lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <be950f350607262316p4967cc4br6fd1c4ba37a31b91@mail.gmail.com>
Date: Thu, 27 Jul 2006 02:16:11 -0400
From: wac <waldoalvarez00@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: 70 million computers are using Windows 98 right
	now

On 7/26/06, Eliah Kagan <degeneracypressure@...il.com> wrote:
>
> Waldo--
>
> > It will run  everything  (almost) that runs on top of a win32
> > subsystem...(the top bar is higer actullay, it goes for native java,
> native
> > linux, native DOS, OS2 etc.. is a long list) and drivers as well,
> enought
> > for migration ;). Anyway you take it if you want, is free to try :D.
>
> It aims to run everything that runs on top of a win32 subsystem and
> more, and it will probably succeed. I am very happy about the ReactOS
> project--but I think it's important to realize the difference between
> what an OS will be and what it is now. In the context of security,
> Windows 98's developers are no longer committed to security for
> Windows 98 (even to the degree to which they were before), and
> ReactOS's developers *cannot* be committed to security for ReactOS
> because ReactOS is not stable--i.e. the developers do not classify it
> as stable, i.e. the developers are perfectly willing to have bad,
> insecure code in the system for an extended period of time if doing so
> is most conducive to development.
>
> > It is
> > even smaller than 98 and will work with 32 Mb of RAM (maybe less in the
> > future, some ppl are already testing at 8 MB!!!! hey that's better than
> even
> > win 95 and is a full NT Box WOW I beleive M$ make some millions to spend
> a
> > couple of dollars in memory chips!!).
>
> It was really, really small the day before the first line of code was
> written. It was pretty small after the first hundred lines of code
> were written. In it's still incomplete state, it is no surprise that
> it is still smaller than a complete operating system to which it
> eventually is slated to contain comparable functionality in most or
> all areas.


It is more complete than incomplete ;) If someone can ever say that a
software is complete. But ceirtanly there is not much missing. I would say
that it is about 70-80 %. Of course what's left are the most hard to do
parts beacause being Windows so closed there are still many obscure points
that needs to be clarified.

I may be misremembering, but I'm pretty sure that my old 75MHz P1
> no-MMX Packard Bell box had 8MB of RAM when I put Windows 98 on it
> (due to the other 8MB not being properly seated in the RAM slots at
> the factory...ah Packard Bell, brings back memories...). Windows 98
> crashed a lot, but it didn't crash any more often than I've heard it
> crashes on just about any box, due to it being Windows 98.
>
> What is cool is that ReactOS can be run, more or less, with 8MB of
> RAM, and ReactOS is an *NT* style system--I wouldn't attempt that with
> Windows NT 4.0. I've never used any version of NT before 4.0, and I
> don't know what their memory footprints were. Perhaps they were less.


 I beleive you can wake up NT 4.0 with a minimun of 16 Mb. I could give it a
try with some virtualization software to figure out but is not one of my
priorities right now. Anyway it will run on a machine where windows 98 runs.
It's hardware requirements are equal or lower.

> Today linux distros take 128 Mb or
> > more to run decently. So IMHO it is a replacement candidate for some
> > situations already.
>
> You have a good point--it may be a reasonable replacement candidate
> for Windows 95/98/ME systems **where a guarantee of security being a
> priority, from the vendor, is not required**. This implies that the
> user knows enough about security to manage the risk that the vendor is
> not managing. A guarantee of security from the vendor may not
> translate into actual security, but it does translate into security
> professionals getting pissed off and vocal when actual security is not
> delivered.
>
> I doubt ReactOS is a good replacement candidate for a Linux system--if
> memory is the primary concern, OpenBSD or a small Debian system with
> the kernel rebuilt sans unnecessary code would be a better option. If
> a working Linux or other POSIX-like API is implemented as a subsystem
> then it might be a reasonable replacement for Linux and/or other *nix
> systems.


No,  of course not.  Not even a fully working windows is a replacement at
all for linux in most situations. Anyway if we put the
linux+wine+ndiswrapper the memory footprint of that configuration is
probably high. You could be righ here, I have not seen the memory
requirements of those configurations.

>  Now, Linux is definitely not a natural migration pathway. That theory of
> > adapting server oriented operating systems to the desktop, and believe
> if
> > was going to be a succes has proven to be wrong.
>
> Really? Windows 2000, Windows XP, and Mac OS X seem to work pretty
> well for novice users...


Sorry I don't get the point here.

Or are you belaboring the misguided claim that Linux is fundamentally
> a server-based system but that Windows NT is not?


There was Windows NT workstation ;). With windows was the other way. From
desktop to server. Of course you can change Linux so much that it won't be
Linux anymore. Definitely putting an X server on top of unix won't make it
ready for desktop, that's a fact.


> I wonder if mi parents
> > will manage someday to even install it :D. (yes I'm making a
> constructive
> > critic here)
>
> Have them install ReactOS without assistance, and get back to me.
> (Hopefully their machine doesn't have fake parity RAM.)


Is the same way as windows 2000 and they have done that already.

> Also do not forget about drivers. Keep in mind that some
> > win9x drivers run or will run in ReactOS ;) and NT drivers as well. Ye
> you
> > can support X or Y hardware for linux (after some hard working time) but
> > then with ROS X or Y hardware is or will be supported for sure with
> little
> > delay because is already there. You don't have to reinvent the wheel,
> you
> > just need to make the wheel work properly :D.
>
> Or you could use NDISwrapper in Linux (or FreeBSD) and run your
> Windows drivers, without rewriting any driver code. Sure, it doesn't
> work for everything. Neither does ReactOS.


Why try to put patches to linux when you can have a non patched system ready
to go? And with 0 lerning time too ;). From the security point of view
that's important since it starts right at the user. Remember how many
security problems we see today with incorrectly configured systems.  Observe
also that you have to patch the thing from 2 sides, putting an emulation
layer on top of it and down in the kernel.

> 9x was never stable at all.
>
> I dare you to run your 100 favorite Windows 98 applications on Windows
> 98 and ReactOS, and see which one seems more stable in the end. (And
> taking files out of proprietary Windows and putting them into your
> ReactOS system for this purpose is cheating.)


You are probably right here. Anyway Win98 is not supported anymore (we
wouldn't be talking about this at all). ReactOS is supported and will be at
least for a long time. Mainly the stability problems related with ROS are
due to memory management and maybe because some code still runs in ring-0.
Of course bugs too. Anyway I am not the most indicated person to talk about
the subject. The point is.. if it doesn't works for you right now (maybe it
does) stay tuned as it probably will someday.

It was never stable in the sense that any operating system that
> crashes constantly and has an insane design is never stable. On the
> other hand, it worked well enough that millions of users put money in
> Microsoft's pocket to use it.


Millions of users never had a choice. I'm happy that some have it now.

Microsoft is a company oriented around
> company profit, not user empowerment, and there was nothing keeping
> company profit in line with user empowerment. This followed naturally
> from the fact that Microsoft was a proprietary software vendor
> competing in a market of proprietary software vendors. That Microsoft
> has many of the attributes of a monopoly helps, too. When a Microsoft
> spokesperson says that an operating system of theirs is stable, that
> means that it's stable enough that people will buy it. (Just like when
> a car company says their new vehicle is safe, it means it's safe
> enough that people will buy it and the government won't go after
> them--and of course they might be lying...it might not even be that
> safe.) Microsoft now has to compete with developers who put user
> empowerment first (or who put company profit first but have worked
> hard to align company profit with user empowerment), and consequently
> Microsoft must take users' desire to exercise control over their own
> property (which is what security is about anyway, at the end of the
> day) into account.


I agree.

> In fact it was the big lie of the century to
> > claim it as a production release.
>
> The big lie was that as a server-oriented operating system, Windows NT
> wouldn't scale to the non-"enterprise", and that consequently Windows
> 9x had to continue to crash the computers of millions of home users.
> The only serious reason why a home user might not have wanted to use
> Windows NT 4.0, besides the slightly higher system requirements (and
> come on, I've had it running smoothly on a 486 with 32MB of RAM), was
> because there was less driver support, the installation process sucked
> worse, and the cost was high. There is no reason why Microsoft
> couldn't have dealt with those problems easily, released a variant of
> NT as an OS for home users, and killed Windows 98 back when it
> deserved to die--i.e. sometime before it was renamed from Windows 95C
> (OEM). It ended up taking Windows ME to convince the folks at
> Microsoft that NT was better than 9x, even for home users.
>
> When Windows 2000 was first released, software retailers were telling
> people not to buy it because it was only good for business use. There
> was no sense in this, but people believed the retailers and didn't buy
> it. (It was pretty buggy when it was first released, though, so maybe
> the net effect of this retailer uncriticality was positive.) Now you
> are saying it ("[t]hat theory of adapting server oriented operating
> systems to the desktop, and believe if was going to be a success has
> proven to be wrong"), and there is still no sense in it. Or am I
> missing something?


Yes there is sense. I'm making a critic to those that make things hard
without need. Also why adapt a server oriented OS when you don't have to?
What is more effective, that some people develop something situable or
millions have to learn something without need? Definitely less resources
will be wasted. And we are talking about a big difference.

> Don't you think is a better idea?
>
> If you're asking, do I think it's a better idea to run ReactOS than to
> run Windows 98 (or than to run Linux), then I think that's a
> not-well-formed question. What operating system is best depends on who
> is running it on what, doing what, and with what needs.


I agree with that too. For example I'm not running it because right now I
need a stable windows compatible box to work. Also remember we are talking
about windows 98 users that have to keep with their hardware and/or license.

I would certainly prefer to run ReactOS than to run Windows 98 on any
> of my machines. I attempted to install ReactOS on one of my machines,
> but it failed to do anything, probably due to the damn fake parity RAM
> that was in the machine and not due to any fault of ReactOS. I'm happy
> I got that machine for free, because it had a sticker on it that said
> it was stocked with ECC and I would've been pissed if I had paid for
> that and got XOR gates instead. (And no, I'm not now nor have I ever
> run Windows 98 on that machine--I have Windows 2000 on it. Gotta do
> something with that consarned Windows 2000 license...)
>
> > I'm even happy that
> > 98 is finally in the trash bin at least from the M$ side of the game.
>
> You're happy that Microsoft no longer helps users of the product or
> evolves the codebase of the product? How does this fit in with your
> apparent claim (with which I agree) that the product is bad because
> Microsoft didn't put enough work into it before releasing it?


Both. Some users will search for better alternatives. Unfortunately some
(probably most) will remain stocked, that's inevitable. I'm pretending to
let them find that alternative wich someday finally will give us some
freedom. And for the evolution of the codebase of course. I'm happy that the
Frankestein just doesn't grows bigger. Jej is even good for those not having
direct contact with it. We'll have less zombie machines shooting out worms
and/or virus and less services going down because of that at least. And that
is just the peak of the iceberg, imagine how much possibly corrupt
information we'll get rid with the change and of course less data loss. I
think is a beter idea to kill than to try to fix the twisted thing.

I think this discussion is still materially related to security
> vulnerabilities, and consequently is suitable for being on FD. If you
> agree, then feel free to post what I have said here to FD with your
> reply. If you feel it best to keep it one-to-one, that's fine with me,
> too.


Sure. Why not? I like when many people participates in discussions, maybe we
all end up getting more knoweledge and better points of view.

-Eliah
>


Regards
Waldo

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ