Microsoft Vows Security Commitment on Win2K
dieMSdie writes "MSFT is pledging a firm commitment to security with measures such as equipping its upcoming Windows 2000 operating system with 128-bit encryption and interacting with users and rival vendors to detect software breaches and bugs" reads this story on CNN. There is also a poll; the results so far are quite amusing." I bet they'll be even more amusing once our readers get a crack at it.
Did these professors have any real world experience? Had they ever done anything more than answer questions in a politically correct fashion and cobble together a few papers on an as-needed basis?
I didn't think so.
Oh well.
You have definitely lead a soft life. Please read some of the released (recently declassified) CIA/FBI files to find out how heinously interested the government can be in the affairs of its law-abiding citizens, if they do not think as mandated.
Then read up on history and blacklisting, and internment camps, and McCarthyism (sp?).
The government, particularly of the United States, is a force to be vigilant about, especially when it constantly attempts to usurp its citizens' rights. Do you remember the CDA? Have you ever been pepper-sprayed into submission? Does Seattle make your heart grow lite?
Sorry, but you really should be more proactive in this realm. It's not paranoia but a necessary reaction of defensiveness to an often overtly offensive government. (/end rant)
-Yardley
You blew that sentence in the first two words.
The part where you said you think.
Cut the guy some slack, he makes a valid point. He said he was in marketing.
What's perhaps most funny about it is not so much the results, per se, but the fact that the very same lusers and PHBs whose cluelessness M$ depends upon to buy and use their shovelware are the ones who will be most likely to lend credence to the poll results :-). A case of "hoist upon their own petard" if ever there was one!
As for us (where I work): we don't really care. I avoid M$-WinNT/2k primarily because it's a pain to Admin and M$ solutions don't play well with others. Corporate IT has asserted that it won't be used in server roles because there are more reliable solutions. (shrug) So for us, M$-WinNT/2k security, or the lack thereof, is somebody else's problem.
And M$-Win desktop systems no sane Admin trusts any further than [s]he can throw 'em. So who really gives a fsck?
They moderate pro-Micro$oft stuff up because they're paid to.
Yep! That's the error that occurs when you /. a Microsoft web page.
Wouldn't changing the links from hotlinks to plain text (highlighted, of course) meet the demands of the lawyer's letter?
You could have used VMWare to do this, using their transactional filesystem. It avoids the modification issue. An individual session can mess around as much as it likes. When the session is finished, the virtual disk reverts to the original config. It runs under NT I believe. OTOH it costs $$'s.
Can you say "overloaded operator" ?
I love to nitpick, but just about any language except C and C++ (and Forth) these days automatically checks that memory accesses are within bounds of allocated objects, thus almost completely eliminating the possibility of buffer overruns. Of course there still remains the possibility of buffer overruns in external calls to libraries and system code written in C.
Besides, a language is not interpreted or compiled -- language implementations are. For example, there are several C interpreters out there, as well as a number of very good optimizing Lisp compilers. Also, even a compiled language implementation can be interactive by compiling everything you type at the prompt to machine code and then immediately executing it.
Array bounds checks usually don't cause noticeable overhead since the compiler techniques required to move bounds checks away from inner loops have been well known for decades and are implemented in just about any optimizing compiler for a language with run-time checks.
Many languages also provide a way to do unchecked accesses when it is absolutely necessary, and many compilers have options for removing the checks after the program has been debugged.
Try an alternative language today! You just might like it... I recommend Ada 95, Common Lisp, and Eiffel.
But C is popular, so it follows that I am a delusional fool and you can ignore my ramblings.
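The post above argues that a per-access bounds check is cheap because a compiler can hoist it out of the inner loop. The following C code is an added example, not written by the poster, and its type and function names (checked_buf, checked_get, checked_fill_range and the rest) are this example's own: it shows the per-element check that Ada 95 or Eiffel runtimes perform automatically, the single hoisted range check that stands in for it inside a loop, and how a classic off-by-one write is rejected instead of corrupting adjacent memory.

```c
#include <stdbool.h>
#include <stddef.h>

/* A minimal "checked buffer": every access compares the index against the
 * allocated length, which is what bounds-checked languages do for you. */
typedef struct {
    unsigned char *data;
    size_t len;              /* number of bytes actually allocated */
} checked_buf;

/* Per-element check: refuses any index at or past the end. */
bool checked_get(const checked_buf *b, size_t idx, unsigned char *out) {
    if (b == NULL || idx >= b->len) return false;
    *out = b->data[idx];
    return true;
}

bool checked_set(checked_buf *b, size_t idx, unsigned char value) {
    if (b == NULL || idx >= b->len) return false;
    b->data[idx] = value;
    return true;
}

/* Hoisted check: validate the whole range once, then run an unchecked loop.
 * This is the shape "moving bounds checks away from inner loops" produces;
 * the guard (start > len - n) is written so that size_t cannot wrap around. */
bool checked_fill_range(checked_buf *b, size_t start, size_t n, unsigned char value) {
    if (b == NULL || n > b->len || start > b->len - n) return false;
    for (size_t i = 0; i < n; i++) b->data[start + i] = value;
    return true;
}

/* Walks one past the end on purpose (the classic off-by-one) and reports how
 * many writes were rejected; in plain C that last write would silently land
 * on whatever sits after the buffer. */
size_t offbyone_rejections(checked_buf *b) {
    size_t rejected = 0;
    for (size_t i = 0; i <= b->len; i++) {
        if (!checked_set(b, i, 0x41)) rejected++;
    }
    return rejected;
}

/* Wraps caller-provided storage; used to build constructed sample buffers. */
checked_buf make_checked(unsigned char *storage, size_t len) {
    checked_buf b = { storage, len };
    return b;
}
```

The hoisted form in checked_fill_range is the cheap one: one comparison per loop rather than one per element, which is why the overhead the post describes is usually invisible outside of benchmarks.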
han
It may or may not have been naked. You can bet your life it was petrified....
I was forced to implement an IIS server at work. I was going to keep track of all of the reboots required to get the system up at SP5 with IIS and apply ALL of the patches and security fixes that MS suggests. I lost count at 20 reboots. I could have avoided 4 or 5 reboots if I could have used SP6, but SP6 had issues with the type of Compaq NIC I was using, among other huge problems. Needless to say, this project might have taken a couple of leisurely hours if we had chosen Linux/Apache; instead I had to bust my butt just to get it all done by 5:00 PM. Another interesting MS fact is that they do not recommend that you run FTP and Web services on the same server. I don't recall if this was in the Security Checklist, or a separate TechNet article. So, we have our stupid little MS IIS server locked up per Microsoft's security checklist, and then we stuck it behind a Cisco PIX Firewall, because everyone knows you can't REALLY trust anything that Microsoft says about security.
Have a nice day.
Linux is by definition an unstable beta product, and by definition always will be.
Go figure, huh?
Linux and the BSDs (especially OpenBSD) have a poor (i.e., all-or-nothing) security model which is very well implemented.
BS. Unix security is the "Natalie Portman" of security, whilst NTs is more like the "Richard Simmonds".
Carry on smoking that pipe dude.
1) Poster on crack
2) Poster on cheap 3$ crack
3) Moderator on crack
4) Moderator on cheap 3$ crack
Security by turning the server off.
I think it is great that someone from a marketing background (however clueless they may be about the technology) has taken the time to post here. Marketing guys ("techno-savvy" or not) are in woefully short supply on Slashdot. We need more postings like this. Come on all you lurking IT marketers, speak up
The open-source community can learn a lot from watching the techniques of the "Redmond Retards".
>> I wonder if the gurus could pass the exam
>> themselves? Probably not.
Strangely enough many gurus won't pass the MCSE test for whatever lame reason, but it makes one wonder what kind of fucking purpose this test exhibits if any guy with decent brains can buy a few books and pass it, but real world practical gurus can't.
One will also wonder why there are so many incompetent MCSEs whose knowledge is limited to re-installing Windows.
I know I checked in on it from time to time. At one point it had an uptime of over a month.
This is horrible news! They probably don't need to learn how to crimp the connector ends onto Cat 5 cable, do they?
I'm frightened to think... but tell me... they don't have to know how to rebuild the Linux kernel, either, do they?
The horror of it!!
---bn.com.. this is frightening that any company that does real business would use an unstable beta product as a mission critical internet server. Spoken like a true idiot who hasn't run Windows 2000. RC-2 and above has been solid. It's not unstable as you would like to see.
Of course you should not need to. But spare a thought for those of us who come into contact with Micro$oft's toxic waste on a daily basis. VMWare at least goes some of the way toward preventing the "tail from wagging the dog".
MS gave out the administrator password too.
To: Colin Smith You just posted FUD. How does it feel? Windows 2000 had MORE services open than PPC. Get the facts straight asshole.
Any information which shows MS in a bad light must be bad reporting, or false, or FUD, or a manifestation of blind MS-hate.
My God, what was I thinking?
Thanks for setting us straight, Zicow
Yeah, Slashcunt cries too much about polls. They eat off them like it actually makes a difference. Slashcunt going political now?
Gawd, you are like Eva Braun in the bunker.
the administrator must be real incompetent.
Another tedious attack on Microsoft. Most people who slag them off don't even know what they're talking about. If Windows disappeared from people's hard drives overnight, and people were forced to use something else (what exactly? Linux! BeOS?!) - they'd be **Screwed**. End of story. There IS nothing else that even comes close.
Well, 2^128 / 2^56 = 2^72. And the 56-bit key in DES was cracked in one day by distributed.net. So if Microsoft's crypto is as easy to build a custom cracking machine for as DES, it should be safe for, oh, about 1.3e19 years.
They sent me a free Office 98 update a while back. I don't even have to download. :)
Depends on the language. In Visual Basic, it's either.
To answer your question: yes, yes they have.
FTP and telnet transmit passwords in the clear.
Far more than three, if you follow the Microsoft Checklist to the letter. For instance, most of the hotfixes for IIS and NT prompt for a reboot after application. I am sure that a lot of the hotfixes don't need a separate reboot, but who knows? One false move with NT and you can find yourself with a huge mess that can be so convoluted and screwed up that the best fix is to restore from tape or do a fresh install of the OS and IIS.
Shout. Whisper. Still an idiot.
Except that with open source OS's, you have 500 *uncoordinated* people doing *part time* work who might decide to *quit* at the drop of a pin. I would rather have 15 *qualified* and *dedicated* people working a *guaranteed* 40+ hours a week. An army of 100 can defeat an army of 10000 if they are coordinated, dedicated, and persistent.
Um, Win2k is not 35 million LOC. And the security portion of Win2k is only a fraction of the code base. More like:
0.5M LOC for security
~30K LOC per person.
Probably less.
Talk about interesting responses... http://poll.cnn.com/POLL/results/306991.html Not Found The requested object does not exist on this server. The link you followed is either outdated, inaccurate, or the server has been instructed not to let you have it. Please inform the site administrator of the referring page.
There is no correspondence to the waiter and using the internet. You hand your bill to a waiter..but he's accountable...he has a known work location. Furthermore, you know you handed him the bill...if this nitwit decides to start stealing, it's very easy and very fast to figure out that all the victims ate at a certain restaurant and had a certain waiter. Getting an ID on the waiter is easy (remember the nice paperwork you fill out to get the job?) Furthermore, the number of credit cards going through his hands are in the mere hundreds...
Now, let's look at the recent Credit Card threats...they're not even bothering to skim off the numbers from traffic of high hit ecommerce sites. They're breaking in and getting them directly from the cash drawer.
Ah, but you're only responsible for the first $50 bucks, right?
And if I wasn't so ethical, I get a million or so cards, charge $49.95 to each and retire in the Bahamas. (You think the credit card companies are going to care? They don't have to cough up the cash....)
(People don't trust the internet....no reason, really... Bull. They don't trust Microsoft...damn good reasons for it too....)
I agree. I have worked at Microsoft and I can attest that, at least for the more serious teams like Windows, Office, and Visual Studio, coding habits are very very professional. And you have to be a damn good developer to even transfer into these teams (they ALWAYS interview/grill people from other teams). Now, for the less serious teams (like some of the DOZENS of multimedia teams), coding habits can vary from grossly irresponsible to hard core professionalism. But inside Microsoft, bad teams get Darwinized out. So teams that suck at coding die quickly.
Um, give us some real MS code samples that are as atrocious as you say. Unless you do, we have to assume you are just spreading more anti-MS FUD.
Where there is the smell of shit, there is a sewer.
It really irritates me when you Linux advocates preach to non-developers to use it, and then turn around and say that hacking and recompiling new software is a means for "end users" to solve their problems.
Ummm.. Take their herd of winged monkeys, and return to their home planet?
And no, I use OpenVMS.
Microsoft's so-called "support engineers" have access to a huge database of bug reports and fixes. This database is huge, and has far more problems and solutions than TechNet.
with tartare souce, of course.
The parent comment is not flamebait -- it is merely a minority viewpoint.
Sure, as stable as any Microsoft product. Oh, that gives me a lot of confidence.
Hey, It's for the same reason I kill roaches.. Letting them spread is unhealthy.
S. "start helping actual humans on the streets of your hometown" ?? I help people who can help themselves. Most homeless people are mental and should be recycled into a protein source.
NOt a good idea. If they're mental, then the might be suffering from all manner of prion-based brain diseases. Since prions are simply "evil" forms of normal proteins, they might well slip through the net of whatever protein-recycling scheme you cook up.
On a serious note, I really *hate* it when I see some tramp begging for money, then see him pissed drunk at night. No way is he getting anything from me.
This is just plain wrong. Have you even *tried* Win2k?
Microsoft is going to have to move awfully fast. I played with Release Candidate 2.
1. Try setting up an account matching the PC name. If you get any errors, it's okay. Use an administrator login to change passwords. Now try to delete it. Good luck.
2. You can only force Kerberos if you're willing to drop Win95. You're still required to use NTLMv2. Someone correct me if I'm wrong.
You really do think you are "the men", don't you..bunch of arrogant linux zealots more like...
...as opposed to this post, which simply meta-whines about it.
They certainly wouldn't be screwed. I suggest you actually use KDE and /or staroffice some time. Oh, and a Mac.
While microsoft's psychologists have done their best to mentally "lock in" people to their platform (eg. putting the close gadget of windows on the opposite side to what was the "normal" before win95) and encourage slack-jawed idiocy among computer users (you don't _learn_ on a microsoft platform - there's no "carrot" to lure you into programming, no powerful CLI, like there is on linux or BeOS or Amiga), the average computer user could happily switch to Mac or KDE+StarOffice or even BeOS at the drop of a hat.
In my opinion, microsoft have been careful to make it harder to move away from windows than to be a completely new computer user learning an alternative system. They do this by encouraging bad or just plain odd computer habits, not to mention their corruption of open standards so famously documented in their Halloween Memos.
If Microsoft really included everything that one should know.. no one would ever finish the exam...
So if you had to know everything that you *should* know...nevermind, just stay at the helpdesk where you belong.
A bitter windows user must've gotten trigger-happy today. The parent comment is not flamebait.
The parent comment directly responds to a statement made in its parent comment. Therefore it is on topic (and coincidentally, informative). Think for a second -- do you really want to discourage thoughtful posters like this one?
I've been running Server RC2 on my machine for some time now, dual booted with Linux. As far as uptime is concerned I can run Win2k just as long as Linux without any errors. As a test of how long it would stay up I ran it for a couple days shy of a month, with all of two application crashes, one of which was a Win98 program, not NT. The crashes had no effect on anything on the system, no memory loss, no destabilization, nothing, except the program went down. After that Win2k was still running fine but I had to do some work in my Linux environment so I was forced to reboot. And really, to think that this isn't the final release, I can't blame a company, especially if it's married to WinNT software, to upgrade to 2k, even running a beta of it. I can't wait to see the stability of the final.
I had a professor in college who always said "My favorite MCSE is a high-school dropout"
Another professor said "We're not going to give you 2 ends of an ethernet cable, have you plug it in to a hub, and call you a network engineer... Thats another department"
anyone have a link on coding standards to prevent security bugs?
I think his username was drone@microsoft.com.
Vows coming from a business that has historically proven incapable of providing any security mean nada.
It's like Clinton saying he didn't touch that woman.
Er... that's why Debian has stable and unstable branches. Use the stable branch if you wanted reliability. Doofus.
-- you can't separate a product from its implementation. With a good sysadmin, you can get a good overall situation. BUT implementation is one of MS's huge problems. MSNBC got 2,500 credit card numbers from 20 or so web sites running SQL Server 7.0 (where by default the sa password is left blank or was in some cases the name of the company). THAT'S implementation (or more correctly BAD implementation). How do you respond to that?
If you meant "|<W1!" the bracket is produced by ampersand-l-t-semicolon (the other one has a g for the letter l) HTH.
They do release a fair bit of code to the public (mainly VB Macros). They tend to be atrocious.
You can also take apart MS binaries and look at how they're constructed. I've done this myself, and it's scary how lazy they are. Huge tables full of nothing much, where a linked list would make more sense. Arbitrary upper limits on things (never heard of the 0,1,n rule they teach all compscis, obviously...). Big wodges of statically-linked objects, presumably because they can't ensure compatibility across their own shared libs, thanks to their lack of a sane versioning system like any modern UNIX has (although I still prefer the Amiga's). Anyway, there are many more examples of MS idiocy documented on the wine mailing list archives.
.
-- I wonder which group is going to win in the long run. P.S. I read that there is a virus that infects Active Directory. This is a major one as everything in MS W2000 relies on it. 'Oh look ma - I've just found another failure mode! '
-- Me thinks [they] doth protest too much - This line from Shakespeare sums it up. The mere fact that MS feels it has to do 'an industry call-to-action' (well those are Brian Valentine's words) shows it knows it has shoddy security standards. By the way how DARE they co-opt the entire I.T. Industry into one lump as if we all used their products. This only betrays their underlying arrogance and disdain for their customers as separate entities. They are not 'hungry' enough as an organisation to ever give good, secure Operating Systems. I mean how hungry will you be when your company has a market capitalisation of $536B?
What you don't mention is that you are up your ass. Check your facts, then post again.
Be careful with that Mandrake 7 install. I tried upgrading from 6.1 and it did some very strange things. After the third "halfway through the install and then says it's safe to reboot" I was unable to login to the console as root, and then unable to "startx" as an unprivileged user (meaning no X Windows), ppp0 disappeared and when I tried saving my files by rerunning the 6.1 upgrade, I couldn't get 1/3 of my apps to work. Finally I wound up fdisking and putting Slack7 on my system, which seems a little more spartan at first but hasn't given me a peep of trouble since installing.
:)
In short I think I'll give Drake>6.1 a rest until it's certain the install scripts work right...If you're a newbie then 6.1 is very easy to get used to, and has always worked on a fresh install or upgrade from a lower version# for me
if you ask anyone "do you trust xxx security" 95% will answer "no". whatever xxx is. Therefore it is very childish to ask "do you trust microsoft security". Unless of course you are a microsoft basher, or linux-follower, and need this kind of things to fuel your hatred.
It is amazing. One can also not be a suit even when wearing one. It's a harder trick to pull off though.
staff of 15 of what? Monkeys? Chinchillas?
How's that offtopic - have you read the post i replied to?
Fuck moderators.
-- tears are running down my face as I am typing this. That link to their IIS 4.0 security checklist is extreme. Extremely funny to me but extremely sad that they think this sort of thing is good practice. I am going to frame that web page and show it to anyone who ever talks to me again about Windows 2000 security.
Would evaluate to the result of the assignment expression, e.g. to the value of Linux.
Depending on the value of Linux, this could be true (non-zero). or False if the value of Linux is zero.
It depends upon the value of Linux.
It would be easier to evaluate had the expression been the other way around, since we know the "value of Microsoft" is always zero.
Hmm. But exactly _what_ is being encrypted?
/. and that even if MS managed to get *perfect* security that it will last about as long as it takes most end-users to install their ISP's S/W...and that they will draw the same conclusions as previous MS-OSs gave them, never realizing that the problem is between the chair and monitor.
The words "Not for export" and "Do not make illegal copies of this disk" =)
Also like the AC above said, what methods are they using? and why do the magical words 128 bits make end users' eyes gloss over and give them warm fuzzies. Do people actually think that their information is safe just because it's encrypted getting to wherever it is? Or that it will protect them if they install and run the latest trojanhorse-in-a-blender game that someone wants to send them? Oh well, I have a feeling that the 93% who did not trust MS security is not entirely from
Who's Maintaining your network?
The open-source community can learn a lot from watching the techniques of the "Redmond Retards". Now you see, comments from the Linux community such as this one is why Linux still has some growing up to do.
In this context, I'd have to say the usage of the double equals works just fine. If we start with the assumption that the poster's attempt was to state that which is true, all logical evaluations should be interpreted as true. So M$ == Linux becomes a statement, because we already know it will evaluate to 1.
But, as an action, a single equals is preferred. I.e., M$ wants "Microsoft = Linux" (as said below, this is an assignment of value).
128-bit encryption? bah! I use 2048-bit encryption with ssh.
I take it you have never had to kill a zombie on a *nix box then...
Microsoft PR aside, they could be running DOS on their other machines. What we're talking about is their servers.
I'd like to think that IIS5 is more secure than IIS4; if not, expect to see Barnes and Noble go down some, since they've been running win2k for months now on their servers.
But you do seem to understand why they are not running W2k on their servers:
On the web site, however, they can't afford to run into any such slowdowns
Which trade mag?
-yard
How many other W2000 installations are going to be fussed over by the very people who build the bloody product, for God's sake. And not only that, it only had I think one port open (80). That's a pretty useless box in the real world. Let's wait and see before we start swallowing all the P.R. guff. I understand that you may never have been 'burnt' by MS products in the past so I forgive your sentiments. But do yourself a favour and wait before implementing W2000. Let all the other first timers get their fingers burnt, call MS, pay for the privilege, get MS to update W2000 using Windows Update and so on. P.S. just the thought of needing to use Windows Update should send shivers down your spine (how many secure boxes are net-facing these days?)
I would suspect that conservative estimates would put the number greater than Microsoft's by at least a factor of 20. Witness the power of peer review.
No, No, No...you're all confused. "20" is the number of outside people who have made any type of meaningful contribution to the Mozilla project over the last two years.
"Witness the power" indeed!
I won't tell anyone that you've obviously never even SEEN Windows 2000, let alone actually used it in depth.
"Some registry keys have moved locations and some have even changed but its not enough."
Whatever.
but will they put the patches on the net for free?
Where've you been? They've been putting their patches on the Internet free for quite a while now. Especially for NT, they've always distributed Hotfixes and Service Packs.
At the time I looked, 382 people trust MS security. 2113 people don't. I can't believe all the people voting are Slashdot readers. Someone else MUST read CNN
I'll take the 15 full-timers over any number of weekend dabblers.
I'd say it's Microsoft's problem if they put up a page which won't render properly on one of the most popular browsers. Although I agree that Netscape is pretty much a piece of junk.
Check out the "do you trust microsoft security" poll on that page. Are slashdotters voting here?? :)
Is your personality this unpleasant in person?
I mean, honestly... we're to believe that 15 people combing through thousands of lines of spaghetti logic visual basic code are going to be able to make W2k a secure OS??!?
Just like we're supposed to believe that thousands of people combing through thousands of lines of crappily written PERL script are going to be able to make the Linux kernel secure, I guess.
Admitting they have security problems and they lie in the core of their system. A program started by ANY user can do anything it wants on that system and that's one of the MANY basics that Microsoft OSs have wrong. They need to admit this and start working their asses off to find a solution.
I wonder how different the poll would be if they asked 'Do you trust security Y/N?'
We have a 2000 box which I crashed twenty minutes after using it. The Windows SysAdmin wasn't too impressed though. I haven't tried to do anything serious with it but I know holes and bugs are going to be found and exploited.
It is not about that either. It is about rewriting (and re-thinking) the whole system from ground up. 128-bit encryption is not going to help if the system is otherwise undocumented, unpredictable, unstable and basically fscked. The suits will buy that crypto-babble, however, and the suits make decisions. Isn't it amazing how one can be a suit even without wearing one (I mean those stupid sheep-types who swallow FUD like it was free beer.) ?
Well, its no worse than the Mindcraft fiasco.
I agree... in fact I find many of these holier-than-thou Linux "gurus" just like to spout out much ado about nothing. ftp? how long does that take to learn, two minutes? haha... why would that be on an MCSE exam? If Microsoft really included everything that one should know.. no one would ever finish the exam... I wonder if the gurus could pass the exam themselves? Probably not.
HELL YEAH! Tell'em cowboy!
My Fish died on me today so don't joke around about death today.
Except for the fact that EVERY OS has these types of bugs - I find it funny that not only MS, but Solaris, all the flavors of *nix, etc, all have security flaws...It really DOES come down to fixing them...I mean, c'mon - how many cases of buffer overrun can we have before these idiot programmers start doing bounds checking?
We can't just trust the end-user to solve these problems themselves," Valentine said.
> Their internal coding habits are also pretty atrocious
Have you worked for Microsoft, to know this? Or are you just spreading FUD? Unless you've actually coded for Microsoft, or seen their code, saying this is simply speculation or FUD on your part.
It's one thing to say the end product is bad; it's quite another thing to badmouth the habits of the people that produce it, sight unseen.
Try 40+ MILLION lines of code....15 people...let's see, if they can do about 1 line per 10 seconds (and that's pretty good considering the massive stack and heap they have to be watching), that would take them 26.7 million seconds, or about 51 years....
why is this 'insightful' when there were NO examples given?
Windows-loving, slashdot-reading, registered users with mod-points, perhaps? =)
It's okay at 2, maybe even 3. A score of four is pushing it.
Microsoft doesn't need to do anything but make the best OS they possibly can make. Do you really think Microsoft cares about a Slashdot-like community hating their guts? I don't think so. If they will create a solid OS that runs quite a bit better than NT 4 they're doing the right thing. They put themselves in a difficult situation with the backwards compatible thing.
They just don't get it do they ?
If I were Bill, I'd call A1-g0r3 ASAFP and get him on the case. He is widely recognised amongst the hacker community as an 31337 53cur1ty xp3r7.
Obviously you never bothered going to http://technet.microsoft.com or http://support.microsoft.com to search the latest incarnation of technet or the support database in MS' website... Funny, and I didn't have to pay anything....
Adjust it to 99.5% please.
:-)
For some reason I doubt that more than 200,000 people in this world would have a clue
It was naked on the net. They used IP filtering in the Win2k IP stack.
"Things I would LOVE to see Microsoft do in Windows are proper process control - including being able to kill a process NOW" And you can do that and you've been able to do so from the first NT version. Just because the standard "Task Manager" tries to give the app a chance to save its stuff before killing it doesn't mean you can't kill it immediately.
Curl up and die like JonKatz ?
I have a Linux box that I crashed 5 minutes after using it. So what?
It's plain Linux. If you must refer to GNU, then why not call it Linux/GNU , after all, RMS hasn't done a multi-billion dollar IPO, has he ? So the market has already judged their relative importance.
I suppose if you code all day and weekends too and have no life you REALLY need to get into code. It becomes more important than women and using Linux makes you a hero of the free world while scoffing at those using lesser OS's. The only reason Windows needs to be so secure is because of jerky Linux users on some god awful power trip trying to get back at the world for getting pushed in the schoolyard.
Before you say, "oh you must be lame, you can't do all that stuff", think, why should I bother when Windows is so much more convenient? Get some applications out there and make it easier to set the darn things up if you want migration!
Okay, you can go back to slagging Microsoft off, now.
These days, GCC actually warns you when you use gets() and the like with a big scary warning:unsafe notice - so hopefully idiot programmers will take notice. Then again, the idiots will mainly be using visual c++, not GCC
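As an added example (not from the post above and not GCC's or anyone's project code), here is the bounded replacement for gets() that the warning steers you towards, with the over-long-line case handled explicitly so a truncated read cannot silently leave the rest of the line for the next call. The input is constructed in memory; fmemopen is assumed to be available (it is POSIX, not ISO C).

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

/* Status codes returned by read_line_safe. */
enum { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/*
 * Bounded replacement for gets(): reads at most cap-1 bytes into buf,
 * always NUL-terminates, strips the trailing newline, and reports whether
 * the line was longer than the buffer. The excess is consumed and discarded
 * so the next call starts on a fresh line instead of on leftover bytes.
 *
 * The unsafe original for comparison:
 *     char name[16];
 *     gets(name);    // 16 or more bytes of input overwrite what follows name
 */
int read_line_safe(char *buf, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return LINE_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* whole line fitted */
        return LINE_OK;
    }
    if (feof(in))
        return LINE_OK;                 /* last line, no newline at EOF */

    /* Line was longer than the buffer: drain the remainder of it. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return LINE_TRUNCATED;
}

/* Demo on a constructed stream: a short line, a line far longer than the
 * 16-byte buffer, and a final line without a newline. Returns 1 if every
 * call reports the expected status. */
int demo_bounded_read(void)
{
    static const char input[] =
        "short\n"
        "this line is much longer than the sixteen-byte buffer\n"
        "last";
    FILE *in = fmemopen((void *)input, sizeof input - 1, "r");
    if (in == NULL)
        return 0;

    char buf[16];
    int a = read_line_safe(buf, sizeof buf, in);   /* LINE_OK, "short" */
    int first_ok = (a == LINE_OK && strcmp(buf, "short") == 0);
    int b = read_line_safe(buf, sizeof buf, in);   /* LINE_TRUNCATED */
    int c = read_line_safe(buf, sizeof buf, in);   /* LINE_OK, "last" */
    int third_ok = (c == LINE_OK && strcmp(buf, "last") == 0);
    int d = read_line_safe(buf, sizeof buf, in);   /* LINE_EOF */
    fclose(in);

    return first_ok && b == LINE_TRUNCATED && third_ok && d == LINE_EOF;
}
```

The truncation status is the part gets()-style code never has: a caller can reject the over-long input outright rather than quietly processing a clipped value.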
False. While FTP may be 'application software', like ICQ, FTP is defined as part of the TCP/IP standard.
They must ram home the message to the consumer unit that Linux == Microsoft, and Microsoft==Linux.
One problem some of us (those who know a little bit about C) have with this:
'Linux == Microsoft' is not a message.
It is a question.
'Linux = Microsoft' is a message.
It's amazing how many people think that they're showing off how much they know about C by using == incorrectly in this fashion online.
It's too bad nobody broke in and installed all the available patches... ;)
and it only took them how long to come to this? This is from the people who said "BO is not a security problem, so don't worry about it".
I had an idea to upgrade my RH 6.1 with Mandrake, but its fancy installer could not even start - botched video mode on my Voodoo3 2000 - could not see anything. (Dell Precision 410 box) Text mode boot diskette went a bit further, but choked on my SMC DEC chip network card (on-board 905b is dead).
I upgraded to some rawhide packages. Works fine.
Screw Mandrake for now..
<^>_<(ô ô)>_<^>
It's only undocumented to the kind of people who only seek out 'documentation' in IRC and on 'HOWTO' websites.
Your seething hatred shows through in your text, btw. Better work on that, not good for your blood pressure or your well being.
Yes, of COURSE the win2k machine wasn't xacked.
Thunderstorm or something, was it not? Or maybe it was solar radiation, or maybe phase of the moon....
What was your username again?
Especially if they are experienced. What would you rather have? 80 people wandering around the code bumping into each other, fixing bugs that had already been fixed. Very few people would agree that more developers makes for better software.
Or try looking at it this way. Do you honestly think if MS thought more developers would help, they wouldn't hire more? If any company has the resources to hire more developers, I think we could all agree it's MS.
I suppose you think up new ways to dis Microsoft in your sleep.
Jesus God, get OUT more. Get a relationship. Go to the beach. Stop playing Quake and Starcraft. Stop looking for aliens with your spare CPU cycles and start helping actual humans on the streets of your hometown.
Not that I _support_ Microsoft, but holding this degree of anger against them CAN'T be healthy.
Read MY lips: the war you're fighting is SO small in the big picture that whatever the outcome, in 20 years it won't make a difference, and you'll wonder where the time went.
You said it !! As someone from an IT marketing background (my specialism is in guerrilla marketing), I have to congratulate and give kudos to Microsoft for the way they have empowered their employees to innovate round-the-clock. They have consistently continued to develop great quality software that enhances the Internet experience, despite strong competition in the marketplace, and despite the intervention of the Government.
Cool, paradigm-busting category-killing products such as DirectX, OpenGL, DCOM, GCC, SOAP, ActiveX and the Perl rapid scripting tool are the envy of the Unix/Mainframe "old guard" who still "just don't get it". (will they ever? ;-) )
However, one thing that disturbs me about Microsoft is the way they are going about marketing Linux.
I think they may have gone just a little bit too far with their Gen-X/Slacker branding strategy, and may be alienating potential corporate customers.
In fact, sometimes it is not clear to me that Microsoft are really in control of their Linux product at all. I think the issue is one of brand-awareness amongst the target demographic. But also, the way they present Linux shows the dangers of a so-called "guerilla marketing" strategy.
The spokesman for Linux, Richard Stallman is a particular problem. Sometimes it's hard to see how his comments can possibly add any shareholder value, and if these outbursts continue, the board and the stockholders would be well within their rights to attempt to have him removed. The whole point of guerilla marketing is that it only works if the target demographic is in on the joke. From what I have seen on this forum, and on other areas of AOL, it seems that many out there are at the very least, confused about Microsoft's involvement with Linux.
The whole "open-source" angle is also open to interpretation. What for instance is there to stop one of Microsoft's many competitors from simply copying the source, and claiming their system is Linux ? Or even worse, stealing Microsoft's patents ? How can Microsoft justify this, where are the future revenue streams ?
My advice to Microsoft (for what its worth) is this:
1) Cut out the guerrilla stuff - it's played out, especially the open-source gimmick. It may well mean that potential patents are not upheld in court. Can you say "major loss of $$$$s" ?
2) Change the name. Differentiation is fine, but if people don't associate Linux with Microsoft, where's the cross-branding synergy and leverage ?
3) Consider moving Richard Stallman from the GNU department into something where he can continue to innovate, but where he is not in a position to frighten potential corporate customers. Remember in business, security is very important. Anyone looking at the way Stallman dresses would assume he knows nothing about enterprise level security. At least make him get his hair cut and wear a suit and tie. That's just basic marketing 101. :-)
4) Leverage the existing user base. Do they know for instance that the GNOME desktop with the KDE browser are object-oriented and can therefore provide an out-of-the-box enhanced user experience that approaches that of the Win98/2000 family ? How about getting the Linux advocates to realise that Microsoft will never be able to make any money out of Linux so long as they continue with their immature behaviour. Without Microsoft innovation, Linux will simply fall by the wayside, like HP-UX's ill-fated CDE project did.
5) Finally, they need to seriously think about changing the name of Linux, to something more in keeping with the rest of the product line. For example ActiveUnix, ActiveUx, ActiveIx, or even perhaps ActiveGnuLinux. They must ram home the message to the consumer unit that Linux == Microsoft, and Microsoft==Linux.
Although I may not be an expert in the technology, I like to think I understand a bit about marketing, so I offer this unsolicited "open-source" :-) advice for free....
Do you trust MS security?
Yes 944 votes, 6%
No 13643 votes, 94%
no matter how much they parade security, it's still software for which the user does not have source, and thus cannot trust.
DES is dead. Long live DES.
The purely computational reasoning you propose is flawed, and always will be until the exponential advances in technology and algorithms are figured into the calculations.
Distributed.net is *not* the end-all, be-all of decryption. It *is* a massive display of brute-force, cracking power. That's it.
...and if 128-bit encryption is safe enough, why can't we legally be more paranoid? That's the real question.
---
pb Reply or e-mail; don't vaguely moderate.
:) I'm glad someone got the joke. I didn't even read the checklist, but it sounds painful...
Either someone at Microsoft has a sense of humor, or... umm. No, the alternative is too scary.
---
pb Reply or e-mail; don't vaguely moderate.
Only time will tell if they are right. no history can IMHO.
Yes, time certainly will tell - but history is also quite telling. People are slow to change - large corporations are even slower, if they can be changed at all. Microsoft has made claims like the claims that they're now making for Windows 2000 with every release of NT - and in the opinion of many, fell extremely short with each previous attempt. Hopefully they'll get closer to the target this time, but I'm not gonna be placing any bets on it...
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
Well, you are talking about Microsoft products - this is, unfortunately for us (but fortunately for their revenue stream) what it takes.
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
Well, that's great... sounds like that wasn't documented though. (I don't know, myself - I don't use NT unless I must, and I certainly don't have it on my home machine. Wish I didn't have to run Windows at all, tho...)
I know that I'd prefer bash-style completion, though...
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
On the other hand, you sound as if most of your experience HAS been on NT. Also, you're basically saying "yes, I know NT's history hasn't been good, but ignore its history because history is meaningless."
Security depends on many things - knowledge and ability of the administrator, the quality and care put into the software used, and the willingness of the users to help make the system secure. A sloppy admin will certainly reduce security, of course. But a badly-written/badly-implemented piece of software will as well. A skilled admin may be able to work around some of a piece of software's flaws, but that doesn't make the software better.
Also, try picking up a copy of "Practical UNIX and Internet Security" by Garfinkel & Spafford at your local bookstore - nothing is ever 100% secure, unless no one can use it, which obviates the need for having it in the first place.
So maybe we should drop the whole question of "security"...
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
OK, so 128 bit encryption sounds good. But what about the encryption method? We all saw DES64 fall in less than 24 hours, and we are all watching RC5-64 still holding out after 2 years. If Microsoft decide to use XOR encryption (which they have used as recently as WindowsCE Administrator password encryption), then it is about as secure as painting all the information in 6' high letters all along a wall.
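To make the post's point about the method concrete, here is an added example (not Microsoft's code; the key and the records are made up) of a repeating-key XOR "cipher" and the reason it offers no protection: one known plaintext of key length hands over the key, and with it every other record protected by that key, regardless of how many bits the key has.

```c
#include <stddef.h>
#include <string.h>

/* Repeating-key XOR, the kind of "encryption" the post refers to.
 * Constructed illustration, not Microsoft's code. Encrypting and
 * decrypting are the same operation. */
void xor_crypt(const unsigned char *in, unsigned char *out, size_t n,
               const unsigned char *key, size_t klen)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % klen];
}

/* Why it is not a cipher: given one known plaintext of at least klen bytes,
 * key[i] = plaintext[i] ^ ciphertext[i], so the key is read off directly. */
void xor_recover_key(const unsigned char *known_pt, const unsigned char *ct,
                     unsigned char *key_out, size_t klen)
{
    for (size_t i = 0; i < klen; i++)
        key_out[i] = known_pt[i] ^ ct[i];
}

/* Demo with constructed data: two records stored under the same 4-byte key.
 * Both start with a predictable field name, which is all an observer needs.
 * Returns 1 if the key recovered from record 1 decrypts record 2. */
int demo_xor_is_not_encryption(void)
{
    static const unsigned char key[4] = { 'K', '3', 'y', '!' };
    static const char rec1[] = "user=alice;pw=example-one";
    static const char rec2[] = "user=bob;pw=example-two";
    unsigned char ct1[sizeof rec1], ct2[sizeof rec2];
    unsigned char recovered[4];
    unsigned char pt2[sizeof rec2];

    xor_crypt((const unsigned char *)rec1, ct1, sizeof rec1 - 1, key, 4);
    xor_crypt((const unsigned char *)rec2, ct2, sizeof rec2 - 1, key, 4);

    /* The observer only assumes the common prefix "user" and recovers the key. */
    xor_recover_key((const unsigned char *)"user", ct1, recovered, 4);
    xor_crypt(ct2, pt2, sizeof rec2 - 1, recovered, 4);

    return memcmp(recovered, key, 4) == 0 &&
           memcmp(pt2, rec2, sizeof rec2 - 1) == 0;
}
```

The failure has nothing to do with key length: a 128-bit repeating XOR key falls to 16 known plaintext bytes in exactly the same way, which is why the algorithm, not the advertised bit count, is what to ask about.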
T.
...from the OpenBSD website FAQ (OpenBSD is generally regarded to be the most secure OS).
OpenBSD is thought of by many security professionals to be the most secure UNIX-like operating system as the result of a 10-member 1.5-year long comprehensive source code security audit.
Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
Sure, if you're the kind of person who needs cheap validation from others to help make all your decisions for you, even when you know deep down that the results are rigged -- I'm sure it must be wonderful. Party on, homes.
Baaaaaa.
Are you talking about a poll or a Microsoft benchmark?
Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
The PPC guys added more services to the box until it cracked.
Basically the W2K box had:
HTTP
FTP
Linux had:
HTTP
FTP
TELNET
TIME
ECHO
and they gave out the root passwd.
Isn't Microsoft Security an oxymoron? like Microsoft Works. With all systems that are connected directly to a public network, the operator should take responsibility for ensuring that the system is secure. i.e. uninstall Windows.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
Do you trust Microsoft's security?
Not a chance in Hell.
Of course, if you asked me the same question about OpenBSD's security, you'd get the same answer. Two reasons: First, I'm a paranoid so I don't trust any security system. If they had asked about OpenBSD _relative to other systems_ I would have said yes (MS would still get a big no). Second, I am not going to come close to trusting any system that I don't have direct control over, as I'm sure has been said many times in this thread, no system is inherently secure, it's up to the administrator to make it so.
"Whatever can go wrong, will." --Finagle's Law
It is easy to talk about "SECURITY". You can have a million-bit encryption routine and still you are not secure, if there are backdoors readily to be cracked by spy agencies like the CIA or NSA.
What about the backdoors, Microsoft?
Many thanks, Mr. Edward Snowden!
What is "security"?
If backdoors are NOT important, the big brothers can crack into your systems through the backdoors they have put in place, with help from Microsoft, and they can wreak havoc with your system, your life, and everything that you own.
You own your computer, you put vital data into your computer thinking that it is secure, and when someone can get into your computer via backdoor, isn't _THAT_ a breach of security?
But I don't know. Maybe I am just not smart enough to know what it really means by "security".
Many thanks, Mr. Edward Snowden!
Thanks, Yardley, for your post.
I find it interesting that there are still many people having the thought that governments can do no wrong, and all the wrongs committed must be by the 15-year-old hacks.
I also find it alarming that the influence of media on our everyday life is so thorough that some people's mindsets are being changed/programmed by the "news items" (I rather call it propaganda, but I digress) that they are being bombarded with.
Many thanks, Mr. Edward Snowden!
Hahaha, it should be Steve Ballmer getting himself stuck in a MOUSEtrap.
Many thanks, Mr. Edward Snowden!
no, Linux = Microsoft isn't a message either. It's an assignment.
Actually, in that article, Sun took over a YEAR for one of their fixes.
No, you're incorrect. The Win2K box that was up never got hacked, unlike the LinuxPPC box. Nice try, though.
But didn't it get taken down fairly soon after it was put up, because of an internal problem? Of course, I'm probably remembering it wrong...
why is this 'insightful' when there were NO examples given?
i thought I had no sig?
I wouldn't exactly call it an out of the box install... Or at least not out of the Red Hat box... looking at all the services it wants to start by default compared to what crack.linuxppc.com offered, and it's apparent that it wasn't exactly "out of the box". It was slightly tuned for its task.... But would have been an awful production machine. Just HTTP means only static pages, and sites these days use only static pages? (Personal sites not included)
Why not? If they're trying to produce a foolproof, easy to use but yet secure OS, shouldn't their testers include some fools? I'm really not being sarcastic here - some of the biggest bugs are found by people who don't know how to use the product and just try what looks like a good approach.
With any product, this can easily blow up in your face. On a *nix box, typing random text into files in /etc isn't a recommended approach to system administration. But MS sells a lot on the basis of ease of use and customer familiarity with Windows. They should be testing their products with users who have no clues and are just depending on ease of use to get them through. We'll see how secure the OS is under those circumstances.
Your right to not believe: Americans United for Separation of Church and
I thought the whole point of using an NT server was that it was easy to use, and thus you don't have to hire expensive admins with real knowledge of networking, security, and so forth. The ease of use of NT should make it possible for a less-knowledgeable sysadmin to keep up an NT server just as well as a more-knowledgeable *nix admin keeps up a *nix server. Or at least that's what I hear from Microsoft...
Your right to not believe: Americans United for Separation of Church and
This paper, written by aleph-one, the moderator of bugtraq, discusses buffer overflows. It goes on to discuss functions that should be avoided in C due to their lack of bounds checking.
http://vapid.dhs.org/Library/P49-14-Aleph-One
This paper is by the w00w00 security team and it discusses heap overflows, another result of bounds checking errors in C, but these techniques are less widely known.
ftp://ftp.technotronic.com/rfc/w00w00-heap-overflows.txt
This is a link to the UNIX secure programming FAQ.
http://www.whitefang.com/sup/secure-faq.html
Microsoft aggravates my tourettes syndrome.
Does anyone know if they have changed the security model at all? They couldn't have if they needed to maintain backwards compatibility. Sorry I am not in the microsoft "know".
Microsoft aggravates my tourettes syndrome.
I'm not sure if your only knowledge of computers is how to use a web browser, but you seem to be under the impression that the only servers out there are web servers. When I said that they're using Win2K internally, I wasn't talking about just Win2K Professional (formerly Workstation) -- they're also using Win2K Server (probably Win2K Advanced Server as well, but that's one detail that I don't remember from the article), just not for their web site, for the reasons I stated above.
As far as which trade mag, I really don't remember, since I probably receive over 40 of them, and the article wasn't important enough for me to save. I know it was in the last month or two, if that helps, and if I come across it again, I'll post the URL or issue number.
Cheers,
ZicoKnows@hotmail.com
For Mindcraft II, the Linux team was invited to make all the hacks they wanted, and NT still beat it like a drum. Also, from the job titles, it sounded like everybody on the Microsoft team was a marketroid. Ouch.
Cheers,
ZicoKnows@hotmail.com
Ooo, 128-bit encryption, that's 16 whole BYTES. No one will ever break that...
Uh yeah, it's kinda important for e-commerce, ya know, maybe you've heard of it. Then again, since nobody uses Linux for e-commerce, maybe zealots like you really haven't heard of it.
We all know that the W2K machine that was "naked" on the internet had no problems at all. Nooo. Uh uh. And if they gave you that Administrator password, it'd be *fine*.
The Win2K guys posted the Administrator password, what's your point?
(Compare to the linux box. um... no, no comparison.)
No comparison is correct. The site running the beta OS got massively more traffic, yet still wasn't compromised like the LinuxPPC box was, even though I guess some poor souls out there considered it to be a release-quality version of Linux. Nice. Also of course, the original Win2K site didn't surrender like the original LinuxPPC site did, before shifting the contest to antionline.com to be unceremoniously broken into.
Don't give up your day job for the Improv, 'though I'll admit that your having a job would surprise me.
Cheers,
ZicoKnows@hotmail.com
Ugh. Can we please have a suggestion from someone who's actually familiar with their OSes, specifically NT/2000? I actually thought it was a pretty interesting question that was raised.
Cheers,
ZicoKnows@hotmail.com
Well, I don't think you can ever come up with one single line and say "OK, here's where the OS ends and the outside stuff begins." It's always gonna be arbitrary, but it can be annoying when people change their definition to suit their particular side in an argument.
As far as the One Microsoft Way goes, I just can't agree there -- there's just way too much 3rd party stuff for anyone to be limited if they don't want to be, and that includes a lot of GNU software.
Oh yeah, and I *was* surprised. ;)
Cheers,
ZicoKnows@hotmail.com
You know, where you can use Linux to mean anything from just the kernel all the way up to the whole shebang including commonly installed apps, depending on the side of the argument in which you're engaged. Fact is, if it had been Win2K that had been compromised due to a third party script, none of the Slashdot zealot crew would be making your argument because they'd be too busy taking cheap shots.
Cheers,
ZicoKnows@hotmail.com
Yah, it's a silly poll. However...
OK. Here's the justification for the poll answer from a sample of 1.
I have just tried to use Access2000 security (N.B.: I acknowledge that this is not Windows2000. I am generalizing.) Everything was working fine. I quit the application via a new command button that was created for me by the Access Form wizard. (Only way to test the button, right?) It was the end of the day, so I went home. I came back to work and moved the database to a new folder named work. It wouldn't open. I moved it back where it came from. It still wouldn't open. Finally I recovered from backup.
MS Security seems to be aimed at preventing unauthorized users from seeing the data rather than from changing the data, which is my big desire. It also seems to go into protective mode, and refuse to come out. So I don't trust them.
Now I assume that there are ways around the problem. They just don't seem worth it to me. The security system seems designed to cause hassles that I would prefer to do without. As a result I am using a programmed in security that can be defeated by any knowledgeable user (just use the shift key while launching). It's "good enough" for my needs, and it won't lock me out of the database.
I think we've pushed this "anyone can grow up to be president" thing too far.
Ok I've read it, and I answered NO to their funky little poll. But was it me, or was there false reporting?
In the article it said that they put WIN2K on the internet and there was no breaches, yet I seem to remember it getting hacked in to on the first day, thus starting the "CRACK Linux PPC" project that ran on for ever (internet time wise).
I could have this all wrong though. Doubt it.
----
"War doesn't determine who's right, just who's left"
Steven Wright
Of course Microsoft care. It's a company that places a higher value on effective marketing than on good engineering. Effective marketing involves listening to the market.
I'll admit, the opinions of Slashdot may not have the marketing department running around in a mad panic, but in so much as the readers of /. are indicative of a market segment, and a fairly central one to a product like win2k, they are no doubt upset at the reputation they have among the particular area of the OS buying population which includes /. readers. That is to say, those who know at least a little more about *nixes than you can learn from the Linux Myths page.
Amongst these people, NT has developed a certain reputation for instability and poor security. This is, to the marketing hacks at MS, unfortunate. MS is billing win2k as the OS that will secure their position against the various unix platforms, particularly GNU/Linux. Since stability and security are major concerns to unix users and administrators, MS has every reason to care about their opinions.
To put it simply, you don't steal market segments from other products by ignoring their markets and the opinions generally held there.
Of course Microsoft, with its proven track record regarding security, quality code, and rapid implementation of bug fixes, is sooo much more trustworthy than any of us are.
"Logic . . . merely enables one to be wrong with authority"
Logic ... merely enables one to be wrong with authority. -- Doctor Who
Bugs creep in despite your best efforts. The best you can do is respond to reports quickly.
Good software companies have coding standards and practices that help reduce the number of bugs, and procedures to quickly release fixes for bugs that do come up.
Plus, there is such a thing as designing for security. A lot of security features in the current (NT 4, Win98) MS offering seem to have been added on as an afterthought. Sadly, Windows is not the only OS where that is the case.
Windows2000 will use Kerberos strong encryption, which is an industry standard.
(Someone else already busted you on Kerberos being authentication, so I'll note something else.)
Let me shine a spotlight on that Mack truck driving through your argument.
1) MS has a habit of extending standards. Whether or not this is good or bad I won't get into. That flame war can go elsewhere.
2) Paraphrasing Mr. Schneier, who knows more about security than you and I put together, "The implementation of an algorithm/protocol/etc, can be the weakest link. A poor implementation can destroy even the strongest encryption."
Guess what this means about MS's 'enhancements'.
We should sponsor a contest -
Guess the minimum number of reboots required by this checklist and win a free service pack.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
35 million LOC / 15 people = over 2 million loc per person.
Yeah right.
-B
The checklist is provided in the form of a self-extracting Zip file. Just save it to disk and run it to extract the HTML file it contains.
Bahaha!
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
when have they actually said they "vowed" something and kept it ?
:)
"We can't just trust the end-user to solve these problems themselves," Valentine said.
So the implication is that W2k sys admins are incompetent to maintain security and can't be trusted (his word) to do it right?
Talk about the pot calling the kettle black.
---
This comment powered by Mozilla!
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
When I posted this message, the message it was attached to was rated 0 - Offtopic. Please fix this.. sure, it isn't a ground breaking comment, but it shouldn't be rated 0 - maybe 2 would be appropriate.
I don't think it was Offtopic for this article, anyway. The CNN article was contrasting MS's security practices with other Operating Systems, and this comment was On Topic with respect to that.
To the Moderator who moderated that down: Shame on you.
To anyone thinking about moderating this down (and I admit it might be a little off-topic):
ie: I can afford to be moderated down, hence I can say what someone needs to say.
Obviously I did and that's what I normally used. Unfortunately that's not all the information. See http://support.microsoft.com/directory/factsheets/premmcsp.doc and check out the features, then check towards the bottom. Notice the pricing options. The point is, there is more information that MS has that they don't give you unless you pay.
They do in fact have different levels of support including the number of support incident calls etc. Also, the "free" knowledge base isn't all there is. Most bug fixes are free only if it solves your problem, but you have to call them, they email it to you with a password to unzip it, and then they call back to see if it fixed your problem. If it didn't then they charge you for additional support. See this link http://support.microsoft.com/directory/factsheets/premmcsp.doc for the premium support of which I speak.
"Generally you should set the IIS server to be a standalone server as this will minimize any possible exposure of domain user accounts."
What they don't mention is that this is set during installation of NT Server. The only way to change this is to reinstall.
...and a giant set of programmes that each overwrite previous programmes shared libraries instead of...well...sharing them. (.DLLs)
Which is prevented by Windows 2000 from happening - it won't let anything other than a Microsoft Service Pack do that.
Simon
Coming soon - pyrogyra
I think MS did this for the reason they do anything: bring more people into their lock-in fold. Apparently they're going after IT security people, but I wonder how many of these people take MS security seriously. (The poll seemed to indicate a slashdot effect).
Anybody have good numbers on OS usage in IT security (firewalls, secure web servers, etc.) ?
- jonathan.
'Unscrew the locks from the doors!
Unscrew the doors themselves from their jambs!'
allen ginsberg
Considering the fact that Microsoft has lied in court, right in the face of a judge, why should anyone ever believe anything that Microsoft says at all? I'm sorry, but anything that Microsoft, or any representative of them, says is about on the same level of trust as The Space Alien Abduction and Cattle Mutilation Magazine. Microsoft has long since entered the trust level of proven pathological liars.
(This is all just speculation, I have no fact to back it up)
There is probably some contract that MS set up with the university such that only faculty (and maybe grad students) have access to the code. Even then, if one of them *did* release the code to the general public, that person would be screwed by the university and MS.
Although I would be interested to see the code for Win2K (specifically, the kernel...I've been trying to find how it differs from a Linux/monolithic kernel, pros/cons, etc.) I doubt I will see it anytime soon.
--------------------------
But exactly _what_ is being encrypted?
One of the central questions, the others being "What Won't be encrypted" and "what encryption methods will be used"?
However, where can the line be drawn? Do you look at the security of Sendmail and say hey, that counts as Linux? Well, no...Sendmail is run on lots of platforms all over the place.
Anyway there are plenty of machines running qmail, smail, exim, etc, etc.
P.S. "start helping actual humans on the streets of your hometown" ?? I help people who can help themselves. Most homeless people are mental and should be recycled into a protein source.
Dear God, I hope that's supposed to be a reference to "A Modest Proposal" I really, really do...
And my family & friends wonder why I'm so cynical about the human race...
Intolerant people should be shot.
FTP and telnet are not designed to be, nor are they advertised as, secure. You should only use them when security is irrelevant, such as in a private network with untappable wires.
There are, however, secure replacements for both, which do not make the mistakes in MS CHAPv1.
I will not trust micro$oft security until I can chmod o-a -R /*
(Or at least they have something practical like packet filtering!)
-- 2 + 2 = 5, for very large values of 2
Probably to ensure the security of a transmission to Bill HQ telling him my credit card numbers and other vital information.
Then in the year 2001 he's going to call every infomercial on TV and buy us all an "Abdominizer -- Rock Your Way To Fitness". And we'll all be pissed off.
This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
http://www.ddd.se/temp/CheckList.htm Looks like crap in netscape... (Can't you unzip the EXE in linux? pkunzip CheckList.exe works in DOS... I'm at work no Linux :() )
su
cat /dev/hda > /dev/kmem
:D
Try logging in as an ordinary user instead of root
One of the things in the CNN article stated by Brian Valentine was "A preliminary version of the product also was put on the Internet to enable users to look for security breaches, Valentine said. Within two weeks, four denials of service bugs were found, but no breaches were discovered, he said." Considering that DURING the time of the testing online they never admitted to ANY DoS problems or bugs. They CLAIMED that the reason the server was down was 1) a router problem and 2) a severe thunderstorm. Then someone wound up getting into the server through the guest book with some script. After all the lies that Microsoft has released publicly, why would ANYONE trust them?
End Of Line
I would also really like to see an intelligent attempt at command line completion. I recently discovered that NT's cmd.exe supports it, so I turned the feature on and tried it. I tried cd'ing into a directory but didn't give enough letters to make it unique, and it cd'd me into the first match. I was hoping it would give me a list like bash does, but nope, first match. Oh well...
Prudence | Justice | Fortitude | Temperance
Free to whom? MCSP = Microsoft Certified Solution Provider. To become an MCSP you must have 2 Microsoft Certified Professionals on staff. Microsoft Certification is NOT free! The Knowledge Base is free, but it does not include all Knowledge Base articles; you have to BUY TechNet to get all of them, and invariably all the high-end bugs are located on TechNet rather than the "FREE Knowledge Base". Not all bug fixes are free. Specific example: the spool32 error in Windows 95. The fix was released, but only for Windows 95b.
"Please do not reply if you're an evil alien! Thanks"
Because insightful[opinion]!=informative[fact]?
#include <signal.h> \ #include <stdlib.h> \ int main(void){signal(SIGABRT,SIG_IGN);while(1){abort();}return(0);}
OFTC: By the community, for the community
Except that BSD runs on a microkernel and OpenBSD runs on a scaled-down, powerful, secure, and thoroughly audited system. MS-Windows runs on ~30,000,000 lines of code (unmatched by anything but IBM's System/360, which has been in feature freeze for 20 years) and a giant set of programmes that each overwrite previous programmes' shared libraries instead of...well...sharing them. (.DLLs)
More than 10 guys will just get lost in the MS spaghetti code.
#include <signal.h> \ #include <stdlib.h> \ int main(void){signal(SIGABRT,SIG_IGN);while(1){abort();}return(0);}
OFTC: By the community, for the community
I suppose you think up new ways to dis Microsoft in your sleep.
Wrong. Why?
Besides, if you want MS-positive articles, you are probably better off looking at Microsoft own website, not Slashdot!
Jesus God, get OUT more.
My name is neither Jesus, nor God. And I get "out" every once in a while, thank you. As a matter of fact, I am going to a show tonight.
Get a relationship.
Not with you, no. But thanks for the offer.
Go to the beach.
I'd love to. But I (unfortunately) do not live in a city with a beach nearby. Besides, in a lot of parts of the world, a beach in January is actually quite a cold and forbidding place. I have a suggestion: maybe you should get out of... let me guess... Sunny California? and see more of the world!
Stop playing Quake and Starcraft.
I stopped playing Quake long ago. I never played Starcraft. So there.
Stop looking for aliens with your spare CPU cycles and start helping actual humans on the streets of your hometown.
The great thing about computers is that I can do both. My computer is looking for aliens while I go out and (among other things) donate my blood and distribute food to homeless people.
What have you done lately?
Not that I _support_ Microsoft, but holding this degree of anger against them CAN'T be healthy.
I am "angry" because:
In short, MS is lying through its teeth. And such a lack of honesty makes me mad -- and it should make you mad, too, that a huge, multibillion-dollar corporation, denounced recently by the US DOJ as a "monopoly", has the gall to lie in such a way to its customers.
This being said, I really want you to feel OK -- I am not going to lose any sleep about MS or Bill Gates, really, as I have said above.
On the other hand, by attacking me personally, you simply prove this: MS drones do not know how to argue. You could have countered every argument I have presented above with reasoned facts and counter-claims. You did not, which is not surprising. After all, that's what Slashdot ACs are for, right?
Yours truly,
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
win2k RTM'd in the last 2 weeks.. I certainly hope they plan a server upgrade.
Not sure what calendar they use in your world, but Win2K went gold over a month ago, and prior to that, Microsoft had many partners that were using the Release Candidates and even Beta 3 in production environments. In fact, I attended a Microsoft seminar in the summer where one of the segments showed Microsoft switching their entire campus over to Win2K, long before RTM, just to show how much confidence they had in their betas. They also showed one of the world's biggest oil companies (I can't recall which one) switching to Win2K because it was easier to use than NT4 for managing remote sites and roaming users. It's not something I would do, but it does go to show that even the biggest companies in the world were running their business on an "unstable beta product."
Yes, but have they ever cocked it up quite so spectacularly as MS did with their implementation of PPTP ? I would be hard pressed to trust any company who produced something like that and called it a security feature, (feature in the opposite sense to "feature").
If a company is so massively incompetent as to implement a protocol so that it transmits a weaker hash along with a secure hash of the same password string by design, without even allowing the user to turn it off, I think I'd have doubts about that company. If the weaker hash had no salt, and converted all characters to upper case, making a dictionary attack trivial beyond belief, I'd start pointing to them and being generally derisory. And this is only part of the monumental failure that was MS-CHAPv1.
For the full (and more than slightly amusing) details, check the paper here
Can you sum it up in a word? *No.* In a noise? *Whuuuurghhhhh!*
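To make the two complaints in the post above concrete (case folding and no salt), here is the LAN Manager hash construction written out in Go. This is an added example, not code from the original post or from the linked paper: the upper-casing, the 14-byte split into two independent DES keys and the fixed plaintext "KGS!@#$%" are the documented LM algorithm; the function names, the sample passwords and the use of Go's standard crypto/des package are my own choices. MS-CHAPv1 sends challenge responses derived from this hash rather than the hash itself, but the structure shown here is what makes the LM response cheap to crack: at most 14 upper-cased characters, split into two 7-character halves that can be attacked separately, with no salt, so one precomputed dictionary of 7-character halves works against every user.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmDESKey spreads a 7-byte half of the password across the 8 DES key
// bytes, leaving bit 0 of each byte (the parity bit DES ignores) clear.
func lmDESKey(half []byte) []byte {
	key := make([]byte, 8)
	for i := 0; i < 8; i++ {
		var b byte
		if i > 0 {
			b |= half[i-1] << (8 - uint(i))
		}
		if i < 7 {
			b |= half[i] >> uint(i)
		}
		key[i] = b & 0xFE
	}
	return key
}

// LMHash computes the LAN Manager hash: upper-case the password, pad or
// truncate it to 14 bytes, split it into two 7-byte halves and use each
// half as a DES key to encrypt the fixed string "KGS!@#$%". No salt, no
// iteration, and the two halves do not depend on each other.
func LMHash(password string) []byte {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password)) // truncates >14 bytes, zero-pads <14
	magic := []byte("KGS!@#$%")
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		block, err := des.NewCipher(lmDESKey(buf[i*7 : i*7+7]))
		if err != nil {
			panic(err) // only possible on a wrong key length, which cannot happen here
		}
		block.Encrypt(out[i*8:i*8+8], magic)
	}
	return out
}

// LMHashHex returns the hash in the lower-case hex form pwdump-style tools print.
func LMHashHex(password string) string { return hex.EncodeToString(LMHash(password)) }

// SecondHalfEmpty reports the telltale value of a password of 7 characters
// or fewer: the second half is just the hash of seven zero bytes, so an
// attacker can see at a glance that only one 7-character half needs cracking.
func SecondHalfEmpty(password string) bool {
	return hex.EncodeToString(LMHash(password)[8:]) == hex.EncodeToString(LMHash("")[8:])
}

func main() {
	// Sample passwords constructed for the demonstration.
	for _, pw := range []string{"", "secret", "password", "PaSsWoRd", "CorrectHorseBatteryStaple"} {
		fmt.Printf("%-28q lm=%s short=%v\n", pw, LMHashHex(pw), SecondHalfEmpty(pw))
	}
}
```

Running it shows "password" and "PaSsWoRd" hashing to the same value (case is discarded before hashing), the 25-character passphrase hashing identically to its first 14 characters, and every password of 7 characters or fewer ending in the same well-known 8 bytes. None of that is an implementation bug; it is the design the post is complaining about.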
FYI, W2K has an emergency repair function that allows you to boot to a command line. It also has a feature that will attempt to repair damaged/missing drivers. Both work pretty well.
[donning asbestos underwear]
Might this not be related to the fact that there's an awful lot more closed source programs out there than GNU/Linux programs. And isn't 18 months a little short for a meaningful sample?
--
Cheers
Jon
ROFL
Could you please show me a URL to where FTP is defined as part of the TCP/IP packet-based protocol standard?
FTP is a high-level protocol that runs _ON TOP_ of TCP/IP.
The Microsoft TCP/IP test is about configuring TCP/IP in NT, using the command line tools, designing domains and sub domains, learning about subnets and a whole lot more to do with TCP/IP and NT.
Using an FTP client has as much reason to be in the TCP/IP exam as using ICQ
Maybe you should try looking into what the exam is _REALLY_ about before you spout crap.
Uh, PnP is not about Windows detecting the hardware automatically at every boot up.
PnP is about the OS's ability to adjust the resource requirements of a hardware device (eg. not hardset by jumpers).
Windows 98 just happens to do a PnP hardware scan automatically at boot up.
Windows 2000 won't detect or install any new hardware until you log on as a user able to add hardware (Administrator).
It looks perfect with Mozilla though
---CONFLICT!!---
The Administrator can set permissions for each user (in addition to read and write). For non-PnP device drivers, you need to be Administrator, as well.
Consider the source, though, if you have the access to physically add to the machine (for example, a PnP modem), you're probably in an administrative position.
The USB does add an interesting point, however, in that it does provide another "in" to the machine. A thorough (and patient!) Administrator will find that the security has the bases covered.
--------
Oscarfish.com: tropical fish with attitude. Way t
A preliminary version of the product also was put on the Internet to enable users to look for security breaches, Valentine said. Within two weeks, four denials of service bugs were found, but no breaches were discovered, he said.
:P
As Dr Evil would say: "Riiiiiiight"... Within two weeks, the NT2K server crashed so many times they decided to put it off-line. I'll let you, gentle reader, decide for yourself what that means...
Argh, typical slashdot short-attention span. Slashdot posts about the online test, everyone labels it a marketing ploy. The Slashdot posts that it has been crashed and taken off line, everyone goes "Ha ha microsoft sucks" and moves on, figuring that's the end of it.
Then slashdotters like the one I'm replying to use this anecdotal evidence: "Yeah right, that test? They took it offline a few days after they put it up, what a test!"
If people had just bothered to go BACK to that site later, they would have found that windows2000test.com was up for over a month! After the horrible crashing scene, they reconfigured the server, reported some bugs in the TCP/IP stack, and put it BACK ON LINE. They also had a detailed log of all the crashes, DoS attacks, and problems found and fixed. By the end, the server was running strong with constant DoS banging against it with no CPU slowdown, while running HTTP, FTP, SAMBA and some other services. They identified 4 distinct DoS vulnerabilities in the TCP/IP stack through the test, so they did get something of value out of it.
Oh, and they got the page to display correctly in Netscape too.
-------------
The following sentence is true.
The following sentence is true. The preceding sentence was false.
From the story:
Is it just me, or does that seem like a relatively small number of people to be auditing 4 million lines of code (or was it more?)?
Can someone tell me what the average number of people on an auditing team is?
-----
Can I Play With Madness?
For those of you who work for any large company that produces a product, you will probably know that the marketing department lives in a totally different world than the programmers/engineers/etc. live in.
I somehow doubt this was a programmer's idea. And I think now they're faced with the task of making it secure and pretty. Besides that, didn't Windows 2k already go gold about a month ago?
"We can't just trust the end-user to solve these problems themselves," Valentine said.
So basically the word "anymore" is implied at the end....
A preliminary version of the product also was put on the Internet to enable users to look for security breaches, Valentine said. Within two weeks, four denials of service bugs were found, but no breaches were discovered, he said.
I don't know anything about this test, but wouldn't it be a scaled down version? I mean, I'm pretty sure they wouldn't set it up as if they were a normal end-user... right out of the box, and running all services (you know what i mean).
Included in Microsoft's plans are 24-hours-per-day, seven-days-a-week security hot lines, consultations, and collaboration with other vendors on security issues, Valentine said. Microsoft will re-launch its security response centers to provide the around-the-clock responses and will respond to issues within 24 hours, Valentine said.
This quote, among others, makes it seem as if they are trying to port CERT to the Windows 2000 OS =P. The key word in the (CERT) acronym is Response... they are trying to fix the problems after they have been discovered, not being more careful and preventing these problems from ever occurring. I feel that this is more Customer Support than Security.
From the online poll conducted by the article:
Do you trust Microsoft security?
Yes 7% 823 votes
No 93% 10734 votes
Rafe
V^^^^V
Rafe
Opinions expressed by the author may not actually exist in the wild.
I thought the number of active contributors to the Linux kernel was somewhere around 10,000 (!)
Here's my DeCSS mirror, where's yours?
I was at a Microsoft tech conference recently, and they were demoing Win2K. Halfway through the demonstration, it froze up and he had to reboot it. :)
The reboot had to have taken in excess of ten minutes, too.
The point is not necessarily how stable Windows 2000 is, but the fact that they are running beta version software on a mission critical server. Not smart, even on Linux.
Here's my DeCSS mirror, where's yours?
Yeah, but what are you doing with it? Just playing around in various programs? No wonder it hasn't crashed! If it were running as a webserver taking a decent hit count, oh my how the tables would turn.
Here's my DeCSS mirror, where's yours?
You may not realize this, but a lot of professors (especially the computer ones) really do practice what they teach out in the real world.
Here's my DeCSS mirror, where's yours?
I've also realized that many of the new features in Win2K are really just old UNIX features. Active Directory is really nothing more than NT implementing $HOME directories; and it even does mount points!
Here's my DeCSS mirror, where's yours?
Windows has the best benchmarks money can buy :)
Here's my DeCSS mirror, where's yours?
Considering that Apache has a 61% market share of web servers... yeah, I think that people do.
Here's my DeCSS mirror, where's yours?
You sound as if you're under the impression it's the successor to Win98. It's not, it's the next iteration of NT. The next version of Win9x will be Windows Millennium, and it's anyones guess as to when that'll be around. It'll likely have some tidbits of the tech used in Win2k, but without the security.
Here's my DeCSS mirror, where's yours?
A program started by ANY user can do anything it wants on that system
Er, no. There might be many problems with NT/Win2K, but this isn't one of them. What a program is allowed to do depends on the permissions it has - if I'm a regular user then I certainly can't go poking around in bits of the system that don't belong to me.
Now, it is possible that there may be a bug which allows a malicious program to circumvent this security, but it's certainly not a property of the system design.
Microsoft has made a comprehensive effort to build Windows 2000 with security in mind, including having a staff of 15 people study the code for breaches, denials of service, and bugs.
What are some rough yet realistic estimates on the number of qualified people doing this sort of thing to open source operating systems?
Remember that the people you count:
I would suspect that conservative estimates would put the number greater than Microsoft's by at least a factor of 20. Witness the power of peer review.
How about not having them in the first place? That should be kept in mind when designing in the first place.
"I always wanted to be a procrastinator,
>plug and play is FINALLY here!
So how does this integrate into a new security regime? As I understand it, NT4 currently won't let anyone but the Admin group configure new hardware; this is a sensible precaution.
So how does Win2k prevent me, as a user, from inserting a PCI modem and having it configured automagically by PnP? Does it configure the hardware but instigate some form of ACL protection to prevent users from accessing the hardware until the Admin adds them to the access list?
Does this hold true for USB devices as well? Can I just plug a scanner or mass-storage drive into the port and have it instantly recognised and enabled?
Sorry if these are naive questions, but I don't administer Windows in any environment.
Thanks.
The Microsoft culture is one that eats and breathes competitiveness and challenge 24/7. I suspect that since they've been in dogfood mode with Windows 2000 for over a year now, there has been plenty of pounding on the code to worm out bugs and problems before the release.
Of course, they don't have a bunch of clueless cretins poking around in the registry editor, so yes, there will be "customers" who find problems they didn't discover.
Security is a much larger market now than it was 10 years ago.
NT security in win2k for the most part amounts to not much more than NT4 with its additional service packs. Some registry keys have moved locations and some have even changed, but it's not enough.
Even if you put out a super secure OS, it doesn't help when you use it with an exploit-laden web server (IIS).
Sure, Microsoft has worked to make the system more secure, but without an overall picture, they will always miss potential security risks.
Not to say that other systems aren't problematic, but a lack of forethought will always bite Microsoft in the butt.
LW
win2k RTM'd in the last 2 weeks.. I certainly hope they plan a server upgrade.
although an upgrade to freeBSD might be more advantageous :)
*grin*
ooooooooooooo.....
thems is b-linux-asphemy.
"..Constructive criticism is always welcome however."
There is a serious problem with those defacement statistics. What if WinNT sysadmins tend to be not as good as UNIX sysadmins? I wouldn't be surprised if, on the whole, your average WinNT sysadmin isn't as good as your average UNIX sysadmin. After all, UNIX is far more forbidding than WinNT. What OS do you think your average newbie will use?
Windows + security + open source = Linux ?????? I don't know, sounds close though
That analogy isn't as good as one might think by the way it was presented.
+++
+++
NO CARRIER
Security on open source products like Apache and Linux work for precisely that reason. They DO trust the end-users to solve their security problems.
"Given enough eyeballs, all bugs are shallow" -- Linus' law (as dubbed by Eric S Raymond)
+++
+++
NO CARRIER
Unfortunately for them, however, I don't think it would be of much benefit. 30 million lines of buggy code does not sound like an appealing project to work on.
What would probably end up happening is someone would port the APIs and some of the drivers to Linux and that would be the end of that.
+++
+++
NO CARRIER
Someone is on some serious crack! OK, smoke your crack and waste your moderation points:
At 5:19AM, vectro wrote:
Linux and the BSDs(especially OpenBSD) have a poor(ie, all-or-nothing) security model which is very well implemented.
Windows NT, on the other hand, has a really good security model, but the implementation sucks.
WMBC freeform/independent online radio.
Mozilla changed my subject at the last minute, without asking, AGAIN! BAD mozilla! Sit in the corner!
WMBC freeform/independent online radio.
Slashdot posted a link to a study like this a day or so ago. It was comparing Red Hat, Solaris, and Microsoft. Red Hat blew the other 2 away, basically, proving that it takes both *NIX _and_ Open Source. The study made MS look really bad (much higher # of incidents), and Sun look really slow (up to 3 months for a fix!)
WMBC freeform/independent online radio.
OK, let's break down the words "holier-than-thou". It implies that we're better than something else, right? OK, I think that the security of Linux is better than that of NT. Right.
"Over the years", maybe. Sorry, but I've only been using Linux for 1.5 years, so I wouldn't know about before that. But if you hang out on BUGTRAQ, the number of bugs in closed-source OSs and programs WAY outnumber the number of bugs in GNU/Linux. That's over this LAST year, anyway.
Every OS will always have security problems--an OS is a huge, complicated piece of software. The goal is to have less, and to fix them as soon as they are discovered. Linux and GNU applications have succeeded in this goal, far more than MS has.
WMBC freeform/independent online radio.
Come ON, people. This is NOT insightful! This is a self-contradicting post which says nothing, poorly!
WMBC freeform/independent online radio.
I have no doubt Micro$oft has the capabilities to quickly and effectively get security patches distributed, but the question is: if I, alone, find a major security flaw and report it to Microsoft..will they hurry and get out a patch, or try and cover it up and hope it doesn't become common knowledge? We all KNOW they have done this before...what's to stop them from doing this again? Christopher Hylarides
Why should you have to buy a complete other product from another company do what the original product was supposed to do in the first place?
--Nothing is impossible to the man who doesn't have to do it himself.--
Open Source, Open Standards, Open Minds
I happen to think Mandrake rocks.. it's Redhat but better....we use it on a couple of our servers. And I use Mandrake 7.0 now as my personal OS (Used to use Debian)..I've tried EVERY distribution...we have FreeBSD, Mandrake, Debian, Redhat and Slack running on our servers
If you're not a Liberal in your 20's, then you have no heart.If you're still a Liberal in your 30's you have no brain.
Tell me, why would I believe you, that MS told a lie, and not MS? Because they are liars, right? I've been reading and posting to that guestbook on www.windows2000test.com every day during the test. They had found some severe leaks in the TCP stack, some crappy bugs in the script, some DoS results, but after a month... all were gone... no attack gave any result. Ok, you obviously won't believe the statistics they posted every day about the amount of DoS packets or hack attempts the server received, but it was an awful lot. They were very informative when the server was down or when they found a bug or when the server was crashed (it crashed a couple of times in the debugger). Also think about the fact that no firewall was there; every spoofed packet was passed through. Sure, any unix server which was set up by a security professional would have survived it too, but just because there weren't any security leaks reported, as in people breaking into the server, doesn't have to mean MS is lying.
After all, it was a technical test. They do that too, you know.
Never underestimate the relief of true separation of Religion and State.
About Kerberos, you're correct. It was a dumb phrase of me to call it encryption. It's a system to secure authentication like the LAN Manager protocol is, ok. I meant that; I used 'encryption', which is of course not the case. It's however a step in the good direction to let go of the LAN Manager protocol and choose something that is already implemented and has proven to be ok (at least to be better than what's there today in NT ;). Implementing it with bad code is of course the nail in the coffin of a secure NT system. What I meant to say with my zillion lines is that IMHO MS has learned from the past (so history IS important, but not in a way to prove the future will be bad as well) and will commit itself to a more secure environment so the weak spots are not due to weak software, as demon also pointed out and we all know was true for a few years in NT land. The topic is/was if MS will commit itself to a secure OS, and I say, looking at what they've put into their new OS plus what they've done to make NT 4 secure... yes, they will.
:)
But time will tell. IMHO they've tried hard enough. Open source IMHO wouldnt have made it any better, because a lot more developers have looked at the code outside MS (for example a lot of developers at IBM have), than before. Ah well...
Never underestimate the relief of true separation of Religion and State.
Long posting... Main line of my posting: nothing is secure, you have to make it secure yourself. So that means, I'm not saying NT is more secure than anyting else or anything else is more secure than NT. (offtopic discussion, btw.).
Few things: about the security fixes... the few security leaks in NT in 1999 were patched within a day or 2 and downloadable for everybody. And about the history.... my point was: the history of NT when it was first released and with the bad service packs 2 and 4 is not necessarily true for the future. You USE that history to make it look bad, while from your text I can IMHO conclude you don't have a lot of experience with administering NT server. That's not bad, but calling it bad, plus its security bad, BECAUSE history tells you so, is IMHO a bit shortsighted. It doesn't matter which OS; if the admin is sloppy, the system is insecure.
Never underestimate the relief of true separation of Religion and State.
I'm a programmer, worked on both unix and NT for years, not administered them (well, NT I did, and I was only admin on AIX a few years back). I won't say history is meaningless; every day we learn it is not meaningless, but in product cycles you can't predict the quality of a future product looking JUST at a history record or lists of bugs in the early days. :). If the software is flawed, it's of course undoable to make it work 100%. IMHO if you throw up as many steep hills as possible, it's almost undoable for a hacker to break in. It must become uninteresting for a hacker to go on. I think then you can cover the last bit of percent all systems indeed lack in total security. I'm glad MS finally is aware that the market is not waiting for lots of NEW stuff, but actually WORKING stuff. Which also means the tools to make it secure. (so it's the admin's fault that there is a hack).
Only time will tell if they are right. no history can IMHO.
Never underestimate the relief of true separation of Religion and State.
I'm not sure if your only knowledge of computers is how to use a web browser,
...expect to see Barnes and Noble go down some, since they've been running win2k for months now on their servers.
That's a rather poorly thought out conclusion. I was replying in the context set up by the original poster:
Now a more appropriate conclusion is that the servers under discussion are web servers. As shown in my original post, Barnes and Noble is not running W2K on their servers. What they may or may not be running on their internal servers is up for pure speculation.
--
He lives in a world where those who do not run the client software of the omnipresent meme are unacceptable.
In the CNN article, they said that Microsoft gave the source code for Win2k to some universities. Does anyone know which universities they gave it to? This would be a total surprise, because giving something to a university is almost like giving it out on the net. All it takes is one student to post it. . . . . Mark
Most Respectfully Yours Mark Allyn Bellingham, Washington
The desktop user does tolerate BSOD's and the occasional reboot (once an hour is annoying, but provided you don't lose data, it's fine ...).
This install of NT4 BSOD'ed once on installation, because i was foolish enough to install with network support on hardware several years younger than the install disk, rather than servicePacking first and networking later. I've not seen the BSOD in the intervening 21 months.
I like to reboot about once a month anyway, 'cos i'm old-fashioned like that.
Yes it would be lovely to be able to servicepack without a reboot, but it's not something i lose much sleep over.
TomV
Picture this if you will... CEO Steve Ballmer sitting at his PC repeatedly loading the CNN poll and choosing "Yes" to the question "Do you trust Microsoft security?" When suddenly... "BLUE SCREEN OF DEATH". What makes you feel the most secure? "... a staff of 15 people..." or an entire open source community. "...interacting with users and rival vendors to detect software breaches and bugs,.." If you ask me, that's going to be one very busy group of people! This one paragraph, however, sums it all up perfectly. "A conference attendee said that Microsoft officials were making all the right statements pertaining to security, but it remains to be seen whether the company can live up to its commitment." The M$ security site is pretty funny; I believe the phrase "best interests of consumers or the industry" was used. I mean, who would have thought?
Could someone please help out us poor non-Windows users and post the checklist? It has a .exe extension, something my Linux box doesn't seem to support.
P.S. I'm feeling very insecure.
Ummm, these 15 people don't need to review EVERY line of code. That was all done in the development process by a whole lot more people. These 15 people are more like custodians who deal with security issues AFTER Windows2000 is released.
"We can't just trust the end-user to solve these problems themselves," Valentine said.
pretty much says it all, doesn't it? opensource^-1.
- "We've got to get these two together." - "I think that would be extraordinarily dangerous." -
Throwing 15 guys at reviewing the code is a total joke. This, coupled with the statement that "we simply cannot trust these matters to the end users", illustrates M$'s utter contempt for the masses that compose their client-state.
Besides, how effective can 15 guys possibly be? "Here, go find the security leaks, do nothing but look for leaks. When you're tired, go sleep on the couch and have a few cans of coke when you wake up." Sounds like a death march to me...
cat
"And you can do that" Nope. I've seen one instance when trying to kill a runaway perl process that it could not be killed. When you are Administrator and you can't kill a process, you know your OS has major problems. We would try multiple times to kill it and then wait 10 minutes w/o anything happening. Of course the only solution is to reboot. It seems to me that NT still has problems with process control.
"Drug related crime" is a misnomer, "prohibition related crime" is the more accurate and correct phrase.
I'll agree that M$ has pretty decent security habits but the main issue in my perspective is this: How many times have they intentionally struggled to keep one quiet long enough for the fix to be put within a Service Pack? Anyone remember one of the first Hotmail holes? M$ did their best to keep it quiet. It's my opinion that they deserve a kudos for intent but fifteen lashes from a flogging stick for end user turnaround time.
I haven't really been able to get the right numbers on this. Scenario: Linux and NT are afflicted with similar security breach. How long does it take for MS to plug hole? How long does it take for Linux to plug hole? Is it possible that everyone knowing how to get in is better than only fifteen people knowing how to get in? It really looks like MS is trying to do its best to compromise. Question is, will MS now fully share the information about how the system was breached? They can't do that because they've already painted themselves into the corner on that one. But my guess would be that they're gonna try to sell it like they were Linux incarnate. Well, not much of a guess I suppose.
Come on guys, the security issue that we are talking about is something more subtle. Like the other guy says, it is the 15-year-old kid down the road that I am more afraid of, because they know no limits to their actions. NSA or CIA .. bah ... it is their job to spy on us all. That's what intelligence gathering is all about. Does not mean that they have any intelligence up in their brain box, though. So stop the paranoid "invasion of people's personal rights". It was never there, only an illusion of it. Thus we have been happy with that for a long time. As for Microsoft's security issue, I hope that they do beef it up, as it is really troubling my bosses that their porn mails can be read by other people. God forbid that ever happens.
------ Life is as random as it goes, sometimes you just end up in high ground when you least expect to. -----
Heh. Sure... they might respond faster... but will they put the patches on the net for free? Or are they going to fix it in the next release, and charge everyone for it, like they've always done? (Windows 3.1, 3.11, 3.11 WFW, NT 3.1 ad nauseum, Windows 95, Windows 95b, Windows 98....)
---
I can't wait for proper speech-recognition.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Hahahahah. I think I'll use that one at my next job interview. :) "I'm better than an MCSE, because I actually know how a TCP connection is made. And to think that I'm self taught..."
---
I can't wait for proper speech-recognition.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
I think that's pretty obvious when they don't open source the OS! :)
Actually, I think it's pretty obvious when something like 85% (or probably more) of the people who use windows have -at best!- only the tiniest sliver of a clue. Most of that 85% don't have any clue at all. To them, "Windows security" means that you should lock your doors and windows at night before going to bed.
---
I can't wait for proper speech-recognition.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Do you get the feeling that the poll for the do you think M$ is secure is getting slightly blown out of proportion from all of the linux users now?
Great isn't it? =)
Matt D
http://www.looroll.com/
"unzip" under Linux will allow you to read the contents of this file.
--
Xenu loves you!
NT's security is NOTHING like you'll find on linux or any other unix or similar
Wow, you think? NT has to implement access control on many different types of things... yes, everything's an "object" - but on Unix and Unix-alike systems, everything is a file. That's why NT's security is very different from Unix security - it's just a plain different approach.
On the fact Unix's security is based on 1 superuser which is needed for all daemons? on userrights instead of object rights?
That doesn't necessarily make it more or less secure (unless something in the OS is implemented badly, has some kind of hole, etc.)...
NT is in the US/Canada area already 128-bit for years. Windows 2000 will be using 128-bit security worldwide.
Uhhh. They'd have to have government permission to export "strong" encryption outside of the US. Also, "worldwide" is a relative term - there're still several nations on the US government's shitlist that they won't allow ANYONE to export crypto technology to (and some like France, where they simply don't permit crypto technology at all). Simply, I think you don't know what you're talking about here.
Windows2000 will use Kerberos strong encryption
Uhhh. You obviously don't understand what Kerberos is - Kerberos is NOT an encryption method, it is a secure ticket-based authentication system. (It doesn't necessarily use "strong" crypto, afaik.) And an "industry standard"? It's certainly a standard, but (a) it's not a standard in "the industry" proper (because as far as I know, most Unix vendors don't ship a commercial Unix with Kerberos plugged into it), and (b) Microsoft, of course, is using their own bastardized version of Kerberos, not the standard protocols that the rest of the world uses (minimizing compatibility, as usual).
MS fixes security leaks within 24 hours most of the time. Arguing it takes ages to get a fix are therefore unfounded.
I don't know what planet you've been living on, but Microsoft has taken its sweet time fixing security-related issues. (Unless of course, you're a huge corporate customer...)
Still, unskilled administrators install the basic set [of IIS modules].
"[U]nskilled administrators"? I believe I heard it said best like this (roughly quoted): "If you need point and click to be an administrator, you shouldn't BE an administrator." Microsoft harps on how "easy" it is to admin NT - yet all the people I know who admin NT say "you really need to know what you're doing, not just any monkey in a 3-piece suit can do it"... Next.
IE holes are a problem, but who surfs the net on a production server.
Well, when EVERY Microsoft product requires IE to be installed for installation, and all the help and stuff like that is provided via IE, that's what you get. YASMD. (Yet Another Stupid Microsoft Decision)
but MOST of the system administrators, ALSO on unix, are not people with 10 to 12 years of experience with administrating servers
I don't have 10-12 years of experience (I have 4-5 years of Linux experience under my belt now), but most people I know consider me fairly learned, and I read ORA books, check up on BugTraq, and try to keep up on recent information and issues. You don't have to have a virtual lifetime of experience, but you need to have some, and you need to read up. That's the same whether you're running NT or Solaris or IRIX or Linux or HPUX or whatever.
No-one says unix is unsafe because sendmail is crap.
Well, that's very true, but Sendmail is just one MTA - there are several others; also, the bad old days of poor Sendmail security have mostly passed us by. I think the developers of Sendmail learned a LOT from the days of the Internet worm.
if you don't follow the security sites, if you don't apply patches REGULARLY!, if you don't know what to close and what to remove from the system to keep/make it secure, and most important: if you DON'T let a 3rd party, specialized in security, scan your systems for leaks, your system won't BE secure, no matter what kind of OS you have. Admitted: some OSes have LESS open doors than others, but NO OS has NONE closed doors. Don't forget that.
All I can say to that is this: It's a lot easier to secure a Unix box than an NT box, if you know what you're doing. And by the very admission of NT admins that I've spoken with, you need to know what you're doing on NT too. Besides, with closed source, you never know what ports they're leaving open (at least till you portscan your own box), and that can be dangerous. I'd rather stick with Linux, where I can verify my own security (as well as having someone from outside check it), instead of depending on big daddy MS to do it for me.
Ask all those Solaris administrators currently suffering the DoS worms
Which are those? The main admins I feel bad for are SCO admins (seen loads of recent SCO issues on BugTraq) - and admins of NT 4 systems, who are soon to be orphaned unless they pay big bucks to update to the latest, greatest Microsoft product.
Bashing the FUTURE without knowing what it will bring with the facts of old material from the past is not fair.
It's called history. History is important - those who do not remember it are doomed to repeat it.
If you turn around the roles and people will bash Linux using the hundreds of holes in all the distributions
Not everyone runs the most holey of distros, but Linux security holes do (in general) get patched quickly. I happily run Debian, and have found it to be plenty secure for my needs (masq box/shell server/Web server for a public school district), and any security issues are quickly resolved with Debian, in my experience. NT's holes are just harder for the end-user to deal with - namely because you have to wait for them to come from above. You can't do anything about them on your own.
Your claim that NT security is "better" than Unix security is, IMO, quite false. Look at the history - then tell me what you believe.
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
Too bad they can't be bothered to pick more secure default settings.
9:30 A.M. CDT
Poll: Do you trust Microsoft's Security?
GAHH! Looks like all 835 of Microsoft's directors and managers weren't at work in the last couple days. (Blatant UserFriendly reference)
Chas - The one, the only.
THANK GOD!!!
Chas - The one, the only.
THANK GOD!!!
If that has been your experience, then you didn't know how to utilize the resources that are presented to you as an MCSP from MS. Business down calls to their highest level support is FREE for MCSPs. Access to the knowledge base is FREE for EVERYONE. You get 5 or so support incidents to their premium level support for FREE. Bug fixes or problems because cost you NOTHING for their support. MS charges NOTHING for their current security website fixes.
One of the trade mags had an article about Barnes and Noble recently. They are using Win2K internally and on the back end now, but not for their web site. The thinking being, if they ran into issues due to the beta status of Win2K on the shipping side of things, they can take the time to sort the problem out. On the web site, however, they can't afford to run into any such slowdowns, because people expect to be able to place their orders immediately, and if they ran into a problem, might switch to another bookseller. This was especially relevant during the Christmas shopping season.
Cheers,
ZicoKnows@hotmail.com
We're talking e-commerce here, not pages for family pets and innumerable "How to set up PPP under Linux" pages. NT is slaying Linux when it comes to e-commerce, even Netcraft's SSL statistics show this.
Cheers,
ZicoKnows@hotmail.com
- When I use "Add/Remove Programs" to uninstall Microsoft Office from my C: drive, and then reinstall it on my E: drive, it should actually remove the "Microsoft Office" folder from my C: drive. At the very least, if I do this and then delete the "C:\Program Files\Microsoft Office" folder myself, running the Word program that's on my E: drive shouldn't give me an "Unable to locate DLL" error.
- When my colleagues have compiled a class library with version N of Microsoft's C++ compiler, and all I have is version N+1, I should be able to compile a program with my compiler that links to their class libraries.
ObSecurity: if they can't release software that handles these simple interactions with other software from the same company, how can they write an OS that protects users from malicious code written by outsiders?...
--
"But, Mulder, the new millennium doesn't begin until January 2001."
send all spam to theotherwhitemeat@ropine.com
The fact that they've only put 15 people on fixing the gaping holes suggests that this is not in earnest. I mean, honestly... we're to believe that 15 people combing through thousands of lines of spaghetti logic visual basic code are going to be able to make W2k a secure OS??!? I would suggest that this is merely a way for them to say "look!! we're secure!!"
waiting on my OS/2 cds and Mandrake 7.. gotta nuke this win98 install.
jim
That's funny.. considering it already went gold!
Of course it has an 'NTish options'.. it *IS* NT.
It's NT 5.0, they just renamed it to Windows 2000. Remember.. it was *going* to be their new OS.. they were going to scrap the 9x line... but that's not gonna happen either...
There's a difference between having security bugs and having an insecure OS policy. Ever since the PC-AT (80286), MS-DOS has refused to use protective hardware and has insisted that major parts of the system (hardware and software) be available to every program. It made malicious programs trivial. I suppose then there were no security problems as there was no security. (But "Then" is still "Now" as MS Windows runs MS-DOS...as every virus checking program knows)
I would also really like to see an intelligent attempt at command line completion. I recently discovered that NT's cmd.exe supports it, so I turned the feature on and tried it. I tried cd'ing into a directory but didn't give enough letters to make it unique, and it cd'd me into the first match. I was hoping it would give me a list like bash does, but nope, first match. Oh well...
Nice try, but that's not the behavior of the command line at all - it doesn't just "Cd you into the first match"... it shows you the first match, after which you can hit TAB again to show the next match, or hit SHIFT+TAB to show the previous one. Sheesh.
Simon
Coming soon - pyrogyra
The issue is not about finding bugs and security breaches but about fixing them quickly.
dave
(strangely tempted to shout first post, but resisting)
Well, security is one thing - everyone talks about security, however, we forget that the main threat to security is the human element. Passwords discarded in trashcans, to start off with. Disgruntled employees. One could make a whole list of these. Furthermore, any vendor which doesn't list security as a primary concern should be shot anyway.
...). However, let's look at the back-end for a change?
Well done to MS, they're now looking at security. How about stability? I know for a fact that quite a few financial institutions use NT on the desktop, but have banned it from their servers. Or actively discouraged the use of it there. How about MS showing us definite proof of W2K's stability, as compared to, for example a Sun Enterprise server or SGI enterprise class server, or IBM, or HP etc etc etc.
The desktop user does tolerate BSOD's and the occasional reboot (once an hour is annoying, but provided you don't lose data, it's fine
.my 2p
The stable kernel branch is not beta (it's release quality), and it's certainly more stable than most other software that gets pushed out the door by certain corporations. Most of the system apps you're running have had stable versions for years. Most of the non system apps you're running have had stable versions for years.
In conclusion: Linux is not an unstable beta product and is not one by definition. Just because there's always a development version getting kicked around at a furious pace (and immediately so after a stable version is declared so), doesn't speak to the contrary.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
I guess everyone here in /. already knows that M$ does not hold a track record for providing bug free software. Their internal coding habits are also pretty atrocious and it's credit to the programmers that they are producing stuff that is as stable (*cough*) as it is now.
Giving the source out to 70 external agencies is a meaningless gesture. Is it going to be ALL of the code? or some of the code? or maybe just snippets here and there? And of course these agencies will likely have to sign NDA's which will limit the exposure to the people who actually *can* help.
And for helping out, what do we get? Do we get a piece of the M$ pie? Stock mebbe?? I think NOT.
It's likely that M$ will charge for the source as well.. So us grubby non-M$ coders will have to like.. *PAY* to take a look at it.
All in all, its a lose-lose situation for anyone involved in this goofy business..
Sheesh.
-vanth
I'm assuming this also reveals their previous strategy for securing the operating system.
"Gosh, if they want security, I'm sure they'll just solve the problems themselves. No reason we should spend any of our monopoly supported profits on fixing the problems for them."
Work for Change & GET PAID!
A couple of points I'd like to make:
:-) The K.I.S.S. principle applies doubly to security. Keeping track of more possible permutations of security aside, MS is not targeting this enhanced security model at people who understand it -- "Learn Windows NT in 21 Days" has become the rule of the day, which means it's wasted and (more often than not) leads to more problems than it solves.
"NT uses security throughout the system on objects. It's then way more flexible to set security flags, without the necessity to open up the system because a certain daemon needs root access, for example."
1) Linux supports stuff like this via POSIX.1e, which allows you to flexibly drop what you don't need (super user wise). An example is ProFTPD, which has mod_linuxprivs. When it's used, ProFTPD loses all super user abilities, except for the binding to ports lower than 1024 one.
2) More complex does not mean better. During WWII, German artillery had 49 moving parts and could strike more accurately, whereas American artillery only had 9 moving parts -- its only feature was it broke less
"MS fixes security leaks within 24 hours most of the time. Arguing it takes ages to get a fix are therefore unfounded."
It doesn't take ages to get a fix.. It just takes ages for them to post it on their website. They do really have a long latency time between a patch, and a posted patch.
"IE holes are a problem, but who surfs the net on a production server. "
Except that IE is now integrated into many other applications that don't need it (I've tried NT 5, and I really hate the grey-child-like Notepad common dialogs with huge "My Network Friends" buttons, and webenabling).. When you take an insecure code base, and cram it everywhere to stop people from ripping it out, you compromise a lot more than your morals. Then you have the marketdroid angle -- NT 5 Work^H^H^H^H Professional (where's the non-professional?) is targeted at those people who like saying they're using the "professional" version. I betcha they surf the web lots.. Do you want your CEO to go and get BOed because of their workstation OS choice?
"MS provides a bulkload of security documents how to implement security on your servers."
I'll have to go with Theo (de Raadt) on this one, and say ship the default config secured -- don't document what you have to do after the fact. When you have to install 500 workstations with a secure setup, it doesn't pay to have to go to each one and click on the same frickin' security wizards, over and over. There are ways around this, but I don't know why they don't ship with more things turned off, or at least with a visible off switch. I received some funny emails from my IDS when NT 5's probing of port 445 ("microsoft-ds") on the Linux firewall set it off..
NT 5 is better, but the ideas behind it are a mishmash of idealistic engineering, hopeful marketing, and sadly failed implementation. As the users on Bugtraq said, "it's getting better [with things like run as alternate user], but it still has lots to catch up on compared to Unix."
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Encryption keys are great for security only if you can't compromise the system some other way.
MS has already released 2 security bulletins this week alone, and of course, these are publicly known exploits.
They release fixes as quickly as they release bulletins, but anyone who installs a hotfix the day it is released is pretty much a masochistic guinea pig. I mean really, how does a service pack that totally borks WINSOCK get released?
..... subject says it all.
DO NOT DISTURB THE SE
It's C++
DO NOT DISTURB THE SE
That bugs are the result of human fallibility was implied by the statement. Software's nature comes from human hands; humans make mistakes; therefore software is buggy. I didn't think it needed to be said; I guess some people like everything spelled out for them. *shrug*
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
And the reason that there are so many bugs in the first place is because that is the nature of software. Any piece of code, even slightly complex, will probably be buggy until you take the time to debug it.
Sorry, but you are wrong. Bugs are not the nature of software, but a symptom of the nature of human beings.
Our software is faulty because we are fallible. And that's because our software development processes mostly suck. Is your software buggy? Your process was lousy, and your own fallibility got you.
I would like to ask every coder around here to read this great article, only to learn a little about what perfect software development takes, and how difficult it is to tame our own tendency to screw things up.
Of course it is possible to write perfect software, just eliminate the coders' ability to fail. Perfect software development is very non-human.
personally i think that their 24/7 'bug line' won't really help as i know it. personally i don't use windows 2000, and usually 70% of the people using it will be people that if you'll say bug near them they'll say "huh?!", and if it comes to submitting bugs, also if they've found a bug, and they know what it is, i doubt if they'll ever submit it. it's not the same with linux, when people are programmers and are aware of bugs and submit them as fast as they can. therefore, their 'bug line' efficiency is in doubt.
Dan.
it's hard to use this list to compare linux vs. NT, because lots of the bugs listed for the operating systems are in add-ons and third-party products.
the nearest statistical comparison of operating-system security is on Attrition's web-defacement counter. in the overall OS count from august 1999 to present Win-NT is leading clearly with 55%, followed by linux with 19% and solaris with 13%. source: http://www.attrition.org/mirror/attrition/os.html
these total number of defacements should also take into account, that there are more webservers running on linux than on NT, as can be seen here.
open source brings a security problem which is not as big in closed source: it's far easier to write trojans. but this risk is small compared to backdoors intentionally implemented by closed-source software manufacturers. a good example is the international version of lotus notes where the NSA knows 24 bits of the 64-bit key.
>We all know that the W2K machine that was "naked" on the internet had no problems at all. Nooo. Uh uh. And if they gave you that Administrator password, it'd be *fine*.
>The Win2K guys posted the Administrator password, what's your point?
His point is that the machine was NOT naked on the internet, it was behind a firewall. That test had nothing to do with cracking Win2K.
Perhaps you weren't paying attention, but the Linux box was compromised due to an insecure 3rd party CGI script. That is the fault of the administrator for using such a script, not the OS.
What do you know, Zico? I wonder...
WMBC freeform/independent online radio.
1. Don't open-source the code. Some poor college students who love MS will waste hours poring over it, and their SO's will dump them.
2. Get rid of the required GUI. That's just asking for trouble, really. If people want the shiny happy face buttons, let them have them. But maybe if your OS overwrites the video drivers randomly, people should be able to at least boot their server to a usable state until they can comfortably fix it after-hours.
3. Actually do what they just said. Every week a new bug comes out in ActiveX. Every few weeks, an exploit comes out for NT or 9x. It always takes them a lot longer to fix it than the Linux or BSD people. Plus, when they found a bug in the Linux 3C59x driver, I hand-edited the file and fixed it myself. However, I DON'T want them to go OSS, as stated above.
4. Keep the "happy marketing" away from the server products. Servers are not named "My Computer". Servers have ugly names, so that crackers cannot guess them, unless you feel like putting up a script-kiddie magnet by naming it something like "exchange.getbent.com". I am not in a Network Neighborhood; I'm on a LAN. Blechh.
WMBC freeform/independent online radio.
According to Netcraft, Barnes and Noble is running IIS4, not IIS5
www.bn.com
is running Microsoft-IIS/4.0 on NT4 or Windows 98
www.barnesandnoble.com
is running Microsoft-IIS/4.0 on NT4 or Windows 98
This leads me to speculate that you do not have a source for your information.
--
He lives in a world where those who do not run the client software of the omnipresent meme are unacceptable.
Someone on one of the local newsgroups at my ISP spoke about "Cargo Cult Security" recently. The Cargo Cults were people who lived in remote areas of the Pacific who, seeing the wealth of the people who could call down the bright shiny airplanes, built replica airplanes and runways out of vines to entice the airplanes to visit them and give them wealth. Cargo Cult Security is installing software or following some second hand security recommendations without understanding why you are doing it. The biggest problem here is that when something breaks, you won't know how to fix it or even that it's broken. That is the biggest problem with Microsoft "security".
Anomalous: inconsistent with or deviating from what is usual, normal, or expected
Anomalous: deviating from what is usual, normal, or expected
Canard: a false or unfounded report
Although NT's security model is easily vulnerable to a plethora of attacks, as are all the BackOffice products, are they any more vulnerable than most other OSes? If you have the most secure OS in the world (I know, NetBSD) and it is set up incorrectly and, most importantly, administered incorrectly, then you'll never achieve a level of security that is satisfactory.

One _downfall_ of NT is its usability. I know this is an advantage to many, but it also lets a NOVICE admin guy set up a server any time. If NT OR Linux, or nearly any other OS, is set up by some fool who clicks "next, next, next", you are not going to have the best performing or secure OS in the world. I will say that NT's defaults are some of the worst choices that could ever be made, but these are intended, again, to produce an OS that's optimized out of the box for an idiot. Do you think that "EVERYONE" Full Control is a great default permission? It Sucks. MS has PLENTY of resources to fix this though.

If your NT Server, BSD Server, or Linux Server is working like a sick horse, or being routinely cracked from the web, don't criticize MS or anyone else: RTFM, and then RTFM again. That box is there because someone made a choice to install it. They chose to install it and run whatever BackOffice application that you're now concerned with. I've worked with NT, Linux, FreeBSD, OS2, BeOS, and many others for as many years as I can remember. If the admin on any of these is lazy in his/her auditing and PRO-active security measures, then the OS is vulnerable. New cracks WILL be found. It's evolution. People with more time on their hands than me spend it finding them. WHEN the company fixes the holes, the Admin has to apply the fix....

Anyway, NT is optimized for a half-wit out of the box. If you leave it so, then it's your choice. MS needs quicker response time, but SO do most network administrators. Check out http://www.ntsecurity.net http://www.ntfaq.com RTFM.

Regards, L0ki
"You never truly understand a thing until you can explain it to your grandmother" -Albert Einstein
Hmm. But exactly _what_ is being encrypted? Your passwords? (does it matter how strong this encryption is, when there's 1000 backdoors waiting to be discovered?) Your network connection? Or just your browser? Do they even say? Does it really matter? Knowing how secure Microsoft OS's have been historically, this sounds like putting a strong deadbolt into a flimsy wood-panel door that's really only suitable for indoor doors.
And here's an even better question: can you export this encryption? (The French just might not care anyway, if it's the only strong link in a weak chain.) Another is to ask whether the filesystem has any security whatsoever, besides "are you sure you want to delete everything in this directory?" Of course, filesystem security doesn't mean jack when you can do whatever you want from the outside anyway.
---
I can't wait for proper speech-recognition.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Actually, if they open sourced the OS, or if they completely redesigned it so that I don't have to reboot it so bloody often, I would cheer them on. I've been begging for _years_ for Microsoft to _please_ make an operating system that wasn't able to suck a golf ball through a garden hose. The last thing I want to do is spend such a large percentage of the time I spend fixing computer problems by waiting for the bloody OS to reboot. 18 times in one session. (okay, I exaggerate about the 18 times... more like only 9)
;) but at least I won't hate them for making Billions of dollars each year off of something that completely sucks and everyone would love to be without.
It wouldn't be so bad if we've got a "standard" operating system (alright, dominant/monopoly) that actually works very very well.
Things I would LOVE to see Microsoft do in Windows are proper process control - including being able to kill a process NOW, because _I_ think it's safe, rather than letting whatever program has gone zombie decide if it's safe or not, before finally letting the operating system say "okay, it's dead now. Should I kill it?" after about 45 seconds. The applications that most people use to create documents with already have some sort of functionality to automatically save your work every couple of minutes, just in case things go bad. (why? Because everything is so damn unstable...) The process control Windows has now doesn't help this problem any, because once a program has gone south, 99% of the time there is No Going Back to save your files anyway. Included in "proper process control" are things like telling any process to re-read its configuration file, which you just changed, and to do it without rebooting the whole OS. I hear they've managed this with W2K, but I'm skeptical.
I'd also like to see some decent Protected Memory designed into the OS. I understand that they might have gotten it sort of right this time with W2k, with its much-hailed stability.
And for the love of god, design the filesystem so that you don't _have_ to defrag the drive! It takes long enough to do on a 2 gig drive, let alone the 20 gigs that are typically in new computers.
Another neat functionality that any unix user would really appreciate, is a checkbox somewhere, maybe even hidden deep in the GUI away from clueless eyes, saying "No, I'm not an idiot. You can stop asking me if I'm really sure I wanna do that. (I hereby declare that if I screw up, it's my own damn fault, and I won't sue Microsoft.)"
If Microsoft can do all of these things, that would make me very happy to use Windows. I still won't like Microsoft, because they're Completely Evil(TM), (It's true! Isn't that what the CE in Windows CE means?
---
I can't wait for proper speech-recognition.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
No matter WHAT they do, they're going to be raked over the coals here.
If they hire 1000 people to do nothing but track down bugs and security problems, you people will say it's not enough.
If they totally open-source Win2000 and give away everything, including the source code....you people will say "oh, they're just trying to jump on the Open Source bandwagon...it's all hype".
If they say: "ok, we give up...we're getting out of the OS business"...you people will THEN yell at them for being quitters.
So what I want to know is this....WHAT do you want Microsoft to do?
I disagree. Different people have different skill-sets. If you are an 31337 crypto expert, by all means work on the security, however, if time pressures or a "real" job or plain lack of talent (in my case) or whatever prevent you from contributing actual code base, you can still make a difference to the progress of the open-source steamroller by exposing Micro$haft to ridicule wherever their marketing-driven FUD rears its ugly head. Remember that the mis-perception of a platform's security is in itself, a security flaw.
The poster of the self-extracting .exe link made a valuable contribution. Remember, in marketing perception not reality is everything.
After reading that link, my perception of Microsoft's commitment to security was that it is non-existent.
I'm no expert on win2k security, but I do notice the addition of Kerberos 5, which was not in NT4. Kerberos 5 is not a "minor change".
And what is the "overall picture" you're speaking of? Sounds kinda vague.
I'd like to think that IIS5 is more secure than IIS4; if not, expect to see Barnes and Noble go down some, since they've been running win2k for months now on their servers.
Lest the Slashdot community get too holier-than-thou when it comes to security, let us remember that GNU/Linux has had its share of security problems over the years.
VMS has had its share of security problems too. So what? A more interesting metric is not whether an OS, or any underlying apps, present security holes, but how quickly they are fixed. See this Securityportal cover story for a comparison of time from announcement to vendor fix between Redhat Linux, Windows NT, and Sun Solaris (see, I can add gratuitous links as well!) I note that Redhat Linux won hands down in this competition, and that's only security updates from a vendor supplied source! I don't know about you, but when I hear about a serious security hole in lpd (for example), I don't wait around for Redhat to go recompile the fix. However, the Securityportal article makes a reasonable assumption that most small to medium sized businesses would probably rely on vendor supplied fixes rather than trying to find a hot Linux guru to compile up to the minute security fixes.
Now, of course, GNU/Linux developers are generally faster than Microsoft when it comes to fixing security holes and they don't, as a rule, engage in the same coverups and spin control as the Microsoft's PR flaks, but the question remains, why are there so many bugs in the first place?
DUH. Because C doesn't bounds check during compilation or run time. That's just ONE reason. Look, I'm no security "expert", but if you're uptight about security, and don't consider yourself competent at securing your own code, then either hire a professional to go through your C code with a fine tooth comb, or write it in some interpreted language like perl, LISP, Scheme, Python (whatever) and let the LANG developers deal with security.
Not that this will make your application any more secure, but it will pass the buck to the likes of Larry.
Other open source operating systems, such as FreeBSD, NetBSD and OpenBSD have had security problems, but not in such numbers as the various GNU/Linux distributions.
This is bogus. And I run OpenBSD, the BSD distribution tailored for security, on my cablemodem gateway and consider it an excellent secure distribution out of the box (CD). But, so what? Can you give me ANY specific examples of userspace application security holes present in Linux that were not present in BSD? Hell, most of the networking kernel holes seemed ubiquitous across just about every OS and networking stack, BSD sockets and streams based.
On the kernel side I seem to remember that both BSD and Linux (and NT!) were vulnerable to the Ping of Death, various Tear Drop attacks and fragmented TCP attacks, and those lovely smurf DOS attacks. Don't see a significant difference here... both the BSD's and Linux kernel groups figured the problems out and posted solutions in record time, while the commercial vendors picked their butts and didn't post fixes for their products I might add.
On the userspace side of things, this is managed project by project. Since much of our application software is ported between the BSDs, Linux, and most any other commercial UNIX, there's little difference. A bug in one version of lpd on Linux is almost surely the same bug on BSD.
Rather than making fun of Microsoft for its own failings in the security realm, GNU/Linux users and developers could better spend their time improving the security of their OS of choice.
There. Now you said something rational.
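The point about C not bounds-checking, made in the reply above, as an added example that is not from any poster on this thread: the classic unbounded strcpy() into a fixed stack buffer, beside a bounded copy that reports when input did not fit instead of overrunning. The function names and the sample inputs are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * The pattern the comment complains about: strcpy() copies until the
 * source's NUL byte no matter how big the destination is. A name of
 * 16 or more characters overruns buf and smashes whatever follows it
 * on the stack (saved registers, return address).
 */
void greet_unsafe(const char *name)
{
    char buf[16];
    strcpy(buf, name);            /* no bound on the copy */
    printf("hello %s\n", buf);
}

/*
 * A bounded copy with an explicit result. Copies at most dstsz-1 bytes,
 * always NUL-terminates, and returns -1 when src did not fit so the
 * caller can reject the input instead of silently truncating.
 */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz) {             /* src is at least dstsz bytes long */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);      /* includes the terminating NUL */
    return 0;
}

/* Same greeting, but the input is validated before use. */
int greet_safe(const char *name)
{
    char buf[16];
    if (copy_bounded(buf, sizeof buf, name) != 0)
        return -1;                /* too long: refuse rather than overflow */
    printf("hello %s\n", buf);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would overrun buf. */
    greet_safe("alice");
    if (greet_safe("a-name-that-is-far-too-long-for-buf") != 0)
        puts("rejected over-long name");
    return 0;
}
```

Note that the hardened version returns an error rather than quietly truncating: truncation is how a "safe" strncpy() still produces wrong (and sometimes un-terminated) data downstream.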
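The kernel-side bugs named in the same reply (Ping of Death, Teardrop and the other fragment attacks) all came down to a reassembly path that trusted fragment offsets and lengths. As an added example, not code from any poster or from any of the kernels mentioned, here is the validation a reassembler needs before it accepts a fragment: the structure and function names are my own, and the fragment values in main() are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define IP_MAX_DATAGRAM 65535u   /* IPv4 total-length field is 16 bits */

/* A fragment already accepted into a reassembly buffer: byte offset and length. */
typedef struct {
    uint32_t off;
    uint32_t len;
} frag_t;

/*
 * Decide whether a new fragment may be added to the reassembly.
 * Rejects:
 *  - zero-length fragments,
 *  - fragments whose end would exceed the maximum datagram size
 *    (the oversized-reassembly class of bug behind the Ping of Death),
 *  - fragments overlapping data already accepted (the overlapping-
 *    offset class behind Teardrop-style attacks).
 * Arithmetic is done in 64 bits so offset+length cannot wrap around.
 */
bool frag_accept(const frag_t *have, size_t nhave, uint32_t off, uint32_t len)
{
    uint64_t end = (uint64_t)off + len;
    if (len == 0 || end > IP_MAX_DATAGRAM)
        return false;
    for (size_t i = 0; i < nhave; i++) {
        uint64_t hend = (uint64_t)have[i].off + have[i].len;
        /* half-open ranges [a,b) and [c,d) overlap iff a < d && c < b */
        if (off < hend && have[i].off < end)
            return false;
    }
    return true;
}

/*
 * Append the fragment to the table if it passes and there is room.
 * Returns the new fragment count (>= 1) on success, 0 on rejection.
 */
size_t frag_add(frag_t *have, size_t nhave, size_t cap, uint32_t off, uint32_t len)
{
    if (nhave >= cap || !frag_accept(have, nhave, off, len))
        return 0;
    have[nhave].off = off;
    have[nhave].len = len;
    return nhave + 1;
}

int main(void)
{
    frag_t tbl[8];
    size_t n = 0;

    /* Two well-formed, adjacent 1480-byte fragments (constructed). */
    n = frag_add(tbl, n, 8, 0, 1480);
    n = frag_add(tbl, n, 8, 1480, 1480);
    printf("accepted %zu fragments\n", n);

    /* Teardrop-style: offset inside already-accepted data. */
    printf("overlap accepted? %s\n", frag_accept(tbl, n, 1000, 100) ? "yes" : "no");
    /* Ping of Death-style: final piece pushes the datagram past 65535. */
    printf("oversize accepted? %s\n", frag_accept(tbl, n, 65528, 8) ? "yes" : "no");
    return 0;
}
```

The important design choice is that rejection happens before any memcpy() is sized from the fragment fields; the historical bugs did the copy first and discovered the bad length afterwards, if at all.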
For all the things Microsoft say they will do, and which should have been done before, they just don't have the necessary level of paranoia guiding the design.
I haven't tried Win2000 yet, but under NT4 if you can gain access to the PC I use, and you can steal my NT domain password then you can use my digital identity. I selected high security when installing it in browser and mailer, but those applications can just use my private key without so much as a dialog to warn me. It is as if they had decided that dialling in the combination of the safe is too inconvenient so they provide a robot that will do it for anyone who can walk into my office.
There needs to be a fundamental change of attitude, not just some fixing of holes (although that is necessary).
Linux and the BSDs (especially OpenBSD) have a poor (i.e., all-or-nothing) security model which is very well implemented.
Windows NT, on the other hand, has a really good security model but the implementation sucks.
(/me waits for howls of laughter from Slashdot)
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
I am a big fan of accuracy, and so I think that people should probably all use "Linux" when talking about the kernel, and "GNU/Linux" when talking about the system commonly known as "Linux". But that's not going to happen...heck, _I_ don't even follow it :)
However, where can the line be drawn? Do you look at the security of Sendmail and say hey, that counts as Linux? Well, no...Sendmail is run on lots of platforms all over the place. Do you look at a hideous malformation like rdist? Not really...I don't even think that's GNU. X Windows? Not GNU, either.
What, then, is left of Linux? In my mind, Debian shows it best. If you install from floppy disks, you have your basic UNIX system, about 30MB of software. Tar, gzip, more, ftp, telnet--all the collectable characters! THIS is Linux. Though even then, tcpwrappers is included, which is not Linux-specific...
Of course, the reason that I agree with you is that no one could use that system. OpenSSH or SSH would go first, and then Apache, Sendmail, etc. depending on the function...but, I could just as easily use AOLserver, zeuss, zmailer, qmail, etc. as those 2. That's why it's hard to nail apps to Linux...sure, there are ones that MOST people use, but there are no real DEFAULTS. With Linux, you get to pick from several GNU alternatives, each interesting in its own way. With NT, you get One Microsoft Way...not fuzzy at all. But not my style, either.
And, it is too bad about the zealots. My machine _is_ dual boot, and I know my TNT is faster under '98...but I haven't booted '98 in months, since I got the PSX...
WMBC freeform/independent online radio.
NT's security is NOTHING like you'll find on Linux or any other Unix or similar. Whohoa. On what kind of fact is this based?? On the fact that Unix's security is based on one superuser which is needed for all daemons? On user rights instead of object rights?
To me it sounds like people who rate NT's security as 'lame and nowhere the level of security on Unix is' really don't have a clue about how NT's security works.
Let me sum up a small list of items related to the topic. This is not meant as flamebait, but to let Unix people learn it's not Windows 9x we're talking about, but NT/Windows 2000.
- NT has already been 128-bit in the US/Canada area for years. Windows 2000 will be using 128-bit security worldwide.
- NT 3.x and 4.x use the weak NTLM protocol. It could be tough to break, but in areas outside the US/Canada the encryption key was too short to hold out long. Windows 2000 will use Kerberos strong encryption, which is an industry standard. Poking at MS that their encryption is weak (especially in their upcoming product) is groundless, because Kerberos is a proven secure technology.
- NT uses security throughout the system on objects. It's then way more flexible to set security flags, without the necessity to open up the system because a certain daemon needs root access, for example.
- MS fixes security leaks within 24 hours most of the time. Arguments that it takes ages to get a fix are therefore unfounded.
- In the past year, there were some minor security glitches in NT itself. The security bugs in IIS are due to leaks in modules that IIS uses, not IIS itself, like the idq.dll module for old-style Index Server queries. Today you don't need these modules. Still, unskilled administrators install the basic set, just like unskilled administrators will with RedHat 6.x on their hands. That's why there are idiot-proof docs to guide these (majority, unfortunately) people.
:) - IE holes are a problem, but who surfs the net on a production server?
- MS provides a bulkload of security documents on how to implement security on your servers. These are perhaps silly for die-hard techies ("Duh! don't install the examples!!"), but MOST of the system administrators, ALSO on Unix, are not people with 10 to 12 years of experience administrating servers. Don't forget that. Most sites which are hacked are set up by not well skilled people. Pointing at the OS is silly. No one says Unix is unsafe because sendmail is crap; the administrator should be aware that the sendmail on his system is likely an older version than is available today.
- Which brings the last and most important subject to the surface: if you don't follow the security sites, if you don't apply patches REGULARLY!, if you don't know what to close and what to remove from the system to keep/make it secure, and most important, if you DON'T let a 3rd party specialized in security scan your systems for leaks, your system won't BE secure, no matter what kind of OS you have. Admitted: some OSes have LESS open doors than others, but NO OS has NO open doors. Don't forget that.
NT 4 was a wise lesson for MS. They have it on track now, but it has been a long road. It's nowhere near the end; there are still areas for improvement, but these exist in other OSes too, like Linux or *BSD. Being aware of the weaknesses of your own system is a Good Thing (tm). You can then secure it more. Blinding yourself with talk that only MS makes insecure stuff is silly. Ask all those Solaris administrators currently suffering from the DoS worms. Bashing the FUTURE without knowing what it will bring (have you all used Win2K server??? have you tested the security???) with the facts of old material from the past is not fair. If you turn the roles around and people bash Linux using the hundreds of holes in all the distributions which were found in the last 2 years and say "Linux is not secure... because of all those leaks in it in the past years," is that fair? I'm pretty sure you'll say: "No!".
Never underestimate the relief of true separation of Religion and State.
Ooo, 128-bit encryption, that's 16 whole BYTES. No one will ever break that...
We all know that the W2K machine that was "naked" on the internet had no problems at all. Nooo. Uh uh. And if they gave you that Administrator password, it'd be *fine*. (Compare to the linux box. um... no, no comparison.)
What are they going to do to enhance security, stop selling Office? Those pesky macros, always making my paperclip sick...
But seriously, folks, now that Microsoft released this to the press, that they're really *really* serious about it this time, and they're going to be extra-nice by charging us more for this week's upgrade, don't you think we should let them play with the big boys yet?
Nah, I didn't think so either.
Sure, it's easy to criticise Microsoft. Because it's so much fun. And historically accurate. I mean, if they wanted to try to do better now, they'd have to issue a formal apology to anyone who ever had to suffer through an unpatched Windows bug. Whoops, I think that's everyone!
</CHEAP SHOT>
---
pb Reply or e-mail; don't vaguely moderate.
I think that's pretty obvious when they don't open source the OS! :)
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
This marketroid piece was so full of holes it's not even funny anymore...
Microsoft has made a comprehensive effort to build Windows 2000 with security in mind, including having a staff of 15 people study the code for breaches, denials of service, and bugs.
15 people to review... What was it? 30 MILLION lines of code? And what was the qualification of these people? Script Kiddies??
A preliminary version of the product also was put on the Internet to enable users to look for security breaches, Valentine said. Within two weeks, four denials of service bugs were found, but no breaches were discovered, he said.
As Dr Evil would say: "Riiiiiiight"... Within two weeks, the NT2K server crashed so many times they decided to put it off-line. I'll let you, gentle reader, decide for yourself what that means...
Source code also was delivered to 70 agencies and universities around the world for their perusal.
*Yawn* Which Universities? Which Agencies? (Mindcraft???!!!) Names, references, Web site? Results of aforementioned "perusal"? Are these results published anywhere? (Probably not...) Were the "agencies" able to modify the source code?
As someone else said: "Microsoft is not an answer. Microsoft is a question. The answer is: No".
Read my lips Microsoft: Open-Source is going to bury you alive. Commodification of hardware, commodification of OS is the end of Bill's Evil Empire. The penguin and the demon will dance on your graves... (insert Dr Evil most sinister laughter here)
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
This is too funny - check out what Microsoft recommends for you to do, to see the IIS 4.0 Security checklist.
It's good to see that they're giving us those safety tips already.
This is off of http://www.microsoft.com/security/ - the link is in the article too, but it's broken.
---
pb Reply or e-mail; don't vaguely moderate.
I used to work for a Microsoft Solution Provider, whose job it was to sell and support Microsoft products. And yet they have several different levels of support which they charged us for. We actually had to pay for "Premium" support to get access to information, knowledge base articles etc. that would help us fix or work around a problem one of our clients had with their products. In other words, they were denying us access to information, fixes, known problems, incompatibilities, etc. that would help us do our job supporting THEM and THEIR software unless we paid them. And we were an "Official" Microsoft Solution Provider!!
Microsoft, security, commitment, 128-bit encryption....
I've read this yesterday:
There was a kangaroo in a zoo, and every day it somehow managed to escape from its cage. So the zoo built a higher fence around it, but the kangaroo escaped once again. Then the zoo built a 20-foot-high fence. Once again the kangaroo escaped. A neighbouring hippo, chatting with our hero:
H: Well, how high do you think they'll build it?
K: Don't know, 100 feet maybe. But really, they should have started by locking my cage door first.
Moral: No zillion-bit encryption will help M$ as long as their "NT security guide" is dedicated to selecting proper chains to attach servers to the room walls.
Asking several interesting poll questions of the average CNN-reading user:
Do you trust Linux security?
Average user's thoughts: "hmm, that's internet, isn't it? that must be insecure"
result:
yes : 25%
no : 75%
Do you trust *BSD?
"huh, *BSD? that must be something I don't know"
result:
yes : 5%
no : 95%
Do you hand a waiter you don't know your credit card to pay the bill?
"what would they mean by that? why not?"
result:
yes : 95%
no : 5%
Again I feel forced to criticize this "poll". People don't trust the internet.. why? No reason, really.
They trust the mailman with postcards but they don't trust a server with their boring e-mail message.
They trust waiters in tiny restaurants in the most corrupt nations in the world with their credit card yet they have doubts about using that card in a way that actually transmits their number/expiry date encrypted.
So what do we learn from this poll?
Well, the only thing I learn is that people don't want to do or use stuff, for irrational reasons, until told by those people who are least knowledgeable about said stuff (their neighbour's brother's second cousin) that doing/using it is OK.
The internet is just as secure as any shopping street, but you need a college level education to be a pickpocket.
I know I don't have to say it, but the security is nothing like what you'd find in Linux (or any UNIX that comes to mind). The Win 2000 "Administrator" account has nothing on root :)
Thumbs up to Microsoft for (at least) making a decent effort at a flexible, easy to use, and relatively secure operating system (to say it bluntly, "as good as Windows will be for a long while").
Build 2195 has also made some great strides from the bugged menus and SMP slipups of the early betas (you might remember even RC1 had some serious pitfalls). As much as I may hate to admit it, Microsoft did its homework on this one.
Win 2000, although perhaps not the Ultimate answer to Linux, is IMHO better in most aspects than NT. It's going on my first personal box for the time being (Red Hat 6.1 on the other) - and also on my webcam server until there's decent USB support in Linux.
--------
Oscarfish.com: tropical fish with attitude. Way t