Slashdot Mirror


User: ninja_assault_kitten

ninja_assault_kitten's activity in the archive.

Stories: 0
Comments: 339

Comments · 339

  1. Re:Windows research is clearly more profitable... on $10k Bounty for Critical Windows Flaws · · Score: 1

    Heh... so blind, so sad.

  2. Windows research is clearly more profitable... on $10k Bounty for Critical Windows Flaws · · Score: 0, Flamebait

    This should put to rest any notion that for a researcher, it's *MUCH* more profitable to discover vulnerabilities affecting MS software than it is any other software vendor.

    This trial by fire is also the reason why it's been quite some time since we've seen a blaster/sapphire-like vulnerability discovered.

    There's no inherent security architecture protecting Firefox, Linux, OSX that doesn't also exist in Windows. They're merely relying on security through obscurity in a different sense. That sense being that not nearly as many researchers care or devote the time to analysis of codelines that won't be worth their while, either financially or egotistically.

  3. Did you hear that? on Apple to 'Switch' to Windows? · · Score: 1

    It's the sound of a million slashdot reader hearts breaking.

  4. lol@star office on MS Unveils Office 2007, Multiple Versions · · Score: 0, Flamebait

    see subject

  5. Re:Thank GOD there is finally a virus on First Mac OS X Virus? · · Score: 1

    Don't get so defensive, hippy.

  6. Rocket Scientist on First Mac OS X Virus? · · Score: 1

    Thanks for your keen insight.

  7. Re:Source? on New Secure IM Client from NTT Due this Year · · Score: 0, Troll

    Yeah, a lot of good it's done for Firefox and Linux.

  8. The University of Washington??! on Firefox Users Surf Safer · · Score: 1

    They're owned more times and by more people than the ipod.

  9. "currently unstable" on GnuCash 1.9.0 Released · · Score: 1

    Just like everything that uses GTK.

  10. Uhm... on Apple Switched Chips Too Soon? · · Score: 0

    Does anyone actually believe Apple was not aware of this when they made their decision? RISC is dead.

  11. Not quite true... on Google Adds Chat To Gmail · · Score: 1

    They're *going* to be adding chat functionality to GMail. Currently all they offer is the ability to save GTalk conversations in GMail.

  12. Re:Sorely missing on GIMP Not Enough for Linux Users? · · Score: 1

    So is nearly every piece of software X11 supports. X11 is holding Linux back.

  13. Does this surprise anyone? on .Net Programmers Fall in CNN's Top 5 In-Demand · · Score: 3, Funny

    The only people who would dispute the superiority of Visual Studio, C# and ASP.NET would be those who've never spent more than 2 hours in any of them. And that was just .NET 1.x :) .NET 2.0 is like stepping into a time machine and moving 10 years ahead of anything else out there.

  14. One thing's clear... on Tennis Pro Swaps Racket for Railgun · · Score: 3, Insightful

    He must have never had a chance as a tennis pro.

  15. That's a great day for Slashdot! on IE7 Bug Reports Flooding In · · Score: 0, Troll

    HOORAY!

  16. That's a big negative. on Microsoft Won't Offer Patch Before Worm Strikes? · · Score: 1

    Uhm, no. In fact it is a virus, because it isn't self-propagating, and the virus installs a trojan.

  17. So? on Microsoft Won't Offer Patch Before Worm Strikes? · · Score: 1

    Good for them.

  18. Say what you like about IE on Microsoft IE 7 Goes (More) Beta · · Score: 5, Interesting

    But if looking at the progress between Beta1 and Beta2 I'm thoroughly impressed. The UI concerns I had with Beta1 have all been addressed. I really like where they seem to be going.

  19. Re:I hate to bring this up again, but... on MS Security VP Mike Nash Replies · · Score: 1

    Sure it does, but the OS wasn't designed to allow a user to truly run as a non-admin.

  20. Re:I hate to bring this up again, but... on MS Security VP Mike Nash Replies · · Score: 1

    OSX was in development for 5 years too. It's not like they could have incorporated it into OS9. The same goes for XP. XP was released, it did not have this functionality and it was not technically possible without essentially rewriting a great portion of the underlying code from scratch. Combined with MANY other security released process enhancements, it makes much more sense to include it in a new OS which leverages a fundamentally different security architecture.

  21. Re:Broadband Plus OS X on Is Obsolescence Good Computer Security? · · Score: 1

    "I feel like Neo effortlessly deflecting the bullets fired at me."

    Exactly my point, you aren't. Your false sense of security is your Achilles heel. Just because there aren't exploits floating around in the wild doesn't mean there couldn't be. My point was merely that if for some reason the focus completely shifted from Windows to OSX, there would be technical reason why OSX wouldn't suffer the same fate, if not worse.

    "And what do you mean by it being 10X more profitable for you to discover a flaw in Windows than OS X?"

    What I mean is vulnerability discovery is a free market. If you were to discover a remotely exploitable vulnerability affecting Windows XP SP2 and one affecting Mac OSX 10.4, the XP vulnerability could be sold for 10x as much. Why? Obviously because impact is so much greater.

    As long as there's so little research going into OSX vulnerability research by folks like eEye, IIS, etc, that leaves a much broader surface area for a researcher with a more malicious intent to discover a vulnerability and use it quietly behind the scenes.

    The simple fact is, the high value of MS vulnerabilities has probably been the single greatest contributor to its strengthening security posture.

  22. Recommendations on Chess for Kids? · · Score: 1

    ChessMaster is still an excellent piece of software for both learning and playing. It's available for many consoles and the PC (in Windows).

    Aside from that, you can hire a mentor for relatively cheap. You would only need to pay for 3-4 hours per month to make steady progress (depending on how involved you'd like her to become).

    Get her a membership on ICC (www.chessclub.com) and let her play regularly. It's very important to record and analyze your games. Once you've learned the fundamentals of chess tactics, openings, endgames, analyzing previous games is your best tutor.

  23. Re:Broadband Plus OS X on Is Obsolescence Good Computer Security? · · Score: 1

    You're quite defensive. Honestly, I didn't bother to read your entire posting but:

    "See the recent WMF vulnerability for another example of this. "Hey, let's make it so that a picture file can execute code!""

    You make it seem like vulnerabilities in image formats are a MS only issue...
    See: http://secunia.com/product/3439/?period=2006#advisories

    The only operating system I'd come out and say has a superior overall security posture than Windows, Linux, OSX, FreeBSD, Solaris or any other mainstream OS is OpenBSD. But who wants to use OBSD for anything other than a server? Not me.

  24. Re:Broadband Plus OS X on Is Obsolescence Good Computer Security? · · Score: 1

    You're missing my point completely but I admire your passion.

    The simple fact is far, FAR more research has gone into identifying and exploiting flaws in Microsoft products. As such, yes, there have been vastly more vulnerabilities discovered which affect their software. Btw, Macro viruses do not affect Windows per se, but instead the MS products which are installed on top of it (and yes there were a lot of them back in the day).

    Understand, I've already done my tour on the Apple bandwagon. I've since jumped off (at least somewhat). The simple fact is, OSX is doing a piss poor job at security. They built atop a good framework but have made poor decisions, primarily due to lack of expertise in the areas of security at the expense of eye candy and convenience. The best thing they've done all year was hiring FreeBSD security officer (Jacque) to assist in code review and future architecture.

  25. Think about this for a second... on Is Obsolescence Good Computer Security? · · Score: 1

    I'm not quite sure why I'm even bothering to respond, but I hate this posting and can't resist. It's like that stupid AOL commercial which says the same thing... "You're actually MORE at risk using Broadband".

    Why?

    Positives for Dialup:
        - If anything, is the fact that you don't typically stay online 24x7. And when you aren't online you're not going to be attacked. At least not remotely. (You can simulate this on Broadband by disabling your NIC when you're done.)
        - Malicious payloads take longer to download. :)

    Negatives for Dialup:
        - Your machine is directly connected to the ISP's network. Inbound connections must be controlled through a host-based firewall.
        - There's no DSL or cable modem NATing traffic and/or acting as a network firewall. I can't speak for all broadband providers, but Bellsouth DSL modems don't allow any inbound TCP/UDP connections by default.
        - If your machine is compromised, due to the fact there's no NATing/firewall device in front of your machine, the attacker doesn't need to rely on a reverse shell, they can connect as they like.

    In the end, there's nothing inherently more secure about dialup.