping the Netware kernal also, for my security-critical clients.
> > Sadly, the days of not having to run around patching servers all the time
> > will be gone after Netware 7.
> >
> > BTW, when I have to run windows (rarely), I start a VMWare session under
> > SuSE, do what I need, and close it out as quickly as possibe, after checking
> > for patches of course ;)
> >
> > Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
> > Information Security Engineer
> > DP Solutions


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ