Slashdot Mirror


SecurityFocus On MS Security "Hole"

friday2k writes "There is an interesting writeup at SecurityFocus that puts the latest security 'hole' in XP into perspective. It is a worthy read and should remind us all of the real issues out there." And it collects into one place much of the flak I caught after posting about the claimed security hole opened by the XP Recovery Console.

17 of 398 comments

  1. So what? by Anonymous Coward · Score: 3, Interesting

    If as many people tried as hard to find security holes in OSX or Linux, there'd be reports for those daily as well.

    1. Re:So what? by El Cubano · Score: 3, Interesting

      If as many people tried as hard to find security holes in OSX or Linux, there'd be reports for those daily as well.

      There are as many people. Only with respect to Linux, they tend to be the developers themselves. Thus, the problems are usually fixed before the official kernel (or whatever other product) is released.

      Not only that, but if you fall victim to a security breach in an unstable or development version of a product, you were probably warned. I have yet to see an unstable or development release that did not include something to the effect of: "Don't use this if your data is particularly valuable to you."

      It's different with products from companies like Microsoft and Oracle, because we are almost always talking about "stable and complete" products.

  2. Ubiquitousness doesn't explain MS vulnerabilities by Infonaut · Score: 5, Interesting
    If as many people tried as hard to find security holes in OSX or Linux, there'd be reports for those daily as well.

    That's patently untrue. It's a well-known fact that Microsoft's security problems are not due to exposure alone.

    Microsoft's development model is fundamentally flawed from a security perspective, because it squarely places featureset additions above security. The corporate culture at Microsoft is and always has been more about gaining marketshare than about anything else.

    It seems that there are differences in security, above and beyond the monopoly domination Microsoft enjoys. How many ISPs use FreeBSD to run their servers? Hmm.. I wonder if there's more to it than just speed and the fact that FreeBSD is Open Source.

    I'm not alone in my assessment. There's this security guru named Bruce Schneier. Perhaps his name has crossed your desktop at some point. He's contemplating getting a Mac, because he is tired of hassling with security problems on his Windows machines.

    --
    Read the EFF's Fair Use FAQ
  3. Re:So... by CrazyDuke · Score: 3, Interesting

    I do!

    (boot sequence)

    Windows has detected an error in the system registry and is now restoring a previous backup.

    Registry fixed. The computer will now reboot.

    (boot sequence)

    Windows has detected an error in the system registry and is now restoring a previous backup.

    Registry fixed. The computer will now reboot.

    (boot sequence)

    Windows has detected an error in the system registry and is now restoring a previous backup.

    Registry fixed. The computer will now reboot.
    ...ad infinitum...

    --
    Any sufficiently advanced influence is indistinguishable from control.
  4. Re:does this mean by johny_qst · Score: 2, Interesting

    The answer is yes since you could transfer your program to the system where it would be run at system start... though this still doesn't make it much of an issue. The key to the article is physical security! Say it with me, physical security. If someone can walk right up to your machine then they can do pretty much whatever they want if they are technically sophisticated enough.

    --
    Fnord.sig
  5. Re:Oracle Bug Double Standard? by N3WBI3 · Score: 2, Interesting
    But the whole problem is the history of MS patches. I feel perfectly comfortable patching a test *nix computer and going to prod within a few hours. With Windows I will have to start at the dev level because 7/10 times it will break something else and the developers need to fix it, then to test and, God willing, to prod the next day.

    Not even MS keeps up with their patches, so who are they to fault sysadmins for not doing the same.

    --
  6. Note that Tim Mullen is an MS Shill by Anonymous Coward · Score: 1, Interesting

    I have subscribed to Security Focus mailing lists and read their site for about 2 years, and by default I ignore anything Tim Mullen writes. To me it appears his role as a writer at Security Focus is the resident Loyal Microsoft Lackey. Check for yourself, I bet every single article he has written talks about how good MS is, or how they have been wronged, or how he is tired of people bashing Microsoft, or how the latest MS security flaw 'isn't that bad.'

    MAN I wish I caught this story earlier, so I could have posted earlier =\

  7. Re:I certainly do. by zapfie · Score: 3, Interesting

    You got the joke wrong.

    They get Halloween and Christmas confused, because 31 OCT is 25 DEC.

    (31 OCT would be 19 HEX)

    --
    slashdot!=valid HTML
  8. Re:So... by Anonvmous Coward · Score: 2, Interesting

    "But couldn't one just boot off a CD-Linux distro and run regedit under wine? (does regedit work under wine?) Or is there perhaps a console version of regedit that would run under the win2k console?"

    No, I don't think so. I had the registry in Windows 2000 go corrupt once because I had a power failure while it was in the process of shutting down. Basically, the Registry was being edited and I guess the file didn't finish writing. I installed another instance of 2k in order to try to recover what I could, but I couldn't get Regedit to do anything but work on that installation's own Registry. What you're suggesting might work if somebody wrote their own Registry editing app.

    "Unless the registry is actually encrypted, I don't see any real advantage to having it in a non-human-readable format."

    It's in binary format, not in 'non-human readable' format. To be honest, I'm not sure why MS does it either. I would guess that there's an advantage of using a binary format over text format. Space maybe? If the registry is big, Windows is slow. Wish I could figure out how to compress the registry.

    Anyhoo, this is all beside the point. If you have physical access to my computer, all you need to do is install another instance of Windows 2k or XP and you have all you need to mess around with the files on it. You might even be able to recover passwords etc. that way, not sure. It *would* be detectable though, unlike a CD boot.

    In any case, this doesn't seem like a huge security hole to me.

  9. Re:So... by DrXym · Score: 4, Interesting
    The registry is an awful thing for the simple reason it sticks all your eggs in one basket. Now I know technically there are various 'hives', but if the registry gets corrupted in any significant way you are completely screwed whether one hive is nobbled or another.

    Your choices after that boil down to restoring from a backup registry and praying that it works, or reinstalling. The recovery console is a joke and a last-ditch effort. The only times I've required it are when I foolishly marked my temp folder as encrypted and a service pack used it before peppering my system32 dir with encrypted files, and during recent filesystem data corruption. On neither occasion was it particularly useful, and I was sorely pushed each time to recover to a working system.

    At least Unix gives you a fighting chance since configuration files are all individually named and occupy different places on the disk. It is quite possible to identify the precise problem and fix it if necessary. Those files might be messier, but at least it's easy to back them up (since they're not 'live') and *much* easier to restore them. It is my opinion that the registry is quite possibly the most awful thing about Windows, even before considering the mess of registry keys it actually contains.

  10. Re:Oracle Bug Double Standard? by josh crawley · Score: 2, Interesting

    ---But the whole problem is the history of MS patches. I feel perfectly comfortable patching a test *nix computer and going to prod within a few hours. With Windows I will have to start at the dev level because 7/10 times it will break something else and the developers need to fix it, then to test and, God willing, to prod the next day.

    Well, that all comes down to the basic tenets of Unix.

    1: Use text files. Easier to manipulate and edit.

    2: Make every program simple-minded so the next stupid program can take over.

    Chances are if something actually does break, you can easily regress because you know that programs don't squash each other's feet. You just back up the new configs, replace the old configs, and replace the old program. All in all, it isn't that hard at all.

    In the MS world, things bumble over each other, configs are kept in a hard-to-control place (registry), and regressing certain server software is darn near impossible without backups. Things are almost guaranteed to break in patches because they usually add stuff in patches. Then the new+old stuff breaks. MS software is made easy for a limited set of users. Any user who "doesn't want it that way" has to hunt on Microsoft.com or call them up (heh). And chances are, there are bugs to prevent "that way".

  11. Open-source vs. Microsoft security? Apache vs. IIS by hkmwbz · Score: 5, Interesting
    It is difficult to prove this one way or the other. First, the source code for Linux is available, and as such more people can study it, and they probably do. Windows might be more widespread, but how many Windows users are actually knowledgeable enough to even find a security hole?

    It doesn't matter how many users it has, because the users won't be looking for security holes in the first place. So if you put 10 Windows users in a room, none of them would know much about these things. Put 10 Linux users in a room, and you increase the chance that you'll find a real hacker. I'm a Windows user myself, so I'm not trying to sound like an elitist bastard. I haven't even uncovered any security holes in my life.

    But it is difficult to determine this case, as there are a lot of questions and too few answers.

    Let us instead look at a piece of software where the numbers are reversed - where Microsoft's product has only a small part of the market.

    I am talking about the open-source Apache HTTP server, vs. Microsoft's IIS.

    Apache has 60-70 per cent of the web server market. IIS has less than 30 at the moment. Yet, despite these figures, Apache has had far fewer known security issues than IIS. How does this fit with your question? Obviously, there are a lot more eyes on Apache due to its large market share?

    So how does IIS come out so crappy when it comes to security?

    I think we can come to the conclusion that your "it's not as frequently used so very few are looking for security holes"-like statement simply does not make sense. It is a myth. FUD?

    --
    Clever signature text goes here.
  12. Re:Tim Mullen by sheldon · Score: 2, Interesting

    "Tim Mullen is probably the most notorious apologist for Microsoft in the security community."

    In other words...

    "Since his comments are not anti-Microsoft enough you shouldn't listen to him, because it's more important to blame Microsoft than be right."

    This is why I post to slashdot, to correct morons like this, and for that I am called an astro-turfer.

  13. Re:Ubiquitousness doesn't explain MS vulnerabiliti by harvardian · Score: 2, Interesting
    The original poster said "If as many people tried as hard to find security holes in OSX or Linux, there'd be reports for those daily as well" and you countered with that article on mi2g.

    What does that article say? It says "Based on the number of vulnerabilities announced in 2002 that affect operating systems..."

    Now, either I'm an idiot or that article is basing its results on REPORTED VULNERABILITIES. Might the number of reported vulnerabilities have something to do with how hard people ARE LOOKING FOR VULNERABILITIES?

    The ONLY way to test the relative vulnerability of an OS is to do a thorough code review of each, or send experts on each into a room and ask them to find exploits (and both approaches won't even be that accurate).

  14. Re:Ubiquitousness doesn't explain MS vulnerabiliti by mystran · Score: 3, Interesting
    I agree here. I've been using Linux since 1995 almost exclusively at home, for security, stability and development reasons, but the older I grow, the more I think of this:

    It's great that we have security. Most people won't mind security. Even Joe Sixpack seems to understand that security is generally good. Now, people are starting to get that Open Source is secure, stable, blah blah blah..

    The thing with Linux (and probably BSDs, though I don't have much experience there) is that most people who know what a server is can set up a Linux server. Even most of those people can keep their server relatively secure with security.debian.org and shutting down redundant stuff and such. But even many of those people are not willing to switch to Open Source on the desktop.

    As I see it, Linux IS a decent desktop OS too. If you pre-install Gnome or KDE or pretty much anything else for someone, they will be able to use it. My girlfriend has no trouble at all with my wmx-based desktop, after about 2 minutes of briefing. But the thing is, once things get nasty on the Linux desktop they often need even MORE experience with the OS than when running a server.

    Once you have to touch the command line, it can be a pain before you get used to it, but finding the relationships between the nice GUI and all the scripting and configs and stuff is even more so.

    No flames though, this is getting better all the time, I think, but the fundamental nature of UNIX as opposed to Windows seems to make UNIX easier for someone who knows what he's doing (like a sysadmin or developer), while Windows is still easier for my mother, who unfortunately might have to mess with the network settings to read her mail, even if somebody assisted her by phone.

    I'm currently doing a toy desktop OS with the idea of trying to combine ease of use, even when going to system levels, with an easy-to-develop-with API and strong security.. then again, don't hold your breath =)

    --
    Software should be free as in speech, but if we also get some free beer, all the better.
  15. Re:I hate to say it.. by jc42 · Score: 2, Interesting

    Not long ago I walked a client several hundred km away through an OpenBSD boot via floppy so he could change his forgotten root password.

    Somewhat longer ago, maybe 10 years back, I was part of a small team running a booth at a trade show. The booth next to us had a couple of guys who had puzzled looks on their faces, so two of us walked over and asked if there was a problem. They had a Sun workstation that they couldn't get to work because nobody knew any passwords. I reached over, rebooted it into single-user mode, changed the root password to something they knew, then did a full boot, and handed it back to them.

    The first thing one of their guys did was to change the root password again. And he didn't want us to watch the keyboard while he did it, so we couldn't see the password. We just looked at each other and walked off, trying not to laugh in their faces. "Uh, dudes; you just missed something important."

    A couple of years later, Sun added the ability to have a single-user password, so our neighborly helpfulness no longer works. I wonder what a Sun customer does now if the only person who knows a machine's password is squished by a semi? Junk the machine?

    There are some pretty silly "security" discussions going on.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  16. Re:Ubiquitousness doesn't explain MS vulnerabiliti by tunah · Score: 2, Interesting
    As a result we have a dominant OS that's insecure and a secure OS that's mostly unusable by anyone who is not a third-generation sysadmin. In all that rush no one had the time to write an OS that is BOTH secure and user-friendly. Flame away :)

    I realise that the sysadmin comment was facetious, but you *did* say flame away ;)

    Yes, realistically, Linux *IS* harder to learn than Windows (learn, not necessarily use). However, if you will settle for *only* using a Windows-like interface, Mandrake and Lycoris are pretty damn accessible. Windows (in the easy-peasy sense of the word) is a *user's* operating system. Sysadmining isn't just point-and-sneeze in Windows either.

    --
    Free Java games for your phone: Tontie, Sokoban