Microsoft Vows Security Commitment on Win2K

dieMSdie writes "MSFT is pledging a firm commitment to security with measures such as equipping its upcoming Windows 2000 operating system with 128-bit encryption and interacting with users and rival vendors to detect software breaches and bugs" reads this story on CNN. There is also a poll; the results so far are quite amusing." I bet they'll be even more amusing once our readers get a crack at it.

Re:Only the LinuxPPC machine was penetrated.

Yes, of COURSE the win2k machine wasn't xacked.
Thunderstorm or something, was it not? Or maybe
it was solar radiation, or maybe phase of the
moon....



What was your username again?

15 is really quite a few

Especially if they are experienced. What would you rather have? 80 people wandering around the code bumping into each other, fixing bugs that had already been fixed. Very few people would agree that more developers makes for better software.

Or try looking at it this way. Do you honestly think if MS thought more developers would help, they wouldn't hire more? If any company has the resources to hire more developers, I think we could all agree it's MS.

Re:Quick Debunking...

I suppose you think up new ways to dis Microsoft in your sleep.

Jesus God, get OUT more. Get a relationship. Go to the beach. Stop playing Quake and Starcraft. Stop looking for aliens with your spare CPU cycles and start helping actual humans on the streets of your hometown.

Not that I _support_ Microsoft, but holding this degree of anger against them CAN'T be healthy.

Read MY lips: the war you're fighting is SO small in the big picture that whatever the outcome, in 20 years it won't make a difference, and you'll wonder where the time went.

Re:speed of response

The Microsoft culture is one that eats and breathes competetiveness and challange 24/7.

You said it !! As someone from an IT marketing background (my specialism is in guerrilla marketing), I have to congratulate and give kudos to Microsoft for the way they have empowered their employees to innovate round-the-clock. They have consistantly continued to develop great quality software that enhances the Internet experience, despite strong competition in the marketplace, and despite the intervention of the Government.

Cool, paradigm-busting category-killing products such as DirectX, OpenGL, DCOM, GCC, SOAP, ActiveX and the Perl rapid scripting tool are the envy of the Unix/Mainframe "old guard" who still "just don't get it". (will they ever? ;-) )

However, one thing that disturbs me about Microsoft is the way they are going about marketing Linux.

I think they may have gone just a little bit too far with their Gen-X/Slacker branding strategy, and may be alienating potential corporate customers.

In fact, sometimes it is not clear to me that Microsoft are really in control of their Linux product at all. I think the issue is one of brand-awareness amongst the target demographic. But also, the way they present Linux shows the dangers of a so-called "guerilla marketing" strategy

The spokesman for Linux, Richard Stallman is a particular problem. Sometimes it's hard to see how his comments can possibly add any shareholder value, and if these outbursts continue, the board and the stockholders would be well within their rights to attempt to have him removed. The whole point of guerilla marketing is that it only works if the target demographic is in on the joke. From what I have seen on this forum, and on other areas of AOL, it seems that many out there are at the very least, confused about Microsoft's involvement with Linux.

The whole "open-source" angle is also open to interpretation. What for instance is there to stop one of Microsoft's many competitors from simply copying the source, and claiming their system is Linux ? Or even worse, stealing Microsoft's patents ? How can Microsoft justify this, where are the future revenue streams ?

My advice to Microsoft (for what its worth) is this:

1) Cut out the gurrilla stuff - it's played out, especially the open-source gimmick. It may well mean that potential patents are not upheld in court. Can you say "major loss of $$$$s" ?

2) Change the name. Differentiation is fine, but if people don't associate Linux with Microsoft, where's the cross-branding synergy and leverage ?

3) Consider moving Richard Stallman from the GNU department into something where he can continue to innovate, but where he is not in a position to frighten potential corporate customers. Remember in business, security is very important. Anyone looking at the way Stallman dresses would assume he knows nothing about enterprise level security. At least make him get his hair cut and wear a suit and tie. That's just basic marketing 101. :-)

4) Leverage the existing user base. Do they know for instance that the GNOME desktop with the KDE browser are object-oriented and can therefore provide an out-of-the-box enhanced user experience that approaches that of the Win98/2000 family ? How about getting the Linux advocates to realise that Microsoft will never be able to make any money out of Linux so long as they continue with their immature behaviour. Without Microsoft innovation, Linux will simply fall by the wayside, like HP-UX's ill-fated CDE project did.

5) Finally, they need to seriously think about changing the name of Linux, to something more in keeping with the rest of the product line. For example ActiveUnix, ActiveUx, ActiveIx, or even perhaps ActiveGnuLinux. They must ram home the message to the consumer unit that Linux == Microsoft, and Microsoft==Linux.

Although I may not be an expert in the technology, I like to think I understand a bit about marketing, so I offer this unsolicited "open-source" :-) advice for free....

Current stats: Thu Jan 20 15:40:56 EST 2000

[hwolfe]

Do you trust MS security?

Yes 944 votes, 6%
No 13643 votes, 94%

cant trust closed source

[pixel+fairy]

no matter how much they parade security, its still software for which the user does not have source, and thus, can not trust.

Re:Microsoft and Security...

[pb]

DES is dead. Long live DES.

The purely computational reasoning you propose is flawed, and always will be until the exponential advances in technology and algorithms are figured into the calculations.

Distributed.net is *not* the end-all, be-all of decryption. It *is* a massive display of brute-force, cracking power. That's it.

...and if 128-bit encryption is safe enough, why can't we legally be more paranoid? That's the real question.
---
pb Reply or e-mail; don't vaguely moderate.

Re:Somebody moderate that up! :D

[pb]

:) I'm glad someone got the joke. I didn't even read the checklist, but it sounds painful...

Either someone at Microsoft has a sense of humor, or... umm. No, the alternative is too scary.
---
pb Reply or e-mail; don't vaguely moderate.

Re:Do any of you know what security is?

[demon]

Only time will tell if they are right. no history can IMHO.

Yes, time certainly will tell - but history is also quite telling. People are slow to change - large corporations are even slower, if they can be changed at all. Microsoft has made claims like the claims that they're now making for Windows 2000 with every release of NT - and in the opinion of many, fell extremely short with each previous attempt. Hopefully they'll get closer to the target this time, but I'm not gonna be placing any bets on it...

Re:What?!?

[demon]

Well, you are talking about Microsoft products - this is, unfortunately for us (but fortunately for their revenue stream) what it takes.

Re:What do you all suggest Microsoft do then?

[demon]

Well, that's great... sounds like that wasn't documented though. (I don't know, myself - I don't use NT unless I must, and I certainly don't have it on my home machine. Wish I didn't have to run Windows at all, tho...)

I know that I'd prefer bash-style completion, though...

Re:Do any of you know what security is?

[demon]

On the other hand, you sound as if most of your experience HAS been on NT. Also, you're basically saying "yes, I know NT's history hasn't been good, but ignore its history because history is meaningless."

Security depends on many things - knowledge and ability of the administrator, the quality and care put into the software used, and the willingness of the users to help make the system secure. A sloppy admin will certainly reduce security, of course. But a badly-written/badly-implemented piece of software will as well. A skilled admin may be able to work around some of a piece of software's flaws, but that doesn't make the software better.

Also, try picking up a copy of "Practical UNIX and Internet Security" by Garfinkel & Spafford at your local bookstore - nothing is ever 100% secure, unless no one can use it, which obviates the need for having it in the first place.

So maybe we should drop the whole question of "security"...

128 bit encryption - so what!

[Tomahawk]

OK, so 128 bit encryption sounds good. But what about the encryption method? We all saw DES64 fall in less than 24 hours, and we are all watching RC5-64 still holding out after 2 years. If Microsoft decide to use XOR encryption (which they have used as recently as WindowsCE Administrator password enctyption), then it is about as secure as painting all the information in 6' high letters all along a wall.

T.

Re:hrm. 15 people?

[Gregg+M]

...from the OpenBSD website FAQ (OpenBSD is generally regarded to be the most secure OS).


OpenBSD is thought of by many security professionals to be the most secure UNIX-like operating system as the result of a 10-member 1.5-year long comprehensive source code security audit.

Re:Tainted Vote

[Gregg+M]

Sure, if you're the kind of person who needs cheap validation from others to help make all your decisions for you, even when you know deep down that the results are rigged -- I'm sure it must be wonderful. Party on, homes.
Baaaaaa.

Are you talking about a poll or a Microsoft benchmark?

The PPC box was running more services.

[Colin+Smith]

The PPC guys added more services to the box until it cracked.

Basically W2K bug had:

HTTP
FTP

Linux had:

HTTP
FTP
TELNET
TIME
ECHO

and they gave out the root passwd.

Microsoft Security ???

[Zemran]

Isn't Microsoft Security an oxymoron? like Microsoft Works. With all systems that are connected directly to a public network, the operator should take responsibility for ensuring that the system is secure. i.e. uninstall Windows.

Re:Microsoft Security ???

[beagle]

Isn't Microsoft Security an oxymoron? like Microsoft Works.

That's about as much fun as their street address: One Microsoft Way. :)

Re:Facist Linux Users

[VChris]

Wasn't there a biography of Bill Gates once upon a time that had a section on why he is doing what he is doing? Wasn't the hypothesis that he was "the nerd" in school and wanted to get revenge on all of those who picked on him?

Poorly worded poll

[sellout]

Do you trust Microsoft's security?

Not a chance in Hell.

Of course, if you asked me the same question about OpenBSD's security, you'd get the same answer. Two reasons: First, I'm a paranoid so I don't trust any security system. If they had asked about OpenBSD _relative to other systems_ I would have said yes (MS would still get a big no). Second, I am not going to come close to trusting any system that I don't have direct control over, as I'm sure has been said many times in this thread, no system is inherently secure, it's up to the administrator to make it so.

What about the backdoors?

[Taco+Cowboy]

It is easy to talk about "SECURITY". You can have a million-bit encryption routine and still you are not secure, if there are backdoors readily to be cracked by spy agencies like the CIA or NSA.

What about the backdoors, Microsoft?

Re:What about the backdoors?

[Q-Ball]

If you ask the courts and Netscape, Microsoft are very aware of the concept of backdoors and have a tendancy to use them from time to time. I've got a picture in my head of Steve Ballmer getting stuck in a cat flap.

Re:What about the backdoors?

[edunbar93]

Don't be worried about the CIA or the NSA. They tap all your phone conversations anyway. ;> Worry about the 15 year old kid down the street who thinks that hacking the config.sys files at school is going to make him cool. (or |3\/\/1!, as the case may be.) Imagine what it would be like for him once he learns how to exploit certain holes in W2k "security" to format your hard drive through your cable modem. Those are the people I'm worried about, not the government.
---
I can't wait for proper speech-recognition.

What is "security"?

[Taco+Cowboy]

What is "security"?

If backdoors are NOT important, the big brothers can cracked into your systems through the backdoors they have put in place, with the help from Microsoft, and they can wreck havoc with your system, your life, and everything that you own.

You own your computer, you put vital data into your computer thinking that it is secure, and when someone can get into your computer via backdoor, isn't _THAT_ a breach of security?

But I don't know. Maybe I am just not smart enough to know what it really means by "security".

Re:What is "security"?

[edunbar93]

, and they can wreck havoc with your system, your life, and everything that you own.

Dude, you've watched "enemy of the state" one too many times.

The fact of the matter is, no, it really is very very highly unlikely that this is going to happen to you because of the GOVERNMENT. This is instead going to happen to you because some asshole of a 15 year old wants to. PAY ATTENTION! Don't worry so much about Big Brother as you should about your little brother.

Although I may not be completely up on this matter myself, I suspect that the real reason that the NSA has a portion of the key they're using is because the NSA _invented_ the key they're using. This should come as no surprise, since that's what the NSA does: invent new encryption technologies for the government and break other government's encryption technologies. I think they might be a little busier doing that than worrying about your petty little sandbox, where you've kept your term papers.
---
I can't wait for proper speech-recognition.

Vigilance

[Taco+Cowboy]

Thanks, Yardley, for your post.

I find it interesting that there are still many people having the thought that governments can do no wrong, and all the wrongs committed must be by the 15-year-old hacks.

I also find it alarming that the influence of media on our everyday life is so thorough that some people's mindset are being changed/programmed by the "news items" (I rather call it propaganda, but I digress) that they are being bombarded with.

Ballmer and mousetrap

[Taco+Cowboy]

Hahaha, it should be Steve Ballmer getting himself stuck in a MOUSEtrap.

Re:speed of response

[dynamo]

no, Linux = Microsoft isn't a message either. It's an assignment.

Re:Answered here a few days ago...

[dynamo]

Actually, in that article, Sun took over a YEAR for one of their fixes.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Only the LinuxPPC machine was penetrated.

[Ian+Pointer]

No, you're incorrect. The Win2K box that was up never got hacked, unlike the LinuxPPC box. Nice try, though.

But didn't it get taken down fairly soon after it was put up, because of an internal problem? Of course, I'm probably remembering it wrong...

Re:And what about Linux's security....

[gabrielm]

why is this 'insightful' when there were NO examples given?

Re:Only the LinuxPPC machine was penetrated.

[um...+Lucas]

I wouldn't exactly call it an out of the box install... Or at least not out of the Red Hat box... looking at all the services it wants to start by default compared to what crack.linuxppc.com offered, and it's apparent that it wasn't exactly "out of the box". It was slightly tuned for it's task.... But would have been an aweful production machine. Just HTTP means only static pages, and sites these days use only static pages? (Personal sites not included)

Re:speed of response

[ethereal]

Of course, they don't have a bunch of clueless cretins poking around in the registry editor, so yes, there will be "customers" who find problems they didn't discover.

Why not? If they're trying to produce a foolproof, easy to use but yet secure OS, shouldn't their testers include some fools? I'm really not being sarcastic here - some of the biggest bugs are found by people who don't know how to use the product and just try what looks like a good approach.

With any product, this can easily blow up in your face. On a *nix box, typing random text into files in /etc isn't a recommended approach to system administration. But MS sells a lot on the basis of ease of use and customer familiarity with Windows. They should be testing their products with users who have no clues and are just depending on ease of use to get them through. We'll see how secure the OS is under those circumstances.

Re:Breakin stats are misleading

[ethereal]

I thought the whole point of using an NT server was that it was easy to use, and thus you don't have to hire expensive admins with real knowledge of networking, security, and so forth. The ease of use of NT should make it possible for a less-knowledgeable sysadmin to keep up an NT server just as well as a more-knowledgeable *nix admin keeps up a *nix server. Or at least that's what I hear from Microsoft...

Re:speed of response (links on secure programming)

[generic]

This paper discusses buffer overflows written by aleph-one the moderator of bugtraq. It goes on to discuss functions that should be avoided in C due to their lack of bounds checking.

http://vapid.dhs.org/Library/P49-14-Aleph-One

This paper is by the w00w00 security team and it discusses heap overflows another result of bounds checking errors in C but these techniques are less widley known.

ftp://ftp.technotronic.com/rfc/w00w00-heap-overf lows.txt


This is a link to the UNIX secure programming FAQ.
http://www.whitefang.com/sup/secure-faq.html

Security model

[generic]

Does anyone know if they have changed the security model at all? They couldnt have if they needed to maintain backwards compatability. Sorry I am not in the microsoft "know".

Re:MODERATORS ON CRACK!!!

[Zico]

Actually, "Slashdot zealot crew" is a simple recognition of a common attitude around here. Deal with it.

Secondly, I obviously don't say things to please the cult fanatics which dominate the discussion around here, so I have no problem using my normal login to complain about moderation if I felt like it. (It was junk moderation -- if you notice, even the guy to whom I was responding agreed with my point about zealots -- but pretty typical and I'm used to it, so I wouldn't have said anything.) On the other hand, you hide behind the Anonymous Coward to make your accusation. Hopefully you'll be able to appreciate the irony.

Cheers,
ZicoKnows@hotmail.com

Re:um, no -- Uh, yes. -- um, no -- Duh, yes - NO

[Zico]

I'm not sure if your only knowledge of computers is how to use a web browser, but you seem to be under the impression that the only servers out there are web servers. When I said that they're using Win2K internally, I wasn't talking about just Win2K Professional (formerly Workstation) -- they're also using Win2K Server (probably Win2K Advanced Server as well, but that's one detail that I don't remember from the article), just not for their web site, for the reasons I stated above.

As far as which trade mag, I really don't remember, since I probably receive over 40 of them, and the article wasn't important enough for me to save. I know it was in the last month or two, if that helps, and if I come across it again, I'll post the URL or issue number.

Cheers,
ZicoKnows@hotmail.com

Re:Tainted Vote

[Zico]

For Mindcraft II, the Linux team was invited to make all the hacks they wanted, and NT still beat it like a drum. Also, from the job titles, it sounded like everybody on the Microsoft team was a marketroid. Ouch.

Cheers,
ZicoKnows@hotmail.com

Only the LinuxPPC machine was penetrated.

[Zico]

No, you're incorrect. The Win2K box that was up never got hacked, unlike the LinuxPPC box. Nice try, though.

Re:Only the LinuxPPC machine was penetrated.

[Zico]

It was taken down at the beginning because of bad weather, or at least the router to it was. It was slowed by, as well as occasionally completely brought down later at various times by DoS attacks, by kernel upgrades, and by new hardware installations. It (or them, since a second "e-commerce" machine was added later) weren't compromised, though.

To the other poster who replied to me, there were quite a few ports available, with the guys there just starting with port 80 and maybe one other, up to a bunch of them by the time the took the machine offline. They'd introduce a new one every so often, see how that behaved for a number of days, then add another, observe that, and so on. IIRC, this was always additive -- I can't remember them ever turning off any services that they had previously used.

Cheers,
ZicoKnows@hotmail.com

Re:Only the LinuxPPC machine was penetrated.

[Zico]

Whoa, this looks like typically shoddy ZDnews reporting, all right.

Those early visitors were using Netscape's typically horrible browsing software, which gacked on the Win2K front page. Opera and IE users didn't have this problem because their browsers generally do a reasonable job of interpreting HTML 4.0. It was kinda funny listening to all the Netscape users complain about the site and then seeing it dawn upon them that it was because the use a junk web browser. Guess ZDnews was too busy to find this out, though, even though it was pretty much common knowledge, even here at Slashdot.

I'm not sure about that conflicting report thing, though. IIRC, it was down the first day because of the router failure due to the storms, and following days just plain ol' DoSsed.

No, it was not hacked, just DoSsed out the yingyang. Look at it this way -- if someone hacked it, don't you think they'd have claimed it? (Not to mention posted to Slashdot that he's auctioning off on eBay the keyboard with which he did the hack. ;-)).

Cheers,
ZicoKnows@hotmail.com

Re:Only the LinuxPPC machine was penetrated.

[KillRaven]

No, you're incorrect. The Win2K box that was up never got hacked, unlike the LinuxPPC box. Nice try, though.

The main point with the LinuxPPC box was that it was an out of the box install with no tweaking or patches installed. It was a test to show how secure LinuxPPC was out of the box, not how secure linux could be.

The security hole that was used is known and has been patched a long time ago. Thus if the box had been correctly admined, that hole would have been patched and the crack wouldn't have been possible.

Re:Only the LinuxPPC machine was penetrated.

[Ekapshi]

Putting in meta redirect tags doesn't count as hacking.

-Ekapshi.

Re:Only the LinuxPPC machine was penetrated.

[lunatik17]

Yeah, though the LinuxPPC box was only hacked 'cause whoever set it up was stupid and installed a closed-source CGI script with a security hole. Linux's security was fine.

Microsoft's excuses as to why their server was down so much, however, was rather suspicous, I think. Blaming it on the weather sounds rather odd to me, and they did say it wasn't behind a firewall and then added one later anyways, without telling anyone.

Re:Only the LinuxPPC machine was penetrated.

[lunatik17]

How so? That would require breaking into the system and changing the source code to the page, would it not?

Re:Only the LinuxPPC machine was penetrated.

[coolgeek]

Thanks for the link...I think this clip from that article is quite humorous:

the guest book page was inaccessible. However, the overall system didn't crash and the attackers didn't seize control, said Keith White,

Re:Only the LinuxPPC machine was penetrated.

[Gregg+M]

This from ZDnews
http://www.zdnet.com/zdnn/stories/news/0,4586,23 09474,00.html


If the Microsoft security challenge was meant as a publicity stunt, it may have backfired. As soon as the site went online, Microsoft ran into technical difficulties with the test server. Early visitors reported problems with the home page's HTML and JavaScript -- some serious enough to prevent them from accessing the page at all.
Posted status logs indicate that the server had to be rebooted at least once because the system log was full, and some services were unavailable at reboot.

Most significantly, the server has been repeatedly forced offline. The site was only intermittently available Tuesday and went down for approximately 8 hours Wednesday. Web service was restarted at least once Wednesday evening, and the server was rebooted after a reconfiguration on Thursday morning. Access continues to be intermittent, and the site was unavailable at press time.

Microsoft has offered conflicting reports as to the source of their problems. A Microsoft spokesperson attributed the difficulties Tuesday and Wednesday to router failures and thunderstorms in Seattle, while the site's status log blames the Wednesday crash on a "known bug". Microsoft was unavailable for further comment at press time.

So, do we know if it was hacked or not.

Re:Only the LinuxPPC machine was penetrated.

[Zico]

No, it was a case of putting HTML tags into the guestbook, namely javascripts to redirect the viewer to a different web site. When someone went to the site, their browser would parse those tags and act accordingly, which in this case was to go to a different site. The guestbook originally didn't filter these out. Same thing happened to the LinuxPPC site, too, actually. Neither were server hacks.

Cheers,
ZicoKnows@hotmail.com

Re:Only the LinuxPPC machine was penetrated.

[Zico]

Sure, a weather crash sounds odd, but it's happened to me before, so I can relate. The reason why it doesn't sound suspicious to me is because there were times when the server crashed due to bugs, poor sample configurations, and DoS attacks, and the Win2K guys didn't seem to have any trouble admitting these. If they're going to admit the other problems, why bother making up the weather/router one?

Cheers,
ZicoKnows@hotmail.com

Re:Only the LinuxPPC machine was penetrated.

[spectecjr]

I'd say it's Microsoft's problem if they put up a page which won't render properly on one the most popular browsers. Although I agree that Netscape is pretty much a piece of junk.

This is the same argument which makes Microsoft's "Embrace and Extend" policy perfectly valid and acceptable.

Choose your poison: Follow standards, or have core standards with branches coming off them. But don't be a hypocrit and expect to have both whenever Microsoft would choose the one you didn't.

Simon

Re:Only the LinuxPPC machine was penetrated.

[Carnage4Life]

The Win2K box wasn't hacked it went down from the load and Microsoft claimed it was due to electri cal storm interference, then refused to put the machine back up. The Win2K box wasn't hacked because nobody got a chance it was slashdotted. :) PS: They did put it back up again but took it down soon after the machine's guestbook got hacked

Re:Microsoft and Security...

[Zico]

Ooo, 128-bit encryption, that's 16 whole BYTES. No one will ever break that...

Uh yeah, it's kinda important for e-commerce, ya know, maybe you've heard of it. Then again, since nobody uses Linux for e-commerce, maybe zealots like you really haven't heard of it.

We all know that the W2K machine that was "naked" on the internet had no problems at all. Nooo. Uh uh. And if they gave you that Administrator password, it'd be *fine*.

The Win2K guys posted the Administrator password, what's your point?

(Compare to the linux box. um... no, no comparison.)

No comparison is correct. The site running the beta OS got massively more traffic, yet still wasn't compromised like the LinuxPPC box was, even though I guess some poor souls out there considered it to be a release-quality version of Linux. Nice. Also of course, the original Win2K site didn't surrender like the original LinuxPPC site did, before shifting the contest to antionline.com to be unceremoniously broken into.

Don't give up your day job for the Improv, 'though I'll admit that your having a job would surprise me.

Cheers,
ZicoKnows@hotmail.com

Next.

[Zico]

Ugh. Can we please have a suggestion from someone who's actually familiar with their OSes, specifically NT/2000? I actually thought it was a pretty interesting question that was raised.

Cheers,
ZicoKnows@hotmail.com

Re:I agree. Surprised? :)

[Zico]

Well, I don't think you can ever come up with one single line and say "OK, here's where the OS ends and the outside stuff begins." It's always gonna be arbitrary, but it can be annoying when people change their definition to suit their particular side in an argument.

As far as the One Microsoft Way goes, I just can't agree there -- there's just way too much 3rd party stuff for anyone to be limited if they don't want to be, and that includes a lot of GNU software.

Oh yeah, and I *was* surprised. ;)

Cheers,
ZicoKnows@hotmail.com

Yay, let's play the Incredible Shifting OS Game

[Zico]

You know, where you can use Linux to mean anything from just the kernel all the way up to the whole shebang including commonly installed apps, depending on the side of the argument in which you're engaged. Fact is, if it had been Win2K that had been compromised due to a third party script, none of the Slashdot zealot crew would be making your argument because they'd be too busy taking cheap shots.

Cheers,
ZicoKnows@hotmail.com

Re:do you trust any internet security...

[HiThere]

Yah, it's a silly poll. However...

OK. Here's the justification for the poll answer from a sample of 1.

I have just tried to use Access2000 security (N.B.: I acknowledge that this is not Windows2000. I am generalizing.) Everything was working fine. I quit the application via a new command button that was created for me by the Access Form wizard. (Only way to test the button, right?) It was the end of the day, so I went home. I came back to work and moved the database to a new folder named work. It wouldn't open. I moved it back where it came from. It still wouldn't open. Finally I recovered from backup.

MS Securtiy seems to be aimed at preventing unauthorized users from seeing the data rather than from changing the data, which is my big desire. It also seems to go into protective mode, and refuse to come out. So I don't trust them.

Now I assume that there are ways around the problem. They just don't seem worth it to me. The security system seems designed to cause hassles that I would prefer to do without. As a result I am using a programmed in security that can be defeated by any knowledgeable user (just use the shift key while launching). It's "good enough" for my needs, and it won't lock me out of the database.

Errors?

[codejnki]

Ok I've read it, and I answered NO to thier funky little poll. But was it me or was there false reporting.

In the article it said that they put WIN2K on the internet and there was no breaches, yet I seem to remember it getting hacked in to on the first day, thus starting the "CRACK Linux PPC" project that ran on for ever (internet time wise).

I could have this all wrong though. Doubt it.
----
"War doesn't determine who's right, just who's left"

Re:Errors?

[coolgeek]

Yeah, and a DOS attack isn't a security issue either. =)

MS -- The caring corporation

[Gerund]

Of course Microsoft care. It's a company that places a higher value on effective marketing than on good engineering. Effective marketing involves listening to the market.

I'll admit, the opinions of Slashdot may not have the marketing department running around in a mad panic, but in so much as the readers of /. are indicative of a market segment, and a fairly central one to a product like win2k, they are no doubt upset at the reputation they have among the particular area of the OS buying population which includes /. readers. That is to say, those who know at least a little more about *nixes than you can learn from the Linux Myths page.

Amongst these people, NT has developed a certain reputation for instability and poor security. This is, to the marketing hacks at MS, unfortunate. MS is billing win2k as the OS that will secure their position against the various unix platforms, particularly GNU/Linux. Since stability and security are major concerns to unix users and administrators, MS has every reason to care about their opinions.

To put it simply, you don't steal market segments from other products by ignoring their markets and the opinions generally held there.

Best Quote

[robwicks]

We can't just trust the end-user to solve these problems themselves

Of course Microsoft, with its proven track record regarding security, quality code, and rapid implementation of bug fixes, is sooo much more trustworthy than any of us are.

"Logic . . . merely enables one to be wrong with authority"

Re:speed of response

[SuperMux]

Bugs creep in despite your best efforts. The best you can do is respond to reports quickly.

Good software companies have coding standards and practices that help reduce the number of bugs, and procedures to quickly release fixes for bugs that do come up.

Plus, there is such a thing as designing for security. A lot of security features in the current (NT 4, Win98) MS offering seem to have been added on as an afterthought. Sadly, Windows is not the only OS where that is the case.

Re:Do any of you know what security is?

[Ensign+Nemo]

Windows2000 will use Kerberos strong encryption, which is an industry standard.
(Someone else already busted you on Kerberos being authentication, so I'll note something else.)

Let me shine a spotlight on that mac truck driving through your argument.


1) MS has a habit of extending standards. Whether or not this is good or bad I won't get into. That flame war can go elsewhere.

2) Paraphrasing Mr. Schneier, who knows more about security than your and I put together, "The implementation of an algorithm/protocol/etc, can be the weakest link. A poor implementation can destroy even the strongest encryption."

Guess what this means about MS's 'enhancements'.

Contest!

[Black+Parrot]

We should sponsor a contest -

Guess the minimum number of reboots required by this checklist and win a free service pack.

--
It's October 6th. Where's W2K? Over the horizon again, eh?

Re:Contest!

[mauddib~]

uhm, alot i guess... too much, --waay-- too much...
what is a reboot for actually? i can remember doing it once a long long time ago, but I can't remember why...

Re:Contest!

[technos]

Optimally three. NT isn't the reboot whore Win95/98 are. One after resetting the NT 4.0 user/ACL/network/subsystem/registry settings, then inspect. One after installing IIS, then run through the IIS portion of the checklist. Reboot once more (this is the third) and everything should be as good as it gets on a NT box.

Of course, if you wanted a secure webserver, you would have to wipe the partition table and install OpenBSD on the box. That would require two additional reboots.

Re:Contest!

[technos]

prompt for a reboot after application

It's been my experience that the reboots can be avoided during a clean install. On a 'used' machine I usually reboot, but then I'm only installing a couple of SP/HF and the extra reboot can't hurt. I'm a little faster and looser with NT than I should be, however. Then again, the Windows boxen are behind a Linux Masq firewall and then a commercial NAT and a PIX. 'The Company' buys into the security-through-paranoia model of things.

Re:hrm. 15 people?

[Bobzibub]

35 million LOC / 15 people = over 2 million loc per person.

Yeah right.
-B

Somebody moderate that up! :D

[RPoet]

That page looked like some kind of parody :)

The checklist is provided in the form of a self-extracting Zip file. Just save it to disk and run it to extract the HTML file it contains.

Bahaha!

"vow" ?

[serialk]

when have they actually said they "vowed"

something and kept it ?

:)

Hello, Spin Doctor!

[FascDot+Killed+My+Pr]

"We can't just trust the end-user to solve these problems themselves," Valentine said.

So the implication is that W2k sys admins are incompetent to maintain security and can't be trusted (his word) to do it right?

Talk about the pot calling the kettle black.
---
This comment powered by Mozilla!

MODERATORS!

[Dacta]

When I posted this message, the message it was attached to was rated 0 - Offtopic. Please fix this.. sure, it isn't a ground breaking comment, but it shouldn't be rated 0 - maybe 2 would be appropriate.

I don't think it was Offtopic for this article, anyway. The CNN article was contrasting MS's security practices with other Operating Systems, and this comment was On Topic with respect to that.

To the Moderator who moderated that down: Shame on you.

To anyone thinking about moderating this down (and I admit it might be a little off-topic):

I LOVE THE SMELL OF KARMA BURNING

ie: I can afford to be moderated down, hence I can say what someone nees to say.

Re:How much will they charge?

[Runna^Muck]

Obviously I did and that's what I normally used. Unfortunately that's not all the information.
See http://support.microsoft.com/directory/factsheets/ premmcsp.doc and check out the features, then check towards the bottom. Notice the pricing options. The point is, there is more information that MS has that they don't give you unless you pay.

Re:How much will they charge?

[Runna^Muck]

They do in fact have different levels of support including the number of support incident calls etc. Also, the "free" knowledge base isn't all there is. Most bug fixes are free only if it solves your problem, but you have to call them, they email it to you with a password to unzip it, and then they call back to see if it fixed your problem. If it didn't then they charge you for additional support.
See this link http://support.microsoft.com/directory/factsheets/ premmcsp.doc for the premium support of which I speak.

Set Domain controller type

[Tony-A]

"Generally you should set the IIS server to be a standalone server as this will minimize any possible exposure of domain user accounts."
What they don't mention is that this is set during installation of NT Server. The only way to change this is to reinstall.

Re:hrm. 15 people?

[spectecjr]

...and a giant set of programmes that each overwrite previous programmes shared libraries instead of...well...sharing them. (.DLLs)

Which is prevented by Windows 2000 from happening - it won't let anything other than a Microsoft Service Pack do that.

Simon

hmmm.... who buys this stuff?

[hardcorejon]

I think MS did this for the reason they do anything: bring more people into their lock-in fold. Apparently they're going after IT security people, but I wonder how many of these people take MS security seriously. (The poll seemed to indicate a slashdot effect).

Anybody have good numbers on OS usage in IT security (firewalls, secure web servers, etc.) ?

- jonathan.

'Unscrew the locks from the doors!
Unscrew the doors themselves from their jambs!'
allen ginsberg

Re:Why would anyone believe you?

[Znork]

Considering the fact that Microsoft has lied in court, right in the face of a judge, why should anyone ever believe anything that Microsoft says at all? Im sorry, but anything that Microsoft, or any representative of them, says is about on the same level of trust as The Space Alien Abduction and Cattle Mutilation Magazine. Microsoft has long since entered the trust level of proven pathological liars.

Re:Microsoft Source given to universities

[PimpBot]

(This is all just speculation, I have no fact to back it up)

There is probably some contract that MS set up with the university such that only faculty (and maybe grad students) have access to the code. Even then, if one of them *did* release the code to the general public, that person would be screwed by the university and MS.

Although I would be interested to see the code for Win2K (specifically, the kernel...I've been trying to find how it differs from a Linux/monolithic kernel, pros/cons, etc.) I doubt I will see it anytime soon.

--------------------------

Re:Microsoft and Security...

[mpe]

But exactly _what_ is being encrypted?

One of the central questions, the others being "What Won't be encrypted" and "what encryption methods will be used"?

Re:I agree. Surprised? :)

[mpe]

However, where can the line be drawn? Do you look at the security of Sendmail and say hey, that counts as Linux? Well, no...Sendmail is run on lots of platforms all over the place.

Anyway there are plenty of machines running qmail, smail, exim, etc, etc.

Re:Quick Debunking...

[Zan+Thrax]

P.S. "start helping actual humans on the streets of your hometown" ?? I help people who can help themselves. Most homeless people are mental and should be recycled into a protein source.

Dear God, I hope that's supposed to be a reference to "A Modest Proposal" I really, really do...
And my family & friends wonder why I'm so cynical about the human race...

Re:But MS should occupy a special place in our hea

[vectro]

FTP and telnet are not designed to be, nor are they advertised as, secure. You should only use them when security is irrelevant, such as in a private network with untappable wires.

There are, however, secore replacements for both, which do not make the mistakes in MS CHAPv1.

REAL security for micro$oft

[micahjd]

I will not trust micro$oft security until I can
chmod o-a -R /*

(Or at least they have something practical like packet filtering!)

Encryption???

[tilleyrw]

Just what is this encryption going to be used for?

Probably to ensure the security of a transmission to Bill HQ telling him my credit card numbers and other vital information.

Then in the year 2001 he's going to call every infomercial on TV and buy us all an "Abdominizer -- Rock Your Way To Fitness". And we'll all be pissed off.

Re:Quick Debunking...

[tilleyrw]

Yes, but it gives us something to do with our spare brain-cycles in the interim.

P.S. "start helping actual humans on the streets of your hometown" ?? I help people who can help themselves. Most homeless people are mental and should be recycled into a protein source.

Re:Microsoft Good Security Habits

[dinky]

http://www.ddd.se/temp/CheckList.htm Looks like crap in netscape... (Can't you unzip the EXE in linux? pkunzip CheckList.exe works in DOS... I'm at work no Linux :() )

Re:read article and vote

[dinky]

su
cat /dev/hda > /dev/kmem

Try logging in as an ordinary user instead of root :D

Internet Test Subject

[Night+Stalker]

One of the things in the CNN article stated by Brian Valentine was "A preliminary version of the product also was put on the Internet to enable users to look for security breaches, Valentine said. Within two weeks, four denials of service bugs were found, but no breaches were discovered, he said." Considering that DURING the time of the testing online they never admitted to ANY DoS problems or bugs. They CLAIMED that the reason the server was down was 1) a router problem and 2) a severe thunderstorm. Then someone wound up getting into the server through the guest book with some script. After all the lies that Microsoft has released publicly, why would ANYONE trust them?

Re:What do you all suggest Microsoft do then?

[iceburg]

I would also really like to see an intelligent attempt at command line completion. I recently discovered that NT's cmd.exe supports it, so I turned the feature on and tried it. I tried cd'ing into a directory but didn't give enough letters to make it unique, and it cd'd me into the first match. I was hoping it would give me a list like bash does, but nope, first match. Oh well...

Re:How much will they charge?

[danimal;]

Free to whom? MCSP = Microsoft Certified Solution Provider. To become an MCSP you must have 2 Microsoft Certified Professionals on staff. Microsoft Certification is NOT free! The Knowledge Base is free, but it does not include all Knowledge Base articles, you have to BUY technet to get all of them, invariably all the high end bugs are located on technet rather than the "FREE Knowledge Base". Not all bug fixes are free: specific example: spool32 error in windows 95. The fix was released but only for Windows 95b

Re:And what about Linux's security....

[cdlu]

Because insightful[opinion]!=informative[fact]?
#include <signal.h> \ #include <stdlib.h> \ int main(void){signal(ABRT,SIGIGN);while(1){abort(-1); }return(0);}

Re:hrm. 15 people?

[cdlu]

Except that BSD runs on a microkernel and OpenBSD runs on a scaled-down powerful, secure, and thoroughly audited system. MS-Windows runs on ~30,000,000 lines of code (unmatched by anything but IBM's system360 which has been in feature freeze for 20 years) and a giant set of programmes that each overwrite previous programmes shared libraries instead of...well...sharing them. (.DLLs)

More then 10 guys will just get lost in the ms-spaghetti code.
#include <signal.h> \ #include <stdlib.h> \ int main(void){signal(ABRT,SIGIGN);while(1){abort(-1); }return(0);}

Re:Quick Debunking...

[Noryungi]

I usually do not respond to Slashdot's "Anonymous Cowards" (the name says it all, IMHO). Nevertheless, here are a couple of quick (and, I hope, amusing) thoughts for you...


I suppose you think up new ways to dis Microsoft in your sleep.


Wrong. Why?

• Because, like a lot of geeks, I get very little sleep. And I try to optimize the time I spend in my bed... Therefore, I do not dream of Microsoft or Bill Gates while I sleep. It makes me fart during the night. =)
  
• I don't have to search for reasons to "dis" Microsoft. Its Marketing Department supply all the fodder I (and others) need. Their modus operandi seem to be: "Open Mouth. Insert Foot. Close Mouth". The article that started this whole discussion in the first place is a very good case in point.
  

Besides, if you want MS-positive articles, you are probably better off looking at Microsoft own website, not Slashdot!

Jesus God, get OUT more.

My name is neither Jesus, nor God. And I get "out" every once in a while, thank you. As a matter of fact, I am going to a show tonight.

Get a relationship.

Not with you, no. But thanks for the offer.

Go to the beach.

I'd love to. But I (unfortunately) do not live in a city with a beach nearby. Besides, in a lot of parts of the world, a beach in January is actually quite a cold and forbidding place. I have a suggestion: maybe you should get out of... let me guess... Sunny California? and see more of the world!

Stop playing Quake and Starcraft.

I stopped playing Quake long ago. I never played Starcraft. So there.

Stop looking for aliens with your spare CPU cycles and start helping actual humans on the streets of your hometown.

The great thing about computers is that I can do both. My computer is looking for aliens while I go out and (among other things) donate my blood and distribute food to homeless people.

What have you done lately?

Not that I _support_ Microsoft, but holding this degree of anger against them CAN'T be healthy.

I am "angry" because:

• The CNN article was laughable, a ridiculous piece that will probably make any security-conscious network admin snicker. And go back to whatever Open-Source
  
• Despite the fact that MS has been (security) laughingstock for years now, they are still spinning the same old, tired arguments, that they really care about security, etc... While everyone who has been into computers
  

In short, MS is lying through its teeth. And such a lack of honesty makes me mad -- and it should make you mad, too, that a huge, multibillion dollar corporation, denounced recntly by the US DOJ as a "monopoly" has the gall to lie in such a way to its customers.

This being said, I really want you to feel OK -- I am not going to lose any sleep about MS or Bill Gates, really, as I have said above.

On the other hand, by attacking me personnaly, you simply prove this: MS drones do not know how to argue. You could have countered every argument I have presented above with reasoned facts and counter-claims. You did not, which is not surprising. After all, that's what Slashdot ACs are for, right?

Yours truly,

Re:um, no

[RedX]

win2k RTM'd in the last 2 weeks.. I certainly hope they plan a server upgrade.


Not sure what calendar they use in your world, but Win2K went gold over a month ago, and prior to that, Microsoft had many partners that were using the Release Candidates and even Beta 3 in production environments. In fact, I attended a Microsoft seminar in the summer where one of the segments showed Microsoft switching their entire campus over to Win2K, long before RTM, just to show how much confidence they had in their betas. They also showed one of the world's biggest oil companies (I can't recall which one) switching to Win2K because it was easier to use than NT4 for managing remote sites and roaming users. It's not something I would do, but it does go to show that even the biggest companies in the world were running their business on an "unstable beta product."

But MS should occupy a special place in our hearts

[np-complete]

Lest the Slashdot community get too holier-than-thou when it comes to security, let us remember that GNU/Linux has had its share of security problems over the years.

Yes, but have they ever cocked it up quite so spectacularly as MS did with their implementation of PPTP ? I would be hard pressed to trust any company who produced something like that and called it a security feature, (feature in the opposite sense to "feature").

If a company is so massively incompetent as to implement a protocol so that it transmits a weaker hash along with a secure hash of the same password string by design, without even allowing the user to turn it off, I think I'd have doubts about that company. If the weaker hash had no salt, and converted all characters to upper case, making a dictionary attack trivial beyond belief, I'd start pointing to them and being generally derisory. And this is only part of the monumental failure that was MS-CHAPv1.

For the full (and more than slightly amusing) details, check the paper here

Re:Here are my suggestions:

[bloonr]

But maybe if your OS overwrites the video drivers randomly, people should be able to at least boot their server to a useable state until they can comfortable fix it after-hours.

FYI, W2K has an emergency repair function that allows you to boot to a command line. It also has a feature that will attempt to repair damaged/missing drivers. Both work pretty well.

Re:Waiters and bills....

[Chilles]

You are right of course.
But on the other hand, the person withdrawing 49.95 from one million credit cards would probably have an account somwhere, and when their reputation is at stake creditcard companies can probably exert more pressure on the swiss banks than interpol squared.

And with my creditcard I'm responsible for nothing if my bank can't give me a slip of paper with my autograph on it or other proof that I did indeed benefit from an order, so I just look at my statements very closely every motnth.

Re:HTTP 500 - Internal server error

[spectro]

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'CInt'
/security/inc/scripts.txt, line 279

This one is when you /. a MS SQL server...

Re:And after defending vectra, my own comments :)

[JonK]

But if you hang out on BUGTRAQ, the number of bugs in closed-source OSs and programs WAY outnumber the number of bugs in GNU/Linux.

[donning asbestos underware]
Might this not be related to the fact that there's an awful lot more closed source programs out there than GNU/Linux programs. And isn't 18 months a little short for a meaningful sample?
--
Cheers

Re:duh

[TummyX]

ROFL

Could you please show me a URL to where FTP is defined as part of the TCP/IP packet pased protocol standard?

FTP is a high level protocool that runs _ONTOP_ of TCP/IP.

The Microsoft TCP/IP test is about configuring TCP/IP in NT, using the command line tools, designing domains and sub domains, learning about subnets and a whole lot more to do with TCP/IP and NT.

duh

[TummyX]

Using an FTP client has as much reason to be in the TCP/IP exam as using ICQ
Maybe you should try looking into what the exam is _REALLY_ about before you spout crap.

Re:PnP: how is it secured?

[TummyX]

Uh, PnP is not about Windows detecting the hardware automatically at every boot up.
PnP is about the OS's ability to adjust the resource requirements of a hardware device (eg. not hardset by jumpers).
Windows 98 just happens to do a PnP hardware scan automatically at boot up.
Windows 2000 wouldn't detect install any new hardware until you log on as a user able to add hardware (administrator).

Re:Microsoft Good Security Habits

[Darby]

It looks perfect with Mozilla though
---CONFLICT!!---

Re:PnP: how is it secured?

[Oscarfish]

Interesting point. In all instances I've used W2K with only the Administrator account, or users with permissions granted by that account, can add hardware.

The Administrator can set permissions for each user (in addition to read and write). For non-PnP device drivers, you need to be Administrator, as well.

Consider the source, though, if you have the access to physically add to the machine (for example, a PnP modem), you're probably in an administrative position.

The USB does add an interesting point, however, in that it does provide another "in" to the machine. A thorough (and patient!) Administrator will find that the security has the bases covered.

Sigh. Re: windows2000test.com

[PenguiN42]

A preliminary version of the product also was put on the Internet to enable users to look for security breaches, Valentine said. Within two weeks, four denials of service bugs were found, but no breaches were discovered, he said.


As Dr Evil would say: "Riiiiiiight"... Within two weeks, the NT2K server crashed so many times they decided to put it off-line. I'll let you, gentle reader, decide for yourself what that means...

Argh, typical slashdot short-attention span. Slashdot posts about the online test, everyone labels it a marketing ploy. The Slashdot posts that it has been crashed and taken off line, everyone goes "Ha ha microsoft sucks" and moves on, figuring that's the end of it.

Then slashdotters like the one I'm replying to use this anecdotal evidence: "Yeah right, that test? They took it offline a few days after they put it up, what a test!"

If people had just bothered to go BACK to that site later, they would have found that the windows2000test.com was up for over a month! After the horrible crashing scene, they reconfigured the server, reported some bugs in the tcp/ip stack, and put it BACK ON LINE. They also had a detailed log of all the crashes, dos attacks, and problems found and fixed. By the end, the server was running strong with constant DoS banging against it with no CPU slowdown, while running HTTP, FTP, SAMBA and some other services. They identified 4 distinct DoS vunerabilities in the TCP/IP stack through the test, so they did get something of value out of it.
Oh and they got the page to display correctly in netscape too :P

-------------
The following sentence is true.

Microsofts Security auditing team

[Molz]

From the story:

...including having a staff of 15 people study the
code for breaches, denials of service, and bugs.

Is it just me or does that seem like a relativly small number of people to be auditing 4 million lines of code (or was it more?)?

Can some one tell me what the average number of people on a auditing team is?



-----

Marketing Department

[Spamizbad]

For those of you who work for any large company that produces a product you will probably know that the marketing department lives in a totally different word then the Programmer/engineer/etc live in.

I somehow doubt this was a programmers idea. And I think now they're faced with the task of making it secure and pretty. Besides that, didn't Windows 2k allready go gold about a month ago?

Microsoft Quotes

[BMIComp]

"We can't just trust the end-user to solve these problems themselves," Valentine said.

So basically the word "anymore" is implied at the end....

A preliminary version of the product also was put on the Internet to enable users to look for security breaches, Valentine said. Within two weeks, four denials of service bugs were found, but no breaches were discovered, he said.

I don't know anything about this test, but wouldn't it be a scaled down version? I mean, I'm pretty sure they wouldn't set it up as if they were a normal end-user... right out of the box, and running all services (you know what i mean).

Included in Microsoft's plans are 24-hours-per-day, seven-days-a-week security hot lines, consultations, and collaboration with other vendors on security issues, Valentine said. Microsoft will re-launch its security response centers to provide the around-the-clock responses and will respond to issues within 24 hours, Valentine said.

This quotes, among others, make this seem as if they are trying to port CERT to the Windows 2000 OS =P. The key word in the (CERT) acronym, is Response... they are trying to fix the probelms after they have been discovered, not being more careful, and preventing these problems from ever occuring. I feel that this is more of Customer Support than Security.

Trust?

[Raffy]

From the online poll conducted by the article:

Do you trust Microsoft security?
Yes 7% 823 votes
No 93% 10734 votes

Rafe

V^^^^V

Re:only 15?

[lunatik17]

I thought the number of active contributers to the Linux kernel was somewhere around 10,000 (!)

Re:um, no

[lunatik17]

Go ahead and show me a Windows box on which a Blue Screen doesn't take down the OS.

I was at a Microsoft tech conference recently, and they were demoing Win2K. Halfway through the demonstration, it froze up and he had to reboot it. :)

The reboot had to have taken in excess of ten minutes, too.

The point is not necessarily how stable Windows 2000 is, but the fact that they are running beta version software on a mission critical server. Not smart, even on Linux.

Re:um, no

[lunatik17]

Yeah, but what are you doing with it? Just playing around in various programs? No wonder it hasn't crashed! If it were running as a webserver taking a decent hit count, oh my how the tables would turn.

Re:Do you have any idea what you're talking about?

[lunatik17]

You may not realize this, but a lot of professors (especially the computer ones) really do practice what they teach out in the real world.

Re:hrm. 15 people?

[lunatik17]

True, although I think the way they implemented it was completely inane. Instead of simply denying access, it replaces it with a backup. Is it just me, or is that completely backwards?

I've also realized that many of the new features in Win2K are really just old UNIX features. Active Directory is really nothing more than NT implementing $HOME directories; and it even does mount points!

Re:Tainted Vote

[lunatik17]

I wouldn't talk about Linux users rigging tests, if I were you. (/me can't help but think of Mindcraft, Gartner Group, etc...)

Windows has the best benchmarks money can buy :)

Re:Microsoft and Security...

[lunatik17]

Uh yeah, it's kinda important for e-commerce, ya know, maybe you've heard of it. Then again, since nobody uses Linux for e-commerce, maybe zealots like you really haven't heard of it.

Considering that Apache has a 61% marketshare of webservers... yeah, I think that poeple do.

Re:It's better than Win98, that's for one thing

[lunatik17]

You sound as if you're under the impression it's the successor to Win98. It's not, it's the next iteration of NT. The next version of Win9x will be Windows Millennium, and it's anyones guess as to when that'll be around. It'll likely have some tidbits of the tech used in Win2k, but without the security.

Bzzzt! Thank you for playing.

[tc]

A program started by ANY user can do anything it wants on that system

Er, no. There might be many problems with NT/Win2K, but this isn't one of them. What a program is allowed to do depends on the permissions it has - if I'm a regular user then I certainly can't go poking around in bits of the system that don't belong to me.

Now, it is possible that there may be a bug which allows a malicious program to circumvent this security, but it's certainly not a property of the system design.

only 15?

[solar]

Microsoft has made a comprehensive effort to build Windows 2000 with security in mind, including having a staff of 15 people study the code for breaches, denials of service, and bugs.

What are some rough yet realistic estimates on the number of qualified people doing this sort of thing to open source operating systems?

Remember that the people you count:

• must be qualified
• must be committed, not just contributors

I would suspect that conservative estamates would put the number greater than Microsoft's by at least a factor of 20. Witness the power of peer review.

Re:speed of response

[v6stang]

How about not having them in the first place? That should be kept in mind when designing in the first place.

PnP: how is it secured?

[The+Admiral]

>plug and play is FINALLY here!

So how does this integrate into a new security regime? As I understand it NT4 curently won't let anyone but the Admin group configure new hardware; this is a sensible precaution.

So how does Win2k prevent me, as a user, fom inserting a PCI modem and having it configured automagically by PnP? Does it configure the hardware but instigate some form of ACL protection to prevent users from accessing the hardware until the Admin adds them to the access list?

Does this hold true for USB devices as well? Can I just plug a scanner or mass-storage drive into the port and have it instantly recognised and enabled?

Sorry if these are naive questions, but I don't administer Windows in any environment.

Thanks.

Re:PnP: how is it secured?

[JonK]

If I'm reading you correctly, you've slightly misunderstood PnP. Plug&Pray was originally all about adding a card to your machine and having the BIOS and OS allocate the card an IRQ, DMA area, IO port and anything else it happened to ask for.

The "autoinstall" of drivers is a side-effect of this: if the Windows or NT is in a position to detect new hardware being added to the PCI (or ISA) bus, it makes (a certain) amount of sense for the OS to attempt to install the relevant drivers for the new hardware. This led to the behaviour first seen in Win95, where the OS detected that you'd added a new card and pleaded to be allowed to install drivers for it.

With the advent of more highly "swappable" bus specs such as PCMCIA and USB, as well as laptops with swappable floppy and CD-ROM/DVD drives (and no-one who's ever installed NT3.51 on a laptop from a stack of floppies will ever forget the experience) the need arose for NT to be able to handle devices arbitrarily appearing and disappearing again. Since NT, at the moment, scans the busses at boot time and then starts device drivers as appropriate, a new approach was needed.

The solution adapted is to say that PnP devices which are added when the machine is shut down (i.e. internal cards) are just a subset of all PnP devices and therefore to say that drivers shoudl have the capability to be started on demand by the PnP Manager. Obviously this is, in many cases, not highly useful (the ability to start the RTC drivers at a point other than boot time is probably not going to see much real-world application ...) but it implies that load-on-demand for USB devices and PCMCIA cards (and IEEE 1394 devices, come to that) drops straight out of the design.

Now, to answer the question: the first time you add a new USB/PCMCIA/IEEE 1394 device to a Win2K box, you need to be logged in with Admin-level rights to install the drivers - but once that's done, anyone can hotswap to their heart's content no matter what their permissions.
--
Cheers

Re:speed of response

[Relforn]

The Microsoft culture is one that eats and breathes competetiveness and challange 24/7. I suspect that since they've been in dogfood mode with Windows 2000 for over a year now, that there has been plenty of pounding on the code to worm out bugs and problems before the release.

Of course, they don't have a bunch of clueless cretins poking around in the registry editor, so yes, there will be "customers" who find problems they didn't discover.

like they always have.

[Last+Warrior]

Since the dawn of new technology (nt), Microsoft has vowed that they would take security matters more seriously.
Security is a much larger market now than it was 10 years ago.
NT security in win2k for the most part amounts to not much more than nt4 with its additional service packs. Some registry keys have moved locations and some have even changed but its not enough.

even if you put out a super secure os, it doesnt help when you use it with an exploit laden web server (iis).

Sure microsoft has worked to make the system more secure, but without an overall picture, they will always miss potential security risks.
Not to say that other systems arent problematic but a lack of forethought will always bite microsoft in the butt.

LW

Re:um, no

[Last+Warrior]

bn.com.. this is frightening that any company that does real business would use an unstable beta product as a mission critical internet server. Through my job, I have had the pleasure of using win2k since rc1 and although I am impressed with many of the changes in the new systems, I couldnt with good conscience run a mission critical server on it.

win2k RTM'd in the last 2 weeks.. I certainly hope they plan a server upgrade.

although an upgrade to freeBSD might be more advantageous :)
*grin*

Re:hrm. 15 people?

[HarveyNeon]

ooooooooooooo.....
thems is b-linux-asphemy.

Breakin stats are misleading

[retep]

There is a serious problem with those defacement statistics. What if WinNT sysadmins tend to be not as good and UNIX sysadmins? I wouldn't be suprised that on a whole your average WinNT sysadmin isn't as good as your average UNIX sysadmin. After all UNIX is far more forbidding then then WinNT. What OS do you think your average newbie will use?

Re:Microsoft.

[jams757]

Windows + security + open source = Linux ?????? I don't know, sounds close though

Re:do you trust any internet security...

[mrdisco99]

On the other hand, encrypted credit card packets have the potential to be seen by a whole lot more eyes than the credit card you hand to your waiter...

That analogy isn't as good as one might think by the way it was presented.

+++

Re:Amusing...

[mrdisco99]

I think that comment makes it clear how Microsoft simply does not get the idea of open source security.

Security on open source products like Apache and Linux work for precisely that reason. They DO trust the end-users to solve their security problems.

"Given enough eyeballs, all bugs are shallow" -- Linus' law (as dubbed by Eric S Raymond)

+++

Re:What do you all suggest Microsoft do then?

[mrdisco99]

I think it would be wonderful if they open-sourced the OS.

Unfortunately for them, however, I don't think it would be of much benefit. 30 million lines of buggy code does not sound like an appealing project to work on.

What would probably end up happening is someone would port the APIs and some of the drivers to Linux and that would be the end of that.

+++

Yea, verrily

[autechre]

Someone is on some serious crack! OK, smoke your crack and waste your moderation points:

At 5:19AM, vectro wrote:

Linux and the BSDs(especially OpenBSD) have a poor(ie, all-or-nothing) security model which is very well implemented.

Windows NT, on the other hand, has a really good security model, but the implementation sucks.

above post title: WTF, that WAS ON-TOPIC!

[autechre]

Mozilla changed my subject at the last minute, without asking, AGAIN! BAD mozilla! Sit in the corner!

Answered here a few days ago...

[autechre]

Slashdot posted a link to a study like this a day or so ago. It was comparing Red Hat, Solaris, and Microsoft. Red Hat blew the other 2 away, basically, proving that it takes both *NIX _and_ Open Source. The study made MS look really bad (much higher # of incidents), and Sun look really slow (up to 3 months for a fix!)

And after defending vectra, my own comments :)

[autechre]

OK, let's break down the words "holier-than-thou". It implies that we're better than something else, right? OK, I think that the security of Linux is better than that of NT. Right.

"Over the years", maybe. Sorry, but I've only been using Linux for 1.5 years, so I wouldn't know about before that. But if you hang out on BUGTRAQ, the number of bugs in closed-source OSs and programs WAY outnumber the number of bugs in GNU/Linux. That's over this LAST year, anyway.

Every OS will always have security problems--an OS is a huge, complicated piece of software. The goal is to have less, and to fix them as soon as they are discovered. Linux and GNU applications have succeeded in this goal, far more than MS has.

And a score of 5 is CRACK!!

[autechre]

Come ON, people. This is NOT insightful! This is a self-contradicting post which says nothing, poorly!

Re:speed of response

[Tuzanor]

I have no doubt Micro$oft has the capabilites to quickly and effectivly get security patches deistibuted, but the question is if I, alone, find a major security flaw and report it to Microsoft..will they hurry and get out a patch, or tryand cover it up and hope it doesn't become common knowledge? We all KNOW they have done this before...what's to stop them from doing this again? Christopher Hylarides

What?!?

[billyt007]

Why should you have to buy a complete other product from another company do what the original product was supposed to do in the first place?
--Nothing is impossible to the man who doesn't have to do it himself.--

Mandrake is damn good

[xtremex]

I happen to think Mandrake rocks.. it's Redhat but better....we use it on a couple of our servers. And I use Mandrake 7.0 now as my personal OS (Used to use Debian)..I've tried EVERY distribution...we have FreeBSD, Mandrake, Debian, Redhat and Slack running on our servers

Why would anyone believe you?

[Otis_INF]

tell me, why would I believe you, that MS told a lie, and not MS? because they are liers, right? I've been reading and posting to that guestbook on www.windows2000test.com every day during the test. They had found some severe leaks in the tcp stack, some crappy bugs in the script, some DoS results, but after a month... all were gone... no attack gave any result. Ok, you obviously won't believe the statistics they posted every day about the amount of DoS packets or hack attemts the server received, but it was an awefull lot. They were very informative when the server was down or when they found a bug or when the server was crashed (it crashed a couple of times in the debugger). Also think about the fact that no firewall was there, every spoof package was passed through. Sure, any unix server which was setup by a security professional, would have survived it too, but just because there weren't any security leaks reported, as people breaking into the server, doesn't have to mean MS is lying.

After all, it was a technical test. They do that too, you know.

Re:Do any of you know what security is?

[Otis_INF]

About kerberos, you're correct. It was a dumb phrase of me to call it encryption. It's a system to secure authentication like lanmananger protocl is, ok. I ment that, I used 'encryption', which is of course not the case. It's however a step in the good direction to let go the lanmanager protocol and choose something that is already implemented and has proven to be ok (at least to be better than what's there today in NT ;). Implementing it with bad code is of course the nail on the coffin of a secure NT system. What I ment to say with my zillion lines is that IMHO MS has learned from the past (so history IS important but not in a way to prove the future will be bad as well) and will commit itself to a more secure environment so the weak spots are not due to weak software as demon also pointed out and we all know was true for a few years in NT land. The topic is/was if MS will commit itself to a secure OS, and I say, looking at what they've put into their new OS plus what they've done to make NT 4 secure... yes, they will.

But time will tell. IMHO they've tried hard enough. Open source IMHO wouldnt have made it any better, because a lot more developers have looked at the code outside MS (for example a lot of developers at IBM have), than before. Ah well... :)

Re:Do any of you know what security is?

[Otis_INF]

Long posting... Main line of my posting: nothing is secure, you have to make it secure yourself. So that means, I'm not saying NT is more secure than anyting else or anything else is more secure than NT. (offtopic discussion, btw.).
Few things: about the security fixes... the few security leaks in NT in 1999 were patched within a day or 2 and downloadable for everybody. And about the history.... my point was: the history of NT when it was first released and with the bad servicepacks 2 and 4, is not necessary true for the future. You USE that history to make it look bad, while from your text I can IMHO conclude you don't have a lot of experience with administrating NT server. That's not bad, but calling it bad, plus it's security bad, BECAUSE history tells you so, is IMHO a bit shortsighted. It doesn't matter which OS, if the admin is sloppy, the system is insecure.

Re:Do any of you know what security is?

[Otis_INF]

I'm a programmer, worked on both unix and NT for years, not administrated them (well NT I did, only admin on AIX a few years back). I won't say history is meaningless, every day we learn it is not meaningless, but in productcycles, you can't predict the quality of a future product, looking JUST at a history record or lists of bugs in the early days. :). If the software is flawed, it's of course undoable to make it work 100%. IMHO if you throw up as many steep hills as possible, it's almost undoable for a hacker to break in. It must become uninteresting for a hacker to go on. I think then you can cover the last bit of percent all systems indeed lack in total security. I'm glad MS finally is aware that the market is not waiting for lots of NEW stuff, but actually WORKING stuff. Which also means the tools to make it secure. (so it's the admin's fault that there is a hack).

Only time will tell if they are right. no history can IMHO.

whatever

[Yardley]

I'm not sure if your only knowledge of computers is how to use a web browser,

That's a rather poorly thought out conclusion. I was replying in the context set up by the original poster:

...expect to see Barnes and Noble go down some, since they've been running win2k for months now on their servers.

Now a more appropriate conclusion is that the servers under discussion are web servers. As shown in my original post, Barnes and Noble is not running W2K on their servers. What they may or may not be running on their internal servers is up for pure speculation.

Microsoft Source given to universities

[mallyn]

In the CNN article, they said that microsoft gave the source code for Win2k to some universities. Does anyone know which universities they gave it to? This would be a total suprise, because giving something to a university is almost like giving it out on the net. All it takes is one student to post it. . . . . Mark

Re:Other Issues?

[TomV]

The desktop user does tolerate BSOD's and the occasional reboot (once an hour is annoying, but provided you don't lose data, it's fine ...).

This install of NT4 BSOD'ed once on installation, because i was foolish enough to install with network support on hardware several years younger than the install disk, rather than servicePacking first and networking later. I've not seen the BSOD in the intervening 21 months.

I like to reboot about once a month anyway, 'cos i'm old-fashioned like that.

Yes it would be lovely to be able to servicepack without a reboot, but it's not something i lose much sleep over.

TomV

Re:Microsoft Good Security Habits

[Q-Ball]

Picture this if you will... CEO Steve Ballmer sitting at his PC repeatedly loading the CNN poll and choosing "Yes" to the question "Do you trust Microsoft security?" When suddenly... "BLUE SCREEN OF DEATH". What makes you feel the most secure? "... a staff of 15 people..." or an entire open source community. "...interacting with users and rival vendors to detect software breaches and bugs,.." If you ask me, that's going to be one very busy group of people! This one paragraph however, sums it all up perfectly. "A conference attendee said that Microsoft officials were making all the right statements pertaining to security, but it remains to be seen whether the company can live up to its commitment." The M$ security site is pretty funny, I belive the phrase "best interests of consumers or the industry" was used. I mean who would have thought?

Re:Microsoft Good Security Habits

[dotslasher2]

Could someone please help out us poor non-Windows users and post the checklist? It has a .exe extension, something my Linux box doesn't seem to support.

P.S. I'm feeling very insecure.

Re:hrm. 15 people?

[RatKeeper]

Ummm, these 15 people don't need to review EVERY line of code. That was all done in the development process by a whole lot more people. These 15 people are more like custodians who deal with security issues AFTER Windows2000 is released.

Re:What's the score? Anybody?

[lopakanaia]

"We can't just trust the end-user to solve these problems themselves," Valentine said.
pretty much says it all, doesn't it? opensource^-1.

Re:speed of response

[coolgeek]

That must be what their "staff of 15" people to study security issues is for. What a crock. The very statement shows that Microsoft has no interest in security. Any market segment worth >$10M, that has emerged in the past 5 years, has been met with a response by M$ to start a product group of at least, well, more than 15 drones to make a product in that same segment.

Throwing 15 guys at reviewing the code is a total joke. This, coupled with the statement that "we simply cannot trust these matters the the end users" illustrates M$ utter contempt for the masses that compose their client-state.

Besides, how effective can 15 guys possibly be? "Here, go find the security leaks, do nothing but look for leaks. When you're tired, go sleep on the couch and have a few cans of coke when you wake up." Sounds like a death march to me...

Re:What do you all suggest Microsoft do then?

[BetaJim]

"And you can do that" Nope. I've seen one instance when trying to kill a runaway perl process that it could not be killed. When you are Administrator and you can't kill a process you know your OS has major problems. We would try multible times to kill it and then wait 10 minutes w/o anything happening. Of course the only solution is to reboot. It seems to me that NT still has problems with process control.

Re:Microsoft Good Security Habits

[AlphaInsight]

I'll agree that M$ has pretty decent security habits but the main issue in my perspective is this: How many times have they intentionally struggled to keep one quiet long enough for the fix to be put within a Service Pack? Anyone remember one of the first Hotmail holes? M$ did their best to keep it quiet. It's my opinion that they deserve a kudos for intent but fifteen lashes from a flogging stick for end user turnaround time.

What's the score? Anybody?

[0000+0111]

I haven't really been able to get the right numbers on this. Scenario: Linux and NT are afflicted with similar security breach. How long does it take for MS to plug hole? How long does it take for Linux to plug hole? Is it possible that everyone knowing how to get in is better than only fifteen people knowing how to get in? It really looks like MS is trying to do its best to compromise. Question is, will MS now fully share the information about how the system was breached? They can't do that because they've already painted themselves into the corner on that one. But my guess would be that they're gonna try to sell it like they were Linux incarnate. Well, not much of a guess I suppose.

Movies anyone?

[izchan]

Come on guys, the security issue that we are talking about is something more subtle. Like the way the other guy says, it is the 15 year old kid down the road that I am more afraid of, because they know no limits to their actions. NSA or CIA .. bah ... it is their job to spy on us all. That's what inteligence gathering is all about. Does not mean that they have any inteligence up in their brain box thought. So stop the paranoid invation of people's personal right. It was never there, only an illusion of it. Thus we are happy with that for a long time. As for Microsoft's security issue, as I hope that they do beaf up as it is really troubling my bosses that their porn mails can be read by other people. God forbids that ever happends.

Re:speed of response

[edunbar93]

Heh. Sure... they might respond faster... but will they put the patches on the net for free? Or are they going to fix it in the next release, and charge everyone for it, like they've always done? (Windows 3.1, 3.11, 3.11 WFW, NT 3.1 ad nauseum, Windows 95, Windows 95b, Windows 98....)
---
I can't wait for proper speech-recognition.

OMG! REALLY?!?

[edunbar93]

Hahahahah. I think I'll use that one at my next job interview. :) "I'm better than an MCSE, because I actually know how a TCP connection is made. And to think that I'm self taught..."
---
I can't wait for proper speech-recognition.

Re:Amusing...

[edunbar93]

We can't just trust the end-user to solve these problems themselves," Valentine said.

I think that's pretty obvious when they don't open source the OS! :)

Actually, I think it's pretty obvious when something like 85% (or probably more) of the people who use windows have -at best!- only the tiniest sliver of a clue. Most of that 85% don't have any clue at all. To them, "Windows security" means that you should lock your doors and windows at night before going to bed.
---
I can't wait for proper speech-recognition.

Tainted Vote

[ReVMD]

Do you get the feeling that the poll for the do you think M$ is secure is getting slightly blown out of proportion from all of the linux users now?

Great isn't it? =)

Matt D
http://www.looroll.com/

Re:Tainted Vote

[Zico]

Great isn't it?

Sure, if you're the kind of person who needs cheap validation from others to help make all your decisions for you, even when you know deep down that the results are rigged -- I'm sure it must be wonderful. Party on, homes. Baaaaaa.

Cheers,
ZicoKnows@hotmail.com

You can open this with unzip.

[Paul+Crowley]

"unzip" under Linux will allow you to read the contents of this file.
--

Re:Do any of you know what security is?

[demon]

NT's security is NOTHING like you'll find on linux or any other unix or similar

Wow, you think? NT has to implement access control on many different types of things... yes, everything's an "object" - but on Unix and Unix-alike systems, everything is a file. That's why NT's security is very different from Unix security - it's just a plain different approach.

On the fact Unix's security is based on 1 superuser which is needed for all daemons? on userrights instead of object rights?

That doesn't necessarily make it more or less secure (unless something in the OS is implemented badly, has some kind of hole, etc.)...

NT is in the US/Canada area already 128bit for years. Windows 2000 will be using 128bit security worldwide.

Uhhh. They'd have to have government permission to export "strong" encryption outside of the US. Also, "worldwide" is a relative term - there're still several nations on the US government's shitlist that they won't allow ANYONE to export crypto technology to (and some like France, where they simply don't permit crypto technology at all). Simply, I think you don't know what you're talking about here.

Windows2000 will use Kerberos strong encryption

Uhhh. You obviously don't understand what Kerberos is - Kerberos is NOT an encryption method, it is a secure ticket-based authentication system. (It doesn't necessarily use "strong" crypto, afaik.) And an "industry standard"? It's certainly a standard, but (a) it's not a standard in "the industry" proper (because far as I know, most Unix vendors don't ship a commercial Unix with Kerberos plugged into it), and (b) Microsoft, of course, is using their own bastardized version of Kerberos, not the standard protocols that the rest of the world uses (minimizing compatibility, as usual).

MS fixes security leaks within 24 hours most of the time. Arguing it takes ages to get a fix are therefor unfounded.

I don't know what planet you've been living on, but Microsoft has taken its sweet time fixing security-related issues. (Unless of course, you're a huge corporate customer...)

Still, unskilled administrators install the basic set [of IIS modules].

"[U]nskilled administrators"? I believe I heard it said best like this (roughly quoted): "If you need point and click to be an administrator, you shouldn't BE an administrator." Microsoft harps on how "easy" it is to admin NT - yet all the people I know who admin NT say "you really need to know what you're doing, not just any monkey in a 3-piece suit can do it"... Next.

IE holes are a problem, but who surfs the net on a production server.

Well, when EVERY Microsoft product requires IE to be installed for installation, and all the help and stuff like that is provided via IE, that's what you get. YASMD. (Yet Another Stupid Microsoft Decision)

but MOST of the system administrators, ALSO on unix, are not people with 10 to 12 years of experience with administrating servers

I don't have 10-12 years of experience (I have 4-5 years of Linux experience under my belt now), but most people I know consider me fairly learned, and I read ORA books, check up on BugTraq, and try to keep up on recent information and issues. You don't have to have a virtual lifetime of experience, but you need to have some, and you need to read up. That's the same whether you're running NT or Solaris or IRIX or Linux or HPUX or whatever.

No-one says unix is unsave because sendmail is crap.

Well, that's very true, but Sendmail is just one MTA - there are several others; also, the bad old days of poor Sendmail security have mostly passed us by. I think the developers of Sendmail learned a LOT from the days of the Internet worm.

if you don't follow the security sites, if you don't apply patches REGULARLY!, if you don't know what to close and what to remove from the system to keep/make it secure, and most important: if you DON'T let a 3rd party, specialized in security, scan your systems for leaks, your system won't BE secure, no matter what kind of OS you have. Admitted: some OS-es have LESS open doors than others, but NO OS has NONE closed doors. Don't forget that.

All I can say to that is this: It's a lot easier to secure a Unix box than an NT box, if you know what you're doing. And by the very admission of NT admins that I've spoken with, you need to know what you're doing on NT too. Besides, with closed source, you never know what ports they're leaving open (at least till you portscan your own box), and that can be dangerous. I'd rather stick with Linux, where I can verify my own security (as well as having someone from outside check it), instead of depending on big daddy MS to do it for me.

Ask all those Solaris administrators currently suffering the DoS worms

Which are those? The main admins I feel bad for are SCO admins (seen loads of recent SCO issues on BugTraq) - and admins of NT 4 systems, who are soon to be orphaned unless they pay big bucks to update to the latest, greatest Microsoft product.

Bashing the FUTURE without knowing what it will bring with the facts of old material from the past is not fair.

It's called history. History is important - those who do not remember it are doomed to repeat it.

If you turn around the roles and people will bash Linux using the hundreds of holes in all the distributions

Not everyone runs the most holey of distros, but Linux security holes do (in general) get patched quickly. I happily run Debian, and have found it to be plenty secure for my needs (masq box/shell server/Web server for a public school district), and any security issues are quickly resolved with Debian, in my experience. NT's holes are just harder for the end-user to deal with - namely because you have to wait for them to come from above. You can't do anything about them on your own.

Your claim that NT security is "better" than Unix security is, IMO, quite false. Look at the history - then tell me what you believe.

Re:Microsoft Good Security Habits

[Nathaniel]

After downloading it and using unzip to get the CheckList.htm file, I found that it's 62 pages long (lynx at 80x25, you do the math).

Too bad they can't be bothered to pick more secure default settings.

MEIN GOTT!

[Chas]

9:30 A.M. CDT

Poll: Do you trust Microsoft's Security?

• Yes: 715 votes (8%)
• No: 8738 votes (92%)

GAHH! Looks like all 835 of Microsoft's directors and managers weren't at work in the last couple days. (Blatant UserFriendly reference)


Chas - The one, the only.
THANK GOD!!!

Re:How much will they charge?

[Mr.+Objectivity]

If that has been your experience, then you didn't know how to utilize the resources that are presented to you as an MCSP from MS. Business down calls to their highest level support is FREE for MCSPs. Access to the knowledge base is FREE for EVERYONE. You get 5 or so support incidents to their premium level support for FREE. Bug fixes or problems because cost you NOTHING for their support. MS charges NOTHING for their current security website fixes.

Re:um, no -- Uh, yes. -- um, no

[Zico]

One of the trade mags had an article about Barnes and Noble recently. They are using Win2K internally and on the back end now, but not for their web site. The thinking being, if they ran into issues due the beta status of Win2K on the shipping side of things, they can take the time to sort the problem out. On the web site, however, they can't afford to run into any such slowdowns, because people expect to be able to place their orders immediately, and if they ran into a problem, might switch to another bookseller. This was especially relevant during the Christmas shopping season.

Cheers,
ZicoKnows@hotmail.com

Re:Microsoft and Security...

[Zico]

We're talking e-commerce here, not pages for family pets and innumberable "How to set up PPP under Linux" pages. NT is slaying Linux when it comes to e-commerce, even Netcraft's SSL statistics show this.

Cheers,
ZicoKnows@hotmail.com

Re:What do you all suggest Microsoft do then?

[sethg]

Based on my experiences this week, I have a couple of modest requests:

• When I use "Add/Remove Programs" to uninstall Microsoft Office from my C: drive, and then reinstall it on my E: drive, it should actually remove the "Microsoft Office" folder from my C: drive. At the very least, if I do this and then delete the "C:\Program Files\Microsoft Office" folder myself, running the Word program that's on my E: drive shouldn't give me an "Unable to locate DLL" error.
• When my colleagues have compiled a class library with version N of Microsoft's C++ compiler, and all I have is version N+1, I should be able to compile a program with my compiler that links to their class libraries.

ObSecurity: if they can't release software that handles these simple interactions with other software from the same company, how can they write an OS that protects users from malicious code written by outsiders?...
--
"But, Mulder, the new millennium doesn't begin until January 2001."

hrm. 15 people?

[jimmyphysics]

The fact that they've only put 15 people on fixing the gaping holes suggests that this is not in earnest. I mean, honestly... we're to believe that 15 people combing through thousands of lines of spaghetti logic visual basic code are going to be able to make W2k a secure OS??!? I would suggest that this is merely a way for them to say "look!! we're secure!!"

waiting on my OS/2 cds and Mandrake 7.. gotta nuke this win98 install.

jim

Equipping it, eh?

[mindstrm]

That's funny.. considering it already went gold!

Re:It's better than Win98, that's for one thing

[mindstrm]

Of course it has an 'NTish options'.. it *IS* NT.
It's NT 5.0, they just renamed it to Windows 2000. Remember.. it was *going* to be their new OS.. they were going to scrap the 9x line... but that's not gonna happen either...

Re:speed of response

[SEWilco]

There's a difference between having security bugs and having an insecure OS policy. Ever since the PC-AT (80286), MS-DOS has refused to use protective hardware and has insisted that major parts of the system (hardware and software) be available to every program. It made malicious programs trivial. I suppose then there were no security problems as there was no security. (But "Then" is still "Now" as MS Windows runs MS-DOS...as every virus checking program knows)

Re:What do you all suggest Microsoft do then?

[spectecjr]

I would also really like to see an intelligent attempt at command line completion. I recently discovered that NT's cmd.exe supports it, so I turned the feature on and tried it. I tried cd'ing into a directory but didn't give enough letters to make it unique, and it cd'd me into the first match. I was hoping it would give me a list like bash does, but nope, first match. Oh well...

Nice try, but that's not the behavior of the command line at all - it doesn't just "Cd you into the first match"... it shows you the first match, after which you can hit TAB again to show the next match, or hit SHIFT+TAB to show the previous one. Sheesh.

Simon

speed of response

[odaiwai]

The issue is not about finding bugs and security breaches but about fixing them quickly.

dave

(strangely tempted to shout first post, but resisting)

Re:speed of response

[odaiwai]

Done much programming?
Bugs creep in despite your best efforts. The best you can do is respond to reports quickly.

dave (not even going to comment on the claim that "we put it naked on the internet")

Re:speed of response

[TheCarp]

> Except for the fact that EVERY OS has these
> types of bugs - I find it funny that not only
> MS, but Solaris, all the flavors of *nix, etc,
> all have security flaws...It really DOES come
> down to fixing them.

It does and it doesn't. I think there are a
couple of issues here. YES, most programmers
make mistakes or fail to consider things and these
bugs DO creep in, even in the skilled code of the
best programmers.
(being a programmer, and NOT one of "the best" I
find it comforting to know they are human too)

It is a matter of learning from ones mistakes and
the mistakes of others, and thinking about
security.

You will not write secure code if you are not
writting it from a security consious mindset.
Every time your code takes input from a user, or
anything outside of your own code, then you must
be thinking to yourself "what if I get back what
im not expecting".

Its easy to make the mistake of allocating a
static bufffer thinking "no username will be
longer than X chars", and never think someone
might purposfully HOPE you assumed that.

Now...how does this relate to microsoft?

They are well known for having all night hacking
runs for days on end as it comes down to the
wire. When they see that release date aproaching,
its "balls to the wall" time to code like a
madman.

I do not think that that type of event is
condusive to writting a secure system. Its
allot easier to forgo bounds checking on every
little variable that came from userspace and
to take dangerous shortcuts as that clock ticks
away.

Of course, you are right, careful programming only
goes so far (however it *IS* the first step).
After that response is what matters. I think that
their response has shown to be pretty bad too.

They have earned a reputation for denying the
existance of problems and stalling. They have
made it difficult to find real information on
the security problems in their OS. (back when
I used windows...I found that every time I went
to their website looking for security patches etc
I found them increasingly hard to find every time)

-Steve

Other Issues?

[nazerim]

Well, security is one thing - everyone talks about security, however, we forget that the main threat to security is the human element. Passwords discarded in trashcans, to start off with. Disgruntled employees. One could make a whole list of these. Furthermore, any vendor which doesn't list security as a primary concern should be shot anyway.

Well done to MS, they're now looking at security. How about stability? I know for a fact that quite a few financial institutions use NT on the desktop, but have banned it from their servers. Or actively discouraged the use of it there. How about MS showing us definite proof of W2K's stability, as compared to, for example a Sun Enterprise server or SGI enterprise class server, or IBM, or HP etc etc etc.

The desktop user does tolerate BSOD's and the occasional reboot (once an hour is annoying, but provided you don't lose data, it's fine ...). However, let's look at the back-end for a change?

No

[/]

The stable kernel branch is not beta (it's release quality), and it's certainly more stable than most other software that gets pushed out the door by certain corporations. Most of the system apps you're running have had stable versions for years. Most of the non system apps you're running have had stable versions for years.

In conclusion: Linux is not an unstable beta product and is not one by definition. Just because there's always a development version getting kicked around at a furious pace (and immediately so after a stable version is declared so), doesn't speak to the contrary.

This be a marketing gimmick, folks

[vanth]

I guess everyone here in /. already knows that M$ does not hold a track record for providing bug free software. Their internal coding habits are also pretty atrocious and its credit to the programmers that they are producing stuff that are as stable (*cough*) as it is now.

Giving the source out to 70 external agencies is a
meaningless gesture. Is it going to be ALL of the code? or some of the code? or maybe just snippets here and there? And of course these agencies will
likely have to sign NDA's which will limit the exposure to the people who actually *can* help.

And for helping out, what do we get? Do we get a piece of the M$ pie? Stock mebbe?? I think NOT.

It's likely that M$ will charge for the source as well.. So us grubby non-M$ coders will have to like.. *PAY* to take a look at it.

All in all, its a lose-lose situation for anyone
involved in this goofy business..

Sheesh.

-vanth

Re:Amusing...

[Cy+Guy]

I'm assuming this also reveals their previous strategy for securing the operating system.

"Gosh, if they want security, I'm sure they'll just solve the problems themselves. No reason we should spend any of our monopoly supported profits on fixing the problems for them."

Re:Do any of you know what security is?

[Inoshiro]

A couple of points I'd like to make:

"NT uses security throughout the system on objects. It's then way more flexible to set security flags, without the necessity to open up the system because a certain daemon needs root access, for example."

1) Linux supports stuff like this via POSIX.1e, which allows you to flexibly drop what you don't need (super user wise). An example is ProFTPD, which has mod_linuxprivs. When it's used, ProFTPD loses all super user abilities, except for the binding to ports lower than 1024 one.
2) More complex does not mean better. During WWII, German artillery had 49 moving parts and could strike more accurately, whereas American artillery only had 9 movings parts -- it's only feature was it broke less :-) The K.I.S.S. principle applies doubly to security. Keeping track of more possible permutations of security aside, MS is not targetting this enchanced security model at people who understand it -- "Learn Windows NT in 21 Days" has become the rule of the day, which means it's wasted and (more often than not) leads to more problems than it solves.

"MS fixes security leaks within 24 hours most of the time. Arguing it takes ages to get a fix are therefor unfounded."

It doesn't take ages to get a fix.. It just takes ages for them to post it on their website. They do really have a long latency time between a patch, and a posted patch.

"IE holes are a problem, but who surfs the net on a production server. "

Except that IE is now integrated into many other applications that don't need it (I've tried NT 5, and I really hate the grey-child-like Notepad common dialogs which huge "My Network Friends" buttons, and webenabling).. When you take an insecure code base, and cram it everywhere to stop people from ripping it out, you compromise a lot more than your morals. Then you have the marketdroid angle -- NT 5 Work^H^H^H^H Professional (where's the non-professional?) is targetted at those people who like saying they're using the "professional" version. I betcha they surf the web lots.. Do you want your CEO to go and get BOed because of their workstation OS choice?

"MS provides a bulkload of security documents how to implement security on your servers."

I'll have to go with Theo (de Raadt) on this one, and say ship the default config secured -- don't document what you have to do after the fact. When you have to install 500 workstations with a secure setup, it doesn't pay to have to go to each one and click on the same frickin' security wizards, over and over. There are ways around this, but I don't know why they don't ship with more things turned off, or at least with a visible off switch. I received some funny emails from my IDS when NT 5's probing of port 445 ("microsoft-ds") on the Linux firewall set it off..

NT 5 is better, but the ideas behind it are a mishmash of idealistic engineering, hopeful marketting, and sadly failed implementation. As the users on Bugtraq said, "it's getting better [with things like run as alternate user], but it still has lots to catch up on compared to Unix."

---

Great, 128 bits and more unchecked buffers...

[AugstWest]

Encryption keys are great for security only if you can't compromise the system some other way.

MS has already released 2 security bulletins this week alone, and of course, these are publically known exploits.

They release fixes as quickly as they release bulletins, but anyone who installs a hotfix the day it is released is pretty much a masochistic guinea pig. I mean really, how does a service pack that totally borks WINSOCK get released?

He already said he was working for an MCSP

[Pfhreakaz0id]

..... subject says it all.

Ummm. Win2K isn't written in VB...

[Pfhreakaz0id]

It's C++

Re:Bugs are not the nature of software

[Dirtside]

That bugs are the result of human fallibility was implied by the statement. Software's nature comes from human hands; humans make mistakes; therefore software is buggy. I didn't think it needed to be said; I guess some people like everything spelled out for them. *shrug*

Bugs are not the nature of software

[jquiroga]

And the reason that there are so many bugs in the first place is because that is the nature of software. Any piece of code, even slightly complex, will probably be buggy until you take the time to debug it.

Sorry, but you are wrong. Bugs are not the nature of software, but a symptom of the nature of human beings.

Our software is faulty because we are fallible. And that's because our software development processes mostly suck. Is your software buggy? Your process was lousy, and your own fallibility got you.

I would like to ask every coder around here to read this great article, only to learn a little about what perfect software development takes, and how difficult it is to tame our own tendency to screw things up.

Of course it is possible to write perfect software, just eliminate the coders' ability to fail. Perfect software development is very non-human.

feedbacking bugs

[malkodan]

personnally i think that their 24/7 'bug line' wont really help as i know it. personnally i dont use windows 2000, and usually 70% of the people using it will be people that if you'll say bug near them they'll say "huh?!", and if it comes to submiting bugs, also if they've found a bug, and they know what is it, i doubt if they'll ever submit it. it's not the same with linux, when people are programmers and are aware of bugs and submit them as fast as they can. therefore, they're 'bug line' efficiency is in doubt.

security-stats: Microsoft vs. Open Source

[arnim]

the number of vulnaribilities which show up in securityfocus.com show that this is really necessary for MS to get back ANY reputation in security. the securityfocus-list shows 29 holes for microsofts IIS in the years 1998-1999. for apache there are two, both from 1996.

it's hard to use this list to compare linux vs. NT, because lots of the bugs listed for the operating systems are in add-ons and third-party products.

the nearest statistical comparison of openrating-system-security is on attritions web-defacement-counter. in the overall OS-count from august 1999 to present Win-NT is leading clearly with 55%, followed by linux with 19% and solaris with 13%. source: http://www.attrition.org/mirror/att rition/os.html

these total number of defacements should also take into account, that there are more webservers running on linux than on NT, as can be seen here.

open source brings a security-problem which is not as big in closed source: it's far easier to write trojans. but this risk is small compared to backdoors intentionally implemented by clodes-source software manufactures. a good example is the international version of lotus notes where the NSA knows 24bit of the 64bit-key.

Re:Microsoft and Security...

[autechre]

>We all know that the W2K machine that was "naked" on the internet had no problems at all. Nooo. Uh uh. And if they gave you that Administrator password, it'd be *fine*.

>The Win2K guys posted the Administrator password, what's your point?

His point is that the machine was NOT naked on the internet, it was behind a firewall. That test had nothing to do with cracking Win2K.

Perhaps you weren't paying attention, but the Linux box was compromised due to an insecure 3rd party CGI script. That is the fault of the administrator for using such a script, not the OS.

What do you know, Zico? I wonder...

Here are my suggestions:

[autechre]

1. Don't open-source the code. Some poor college students who love MS will waste hours poring over it, and their SO's will dump them.

2. Get rid of the required GUI. That's just asking for trouble, really. If people want the shiny happy face buttons, let them have them. But maybe if your OS overwrites the video drivers randomly, people should be able to at least boot their server to a useable state until they can comfortable fix it after-hours.

3. Actually do what they just said. Every week a new bug comes out in ActiveX. Every few weeks, an exploit comes out for NT or 9x. It always takes them a lot longer to fix it than the Linux or BSD people. Plus, when they found a bug in the Linux 3C59x driver, I hand-edited the file and fixed it myself. However, I DON'T want them to go OSS, as stated above.

4. Keep the "happy marketing" away from the server products. Servers are not named "My Computer". Servers have ugly names, so that crackers cannot guess them, unless you feel like putting up a script-kiddie magnet by naming it something like "exchange.getbent.com". I am not in a Network Neighborhood; I'm on a LAN. Blechh.

Re:um, no -- Uh, yes.

[Yardley]

According to Netcraft, Barnes and Noble is running IIS4., not IIS5

www.bn.com
is running Microsoft-IIS/4.0 on NT4 or Windows 98

www.barnesandnoble.com
is running Microsoft-IIS/4.0 on NT4 or Windows 98

This leads me to speculate that you do not have a source for your information.

Cargo Cult Security

[Anomalous+Canard]

Someone on one of the local newsgroups at my ISP spoke about "Cargo Cult Security" recently. The Cargo Cults were people who lived in remote areas of the Pacific who, seeing the wealth of the people who could call down the bright shiny airplanes, built replica airplanes and runways out of vines to entice the airplanes to visit them and give them wealth. Cargo Cult Security is installing software of following some second hand security recommendations without understanding why you are doing it. The biggest problem here is that when something breaks, you won't know how to fix it or even that it's broken. That is the biggest problem with Microsoft "security".
Anomalous: inconsistent with or deviating from what is usual, normal, or expected

MS Security is NOT the BIG problem

[l0ki]

Although NT's security model is easily vulnerable to a plethora of attacks, -As are all the Backoffice products, are they any more vulnerable than most other OS's? If you have the most secure OS in the world (I, know, NetBSD) and it is set up incorrectly and most importantly administered incorrectly, then you'll never achieve a level of security that is satisfactory. One _downfall_ of NT is it's useability. I know this is an advantage to many, but also it lets a NOVICE admin guy set up a server any time. If NT OR Linux, Or nearly any other OS is set up by some fool who clicks "next,next,next", you are not going to have the best performing or secure OS in the world. I will say that NT's defaults are some of the worst choices that could ever be made, but these are intended again - to produce an OS thats optimized out of the box - for an idiot. Do you think that "EVERYONE" Full Control is a great default permission? It Sucks. MS Has PLENTY of resources to fix this though. If your NT Server, BSD Server, or Linux Server is working like a sick horse- or being routinely cracked from the web, don't criticize MS or anyone else- RTFM, and then RTFM again. That box is there because someone made a choice to install it. They chose to install it and run whatever backoffice application that your now concerned with. I've worked with NT, Linux, FreeBSD, OS2, BeOS, and many others for as many years as I can remember. If the admin on any of these is lazy in his/her auditing and PRO-active security measures, then the OS is vulnerable. New cracks WILL be found- Its evolution. People with more time on their hands than me spend it finding them. WHEN the company fixes the holes - the Admin has to apply the fix.... Any way- NT is optimized for a half-wit out of the box. If you leave it so, then its your choice. MS neads quicker response time, but SO do most network administrators. Check out http://www.ntsecurity.net http://www.ntfaq.com RTFM. Regards, L0ki

Re:Microsoft and Security...

[edunbar93]

Ooo, 128-bit encryption, that's 16 whole BYTES. No one will ever break that...

Hmm. But exactly _what_ is being encrypted? Your passwords? (does it matter how strong this encryption is, when there's 1000 backdoors waiting to be discovered?) Your network connection? Or just your browser? Do they even say? Does it really matter? Knowing how secure Microsoft OS's have been historically, this sounds like putting a strong deadbolt into a flimsy wood-panel door that's really only suitable for indoor doors.

And here's an even better question: can you export this encryption? (The French just might not care anyway, if it's the only strong link in a weak chain.) Another is to ask whether the filesystem has any security whatsoever, besides "are you sure you want to delete everything in this directory?" Of course, filesystem security doesn't mean jack when you can do whatever you want from the outside anyway.
---
I can't wait for proper speech-recognition.

Re:What do you all suggest Microsoft do then?

[edunbar93]

Actually, if they open sourced the OS, or if they completely redesigned it so that I don't have to reboot it so bloody often, I would cheer them on. I've been begging for _years_ for Microsoft to _please_ make an operating system that wasn't able to suck a golf ball through a garden hose. The last thing I want to do is spend such a large percentage of the time I spend fixing computer problems by waiting for the bloody OS to reboot. 18 times in one session. (okay, I exagerate about the 18 times... more like only 9)

It wouldn't be so bad if we've got a "standard" operating system (alright, dominant/monopoly) that actually works very very well.

Things I would LOVE to see Microsoft do in Windows are proper process control - including being able to kill a process NOW, because _I_ think it's safe, rather than letting whatever program has gone zombie decide if it's safe or not, before finally letting the operating system say "okay, it's dead now. Should I kill it?" after about 45 seconds. The applications that most people use to create documents with already have some sort of functionality to automatically save your work every couple of minutes, just in case things go bad. (why? Because everything is so damn unstable...) The process control Windows has now doesn't help this problem any, because once a program has gone south, 99% of the time there is No Going Back to save your files anyway. Included in "proper process control" are things like telling any process to re-read its configuration file, which you just changed, and to do it without rebooting the whole OS. I hear they've managed this with W2K, but I'm skeptical.

I'd also like to see some decent Protected Memory designed into the OS. I understand that they might have gotten it sort of right this time with W2k, with its much-hailed stability.

And for the love of god, design the filesystem so that you don't _have_ to defrag the drive! It takes long enough to do on a 2 gig drive, let alone the 20 gigs that are typically in new computers.

Another neat functionality that any unix user would really appreciate, is a checkbox somewhere, maybe even hidden deep in the GUI away from clueless eyes, saying "No, I'm not an idiot. You can stop asking me if I'm really sure I wanna do that. (I hereby declare that if I screw up, it's my own damn fault, and I won't sue Microsoft.)"

If Microsoft can do all of these things, that would make me very happy to use Windows. I still won't like Microsoft, because they're Completely Evil(TM), (It's true! Isn't that what the CE in Windows CE means? ;) but at least I won't hate them for making Billions of dollars each year off of something that completely sucks and everyone would love to be without.
---
I can't wait for proper speech-recognition.

What do you all suggest Microsoft do then?

No matter WHAT they do, they're going to be raked over the coals here.

If they hire 1000 people to do nothing but track down bugs and security problems, you people will say it's not enough.

If they totally open-source Win2000 and give away everything, including the source code....you people will say "oh, they're just trying to jump on the Open Source bandwagon...it's all hype".

If they say: "ok, we give up...we're getting out of the OS business"...you people will THEN yell at them for being quiters.

So what I want to know is this....WHAT do you want Microsoft to do?

Re:What do you all suggest Microsoft do then?

[weave]

So what I want to know is this....WHAT do you want Microsoft to do?

For starters, I'd love for reality to live up their hype. Example:

I needed to deploy dozens of computers running web browsers in a college library. These computers need to be fairly locked down.

I downloaded the IEAK (IE admin Kit) *and* bought their IE admin book too. 75% of the book was marketing hype talking about all these great things you could do with the kit, including being able to change customizations through policies, etc...

Great! So I spent two weeks just trying to get it to work. The docs on how actual policy restrictions work and what they do amounted to TWO PAGES. I was forced to experiment.

But then I learned some harsh lessons. First, to get customizations and restrictions to actually apply to a NT user logon, the RunOnce key must be r/w to the user. Yes, that's correct. Even though numerous Microsoft KBs say to *not* make RunOnce r/w to users due to security problems, to make IE restrictions kick in, it must be because rundll32 for some reason wants it that way.

Then the Custom directory must be r/w and all files in it r/w so customizations can be downloaded from a web server and applied to the machine.

Even with all that, all customizations wouldn't work right. Bottom line, the only way to get the browser customizations to work as advertised was to give the logon account ADMINISTRATOR PRIVS.

Then there were other hassles, like the fact that unless your web server MIME types .ins to be application/x-internet-startup, the customization file won't apply (not documented because that's the default in IIS I guess).

So I use and support Microsoft products constantly. All I want, all I really want from Microsoft, is to live up to the hype because these days whenever I read about nifty new features of their software and OSes, I just can't believe a word of it. :-(

Re:And what about Linux's security....

Rather than making fun of Microsoft for its own failings in the security realm, GNU/Linux users and developers could better spend their time improving the security of their OS of choice.

I disagree. Different people have different skill-sets. If you are an 31337 crypto expert, by all means work on the security, however, if time pressures or a "real" job or plain lack of talent (in my case) or whatever prevent you from contributing actual code base, you can still make a difference to the progress of the open-source steamroller by exposing Micro$haft to ridicule wherever their marketing-driven FUD rears its ugly head. Remember that the mis-perception of a platform's security is in itself, a security flaw.

The poster of the self-extracting .exe link made a valuable contribution. Remember, in marketing perception not reality is everything.

After reading that link, my perception of Microsoft's commitment to security was that it is non-existant.

um, no

[Matt+Lee]

I'm no expert on win2k security, but I do notice the addition of Kerberos 5, which was not in NT4. Kerberos 5 is not a "minor change".

And what is the "overall picture" you're speaking of? Sounds kinda vague.

I'd like to think that IIS5 is more secure than IIS4; if not, expect to see Barnes and Noble go down some, since they've been running win2k for months now on their servers.

Re:And what about Linux's security....

[maynard]

Lest the Slashdot community get too holier-than-thou when it comes to security, let us remember that GNU/Linux has had its share of security problems over the years.

VMS has had it's share of security problems too. So what? A more interesting metric is not whether an OS, or any underlying apps, present security holes, but how quickly they are fixed. See this Securityportal cover story for a comparison of time from announcement to vendor fix between Redhat Linux, Windows NT, and Sun Solaris (see, I can add gratuitous links as well!) I note that Redhat Linux won hands down in this competition, and that's only security updates from a vendor supplied source! I don't know about you, but when I hear about a serious security hole in lpd (for example), I don't wait around for Redhat to go recompile the fix. However, the Securityportal article makes a reasonable assumption that most small to medium sized businesses would probably rely on vendor supplied fixes rather than trying to find a hot Linux guru to compile up to the minute security fixes.

Now, of course, GNU/Linux developers are generally faster than Microsoft when it comes to fixing security holes and they don't, as a rule, engage in the same coverups and spin control as the Microsoft's PR flaks, but the question remains, why are there so many bugs in the first place?

DUH. Because C doesn't bounds check during compilation or run time. That's just ONE reason. Look, I'm no security "expert", but if you're uptight about security, and don't consider yourself competent at securing your own code, then either hire a professional to go through your C code with a fine tooth comb, or write it in some interpreted language like perl, LISP, Scheme, Python (whatever) and let the LANG developers deal with security.

Not that this will make your application any more secure, but it will pass the buck to the likes of Larry.

Other open source operating systems, such as FreeBSD, NetBSD and OpenBSD have had security problems, but not in such numbers as the various GNU/Linux distributions.

This is bogus. And I run OpenBSD, the BSD distribution tailored for security, on my cablemodem gateway and consider it an excellent secure distribution out of the box (CD). But, so what? Can you give me ANY specific examples of userspace application security holes present in Linux that were not present in BSD? Hell, most of the networking kernel holes seemed ubiquitous across just about every OS and networking stack, BSD sockets and streams based.

On the kernel side I seem to remember that both BSD and Linux (and NT!) were vulnerable to the Ping of Death, various Tear Drop attacks and fragmented TCP attacks, and those lovely smurf DOS attacks. Don't see a significant difference here... both the BSD's and Linux kernel groups figured the problems out and posted solutions in record time, while the commercial vendors picked their butts and didn't post fixes for their products I might add.

On the userspace side of things, this is managed project by project. Since much our application software is ported between the BSDs, Linux, and most any other commercial UNIX, there's little difference. A bug in one version of lpd on Linux is almost surely the same bug on BSD

Rather than making fun of Microsoft for its own failings in the security realm, GNU/Linux users and developers could better spend their time improving the security of their OS of choice.

There. Now you said something rational.

Marketing makes Convenience overrule Security

[Shirotae]

For all the things Microsoft say they will do, and which should have been done before, they just don't have the necessary level of paranoia guiding the design.

I haven't tried Win2000 yet, but under NT4 if you can gain access to the PC I use, and you can steal my NT domain password then you can use my digital identity. I selected high security when installing it in browser and mailer, but those applications can just use my private key without so much as a dialog to warn me. It is as if they had decided that dialling in the combination of the safe is too inconvenient so they provide a robot that will do it for anyone who can walk into my office.

There needs to be a fundamental change of attitude, not just some fixing of holes (although that is necessary).

Re:And what about Linux's security....

[vectro]

Linux and the BSDs (especially OpenBSD) have a poor (ie., all-or-nothing) security model which is very well-implemented.

Windows NT, on the other hand, has a really good security model but the implementation sucks.

Such a pledge, of course...

[Dirtside]

...indicates that Microsoft did not have any kind of commitment to providing good security for their previous operating systems.

(/me waits for howls of laughter from Slashdot)

I agree. Surprised? :)

[autechre]

I am a big fan of accuracy, and so I think that people should probably all use "Linux" when talking about the kernel, and "GNU/Linux" when talking about the system commonly known as "Linux". But that's not going to happen...heck, _I_ don't even follow it :)

However, where can the line be drawn? Do you look at the security of Sendmail and say hey, that counts as Linux? Well, no...Sendmail is run on lots of platforms all over the place. Do you look at a hideous malformation like rdist? Not really...I don't even think that's GNU. X Windows? Not GNU, either.

What, then, is left of Linux? In my mind, Debian shows it best. If you install from floppy disks, you have your basic UNIX system, about 30MB of software. Tar, gzip, more, ftp, telnet--all the collectable charachters! THIS is Linux. Though even then, tcpwrappers is included, which is not Linux-specific...

Of course, the reason that I agree with you is that no one could use that system. OpenSSH or SSH would go first, and then Apache, Sendmail, etc. depending on the function...but, I could just as easily use AOLserver, zeuss, zmailer, qmail, etc. as those 2. That's why it's hard to nail apps to Linux...sure, there are ones that MOST people use, but there are no real DEFAULTS. With Linux, you get to pick from several GNU alternatives, each interesting in its own way. With NT, you get One Microsoft Way...not fuzzy at all. But not my style, either.

And, it is too bad about the zealots. My machine _is_ dual boot, and I know my TNT is faster under '98...but I haven't booted '98 in months, since I got the PSX...

Do any of you know what security is?

[Otis_INF]

Ok, I read the standard replies on any MS related article, filtered them down. Then I read some postings with the most stunning remarks ever:
NT's security is NOTHING like you'll find on linux or any other unix or similar. Whohoa. On what kind of fact is this based?? On the fact Unix's security is based on 1 superuser which is needed for all daemons? on userrights instead of object rights?

To me it sounds like people who rate NT's security as 'lame and nowhere the level of security on Unix is' really don't have a clue about how NT's security works.

Let me sum up a small list of items, related to the topic. This is not ment for a flamebate, but to let unixpeople learn it's not windows 9x we're talking about, but NT/windows2000.

• NT is in the US/Canada area already 128bit for years. Windows 2000 will be using 128bit security worldwide.
• NT 3.x and 4.x uses the weak NTLM protocol. It could be tough to break but in areas outside US/Canada, the encryptionkey was too short to hold long. Windows2000 will use Kerberos strong encryption, which is an industry standard. Poking at MS that their encryption is weak (especially in their upcoming product) is without ground, because Kerberos is a proven secure technology.
• NT uses security throughout the system on objects. It's then way more flexible to set security flags, without the necessity to open up the system because a certain daemon needs root access, for example.
• MS fixes security leaks within 24 hours most of the time. Arguing it takes ages to get a fix are therefor unfounded.
• In the past year, there were some minor security glitches in NT itself. The security bugs in IIS are due to leaks in modules that IIS uses, not IIS itself, like the idq.dll module for old style indexserver queries. Today you don't need these modules. Still, unskilled administrators install the basic set. Like unskilled administrators will with RedHat 6.x on their hands. That's why there are idiotproof docs to guide these (majority, unfortunately) people. :)
• IE holes are a problem, but who surfs the net on a production server.
• MS provides a bulkload of security documents how to implement security on your servers. These are perhaps silly for die hard techies ("Duh! don't install the examples!!"), but MOST of the system administrators, ALSO on unix, are not people with 10 to 12 years of experience with administrating servers. Don't forget that. Most sites which are hacked are setup by not well skilled people. Pointing at the OS is silly. No-one says unix is unsave because sendmail is crap. the administrator should be aware that the sendmail on his system is likely an older version than available today.
• Which brings the last and most important subject to the surface: if you don't follow the security sites, if you don't apply patches REGULARLY!, if you don't know what to close and what to remove from the system to keep/make it secure, and most important: if you DON'T let a 3rd party, specialized in security, scan your systems for leaks, your system won't BE secure, no matter what kind of OS you have. Admitted: some OS-es have LESS open doors than others, but NO OS has NONE closed doors. Don't forget that.

NT 4 was a wise lesson for MS. They have it on track now, but it has been a long road. It's nowhere near the end, there are still areas for improvement, but these are there too in other OS-es, like Linux or *BSD. Being aware of the weaknesses of your own system is a Good Thing (tm). You can then secure it more. Blinding yourself with talk that only MS makes insecure stuff is silly. Ask all those Solaris administrators currently suffering the DoS worms :-/

Bashing the FUTURE without knowing what it will bring (have you all used Win2K server??? have you tested the security???) with the facts of old material from the past is not fair. If you turn around the roles and people will bash Linux using the hundreds of holes in all the distributions which were found in the last 2 years and say: "linux is not secure... because of all those leaks in it in the past years." is that fair? I'm pretty sure you'll say: "No!". :)

And what about Linux's security....

Lest the Slashdot community get too holier-than-thou when it comes to security, let us remember that GNU/Linux has had its share of security problems over the years.

Now, of course, GNU/Linux developers are generally faster than Microsoft when it comes to fixing security holes and they don't, as a rule, engage in the same coverups and spin control as the Microsoft's PR flaks, but the question remains, why are there so many bugs in the first place?

Other open source operating systems, such as FreeBSD, NetBSD and OpenBSD have had security problems, but not in such numbers as the various GNU/Linux distributions.

Rather than making fun of Microsoft for its own failings in the security realm, GNU/Linux users and developers could better spend their time improving the security of their OS of choice.

Re:And what about Linux's security....

[Dirtside]

For one thing, a lot more people are working on GNU/Linux than on the BSDs combined. This will obviously find more bugs.

For another thing, the OpenBSD guys (for example) spent six months doing *NOTHING BUT SECURITY AUDITING*. This means they pretty much found every bug in the existing code. However any new code they add will be subject to just as many bugs as any other code.

For a third thing, because there are so many more people working on GNU/Linux stuff, there's more code being created, and thus more bugs.

And the reason that there are so many bugs in the first place is because that is the nature of software. Any piece of code, even slightly complex, will probably be buggy until you take the time to debug it. How many bugs do you think there are in Windows NT that haven't been found?

Furthmore, GNU/Linux users would gladly spend 100% of their time improving GNU/Linux, if that were possible -- unfortunately their brains would fry; they need sleep, food, time to relax (not having to think), and time to commit FUD against Microsoft. Not that MS doesn't deserve it.

And I didn't see any posts being holier-than-thou; they were all being funnier-than-thou.

Microsoft and Security...

[pb]

Ooo, 128-bit encryption, that's 16 whole BYTES. No one will ever break that...

We all know that the W2K machine that was "naked" on the internet had no problems at all. Nooo. Uh uh. And if they gave you that Administrator password, it'd be *fine*. (Compare to the linux box. um... no, no comparison.)

What are they going to do to enhance security, stop selling Office? Those pesky macros, always making my paperclip sick...

But seriously, folks, now that Microsoft released this to the press, that they're really *really* serious about it this time, and they're going to be extra-nice by charging us more for this week's upgrade, don't you think we should let them play with the big boys yet?

Nah, I didn't think so either.

Sure, it's easy to criticise Microsoft. Because it's so much fun. And historically accurate. I mean, if they wanted to try to do better now, they'd have to issue a formal apology to anyone who ever had to suffer through an unpatched Windows bug. Whoops, I think that's everyone!
</CHEAP SHOT>
---
pb Reply or e-mail; don't vaguely moderate.

Amusing...

[RPoet]

We can't just trust the end-user to solve these problems themselves," Valentine said.

I think that's pretty obvious when they don't open source the OS! :)

Quick Debunking...

[Noryungi]

This marketroid piece was so full of holes it's not even funny anymore...

Microsoft has made a comprehensive effort to build Windows 2000 with security in mind, including having a staff of 15 people study the code for breaches, denials of service, and bugs.


15 people to review... What was it? 30 MILLION lines of code? And what was the qualification of these people? Script Kiddies??

A preliminary version of the product also was put on the Internet to enable users to look for security breaches, Valentine said. Within two weeks, four denials of service bugs were found, but no breaches were discovered, he said.


As Dr Evil would say: "Riiiiiiight"... Within two weeks, the NT2K server crashed so many times they decided to put it off-line. I'll let you, gentle reader, decide for yourself what that means...

Source code also was delivered to 70 agencies and universities around the world for their perusal.

*Yawn* Which Universities? Which Agencies? (Mindcraft???!!!) Names, references, Web site? Results of aforementioned "perusal"? Are these results published anywhere? (Probably not...) Were the "agencies" able to modify the source code?

As someone else said: "Microsoft is not an answer. Microsoft is a question. The answer is: No".

Read my lips Microsoft: Open-Source is going to bury you alive. Commodification of hardware, commodification of OS is the end of Bill's Evil Empire. The penguin and the demon will dance on your graves... (insert Dr Evil most sinister laughter here)

Microsoft Good Security Habits

[pb]

This is too funny - check out what Microsoft recommends for you to do, to see the IIS 4.0 Security checklist.

It's good to see that they're giving us those safety tips already.

This is off of http://www.microsoft.com/security/ - the link is in the article too, but it's broken.
---
pb Reply or e-mail; don't vaguely moderate.

How much will they charge?

[Runna^Muck]

Included in Microsoft's plans are 24-hours-per-day, seven-days-a-week security hot lines, consultations, and collaboration with other vendors on security issues, Valentine said.

I used to work for a Microsoft Solution Provider, whose job it was to sell and support Microsoft products. And yet they have several different levels of support which they charged us for. We actually had to pay for "Premium" support to get access to information, knowledge base articles etc that would help us fix or workaround a problem one of our clients had with their products. In other words, they were denying us access to information, fixes, known problems, incompatabilities, etc. that would help us do our job supporting THEM and THEIR software unless we paid them. And we were an "Official" Microsoft Solution Provider!!

Some anecdote

[ceeam]

Microsoft, security, commitment, 128-bit encryption....

I've read this yesterday:
There was a kangaroo in one zoo. And every day it somehow been managing escaping from its cell. Then the zoo has built higher fencing around it. But kangaroo escaped once again. Then the zoo has built a 20 feet high fence. Once again - kangaroo escaped. A neighbour hippo chatting with our hero:
H: Well, how high you think they'll build it?
K: Don't know, 100 feet maybe. But really - they should've start locking my cell door first.

Morale: No zillion bits encryption will help M$ as long as their "NT security guide" is dedicated to selecting proper chains to attach servers to the room walls.

do you trust any internet security...

[Chilles]

Asking several interesting poll questions to the average cnn reading user:

Do you trust linux security?
Average users thoughts: "hmm that's internet isn't it? that must be insecure"
result:
yes : 25%
no : 75%

Do you trust *BSD?
"huh, *BSD? that must be something I don't know
result:
yes : 5%
no : 95%

Do you hand a waiter you don't know your credit card to pay the bill?
"what would they mean by that? why not?"
result:
yes : 95%
no : 5%


Again I feel forced to criticize this "poll". Ppeople don't trust internet.. why? no reason really.
They trust the mailman with postcards but they don't trust a server with their boring e-mail message.
They trust waiters in tiny restaurants in the most corrupt nations in the world with their credit card yet they have doubts about using that card in a way that actually transmits their number/expiry date encrypted.

So what do we learn from this poll?
Well, the only thing I learn is that people don't want to do or use stuff for irrational reasons until told by those people who are least knowledgable about said stuff (their neighbours-brothers- second cousin) that doing/using it is ok.

The internet is just as secure as any shopping street, but you need a college level education to be a pickpocket.

It's better than Win98, that's for one thing

[Oscarfish]

I've been using it for a while now (build 2195 final) and I like the NT'ish multiuser, administration, and security options. It's not a "perfect" Windows, by any means, and I don't think it will have such a hold on desktop PCs as Win 98 did, but for NT users craving for more (plug and play is FINALLY here!) and those brave Win 98 people looking for a little more control, it's a good solution.

I know I don't have to say it, but the security is nothing like what you'd find in Linux (or any UNIX that comes to mind). The Win 2000 "Administrator" account has nothing on root :)

Thumbs up to Microsoft for (at least) making a decent effort at a flexible, easy to use, and relatively secure operating system (to say it bluntly, "as good as Windows will be for a long while").

Build 2195 has also made some great strides from the bugged menus and SMP slipups of the early betas (you might remember even RC1 had some serious pitfalls). As much as I may hate to admit it, Microsoft did its homework on this one.

Win 2000, although perhaps not the Ultimate answer to Linux, is IMHO better in most aspects than NT. It's going on my first personal box for the time being (Red Hat 6.1 on the other) - and also on my webcam server until there's decent USB support in Linux.