Slashdot Mirror


Looking Back At Windows Security In 2003

thebatlab writes "Help Net Security has an interesting look at security in Windows during 2003, with various blurbs from related parties at Microsoft as well as security 'bigwigs' such as Russ Cooper. It's interesting to read the comments from external parties, as they tend to be very reasoned comments and don't simply attack away over recent 'indiscretions' and 'security lapses' Microsoft has had over the year."

7 of 327 comments (clear)

  1. Does anyone know... by biendamon · · Score: 5, Interesting

    ...where to get a definitive list of security holes in Windows (not Office or other add-ons) for the month of December?

  2. Should I patch? by SharpFang · · Score: 4, Interesting

    I dual-boot Linux with W98SE. Recently, after quite a while of using it and getting the W98 more and more "dirty" I decided to install the update. System got so unstable that I couldn't open Explorer without crashing. "Time for reinstall", I thought. Format, install, config, everything runs smoothly. Windows Update, system starts crashing really bad. Maybe I did something wrong? Format, reinstall, update. Crash. So now I run "vanilla" W98SE, without ANY updates, just pure CD install. The only protection is my firewall on a Linux box. Sucks, but what should I do? This way it can keep running for several hours, and with screensavers and power management disabled, for several days in a row. With patches, crashes notoriously. Keep it secure? How? By unplugging the net or the power supply??

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  3. Re:Its crap but just as crap as anyone else by 93+Escort+Wagon · · Score: 5, Interesting

    "Microsoft have had their share of vunerabilities over the last year but not significantly more than linux has..."

    Hello? What alternate universe are you living in? We spent a good chunk of our summer and fall chasing MS-BLAST infected computers. We had to detach computers from the network before upgrading them to XP, because if we didn't they'd get hit before we could patch them.

    Perhaps you are playing semantic games - perhaps in absolute numbers there haven't been "that many" Windows exploits. But in terms of wasted IT time; in terms of network downtime; in terms of severity of attack there is just NO comparison. Our Linux, Solaris, and OS X boxes have required almost none of our time.

    --
    #DeleteChrome
  4. Re:you know by b17bmbr · · Score: 4, Interesting
    if windows really was as bad as you say it is, it wouldnt' be in NINETY PERCENT of all desktops.

    okay AC, there is a plethora of reasons that windows is on 90% of all desktops.
    1. apple screwed the pooch by being overly proprietary back in the early 80's. they were just too damn expensive for mass penetration.
    2. compaq cloned the PC, got its bios to boot, etc...
    3. lotus 1-2-3 (any one remember when your spreadsheet program fit on a floppy!!) this program alone accounted for the mass igration to the PC architecture.
    4. ibm being dipshits about ms-dos. they could have had the rights for chump change.
    5. os/2 was the defacto desktop. ibm wanted a shitload of money (something like $200+ in the early 80's) microsoft came in with windows for 1/10 the price.
    6. microsoft did thing like give faulty errors with dr-dos when you tried to run windows on top of it. (keep in mind, windows ran on top of dos as late as ME) this has been long since documented.
    7. microsoft played the bundling game, gave away its office suite for next to nothing compared to others. remember when wordperfect and lotus were the standards? (remember, in word97, you can map every keystroke in wordperfect AND lotus123.)
    8. monoplistic practices...covered a time or two
    9. piracy. i, and probably everyone i kow got a "free" copy of office. don't think for a second that microsoft really cared that joe and jane homeowner were somehow "pirating" (giggle, giggle) office. well, if business knew you could get it at home "free", they knew they HAD TO pay for it, so, well, if you use office at work, you can bet employees can get it at home, and that eliminates any others from competition
    technological merit does not always, or even often, win out. there are numerous reasons. hell, in 1949, we had a state fo the art bomber, the YB-49. it could fly farther, faster, stealthier, etc. and, check this out, it was a flying wing. based on a design from the horten bros. in germany. discovered after the war, and developed by jack northrup. but, stu symington (sec of defense) was buddy buddy with convair guys, and we ended up with B-36. then the B-47, then the B-52. 36 was a piece of shit, 47 almost as bad, and the 52 is a workhorse. long story short, when B-2 rolls out, who is there to receive a LONG overdue praise. jack northrup. oh yeah, the VHS vs. Beta thing too.
    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
  5. Need to look at Security Holistically by randall_burns · · Score: 4, Interesting
    Organizational Security is typically only as strong as the weakest link. If you have an organization that doesn't do proper background checks on its personnel or uses negative management techniques, the risk imposed by those practices can swamp stuff like the risk associated with a particular version of software.


    In areas like the construction industry, insurance companies take a very hard-nosed attitude towards various types of risky practices-and the difference in risks between those practices are reflected in insurance premiums. It would be straightforward to apply similar techniques to organizational security-but I suspect what we have here is a case of managerial resistance. The management types just don't want their practices closely scrutinized-they like things the way they are now. What I see, is a lot of folks taking enormous risks with other people's money.

  6. Re:Myth: Linux is more secure than Windows NT. by shaitand · · Score: 4, Interesting

    "requires an administrator to be an expert in the intricacies of the operating system and how components interact"

    Yes, someone who is NOT an expert is hardly qualified to be an administrator now are they?

    "Linux only provides access controls for files and directories. In contrast, every object in Windows NT, from files to operating system data structures, has an access control list and its use can be regulated as appropriate. Linux security is all-or-nothing. Administrators cannot delegate administrative privileges: a user who needs any administrative capability must be made a full administrator, which compromises best security practices. In contrast, Windows NT allows an administrator to delegate privileges at an exceptionally fine-grained level."

    Are you on crack? EVERYTHING is a file or directory on a linux system. There ISN'T a registry to hack. The most powerful and popular solutions for all tasks on linux also have built in ACL's for fine tuning access. Not to mention iptables which is a one stop kernel level firewalling and routing solution with flexibility windows never dreamed of with even 3rd party tools.

    There is only ONE full administrator on a linux system, root. Any other service and it's configuration files will be owned by a group, members of said group can administrate it. Since EVERYTHING including hardware devices is a file on linux you can fine grain control access to every piece of software and/or hardware you like on the system. By setting permissions on the correct file you can even deny a user the ability to move an icon on their linux desktop.

    "Linux has not supported key security accreditation standards. Every member of the Windows NT family since Windows NT 3.5 has been evaluated at either a C2 level under the U.S. Government's evaluation process or at a C2-equivalent level under the British Government's ITSEC process. In contrast, no Linux products are listed on the U.S. Government's evaluated product list."

    Government accredits are meaningless, microsoft had to hack minimal posix compliance into windows before they could bribe their way in. The only reason it was allowed at all was that windows was already being used widely (at least in the US, don't follow the brits) and it's VERY expensive to go through the process.

    "Linux system administrators must spend huge amounts of time understanding the latest Linux bugs and determining what to do about them. This is made complex due to the fact that there isn't a central location for security issues to be reported and fixed. In contrast, Microsoft provides a single security repository for notification and fixes of security related issues."

    And yet somehow with a single command line I have all the fixes for the bugs that were discovered this morning. And windows update only has the bugs that were discovered 3 months ago with a couple exceptions.

  7. Re:My guess. by sfe_software · · Score: 4, Interesting

    I don't doubt it would be possible to create an effective virus for Linux.

    I agree with everything you stated. It's the diversity that makes Linux (and other operating systems) less vulnerable to such massive attacks. But everyone learns from their mistakes, even Microsoft (albeit slowly sometimes).

    Currently, if you purchase a copy of XP and install it with neworking capabilities (even dialup), there is a good chance you won't get as far as Windows Update before you're rooted. I went through that a couple of months ago -- got the "Windows is Shutting Down" dialog before the Windows Update page could load. I knew how to abort the shutdown and patch the problem, and I really should have enabled the firewall first -- but joe average doesn't (and shouldn't have to) know this.

    However, I also recall the Honeypot project having similar experiences with RedHat 6.2; because of a remote-root exploit (I think), the machine was hardly online a few minutes before being rooted. If I remember correctly (it was a long time ago), 6.2 was the latest retail RedHat release at the time.

    Jump to now: RedHat now enables less services by default (but still has a record number of suid-root binaries...), and really pushes you to enable iptables at install time before any network interface is brought up. Likewise, SP2 for XP will be doing some things right, and I'm sure this will carry over to Longhorn and future versions.

    I say: bravo on both sides. Firewalls enabled by default (like "opt-in" instead of "opt-out"), and taking security into consideration with every decision (as RedHat and Microsoft both are learning to do, though many others *cough*OpenBSD*cough* have known this for a while)...

    --
    NGWave - Fast Sound Editor for Windows