Looking Back At Windows Security In 2003
thebatlab writes "Help Net Security has an interesting look at security in Windows during 2003, with various blurbs from related parties at Microsoft as well as security 'bigwigs' such as Russ Cooper. It's interesting to read the comments from external parties, as they tend to be very reasoned comments and don't simply attack away over recent 'indiscretions' and 'security lapses' Microsoft has had over the year."
...where to get a definitive list of security holes in Windows (not Office or other add-ons) for the month of December?
"What Slammer showed us more than anything was the need to embrace more basic controls, such as "Default Deny"."
Do you think that that giving your user name and password to strangers might be a bit suspect too?
For firewall we kept windows because the software we currently use performs much better on windows than Linux.
What Fortune 500 company is using computer-based firewalls? Let me know because I'll happily take over as "Chief Security Officer"
You are in a maze of twisted little posts, all alike.
I think a balanced analysis would agree that they are certainly getting better: both in terms of acknowledging critical issues and issuing patches in a more timely manner.
... ahem.
They have a long way to go, but who doesn't have security problems these days? Only OpenBSD, which ships with virtually everything switched off so that it can claim "no hole in over 7 years in the default install"
AC
Of course the same holds true for businesses, but there the problem was more of a problem with the "Default Installation". We have long known that default installations are inherently insecure.
Windows "out of the box" is as wide open as the goatse.cx guy.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
I'm sorry, but we've been told to disable preview-pane at work because yet another round of virii struck that used our internal servers as spam relays.
For Outlook issues alone (forget about Slammer - though how could you!) Microsoft earns the big security raspberry of the year. PPHbth!!!
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It's interesting to read the comments from external parties, as they tend to be very reasoned
-SNIP-
Yeah, and if I poke you in the eye with a sharp stick every morning, you'll get used to it. It might even appear "reasoned".
2004 will likely prove to be just as wormy as 2003.
I also predict that Linux will truly come into its own in 2004 as the first serious Linux worm/virus rocks the open source world.
There's a new worm out there that exploits a security hole still in Windows 2k/XP from when it was released.
It has the capability to shut down applications, goes right through anti-virus software (even the latest patches!!!), and gives total control of the victim computer to the creator of the worm.
An attempt by the powers that be to shut down its source of updates was thwarted by various government agencies and the worm itself.
Unfortunately there is no patch to get rid of the W32.MS.AutoUpdateRequired worm.
It sucked!
<bows>
It is pitch black. You are likely to be eaten by a grue.
at Windows security, one thought comes to mind - eeeek.
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
I hate liberals. If you are a liberal, do not reply.
What company is going to use Linux for their primary domain controller but run everything else on Windows? I don't believe this poster knows what he is talking about.
j00 w3r3 h4xx0r3d!!!!!!
I'm amazing. You aren't. SUCK IT
All systems are vulnerable to security issues; however it's important to note that Linux uses the same security model as the original UNIX implementations--a model that was not designed from the ground up to be secure.
Perhaps you've heard of a company called Cisco, they make a thing called a Pix, which is probably the most popular hardware firewall product.
As opposed to what exactly?
Firebased computer walls? (In soviet russia?)
Windows Security is an oxymoron. Just like the French fish who cleaned everything from Finding Nemo.
Samba-TNG or Samba 3.0 work great as domain controllers.
Looks like it's been slashdotted...
Also I am willing to bet every Fortune 500 company (except Microsoft) has at least some Unix servers, whether they be Sun, IBM, HP, or some other brand. I even heard that MSFT has some FreeBSD servers in their backend.
A hole in Windows was announced today. That's great, as soon as Windows Update tells me there is a fix available, I'll click and reboot to apply it.
/me goes to website, they list some long inexplicable explanation of the hole. Link to some .tar.zip.gz.bz2 file (this saves bandwidth). Just run it through tar -xvzjf and it will automagically extract. Run make clean; make superclean; make reallyfuckingsureyourclean; make install; (whoops, su; make install) and boom! It's installed.
A hole in Linux was announced today. Developers released a patch in 34.36 minutes flat after hearing the news. Download and update today!
it says: The site www.net-security.org is running Apache/1.3.28 (Unix) PHP/4.3.3 on Linux.
I dual-boot Linux with W98SE. Recently, after quite a while of using it and getting the W98 more and more "dirty" I decided to install the update. System got so unstable that I couldn't open Explorer without crashing. "Time for reinstall", I thought. Format, install, config, everything runs smoothly. Windows Update, system starts crashing really bad. Maybe I did something wrong? Format, reinstall, update. Crash. So now I run "vanilla" W98SE, without ANY updates, just pure CD install. The only protection is my firewall on a Linux box. Sucks, but what should I do? This way it can keep running for several hours, and with screensavers and power management disabled, for several days in a row. With patches, crashes notoriously. Keep it secure? How? By unplugging the net or the power supply??
What I'm saying is if a fortune 500 company is using Windows for every other server, I don't think they will use a different platform for the domain controller.
What's inside of it? Magic packet-smashing Gnomes?
It basically says it all when an exploit that had been patched for months succeeds in bringing the internet to a crawl.
An In-Depth look Into Windows Security in 2003
by Mirko Zorz - Monday, 22 December 2003.
When it comes to security predictions for next year, basically everyone says it's going to be worse than this year despite the increased spending on security and some progress made when it comes to security awareness. Let's take a look at some interesting happenings that made the news during 2003 when it comes to Microsoft security and perhaps you'll be able to judge for yourself what 2004 will bring.
The experts that voice their opinion for this article are Russ Cooper (Surgeon General of TruSecure Corporation/NTBugtraq Editor), Ed Skoudis (a security geek who is focused on computer attacks and defenses, author of "Counter Hack" and "Malware: Fighting Malicious Code") and Arne Vidstrom (a security researcher and author of many security tools for Windows).
It's January and things don't look good
Just as we were getting used to writing 2003 instead of 2002 in our letters, here comes the Slammer worm and all hell breaks loose as thousands of computers are infected worldwide.
This, however, was not Microsoft's fault since a patch was available several months before the worm was unleashed. This has put the issue of irresponsible users into the spotlight, while others said the reason why some servers weren't patched is because administrators are worried about the side-effects that come with a patch.
Russ Cooper said: "Firstly, SQL patches have been notoriously difficult to install, so I would argue that despite the availability of a patch, its lack of installation was not entirely the user's fault. Further, MSDE (Microsoft SQL Desktop Engine) inclusion in 3rd party software had never been tracked by Microsoft. This resulted in many people being vulnerable to Slammer who never knew they needed a patch. The method the SQL group has used to handle the SQL vs. MSDE issue has been very poor, with KB articles typically only being found by searching for SQL rather than MSDE. Finally the SQL Server Resolution Service, the service targeted by Slammer, isn't even mentioned in the SQL 7.0 documentation either as being present, installed, or enabled by default."
Lessons learned according to Cooper: "What Slammer showed us more than anything was the need to embrace more basic controls, such as "Default Deny". There's little reason to expose the SSRS to the Internet without any restrictions. Some hosting providers have argued that their customers required access to the service and, therefore, they exposed it directly to the Internet. While this might seem reasonable, the additional cost of locking down such connection points to, at least, an identifiable IP address range surely couldn't put them out of business compared to the risks they put the entire Internet at. Of course the same holds true for businesses, but there the problem was more of a problem with the "Default Installation". We have long known that default installations are inherently insecure. Knowing what you're installing, and installing only what you know, are crucial to achieving baseline security. The habit of simply accepting the defaults and no additional steps is yet another reason problems like this occur."
"Another aspect of "Default Deny" is the enforcement of *Outbound* rules as well as inbound. Habit says that inbound is what we fear, yet outbound is left entirely untouched. Slammer demonstrated just how harshly such a policy can affect the Internet. There was no reason for those systems to initiate connections outbound on UDP 1434, even if we accept there was a need to allow the inbound connections from other infected hosts. Ergo, had such rules been in place, machine
Slashdot: The antidote to well reasoned comments.
Hello, new sig.
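Cooper's two points above (explicit allow rules in both directions with everything else denied, and the absence of any legitimate reason for a host to initiate outbound UDP 1434) can be checked mechanically. The script below is an added example, not part of the article or the thread: it applies a default-deny rule set to constructed firewall log lines (the log format, rule set and addresses are all made up for the example) and flags any internal host that sprays udp/1434 at many distinct destinations, which is how a Slammer-infected host behaves.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since start of the capture
    direction: str   # "in" (Internet -> us) or "out" (us -> Internet)
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Flow:
    """Parse one record of the constructed (hypothetical) log format:
    '<seconds> <in|out> <tcp|udp> <src-ip> <dst-ip> <dst-port>'."""
    ts, direction, proto, src, dst, dport = line.split()
    return Flow(float(ts), direction, proto.lower(), src, dst, int(dport))


@dataclass(frozen=True)
class Allow:
    direction: str
    proto: str
    dport: int
    remote_nets: tuple = ()   # ip_network objects; empty means any remote host


def is_allowed(flow: Flow, rules) -> bool:
    """Default deny in both directions: a flow passes only when an explicit
    Allow rule matches its direction, protocol, port and the remote address."""
    remote = ip_address(flow.src if flow.direction == "in" else flow.dst)
    for rule in rules:
        if (rule.direction, rule.proto, rule.dport) != (flow.direction, flow.proto, flow.dport):
            continue
        if not rule.remote_nets or any(remote in net for net in rule.remote_nets):
            return True
    return False


def find_udp1434_spreaders(flows, window=10.0, threshold=50):
    """Return {src: peak distinct destinations} for internal hosts that sent to at
    least `threshold` distinct hosts on udp/1434 within any `window` seconds.
    One host hammering udp/1434 at random addresses is the Slammer propagation pattern."""
    by_src = defaultdict(list)
    for f in flows:
        if f.direction == "out" and f.proto == "udp" and f.dport == 1434:
            by_src[f.src].append(f)
    flagged = {}
    for src, sent in by_src.items():
        sent.sort(key=lambda f: f.ts)
        peak = 0
        for i, first in enumerate(sent):
            dsts = {f.dst for f in sent[i:] if f.ts - first.ts <= window}
            peak = max(peak, len(dsts))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed rule set for a hosting provider that must expose SQL to one customer range.
CUSTOMER_NET = ip_network("192.0.2.0/24")
RULES = (
    Allow("in", "tcp", 1433, (CUSTOMER_NET,)),
    Allow("in", "udp", 1434, (CUSTOMER_NET,)),   # SSRS only for the customer, not the world
    Allow("out", "tcp", 80),
    Allow("out", "tcp", 443),
    # no outbound udp/1434 rule at all: an infected host cannot reach the next victim
)

# Constructed sample log: normal traffic plus one host (10.0.0.7) spraying udp/1434.
SAMPLE_LOG = [
    "0.00 in udp 192.0.2.10 10.0.0.5 1434",     # customer SSRS lookup: allowed
    "0.10 in udp 198.51.100.9 10.0.0.5 1434",   # Internet scanner: denied
    "0.20 out tcp 10.0.0.5 203.0.113.80 443",   # ordinary HTTPS: allowed
    "0.30 out udp 10.0.0.9 203.0.113.5 1434",   # single stray packet: denied, not flagged
] + [f"{1.0 + i * 0.02:.2f} out udp 10.0.0.7 203.0.113.{i + 1} 1434" for i in range(60)]


def audit(lines, rules=RULES):
    """Apply the policy to every line and run the spreader detector.
    Returns (number of denied flows, flagged hosts)."""
    flows = [parse_line(l) for l in lines]
    denied = sum(1 for f in flows if not is_allowed(f, rules))
    return denied, find_udp1434_spreaders(flows)


if __name__ == "__main__":
    denied, flagged = audit(SAMPLE_LOG)
    print(f"denied {denied} of {len(SAMPLE_LOG)} flows; spreaders: {flagged}")
```

The detector is worth running even where the outbound rule exists, because a host that keeps trying to reach udp/1434 is infected whether or not the firewall drops the packets.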
Windows Security. That's like... Military Intelligence? Jumbo Shrimp? Microsoft Works?
Free your ecomony and enact the FairTax
Why would you use a PDC on Linux in a Windows NT 4 environment when it's the BDCs that handle the logons and most of the work? The PDC accepts changes to the database and replicates it to the BDCs.
which is probably the most popular hardware firewall product.
And that hardware is... wait for it... a computer!
For anything "based (o)n silicone", I'd accept Pamela Anderson.
For anything "based in silicon", I'd take a hardware firewall and a software firewall.
Belt and suspenders, what better fashion for a true geek?
Apart from the existing sections, I wish I could filter 'Section of things Slashdot repeats ad nauseam.'
Could someone please begin implementation?
And what is that hardware tough guy? IT'S A COMPUTER!!!
"Microsoft have had their share of vulnerabilities over the last year but not significantly more than Linux has..."
Hello? What alternate universe are you living in? We spent a good chunk of our summer and fall chasing MS-BLAST infected computers. We had to detach computers from the network before upgrading them to XP, because if we didn't they'd get hit before we could patch them.
Perhaps you are playing semantic games - perhaps in absolute numbers there haven't been "that many" Windows exploits. But in terms of wasted IT time; in terms of network downtime; in terms of severity of attack there is just NO comparison. Our Linux, Solaris, and OS X boxes have required almost none of our time.
#DeleteChrome
I'm not a Windows user, but I could've sworn that MS no longer support NT4. This is very clearly a troll; as previous posters noted, it is filled with other nonsense and contradictions.
okay AC, there is a plethora of reasons that windows is on 90% of all desktops.
- apple screwed the pooch by being overly proprietary back in the early 80's. they were just too damn expensive for mass penetration.
- compaq cloned the PC, got its bios to boot, etc...
- lotus 1-2-3 (anyone remember when your spreadsheet program fit on a floppy!!) this program alone accounted for the mass migration to the PC architecture.
- ibm being dipshits about ms-dos. they could have had the rights for chump change.
- os/2 was the de facto desktop. ibm wanted a shitload of money (something like $200+ in the early 80's) microsoft came in with windows for 1/10 the price.
- microsoft did things like give faulty errors with dr-dos when you tried to run windows on top of it. (keep in mind, windows ran on top of dos as late as ME) this has been long since documented.
- microsoft played the bundling game, gave away its office suite for next to nothing compared to others. remember when wordperfect and lotus were the standards? (remember, in word97, you can map every keystroke in wordperfect AND lotus123.)
- monopolistic practices...covered a time or two
- piracy. i, and probably everyone i know got a "free" copy of office. don't think for a second that microsoft really cared that joe and jane homeowner were somehow "pirating" (giggle, giggle) office. well, if business knew you could get it at home "free", they knew they HAD TO pay for it, so, well, if you use office at work, you can bet employees can get it at home, and that eliminates any others from competition
technological merit does not always, or even often, win out. there are numerous reasons. hell, in 1949, we had a state of the art bomber, the YB-49. it could fly farther, faster, stealthier, etc. and, check this out, it was a flying wing. based on a design from the horten bros. in germany. discovered after the war, and developed by jack northrup. but, stu symington (sec of defense) was buddy buddy with convair guys, and we ended up with B-36. then the B-47, then the B-52. 36 was a piece of shit, 47 almost as bad, and the 52 is a workhorse. long story short, when B-2 rolls out, who is there to receive a LONG overdue praise. jack northrup. oh yeah, the VHS vs. Beta thing too. My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
1. With Microsoft's OS it is the ONLY OS known to fall by the millions by a one line script virus, let's see a Linux based virus or worm that can knock down millions of Linux boxes like can happen with Windows...
2. As far as comparing apt-get to Windows Update, with Windows Update you HAVE to have Internet Explorer installed to use it, why does Microsoft make an update tool that is not tied to a particular web browser, maybe something that is "stand alone". Same with a lot of software that mysteriously requires Internet Exploiter to be installed in order to run- (kind of fishy to me)
apt-get does not require any browser installed or even a particular GUI and can be run from the command line...
As far as security goes I would trust Linux a LOT more for critical mission deployments than I would the kludge from Microsoft...
How many worms did you have to clean off your Linux systems last year?
Linux may not be much more secure than Windows but at least my Linux boxes don't go spreading malicious code around my office faster than I can patch 'em. In fact, I don't remember ever patching a Linux box in 2003. Hrmmm, I wonder why that is..
At least with Linux I don't have to worry about security unless I put it in a production environment. Then I only need to worry about keeping up-to-date with patches.
My Linux desktop doesn't get viruses, send viruses, or take out office routers. I wish I could say the same for my Microsoft products.
Well as for apt-get or yum you can't compare those to Windows Update at all. First of all apt-get/yum updates every single application installed while Windows Update doesn't even update Microsoft's own products outside IE or MS-Windows. Had it covered at least MS own products but it really is limited. Tried running Windows Update from a script? Apt-get/yum is way ahead of Windows Update in any way I can think of. And it doesn't cost you more than hardware to put your own apt repository up.
Why would anyone need Exchange? Did you want a mail server or did you want Exchange in specific? You do realize that what you are saying is that you want the brand and not the function in itself? There are tons of ways to accomplish the same things Exchange does and most often much better and with cheaper hardware. If there's one thing Exchange does, it's eat CPU cycles.
"For firewall we kept windows because the software we currently use performs much better on windows than Linux"
Well, duh? Sygate runs pretty lousy on linux too.
HTTP/1.1 400
But how many Linux boxes have Apache (with or without PHP) and/or sendmail? None of my boxes have sendmail, and only one has Apache--which is kept updated.
The Linux environment is much more diverse than the Windows environment. Not to mention that--from my observations--Linux admins tend to do a better job of keeping their systems patched. Not necessarily just because they're Linux admins, mind you. Just because at this point in time, people running Linux tend to be more technologically adept. Obviously this will change as more people move to Linux and unskilled admins are put in charge of "that Linux server thing" instead of "that Windows server thing".
I don't doubt it would be possible to create an effective virus for Linux. My only dispute is that I believe the effect of such a virus (at this point in time) would be limited in impact to something less than even a minor Windows virus.
Yes, they may have. But unlike Windows, all of the linux software had patched versions out within a matter of hours. You are correct, however, in that it's up to the admins to apply the patches, but in my experience, linux admins are a lot more vigilant about this sort of thing.
Also, no linux "virus" ever filled my inbox with hundreds of huge attachments claiming that I needed to update Windows or see the latest cool screensaver.
Oh, and if you're using firewall "software" in Linux, you're doing something wrong. All you need is a little know-how and iptables (or even ipchains), and you'll see that machine FAR outperform any non-kernel-based solutions.
Do you really need reason for beer? Wingman Brewers
In areas like the construction industry, insurance companies take a very hard-nosed attitude towards various types of risky practices, and the difference in risks between those practices is reflected in insurance premiums. It would be straightforward to apply similar techniques to organizational security, but I suspect what we have here is a case of managerial resistance. The management types just don't want their practices closely scrutinized; they like things the way they are now. What I see is a lot of folks taking enormous risks with other people's money.
Except that neither sendmail nor apache are common enough to rock a significant portion of linux systems either.
Sendmail is for the most part replaced by Postfix and other variants. Apache... well, although quite a large portion of web servers run Apache, a very small portion of Linux systems are web servers.
Only a few months ago was the OpenSSH vulnerability, and for maybe eight hours then I was open to that. Back in 2000 I ran a small net cafe through an unpatched RH6.0 box that all the time I thought was secure enough, though now it's known to have _hundreds_ of holes.
I know you're just some anonymous troll, but even though Windows security does suck very much, plenty of Linux setups get hacked. Mainly the ones that serve web pages 24hrs a day etc, not your home desktop machine that's probably not even open to ssh.
printf("%s@yahoo.co.uk\n", uid[569754].name);
Planned obsolescence.
This user account is inactive account replaced by the PDA
Yes obviously, because 90% of desktop users not only are still struggling with the concept of right click and mouse and run as the equivalent of root users.
But they also became security experts qualified to evaluate whether or not their operating system is safe to be unleashing on public networks.
As I said, we got a message from corporate HQ telling us to turn off Preview and also not to click on stuff that does not come from people we know (more likely the outbreaks were from people clicking on things they should not). They had to get themselves off a few blacklists it seems as a result...
This is not a small company either, around 3000 people. Yes, we do have admins that know what the hell they are doing. Sometimes, stupid users click on links or bring in laptops and that is it.
The thing is, even if a UNIX admin is doing a poor job you aren't as likely to see a "wildfire" spread of infection, more like a slow burn.
I just hope that in the next few weeks we won't see a disaster like the Slammer worm.
That, in a nutshell, destroys the entire article. The end user shouldn't be forced to "hope" that bad things won't happen to their computers. Any vendor that instills so much lack of confidence in their products doesn't deserve the benefit of the doubt.
You should really keep your Linux box up to date even if it's only your home machine. Modern distributions such as Debian, RedHat (Fedora) and others make it very easy for you.
If you don't sooner or later you'll be hacked, you might or might not notice it, but other people will use your machine for purposes you did not intend (such as share software or copyrighted material, or relay spam).
I don't doubt it would be possible to create an effective virus for Linux.
I agree with everything you stated. It's the diversity that makes Linux (and other operating systems) less vulnerable to such massive attacks. But everyone learns from their mistakes, even Microsoft (albeit slowly sometimes).
Currently, if you purchase a copy of XP and install it with networking capabilities (even dialup), there is a good chance you won't get as far as Windows Update before you're rooted. I went through that a couple of months ago -- got the "Windows is Shutting Down" dialog before the Windows Update page could load. I knew how to abort the shutdown and patch the problem, and I really should have enabled the firewall first -- but joe average doesn't (and shouldn't have to) know this.
However, I also recall the Honeypot project having similar experiences with RedHat 6.2; because of a remote-root exploit (I think), the machine was hardly online a few minutes before being rooted. If I remember correctly (it was a long time ago), 6.2 was the latest retail RedHat release at the time.
Jump to now: RedHat now enables fewer services by default (but still has a record number of suid-root binaries...), and really pushes you to enable iptables at install time before any network interface is brought up. Likewise, SP2 for XP will be doing some things right, and I'm sure this will carry over to Longhorn and future versions.
I say: bravo on both sides. Firewalls enabled by default (like "opt-in" instead of "opt-out"), and taking security into consideration with every decision (as RedHat and Microsoft both are learning to do, though many others *cough*OpenBSD*cough* have known this for a while)...
NGWave - Fast Sound Editor for Windows
Sendmail is for the most part replaced by Postfix and other variants. Apache... well, although quite a large portion of web servers run Apache, a very small portion of Linux systems are web servers.
While I personally don't use SendMail (I love Qmail), I believe the vast majority of Linux (and other Unix) machines offering mail services are using Sendmail. Just think of how many Cobalt RAQ machines administered by idiots are out there...
Apache has always had a pretty strong focus on security, though everyone makes mistakes from time to time. It does certainly have a better record than Sendmail or Bind, and I trust it quite a bit myself.
Sure, not every single Linux box is running Apache, but an attack that is targeted only at web server machines can still cause quite a bit of havoc; just think of Code Red and its descendants.
Just because you aren't targeting *every* single machine out there doesn't mean an attack can't be effective. You compromise a few thousand unpatched Linux/Apache machines, or *nix/Sendmail, or whatever -- you still have plenty of power to (for example) attack an anti-spam site, or cause other, similar damage.
Yes, an exploitable Windows -- especially when it's exploitable in its default configuration -- is a helluva target; but that doesn't mean all exploits need a hundred million exploitable machines to have an effective target.
You mean that apple wouldn't let anyone else screw the pooch?? (OTOH, the pooch would be looking like the goatse guy).
ibm being dipshits about ms-dos. they could have had the rights for chump change.
Ummm, no. When MS got the rights to 86-DOS, Seattle Computer got rights to MS-DOS, OTOH, if IBM dealt directly with SCP, then...
in 1949, we had a state of the art bomber, the YB-49. it could fly farther, faster, stealthier, etc. and, check this out, it was a flying wing. based on a design from the horten bros. in germany. discovered after the war, and developed by jack northrup.
Ummm, no again. The YB-49 was the XB-35 with 8 jet engines replacing the 4 Wasp Majors + contra-rotating props. The XB-35 was a scale-up of the Northrop (note "o" not "u") N9M which was flying in the early 40's. The B-35 and B-36 were both results of an RFP for a bomber with a 10,000 mile range and a 10,000 pound bombload that came out in early 1941. The USAAF wanted a plane capable of bombing Berlin from the NE US.
It is interesting to note that the B-2 has a wingspan almost identical to that of the B-35/49.
The Horten aircraft was specifically designed with low radar cross section in mind, the low RCS of the B-49 was a happy accident. There was an incident where the B-49 was being tested off the coast of Calif and it frequently disappeared from the radar screens.
The first US stealth aircraft was the Lockheed A-12/F-12/SR-71. The Blackbird was often called the A-11 because LBJ read AMI as A-11, and the recce bird was originally the R/S-71 (following the R/S-70 nee XB-70), but LBJ screwed that up again.
Of course, that has absolutely nothing to do with security.
Only those who dream can grasp reality.
Last I heard, they finally got them moved over to Windows 2000, and now to Windows Server 2003. It was the Hotmail servers.
nah personally i enjoy the comment about them using windows as the firewall.
..... We use Pix here. most of our customers use netscreen or pix .....
no sane company with any valuable data on their intranet should use anything other than a hardware based REAL firewall with custom OS, not a consumer/server OS
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." --Albert Einstein
Well, I don't disagree with the parent to this post being modded down to flamebait... It isn't really an accurate moderation...
Clichéd or Lame or Boring would be much better ways to moderate such posts!!!
http://news.netcraft.com/archives/2003/12/19/sun_discontinuing_cobalt_linux_servers.html
according to that link, quite a few Cobalts out there. And since I work for Sun I can attest that most people running them are fairly clueless. and they aren't exactly up-to-date either.
My guess is that when such a worm comes about, it will be done in the same manner as most Outlook worms - tricking the end user into executing malicious code from an email attachment.
Does anyone *seriously* believe someone naive enough to run those "Naked Kournikova pictures" attachments won't be similarly naive and type "chmod a+x ~/nastyprogram; ~/nastyprogram" into a console because some email tells them that doing it will give them "INSTANT ACCESS TO CO-ED AND THEIR NASTY AFTER HOURS LEARNING !!!!!" ?
Good points, but I have to point out the VHS vs Betamax thing isn't all that clear cut... Betamax suffered from short tape lengths, which may well be what killed it.
I know me on the other hand, I set up a mirror to see what's behind me and I see my ass. Then I realize what they mean by looking back... When you look back you see your ass, and what does your ass produce? Shit... Simple Geek Zen ... Microsoft Security is shit... Get it now?
MoFscker
I do not see any security. As Gates/Ballmer have said "it would be far too expensive to fix Windows". Besides, by fixing Windows, the forced $upgrade$ incentive would go away. The problem with the MS software model is that if you make it too good no one will upgrade. Like banks and OS/2, IBM focused on getting the security right, look what happened!
OH THE SHAME I fell off the wagon and use sigs again!
Microsoft puts itself in a catch-22 with this one.
Microsoft released a patch, yes. There are two people who wouldn't install it: those who don't have a clue about being a sysadmin (MCSE) and those who know MS's history of distributing broken patches.
The first group (mostly made of MCSE-only admins) are either too ignorant to install patches timely or are too stupid to know that your SQL server has no need to be internet-accessible. IIRC the only way to get Slammer was to have your unpatched SQL server live to the world, something that anyone even slightly security conscious wouldn't have done. Unfortunately, MS markets themselves as the easy deployment/any idiot can admin. So, they market themselves to idiots, then blame the idiots for not taking care of their servers. Umm... sure.
Secondly is the smart group who knows better than to deploy ANY MS patch without testing it. Having a patch 2 months before the worm hits is fine and good, but often times testing a patch takes that long. In the case of slammer these are the guys who know to keep their SQL servers behind the firewall. Slammer was mostly due to group #1. In the case of IIS and other internet services, however, a patch may not be deployed in a timely manner.
Combine MS's past of releasing broken patches with their careful marketing to idiots and you see how easily this crap happens.
There is no reasonable defense against an idiot with an agenda
:wq
Believe it or not, I have not had to clean up any worms from my Windows machines last year.
Why? Because my network has a firewall. Then my machine has a firewall. And I run a virus checker. And I keep reasonably up to date with patches. And no, it's really not a big deal.
In our last audit, guess what we found. Windows 2000 servers on the audited networks were patched. Linux machines were not patched for recent holes. Why? The mentality that Linux is secure out of the box. We showed how the audited network's firewall (running Linux, because it's k00l and the admin was a Linux zealot) was rooted in 15 seconds using a familiar recent exploit.
"Why would anyone need exchange? "
What is a good open source alternative for centralized information sharing (workgroup planning, email, address book, etc)? Yes, email can be done by anyone... On the other hand most POP3 implementations out of the box are significantly less secure than Exchange because the data -- and especially the authentication -- is transferred in cleartext.
and p.s. it does not cost you anything more than hardware to set up a windows update-like service either. We cache all QFEs on our server, then generate recommended updates based on the xml catalog published by MS (see hfnetchk). This list is processed on every machine in the logon script.
hey man, isn't December pretty much effectively over? You know, what with that little obscure Christmas/New Year thing going on?
Manipulate the moderator system! Mod someone as "overrated" today.
The SR-71 (R/S-71) was an all black aircraft, hence Blackbird. The YF-12A variant, often just called the A-12 or F-12, wasn't black, but usually got a two tone silver gray and smoke gray paint job. Operational fighters always get an aggressive nickname, like Falcon, by the time they go to full production. That's two reasons why the "Blackbird" is really only for the recon version.
Neat plane anyways.
Who is John Cabal?
"piracy. i, and probably everyone i know got a "free" copy of office. don't think for a second that microsoft really cared that joe and jane homeowner were somehow "pirating" (giggle, giggle) office."
Microsoft didn't care???? Microsoft encouraged it!!! When Microsoft still had proprietary competition, there was a clause that if you had near exclusive use of your work computer Microsoft *allowed* you to have a copy on your home machine.
They knew they were in a battle for mindshare, and that giving away some product was good for business. Sometime about when Windows 95 came out (IIRC) they ended the practice. I believe because they calculated they didn't need it anymore.
What do they mean "looking back" on 2003? The date is December 23, 2003. An accurate annual analysis would require waiting until at least January 1, 2004. Who's to say that there might not be another Windows security hole discovered between now and 2004?
Finding new vulnerabilities isn't hard. Remember ntcrash? Variations on that theme should discover new holes automatically over time.
Computer based firewalls -- Layer 7 Hardware or Hardened Firewalls -- Layer 3
And it's connected to the internet.
Since it's unique, it's never been successfully attacked. Does that make it the most secure system in existence?
It seems like you're advocating security by obscurity.
Set up 3000 desktops with any ports open that could be used like slammer used Windows boxes?
With Windows you can't avoid it, with Linux (or OS X) you have a fighting chance of deploying a lot of systems that virii won't spread through like a fire through a forest in July.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Add to that people had to work with fractions when calculating how many programs would fit on a betamax tape.
When I was a teenager, I worked at some video/vcr/tv stores when Betamax and VHS both had a strong market share. When it came to VCR's, the #1 question I heard was 'how many shows & movies will fit on a tape?'.
Explaining betamax record speeds did tend to confuse people much more than explaining the 2-4-6 hour speeds of VHS.
This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
Everyone in the IT community already knows what a poor reputation that company has actively worked hard to earn. Articles like the above serve only to provide free marketing and distract from active development rather than pump-n-dump.
Rather than doing free security and sysadmin work for Chairman Bill this holiday season, and rather than providing free publicity for his portfolio, could we please give it a rest and have a MS-free week, weekend or at least just a MS-free Friday? i.e. no articles or press releases about the latest vaporware, thneed, fud or spin, including news relays via MS-owned sources like slate, msn, msnbc, msnpr, Newsweek, etc. It seems every day there is a shameless, unnecessary plug or two. Now that international investors have divested and even their own employees have offloaded it is as irrelevant to the stock market as it is for the IT sector. The pyramid scheme has maxed out, if you weren't already bailing, then it's too late.
As far as security goes, businesses and home users alike are finding Gnome and KDE easy to use and the platforms (Darwin, OpenBSD, Linux, QNX, etc.) more secure, more stable, and easier to maintain. So looking back at MS-Windows [lack of] security in 2003, we can say good bye to the terminally insecure and hello to modern technology.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Or perhaps we should be "Looking Back at Litigation Ethics in 2003"
To understand recursion, you must first understand recursion.
Actually, yes.
Before MacOS X, there was simply no meaningful built-in remote access, and therefore no remote exploits.
Now, MacOS X comes with all services disabled by default. You can hook a MacOS X system to the Internet and you are not instantly vulnerable.
By striking comparison, I hooked a Windows XP system to the Internet and it was almost immediately infected by Blaster.
There are no known worms or viruses for MacOS X. Part of this is because MacOS X is not common enough for a worm or virus to spread. But MacOS X also doesn't have things like RPC and Windows Messenger Service enabled by default.
But MacOS X also doesn't have things like RPC and Windows Messenger Service enabled by default.
... we plugged one into our network to see what we could get it to do, and gave up after a couple of hours of failing to find out how to turn on the DHCP client. Not going to waste time on one of those ever again.
Macs also don't seem to have DHCP client enabled by default
Except those that run OpenBSD.
See my journal, I write things there
And we're talking about Fortune 500 companies, not SMB's, although all buisnesses computers really ought to have something in place if they are exposed to the internet.
But really, good job defeating arguments that nobody was making. Have you looked into a career in politics?
You are in a maze of twisted little posts, all alike.
But one of the big things IPtables can't do to my knowledge is route packets at near wirespeed. Though I'm sure with today's machines they are pretty darned fast, they don't have the "route once, switch many" architecture of a good hardware based product.
You are in a maze of twisted little posts, all alike.
Except that Blaster was patched two months before the vulnerability hit, and the government warned you TWICE to patch. It takes you two months to plug a tiny little hole in RPC? Your fault, not Microsoft's. They had the problem solved.
If you want to talk about security in 2003, where are the mentions of the two breaches at GNU, and the breaches at GNOME, Debian, and Gentoo? Those are pretty embarrassing security lapses for the Linux community that--not surprisingly--are never brought up, as if they never happened.
"Sufferin' succotash."
If there are no ports open for an exploit?
Imagine a default desktop with no ports open. Spread a virus. How does that work? With Windows you are going to have a lot of ports open no matter what.
Now let's say you'd like to remotely administer a box. As just an example of some way this could be done, you do not have sshd running as root (so a buffer overflow gets you nothing) and keep what it can do to a minimum without further work on someone logging in. Now how are you going to spread an exploit?
There are a number of ways to approach setting up a linux or OS X desktop that can basically halt the spread of anything, even with the same configuration everywhere. By design the same is not true of Windows as you just don't have the options. Many governments and other entities are waking up to the fact that you seem blinded to.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
You avoid it in Windows the same way you avoid it in Linux.
By praying that users never run anything, or that the next vulnerability that affects a port you can't close doesn't arise?
The whole point is that Windows is insecure by design, and basically impossible to secure to the level a Linux box can be. If the apple is rotten it doesn't matter how hard you work at baking the pie.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Some distros make keeping your system up2date easy. Some distros, like Fedora, seem to only patch security problems or minor revisions instead of updating entire subsystems.
Redhat changed their ftp daemon from wu-ftpd to the very secure ftpd between RedHat 7.x and 9, but none of those types of changes are propagated by their up2date system.
Linux can keep itself up2date when its properly built, but on a home or office network as a desktop install it shouldn't need a firewall or virus scanning software. It should be secure enough by default to prevent any automated attacks. And I think it is.
I won't be hacked because I won't invite a cracker into my apartment to play with my network. Sorry I had to get all racial on ya there.
Now in a production environment that's different. Whenever you put something live on the internet with an IP address you need protection. Protection usually comes in the form of a firewall or NAT router. Usually you would put any systems that serve the web on a DMZ with very fine holes poked through your firewall for specific IPs/MACs/ports, etc.
You would craft your network in such a way that an attacker would only be able to break in through a limited set of ports. You would keep a list of all ports that run on your DMZ and monitor when security exploits are released so you can patch everything ASAP, before an attacker has the ability to crack anything.
However, if you have an insane person monitoring your servers and the security boards 24/7 they may be able to hack their way in before you could patch your systems even if you do everything right. God forbid anyone walk into your building and gain physical access to the servers. Security is always going to be an illusion, but there is a comfort zone we can easily put ourselves in to feel relatively secure from automated attacks. Which is really all anyone wants. Else they become paranoid.
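An added example (not the poster's) of the two bookkeeping chores that post leans on: keeping a list of every port that is supposed to be reachable on a DMZ host, and checking that nothing else is actually listening there. It reads constructed `netstat -ln` style output, flags listeners that are not in the declared list, and renders the declared list as a default-deny iptables ruleset. The host, addresses and port list are sample data, and the rule syntax is the classic `-m state` form of that era:

```python
"""DMZ exposure check: declared ports vs. observed listeners, plus the
default-deny ruleset that matches the declaration.

Added example, not from the original post. Hosts, addresses and the
listener output below are constructed sample data.
"""
import re

# Constructed: what the DMZ inventory says www1 is allowed to expose.
# {(proto, port): [source CIDRs]} ; "0.0.0.0/0" means any source.
DECLARED_WWW1 = {
    ("tcp", 80):  ["0.0.0.0/0"],
    ("tcp", 443): ["0.0.0.0/0"],
    ("tcp", 22):  ["10.0.0.5/32"],   # admin jump host only
}

# Constructed `netstat -ln` output from the same host.
NETSTAT_WWW1 = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""

_LINE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")


def parse_listeners(netstat_text):
    """Set of (proto, port, bind_addr) for sockets accepting traffic.
    TCP must be in LISTEN; UDP sockets are taken as-is (no state column)."""
    found = set()
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        proto = proto.rstrip("6")
        if proto == "tcp" and state != "LISTEN":
            continue
        found.add((proto, int(port), addr))
    return found


def unexpected_listeners(declared, observed):
    """Listeners reachable from off-host that the inventory does not declare.
    Loopback-only binds are not exposure and are ignored."""
    return {
        (proto, port, addr)
        for proto, port, addr in observed
        if not (addr.startswith("127.") or addr == "::1")
        and (proto, port) not in declared
    }


def iptables_rules(declared):
    """Default-deny INPUT/FORWARD with one ACCEPT per declared hole."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for (proto, port), sources in sorted(declared.items()):
        for src in sources:
            src_opt = "" if src == "0.0.0.0/0" else f" -s {src}"
            rules.append(f"iptables -A INPUT -p {proto}{src_opt} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    seen = parse_listeners(NETSTAT_WWW1)
    for proto, port, addr in sorted(unexpected_listeners(DECLARED_WWW1, seen)):
        print(f"UNDECLARED: {proto}/{port} bound on {addr}")
    print("\n".join(iptables_rules(DECLARED_WWW1)))
```

Run it against the sample and the two portmapper sockets on 111 show up as undeclared while the loopback-bound database does not; the ruleset it prints is the "very fine holes" the post talks about, with the policy set to DROP so a new daemon someone starts on the box is not reachable until the inventory, and therefore the firewall, says so.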
it's not diversity that makes linux less vulnerable, that may be a reason but i don't think it is the major one.
The major one is user behaviour, hardly anyone uses linux as root, they just use it when they need to make changes in the system.
But in windows almost every one uses it as admin (or some login that belongs to the admin group), so if you run a virus on windows your whole system is compromised, on linux just your data and some binaries you may have.
Granted, almost anything based in silicone could be considered a "computer"...
How about a Beowulf cluster of Pamela Andersons?
--
My other computer is your IIS server.
no sorry you lose. OpenBSD is not as secure as people think. the only reason there are very few problems with it is because only 4 people use it.
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." --Albert Einstein
It won't run any of my old DOS games. :)
No, OpenBSD isn't as secure as people think but I have some stripped down OpenBSD boxes at one end of the DMZ and Linux at the other end. The DMZ contains a mixture of Unix type boxes (Solaris and Linux). Windows is only permitted on the intranet. The main issue is keeping the portable Windows PCs segregated off because of worms like Blaster being imported. The combo is fairly good. Yes, the Cisco routers connecting to the net are also locked down but they are not the primary firewall.
See my journal, I write things there