Slashdot Mirror
SecurityFocus On MS Security "Hole"
friday2k writes "There is an interesting writeup at SecurityFocus that puts the latest security 'hole' in XP into perspective. It is a worthy read and should remind us all of the real issues out there." And it collects into one place much of the flak I caught after posting about the claimed security hole opened by the XP Recovery Console.
.. but he is right about the physical security. Not long ago I walked a client several hundred km away through an OpenBSD boot via floppy so he could change his forgotten root password. I don't hear the masses screaming for Theo's head because this is possible.
Trolling is a art,
Once the general populace knows about a problem, the media has to say something, because how would it look if they didn't report on a new trend? Suddenly everybody "knows" about the problem, even though it does not exist.
I can't say that I don't give a fuck. I've just run out of fuck to give.
I'm with the author on this one. I dislike MS as much as the next guy, but I'd WANT a recovery disc to dump me at a prompt if the data files were corrupt. If the files on the drive are THAT important, they should have been encrypted anyway...and if I was the admin of the box, they would already be encrypted.
I have nothing to worry about.
News flash: this is expected, and desirable, behavior. The Win2k RC can't read the XP registry, so it thinks it is a corrupted Win2k installation. When it can't verify the SAM, it bails out to the console. Administrators want this behavior. If you have an installation on which some third-party driver has hosed the registry, the Recovery Console will allow you to attempt to fix it. That's what "Recovery Console" means.
No recovery console does not mean to bypass the password set by the administrator. It means to recover data that has been lost due to reason "foo".
While I don't see it as being that big of a deal, you could do it w/any OSs bootdisk I suppose (or even a LILO prompt on a Linux machine) I think it is an odd bit of information that should be known.
Media organizations know they get eyeballs when their audience is afraid.
Ignorant and afraid of terrorists? Watch Fox News.
Ignorant and afraid of hackers? Read Wired, or WinInformant.
Maybe we should be afraid of ignorance, instead.
Laugh at my Lisp and I keeell you.
In contrast, I know SQL Slammer was reported day-of. In this case, a free patch was available six months prior to the worm. And let's face it: if the patch is available but not applied, it's not Microsoft's, Oracle's, Linus's, or any other vendor's fault--only the SysAdmin in question.
One major difference was that SQL Slammer took out several networks, where Oracle did not have such impact.
To \.'s credit (and I'm going mostly off memory), but big critique was on the DB admins, not on Microsoft.
I totally agree on this - I've been doing Win2k installs for a few years now, and I'd have had to totally scrap god knows how many systems if it weren't for the recovery console.
And the fact that you can use the Win2k boot CD to log in without a password isn't a bug, or even a security hole, it's simply the fact that MS didn't require a password to use the Console in Win2k.
What do the critics want MS to do? Recall and patch every single Win2k boot CD?
sig:- (wit >= sarcasm)
Perhaps you missed the point he was trying to make. While the "its a feature, not a bug" argument is valid in many cases, this is not one of them. The whole argument can be ended with the simple fact that you need physical access for this "exploit". As mentioned in the article, and as anyone who follows computer security knows, once an attacker has physical access to a machine its game over. With that as a given, administrators WANT tools that allow them access to a system like this, its been included in systems back to the VMS days that I know of, and probably older.
I believe the rational way to view these types of articles is to look at what they're saying and actually stop to think about it, rather than flying off on blind tangents about bias. While it may be true that the author often defends Microsoft for whatever reason, this particular article is based on solid points that make a very compelling point on this specific issue.
PHYSICAL SECURITY. This is the first tenet of network security. Prevent the box from being accessed by those who should have no access. This tenet, however well implemented, is absolutely useless if the baddies that mean your network harm are INDSIDE the network, which in 75% of cases is true. It's a sad-assed day indeed when your own employees are the evil that is supposedly lurking outside the firewall.
I've just found a huge bug in Linux security! If you boot from a Linux boot disk, then you can mount the hard disk and read files off it! Linux security all over the world is compromised! No server in the world will ever be safe again!
Oh, and anyone who disagrees with this, or tries to use some kind of 'logic' or 'rational argument' to disagree is a Linux apologist.
Actually, this 'hole' is worse the one in Windows. Windows config data is stored in the registry, which is binary and so is much harder to manually edit than the plain-text files in /etc/ on a Linux box.
I am TheRaven on Soylent News
Yea a stupid error was made and several sites reported on it. I am supposed to feel bad to bill or do what Tim Mullen says and "Give Bill a Break"? No I won't be giving Bill G. a break. Maybe if more articles are written which say how bad MS software is MS might actually have to be accountable one day.
So you're all for more articles making a big deal out "security holes" that aren't "security holes" at all?
Ever heard the fable about the boy who cried wolf? You should not support Microsoft-bashing for the sake of Microsoft-bashing when there's nothing behind it, it only lowers your own credibility. Focus on Microsoft's real problems.
NO CARRIER
Indeed. And not only featureset but usability and user-friendliness factor are also placed above security issues. :)
As a result we have a dominant OS that's insecure and a secure OS that's mostly unusable by anyone who is not a third generation sysadmin. In all that rush no one had the time to write an OS that's is BOTH secure and user-friendly. Flame away
well, I'll let you pick which end
/. that server.......
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
I wonder if we could