Slashdot Mirror


BugTraq's Elias Levy Talks Security

LiquidPC writes: "UnderLinux.com.br has an interview with the BugTraq moderator, Elias Levy or Aleph1. Questions ranging from what he thinks of 'Hacking Exposed' to whether BSD is more secure than Linux. Kind of short, but interesting nonetheless." He notes the interesting difference between the approaches to security taken by FreeBSD (which he praises) and Linux -- lots of projects vs. a single unified one, and emphasizes that security is ongoing, not defeating any single problem.


  1. OpenBSD, not FreeBSD by X-ViRGE · · Score: 5, Informative

    Um, just FYI, he said OpenBSD, not FreeBSD. I think most people would agree about the security of OpenBSD.

  2. FreeBSD != OpenBSD. by mattdm · · Score: 2

    Geez.

    And he doesn't really "praise" anything, although his comments are interesting.

  3. security by Lumpy · · Score: 3, Informative

    It's very true, anything can be secured including windows NT/200/xp/zp/ww3p it just takes more time and more money to do it than BSD or linux. But many companies take the stance of hiring a security consultant, gets an audit, fixes what's wrong and then believes that they've done what was needed and that they are secure now. They never think, or don't want to think that security is a moving target that requires full-time attention and trained people to take care of it. Send your IS/IT staff to security training and seminars, keep the staff trained.

    Unfortunately in today's economic world, those programs and positions will be among the first to be cut by the CEOs.

    --
    Do not look at laser with remaining good eye.
    1. Re:security by mindstrm · · Score: 4, Interesting

      I don't even buy that it's 'easier' to secure BSD.

      It may take a few less keystrokes out of the box, on any particular version, but that's where it ends.

      Running *real* live systems, it takes the same amount of diligence and effort to keep them secured. You have to be aware of each new application you install, and how it impacts your security. It's no different on any OS.

      Win2k is not hard to secure; neither is any other MS system.

    2. Re:security by Simon+Brooke · · Score: 3, Insightful
      Win2k is not hard to secure; neither is any other MS system

      [simon@beesianum simon]$ cat /var/log/httpd/*access* | grep msadc | wc -l
      133

      Not bad for a worm that's been live for less than seven hours, and attacks an operating system that's 'easy to secure'.

      --
      I'm old enough to remember when discussions on Slashdot were well informed.
    3. Re:security by Anonymous Coward · · Score: 2, Informative

      I disagree. Win2K is hard to secure because Microsoft's policy regarding security is to release a patch once a vulnerability is identified. Furthermore, a multitude of services are enabled per default, and in a sea of product updates, it can be difficult, if not impossible, to determine which update applies to the system at hand.

      Contrast this with OpenBSD. Their approach is much more pro-active. Regular code audits lead to a more secure codebase. However, if something slips through the cracks, a patch is released. Since OpenBSD is "secure by default" it is a simple matter to determine if the patch applies to your system, because the administrator must enable services as the need arises.

      Both systems can be secured, certainly, but Microsoft's security policy is shit, so I'd rather not have to try and secure a windows box when there are better options available.

    4. Re:security by Error27 · · Score: 2

      >>Win2k is not hard to secure; neither is any other MS system.

      Well, actually Windows 98 is pretty difficult to secure.

      In particular, I would point out the large number of local root exploits.

    5. Re:security by MeowMeow+Jones · · Score: 3, Informative

      The worm might be new, but the patch for the exploit in question was released in October 2000. Here are some links that are of interest:

      http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp

      http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp

      --

      Trolls throughout history:
      Jonathan Swift

    6. Re:security by coolgeek · · Score: 5, Informative
      the patch for the exploit in question was released in October 2000

      I don't want to harsh on you too roughly. Blaming the end user for not patching their systems is a bit like a programmer blaming a user for pressing that wrong key at that wrong time that crashes said programmer's code. They are innocent and ignorant. Insisting that they become clued about administering their computers is analogous to saying all motorists should be semi-proficient mechanics before climbing behind the wheel. It's just not practical, and it ain't never gonna happen.

      Microsoft sure seems to have money to spend when it comes to sicking the BSA on its paying customers, or lobbying various public officials to look the other way while they break the law, yet seems to have $0 when it comes to educating the masses about the flaws in its products. Why not some full-page ads and television spots: "We're sorry we made a boo-boo. Please visit windowsupdate.microsoft.com to repair your Windows installation, and help keep The Internet safe for all of us." (and I have my doubts about whether that plugs these leaks) How about just putting some "Free MSN and Windows Repair CDs" next to the free AOL CDs you see everywhere. Instead, Microsoft seems to be quite content to allow the rest of us to pick up the tab for their follies in the form of lost productivity, upstream bandwidth fees, law enforcement investigations, etc. I would speak to their possible motives as to why they might want us all to waste our time and money, but I've sworn off the flamebait for a while.

      --

      cat /dev/null >sig
    7. Re:security by Webmonger · · Score: 2

      MS DOS is easy to secure? What are you smoking? And can I have some?

      Sure MS DOS isn't subject to worms or IP spoofing, but that's 'cause it doesn't ship with an IP stack. You may be amazed to hear that my toaster is also secure from Internet attacks! And these days, my toaster is more useful than MS DOS. The hot, buttery toast I'm chewing is testament to that. Why, the last time I saw the DOS command prompt was when I installed Windows 98.

      What about Windows 3.1, 95, 98 or ME? They didn't have a very firm grasp on the notion of multiple users. Anyone could read anyone else's files, for crying out loud! That's not secure, that's Swiss cheese. My apologies to the Swiss. I like that cheese.

      I've never touched Windows CE. I hear it sucks less now, which is good. I wonder how many IPAQs it would take to run a medium-sized web site? How many would it take to weather the Slashdot effect?

      Windows NT, I grant, is far more secure than any MS System. But I shouldn't really mention NT and 2000 separately, since I lumped 95 in the same pile as ME. Even Windows 2000 has a nasty habit of lying to you about certain file extensions. It can also hide files and directories from the administrator.

      As for other products, well-- When you say "system", you must mean operating system, 'cause we can't go around comparing Linux to Microsoft Word. That would be silly.

      Shall we compare Word and Outlook to VI and Mutt?

    8. Re:security by heybrakywacky · · Score: 2, Interesting
      Come on! Look, I'll be the first to admit that Microsoft could do a better job with many aspects of the securing of their operating systems (like other people have mentioned, things like not turning on every last service under the sun by default, that kind of thing).


      But as for your argument, windowsupdate.microsoft.com is about the easiest method I've come across for any operating system to keep your system up to date. I do hold the end user responsible for that reason, because in the age of the internet and high-speed home connections, as a user, you have an elevated responsibility over days past to keep your systems secure. It's simply a fact of life.


      Every OS has holes. Linux, BSD, Solaris, Win[92XM]*, they all have 'em. Very few operating systems are designed and implemented with security as a top priority. In addition, MS OSes enjoy the massive user base and visibility, not to mention the low entry-level of computer knowledge, of no other OS, which means they're going to be more vulnerable, to some extent.


      But it's definitely not rocket science to keep your MS OS patched. They make it really easy. Could they be more visible about it? Perhaps. Could everyone else? Just as arguably, yes. Does anyone else out there have better visibility for security issues/updates for their OS? With very few exceptions, I'd say no.

      --
      I'm sorry sandwich! --Brak
    9. Re:security by Tony-A · · Score: 2, Informative

      I'd say yes.

      Try redhat.com/errata
      In addition to links to Errata for 7.1 going back to 4.0,
      Notable Security Exploits

      Red Hat Linux users who have applied all Red Hat security updates are usually not vulnerable to worms and other security exploits. Click on the links below to read about each recent exploit and what you can do to prevent being affected.
      The Adore Worm
      Discovered April 3, 2001
      The Lion Worm
      Discovered March 23, 2001
      Bind Exploit
      Discovered January 29, 2001
      The Ramen Noodle Worm
      Discovered January, 2001

      http://openbsd.com/errata.html
      even better organized

      http://www.freebsd.org/releases/4.3R/errata.html

    10. Re:security by snake_dad · · Score: 2

      In particular, I would point out the large number of local root exploits.

      Like, pressing ESC at the login prompt? :->

      --
      karma capped .sig seeking available Slashdot poster for long-term relationship.
    11. Re:security by budgenator · · Score: 2
      That's the problem, it's turned on by default, most users of MS systems don't have a clue what's going on in their machine, therefore no due diligence is involved. My site server logs were showing codeRed probes as lately as 9/10/01. There is so much flying around on the web today that no one can keep on top of it all.

      Come on people, you have to get out and contact those "six pack Joe computer users", you know, your non-geek friends, and start to teach 'em a little bit about security. It's the simple stuff they need, like running anti-virus, running a firewall, downloading updates from MS or wherever and simple email security. The internet is much more a community than ever before; when one gets sick they either need to be quarantined or cured, period. All of the silly stuff flying around makes it harder to see the dangerous stuff.

      Someone needs to write an MS version of top so it's easy for average people to see what their machines are doing. Maybe that way Joe might notice that he has 100 threads of codeRed trying to run in 32K of memory, and an easy way to do something about it.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    12. Re:security by Sloppy · · Score: 2

      Insisting that they become clued about administering their computers is analogous to saying all motorists should be semi-proficient mechanics before climbing behind the wheel.

      A motorist does know that periodic oil changes are needed, even if they don't know how to change the oil themselves. Everyone who has a car, either changes their own oil, or has someone else (e.g. a pro) do it for them. If they put their head in the sand and just assume that the car will work forever w/out needing maintenance, then they are destined for disappointment.

      MS Windows and IIS are no different. There have been repeated incidents and stories in the news for years about this stuff. Anyone who buys them without the expectation that they're going to have to spend some time on maintenance (or hire someone) is denying reality.

      I'm not saying this is a desirable situation; it isn't. But the buyer knew about it before he signed the check. He knew what he was getting into and he decided to proceed anyway. That's not a Microsoft victim, that's a self victim, or maybe a gambler at best.

      Microsoft seems to be quite content to allow the rest of us to pick up the tab for their follies

      Users are apparently content to pick up that tab too; all they have to do is Just Say No. Microsoft's attitude will change after users' attitudes change.

      Just Say No. It solves most of life's problems.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    13. Re:security by coolgeek · · Score: 2

      I would cast the analogy between fueling and oiling one's car to proper file management, labelling floppies/cds and making backups. Patching the system, to me, is more analogous to changing spark plugs, etc. which most motorists don't know how or simply won't do themselves. As with spark plugs too, a mistake during installation can go unnoticed, and creating new drains on resources.

      --

      cat /dev/null >sig
    14. Re:security by coolgeek · · Score: 2
      windowsupdate is very easy to use, I am not arguing that. My points are:

      1) M$ really lags when it comes to posting security updates on windowsupdate
      2) The unwashed masses of computer users are unaware that windowsupdate exists.
      3) windowsupdate is really practical only for people that have bandwidth. Most people still use 56K or less. (At least that's what they are saying)

      When it comes to applying security patches, and one wishes to do so in a timely fashion, I do not consider it trivial. All those Qxxxxxx.exe files one needs to download from the M$ Security Center, and the Rube Goldberg add-ons that are needed to apply more than one Qxxxxxx.exe per reboot are not "easy to use", especially not for an end user. Personally, I find it easier to download new kernels and Apache source and recompiling from scratch to maintain the Linux boxes than running the Qxxxxxx.exe files from M$.

      You make a good point about their relative visibility compared to other OSs. I argue due to M$ monopolistic market share, especially in the workstation market, they have an implied duty to do far more than other OS vendors to make this stuff available.

      --

      cat /dev/null >sig
    15. Re:security by mindstrm · · Score: 2

      I'm sorry, but from a realistic point of view, the fact that Windows ships with some services that need to be disabled does not equate to being 'hard to secure'.

      A simple procedure applied to new systems fixes it up quickly.

      Unix systems have traditionally been no different. Certainly, the openbsd distribution ships with nothing enabled. Fine.... but in the hands of someone unskilled, it becomes just as unsecure as anything else if they start enabling services they need without the proper diligence.

      I don't dispute that OpenBSD, indeed, most of the free unixes are basically secure out of the box, where windows & IIS and stuff are not.. but that does not mean they are 'hard to secure', it just means you have to actually take some measures to secure it.

    16. Re:security by mindstrm · · Score: 2

      Nope! I'm sorry.. The unix world is no different. You have to update your code when patches become available as vulnerabilities are discovered. The exact same argument would apply.

      Having an unpatched system months later.. fair enough you say it might not be the user's fault.. or not fair to blame them. but it's not microsoft's fault.. what more can they do than publish and make available the fix?

    17. Re:security by mindstrm · · Score: 2

      No. They are NOT expected to know that, though most drivers probably do.
      Some drivers go to service stations for all of the above, and call their local auto-association to change flats.

      You are correct in that most people DO know basic automotive maintenance, even though they are not required to. I would expect, also, that most computer administrators would know some basic maintenance.

      Of course, with computers & internet access being so cheap and easily available.. what do you expect.

  4. Most Secure Language by Bonker · · Score: 2

    From the article: While we can place great efforts into teaching people how to avoid buffer overflows in languages such as C it is likely they will introduce them into their programs anyway. It makes more sense from a security perspective to replace the language with one that makes buffer overflows difficult.

    This is why you shouldn't use MS designed languages like VB or C#.

    Seriously, I understand what he's saying about C. It allows low level access to a computer's hardware, and can be easily broken at that low level... Thus the need for garbage collection and careful avoidance of Stack-overflow conditions.

    On the other hand, we have Java, which trades convenience for security. Sure, it's easy to get started coding in Java, but heaven help you if you want to distribute a Java-based application to everyday (non-hacker) computer users. A webpage is the only medium in which Joe-sixpack is very likely to view any given Java application, giving full-scale Java applications a somewhat more limited potential user base.

    Seriously, then, what is the best application and system language in terms of security, power, and convenience?

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
    1. Re:Most Secure Language by devphil · · Score: 3, Interesting


      Agreed, to an extent. Whenever I see coders beginning to argue about "secure languages" and programming languages that "don't allow" security holes, I have to laugh and recall what Bjarne Stroustrup said about C++'s (and C's) approach to such things.

      I assume that a sufficiently skilled programmer can do anything not explicitly prohibited by hardware.

      (I'm quoting from memory.) The "protections" of the C family of languages are meant to prevent accidents, not fraud. Y'all might check out something like libsafe, originally from Bell Labs, and released under the LGPL.

      --
      You cannot apply a technological solution to a sociological problem. (Edwards' Law)
    2. Re:Most Secure Language by opus · · Score: 2

      I'm personally a big admirer of perl's taint-checking feature. When you run perl with the -T flag, it marks data from external sources as "tainted", which will produce a fatal error if that data is used for certain operations deemed insecure, such as shelling out or opening a file for writing. If you want to use external data to open a file for writing, or shell out, you have to first "launder" the data by matching it against a regular expression you've constructed.

      It would be nice if there were more granular control over what operations are deemed insecure. E.g. so you could deem opening a file for reading insecure, or execution of SQL statements in a database.
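
The taint idea described in this comment, modeled in Python as an added example (it is not from the thread and is not Perl's implementation), with the set of guarded operations made configurable so that SQL statement text can be guarded as the comment wishes. The `Tainted`, `Policy` and `sql_query` names, the in-memory table and the hostile input are all constructed for illustration.

```python
import re
import sqlite3


class TaintError(Exception):
    """External data reached a guarded operation without being laundered."""


def _raw(value):
    """Plain string behind a value, tainted or not."""
    return value._value if isinstance(value, Tainted) else str(value)


class Tainted:
    """Wrapper marking a string that came from outside the program."""

    def __init__(self, value):
        self._value = str(value)

    def __add__(self, other):            # taint survives concatenation
        return Tainted(self._value + _raw(other))

    def __radd__(self, other):
        return Tainted(_raw(other) + self._value)

    def __repr__(self):
        return "Tainted(%r)" % self._value

    def launder(self, pattern):
        """Untaint by regex match. This model insists on a full match,
        which is stricter than taking a capture from a partial match."""
        match = re.fullmatch(pattern, self._value)
        if match is None:
            raise TaintError("%r does not match %r" % (self._value, pattern))
        return match.group(1) if match.groups() else match.group(0)


# The two operations the comment names as guarded under -T.
PERL_LIKE = frozenset({"shell", "open_write"})


class Policy:
    """Names of the operations that refuse tainted arguments."""

    def __init__(self, guarded=PERL_LIKE):
        self.guarded = frozenset(guarded)

    def check(self, operation, value):
        if operation in self.guarded and isinstance(value, Tainted):
            raise TaintError("%s refused %r" % (operation, value))
        return _raw(value)


def sql_query(policy, conn, statement, params=()):
    """Guard the statement text only: bound parameters are data, not code."""
    text = policy.check("sql", statement)
    return conn.execute(text, [_raw(p) for p in params]).fetchall()


def make_db():
    """Constructed two-row table used by demo()."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def demo():
    conn = make_db()
    hostile = Tainted("nobody' OR '1'='1")      # constructed form input
    built = "SELECT name FROM users WHERE name = '" + hostile + "'"
    out = {}

    # Default policy: SQL is not a guarded operation, the built string runs.
    out["perl_like"] = len(sql_query(Policy(), conn, built))

    # Granular policy: the same string is refused as statement text ...
    strict = Policy(PERL_LIKE | {"sql"})
    try:
        sql_query(strict, conn, built)
        out["strict_concat"] = "ran"
    except TaintError:
        out["strict_concat"] = "refused"

    # ... but tainted data is accepted as a bound parameter,
    out["strict_bound"] = sql_query(
        strict, conn, "SELECT name FROM users WHERE name = ?", [hostile])

    # and laundered data is an ordinary string again.
    name = Tainted("bob").launder(r"[a-z]{1,16}")
    out["laundered"] = sql_query(
        strict, conn, "SELECT role FROM users WHERE name = '" + name + "'")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```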

    3. Re:Most Secure Language by scrytch · · Score: 3, Insightful

      This is why you shouldn't use MS designed languages like VB or C#.

      Show me a buffer overflow attack on the VB VM. Just one. Attacks on the system? Watch me write "rm -rf $HOME /" in perl, python, and ruby. MS ships IIS in a bloody awful configuration for security, and it may not be possible to totally secure it, but the herring you're waving around is redder than Khrushchev (there's a dated joke).

      --
      I've finally had it: until slashdot gets article moderation, I am not coming back.
  5. script to stop this new @!#%#@! bug by Micah · · Score: 2, Interesting

    Anyone know if something like this might be possible or easy?

    Have a script that reads the Apache log in realtime. Whenever something gets cmd.exe or XXXX or NNNN or something like that, immediately block all communication with their IP with iptables?

    This is getting annoying...

    1. Re:script to stop this new @!#%#@! bug by WasterDave · · Score: 2

      You run the danger of blocking a request that's coming via a transparent proxy. Blocking it would block everyone behind that proxy.

      Comments?
      Dave

      --
      I write a blog now, you should be afraid.
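
One way to do the log check asked about in this thread, as an added example that is not from any poster: it scans access-log lines for the two substrings named in the discussion (`cmd.exe`, `msadc`), holds back a block for addresses that also send ordinary requests or sit in a known proxy range (the shared-proxy concern raised in the reply), and returns the `iptables` rule text without running it. The sample log lines, the threshold, the `known_proxies` parameter and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Substrings named in the thread; matched case-insensitively after URL-decoding.
SIGNATURES = ("cmd.exe", "msadc")

# Apache common/combined log format; the request may contain escaped quotes.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample data (documentation address ranges, made-up timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2001:14:02:11 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 281
192.0.2.10 - - [10/Oct/2001:14:02:12 +0000] "GET /msadc/cmd.exe?/c+dir HTTP/1.0" 404 279
192.0.2.10 - - [10/Oct/2001:14:02:13 +0000] "GET /scripts/cmd%2Eexe?/c+dir HTTP/1.0" 404 281
198.51.100.7 - - [10/Oct/2001:14:03:40 +0000] "GET /index.html HTTP/1.0" 200 5120
198.51.100.7 - - [10/Oct/2001:14:03:41 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 281
198.51.100.7 - - [10/Oct/2001:14:03:55 +0000] "GET /about.html HTTP/1.0" 200 2048
203.0.113.5 - - [10/Oct/2001:14:05:02 +0000] "GET /msadc/cmd.exe?/c+dir HTTP/1.0" 404 279
203.0.113.9 - - [10/Oct/2001:14:06:30 +0000] "GET /index.html HTTP/1.0" 200 5120
proxy.example.net - - [10/Oct/2001:14:07:00 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 281
this line is not an access-log entry
"""


def summarize(lines):
    """Count probe and ordinary requests per client address."""
    stats = defaultdict(lambda: {"probes": 0, "other": 0})
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue                      # not an access-log entry
        try:
            ip = str(ipaddress.ip_address(match.group("host")))
        except ValueError:
            continue                      # hostname or junk: never reaches a rule
        request = unquote(match.group("request")).lower()
        kind = "probes" if any(s in request for s in SIGNATURES) else "other"
        stats[ip][kind] += 1
    return stats


def decide(stats, threshold=3, known_proxies=()):
    """Map each probing address to 'block', 'review' or 'watch'."""
    proxy_nets = [ipaddress.ip_network(n) for n in known_proxies]
    decisions = {}
    for ip, counts in stats.items():
        if counts["probes"] == 0:
            continue
        addr = ipaddress.ip_address(ip)
        shared = counts["other"] > 0 or any(addr in n for n in proxy_nets)
        if shared:
            decisions[ip] = "review"      # may front many users: a human decides
        elif counts["probes"] >= threshold:
            decisions[ip] = "block"
        else:
            decisions[ip] = "watch"       # below threshold, keep counting
    return decisions


def iptables_rules(decisions):
    """Rule text for blocked addresses; printed for review, never executed."""
    return ["iptables -I INPUT -s %s -j DROP" % ip
            for ip, verdict in sorted(decisions.items()) if verdict == "block"]


if __name__ == "__main__":
    verdicts = decide(summarize(SAMPLE_LOG.splitlines()))
    for ip, verdict in sorted(verdicts.items()):
        print(ip, verdict)
    for rule in iptables_rules(verdicts):
        print(rule)
```

Apache writes the log entry after it has handled the request, so a check like this limits repeat probes from an address and does not stop the first request.
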
  6. *nix admins are different by lowflying · · Score: 3, Insightful
    In a previous lifestyle, I flew helicopters for the Army. As a newbie admin, other admins have seemed impressed by how paranoid I am that some box I am responsible for is going to get cracked. This has always been my explanation:
    The thing is, helicopters are different from planes. An airplane by its nature wants to fly, and if not interfered with too strongly by unusual events or by a deliberately incompetent pilot, it will fly. A helicopter does not want to fly. It is maintained in the air by a variety of forces and controls working in opposition to each other, and if there is any disturbance in this delicate balance the helicopter stops flying; immediately and disastrously. There is no such thing as a gliding helicopter.

    This is why being a helicopter pilot is so different from being an airplane pilot, and why in generality, airplane pilots are open, clear-eyed, buoyant extroverts and helicopter pilots are brooding introspective anticipators of trouble. They know if something bad has not happened it is about to.
    -Harry Reasoner, February 16, 1971

    I just wonder what is different about the training of *nix admins that makes them recognize that vigilance must be eternal, while the admins of other OSes seem to assume everything will go right when that is clearly not the case.

    Dave
    1. Re:*nix admins are different by Anonymous Coward · · Score: 2, Interesting

      Unix admins may have had a grasp of multiuser systems for decades, but they were blissfully unaware of Internet security issues until relatively recently. Protocols like NFS and NIS belie a far more trusting attitude than even MS's stuff from the late 80s, not to mention Novell. Standard demons like sendmail were essentially unmaintained until recently. It took an enormous amount of work for some people (including those who started BugTraq) to change the lazy security culture bred into the fat academic maintainers of Unix. You might like to believe that Unix has a 20 year headstart over Microsoft, but it's more like a 5 year headstart. They'll catch up.

    2. Re:*nix admins are different by (void*) · · Score: 2

      Sorry. Since the Morris worm happened in the 1980's, it is a 20 year headstart.

  7. Re:This is about as bogus as it gets .... by erroneus · · Score: 2

    Apparently Aleph1 never heard of lint, bounds checker, and the like. Changing languages to make your apps more secure just shows you're not much of a programmer to begin with. The right tool for the right job. C is often the right tool. Whether you shoot yourself in the foot with a Smith & Wesson or C, don't complain about the quality of the gun. Next time, stop pointing at your foot and you will be fine.

    I think Aleph1's approach is a bit more sound. Your approach preaches that all programmers should collectively change their [bad] programming habits and methods. While I agree with you that it's the "best" solution, I have to remind you and anyone else in your camp that it's also the least likely to occur.

    IMO, improvements in gcc that help compensate for such buffer overflows (read: improvements in the compiler/language) would go a lot further in clearing up all of these problems.

    Again, asking the world to change their methods is about as likely as asking the world to stop smoking cigarettes. The useless slobs ALREADY KNOW it's bad for them and all those around them. They simply do not care.

  8. Hacking Exposed & hacking methodology by Nate+Fox · · Score: 2

    One of the most interesting reads I've ever come across was the PC Week crack. Just cool to see what he went through, his thoughts/ideas, and especially his thought process.

  9. Buffer Overflows in VB by MarkusQ · · Score: 2
    I did not know it was possible to cause a buffer overflow in VB

    It was, at least about two years ago. We reported the problem to MS, so it may well be fixed by now. IIRC, by giving a long string to GetHostByName (e.g., working with an e-mail address like "Bob@NoneOfYourDaaaaaaaaaaaaa[lots more "a"s]aaaaamnBeeswax.edu"--I think this was the actual address that did it) you could make it go south for the winter. So far south under Win98 that your screen turned blue. Under NT it just got a belly ache.

    It turned out to be a limit of 384 characters or so (don't depend on my memory at this level of detail--I don't), which was easy enough to check for, once we knew about it.

    -- MarkusQ

  10. Re:patching bugs & pumping gas by el_nino · · Score: 2
    Now, I realize that if they did the OpenBSD and shipped with everything turned off their users would scream


    If they can't even start the web server service on the machine then perhaps they shouldn't be running a web server in the first place?

  11. Re:EROS? Vapour? Solutions without a problem? by Peaker · · Score: 2, Informative

    This is because a web server has to have access to sockets...or how would it communicate via a network? Of course, from what you say EROS has the capability to restrict access to communication facilities. Of course, it is possible for a webserver to drop root privileges after binding to port 80. At this point it is restricted to accessing only those sockets which ALL applications/processes have access to. EROS may be able to go further and explicitly allow access to individual sockets, but that may be a disadvantage.
    You are missing the point. Sure there are tricks and trickery to make your webserver limit access to things, but there are fundamental problems in the *nix approach to such limitations:
    A) You trust the webserver to correctly limit access (fail-open), whereas in EROS you only give the webserver the access it requires (a capability to the specific port/etc).
    Even if the webserver is malicious, in EROS it's not a problem.
    EROS does NOT require a superuser or have such fail-open facility.
    B) In *nix boxen, the restrictions are placed and implemented as chains of if-conditionals (ACL-type security), which are very error-prone (as we all know by reading bugtraq) and very hard to debug, and about 15 if's in a chain are required if you want to get close to correspondence to the principle of least privilege. In EROS, keys identifying objects and the rights to access them are held by processes, and a single test is required for every activation of a facility (if(key-is-valid) ...).

    This is because a web server has to have access to sockets...or how would it communicate via a network? Of course, from what you say EROS has the capability to restrict access to communication facilities. Of course, it is possible for a webserver to drop root privileges after binding to port 80. At this point it is restricted to accessing only those sockets which ALL applications/processes have access to. EROS may be able to go further and explicitly allow access to individual sockets, but that may be a disadvantage.
    In EROS/Vapour/pure cap. systems, each process has a pool of capabilities it can use. A capability is a reference to an object, that allows accessing this object. The only test for an operation's execution is that the capability to operate it is valid. This is very safe, and can be mathematically proven. Try to mathematically prove *nix boxen if-conditional chains.

    And none of these systems are proven as the original AC commenter was trying to suggest. While some things are provable secure (as in theory can show that it is secure e.g. some encryption algorithms), sometimes the IMPLEMENTATION is flawed. Now since these systems were written by people in academia and are not in widespread use, no one knows how well implemented they are, even if they are SECURE CONCEPTUALLY.
    These systems are so much simpler, that implementing them correctly is much much easier.
    Making flaws in the security implementation of capability protection is much more difficult than flaws in the if-chains of *nix, and even if the implementation is flawed, it shall be fixed in a constant amount of time, as the security system is of a small constant size (the code implementing capabilities, that is), whereas in *nix, security is an ever-lasting huge pile of code that grows with the rest of the code, with new if-chains written for every new piece of code.

    One question I DO have is this: how does EROS have such fine grained control over EVERY SINGLE thing a process may do WITHOUT lots and lots of overhead? With thousands of processes in a system, ACLs could potentially grow to enormous sizes and incur long delays while verifying that the process has access to certain privileges. Nothing is for free. This is why the UNIX model is simplistic: because security cannot make the system unusable. If the system is too SLOW there is no point in having it at all. Getting rid of said system would be the ultimate security: nothing to break into...but would there be a point?
    This is exactly what you're missing! EROS does NOT use ACL's. ACL's are what EROS is fighting against and trying to replace. EROS uses the capability model, which is of HIGHER performance, of mathematically provable security, AND much more flexibility!

    And what about systems more archaic like: OS/390, OS/400, VMS? Don't they have the same ACL stuff as EROS (wasn't EROS designed as an improvement with os/390 in mind)?
    NO. Eros does NOT use ACL's. ACL's are the root of all security problems.

  12. too late? by slashkitty · · Score: 3, Informative
    Wouldn't that be too late? Apache logs the request after it is successful. Some request for /path/to/shell/sh?rm+-rf+/ would only need one request, were that a real hole. Your log analysis would detect it, if the log file was even still there.


    Instead, your script would have to be a module or proxy that filters all incoming requests. And stops them before the trouble.

    --
    -- these are only opinions and they might not be mine.
  13. For once, I agree with a paid MS troll. by twitter · · Score: 2
    mindstrm, it's been a while. I thought you had suffered a Slashdot death penalty or something.

    Win2k is not hard to secure; neither is any other MS system.

    OK, I agree all you have to do is remove the modem, network card and keyboard. That is easy, cheap too!

    Otherwise, MSJVM, VB and other trash that has full access to your file system as root will trash you. Duh. M$ designed their OS around marketing, so they can shove whatever software they want onto and extract whatever info they want from their users. This is not going to change, ever, and M$ will always be impossible to secure.

    --

    Friends don't help friends install M$ junk.

    1. Re:For once, I agree with a paid MS troll. by mindstrm · · Score: 2

      Sorry, I was busy changing continents yet again....

      That wasn't a troll. I dispute being called a paid MS troll. I avoid using MS wherever possible, and I dislike them in general.

      But having run many, many systems... I'll grant that MS is slightly harder to secure.. in that it's harder to get the information you need.... and that it may not come 'as secure' out of the box....but any sufficiently busy or large server has the same problem. You install software, you have to be aware of what the impact is on the system.

      Yes, lots of people are talking about how MS is 'marketed to a different audience'. Or about how the presence of these new 'worms' shows that it's harder to secure... blah blah blah.

      To the guy talking about MSDOS and Win98 being 'insecure locally'.. get a grip. That's not the discussion here.

      Running windows boxes securely is no harder than running unix boxes securely, I'm sorry. You have to take different factors into account, and you have to get your information from different sources, yes...
      And yes, MS policy on publishing patches for exploits might be bad....

      But still: blaming home users for not having secure web servers? It's because they were ignorant of how to properly run them, in most cases. Saying that is because it's supposed to be 'easy' to use.. well.. why did the user pick it in the first place?

      I've *never* had a problem with any of my boxes.

  14. Re:patching bugs & pumping gas by WNight · · Score: 2

    1) Microsoft could easily turn services off by default. No user needs a webserver unless they have content to serve. If they don't know where the content goes, they don't need the server. They could have put a 'Web Server' config plugin in the control panel. People are capable of using the control panel (or the shortcuts) to change the screen background, or at least don't raise hell when they can't. They'd be able to turn on a webserver, or wouldn't realize that it was there...

    2) MS's patches are often worse than the hole. Service pack 2(?) for NT was called the SP-of-death. SP6 rendered Lotus Notes unusable (maybe just the notes server...) No admin worth the title would blindly install MS patches without waiting a month or so to see if any problems were reported. Patches released as the result of an exploit are worse... MS code is unstable at best, when rushed, you're trusting your server to alpha-level code.

    MS could learn a lot from IBM, or other mainframe makers, before trying to enter the server market. IBM had mainframes with decade-long uptimes, they didn't do that by rushing untested code onto client machines.

    I really think someone needs to sue MS for incompetence. Some of their blunders are so bad it's amazing they went through testing. (I don't think MS should be ruined for it, but if they had to pay out anything in this kind of case, they might be more careful to avoid a larger settlement in the future.)

  15. Wow. Nice logic. by mindstrm · · Score: 2

    None of my machines have been infected. I follow standard, easy to find methods for securing my systems. Hmmm.....

    Many, many people who run the OS have not done *anything, whatsoever* to secure their system out of the box. They haven't even TRIED.

    The presence of this worm is indicative of the average knowledge and aptitude of those running the infected systems... and NOT an indicator of the quality of the OS.

    Oh.. I'll agree that it's easier to find information about how to secure unix systems... and the admin generally has a better knowledge of how a new application affects his security.. but in general, this is the case with windows too.

  16. Wow.. by mindstrm · · Score: 2

    You got me there. I should clarify, for people like you, that we obviously aren't talking about MS DOS here. Or WinCE. I'd imagine you are just in a bad mood or something?
    I'd think most readers would find it obvious what we were discussing. Apparently you need some assistance.

    Win2k can't hide anything from the administrator if you set it correctly. Neither will it lie about file extensions if you set them correctly. Neither of those has anything to do with network security, either.

    And when I say 'system'.. what the hell did you think I meant? I meant a system involving Microsoft products. You can quibble over the exact definition all you like. NT is a product, so is Windows 2000. NT is also a kernel. Linux is a kernel, and also a product. Blah blah blah..