Slashdot Mirror


User: mikefe

mikefe's activity in the archive.


Comments · 712

  1. When comparing servers, browser bugs don't matter on Windows vs. Linux Security, Once More · · Score: 1

    After reading the article, I agreed with everything until I saw the ratings given to the various vulnerabilities. First of all, browser holes should not be counted (or at least counted equally) on the various platforms. Just because Microsoft emphasizes their interface doesn't mean they tell you to fire up your browser and download the patches from the server.

    Second, I agree with Microsoft (gasp!) when they lower the severity of the vulnerability on win2003 because it has more secure defaults. He argues that IE and Outlook are useless with the defaults on win2003. He's right, they are useless because you don't(tm) use IE or Outlook on a server! If you are using the server as a desktop at the same time and you aren't very careful (only use the Admin account when required and etc) then you are screwed anyway and all assumptions about security go out the window.

    Third, several DoS (RHSA-2004:413-07, RHSA-2004:255-10), samba (RHSA-2004:064-11) and especially the complete control (RHSA-2004:259-23) had their severity lowered (in some cases to "low"!) because they required a valid login account. There are valid business scenarios that require creation of accounts for non-employees. The first two that come to mind are vendor relationships with b2b software and remote shell/web/ftp accounts. Also many protocols are used that transmit passwords in the clear over the internet and this is a stupidly easy (and unfortunately common) way to give a password out like that.

    Yes those two scenarios can be argued about, but with the trend to have single signon systems that refer to one password, any single system that sends the password hash in the clear is the weak link. And you know the ones in control who don't know crap about computers will push you to get something working "now!" and you will have to open a weak link -- security in the face of something taking longer to get working is not an option in the minds of the typical business person -- for the most part (I'm sure there are exceptions -- I'd love to hear about them). Not to mention that most successful break-ins are said to be from people on the inside.

    Don't forget "real" application servers that provide the power for thin clients. Be that Linux and VNC/NX or Windows and Citrix/TS it is another scenario where all of the assumptions about servers are stood up on their head -- finally a valid reason to run IE and Outlook on the server! Or not -- Go Firefox, Thunderbird, Open Office, Evolution, Kontact (and soon Sunbird!), Gimp, Sodipodi, Inkscape and Scribus!

  2. Re:A few clarifications... on Windows vs. Linux Security, Once More · · Score: 1

    "Part of the Windows operating system's underlying design involves its file locking semantics. Files in-use by the operating system, providing needed functionality, can't be easily replaced while the system is running. Windows solution? The in-use-file replacement tool is able to change the bits on disk, but not the memory addresses they map to. So, the copy in memory doesn't match the copy on disk -- and the copy in memory is the old (flawed) copy. This is rectified by...you guessed it...refreshing the copy in memory. And what's the easiest way to do this? Reboot the server and reload it from the disk, if the module you're talking about happens to be, say, the Local Security Authority or the Windows Kernel."

    This is actually using the unix unlink semantics. It allows you to delete a file while it is open, and then put a different file there with the same name (but a different inode).

    The reason why you have to reboot is because you can't just restart the affected service because the different parts are too integrated. Another point in the article.

    The fact is, the only thing that requires a reboot in the unix world is a kernel upgrade. That could be done on windows, but microsoft already has a design that makes it very hard to do that.

  3. Re:meh... on Windows vs. Linux Security, Once More · · Score: 1

    I am pretty sure you can change the registry to put the profiles on another drive...

  4. Re:PHB Mode - (*)On ( )Off on Windows vs. Linux Security, Once More · · Score: 1

    Yes, why don't we get a nice big class action law suit that charges Microsoft with false advertising?

    I don't care if I only get $13, I want all those billions lost in the economy to be paid by the one selling the snake oil.

  5. Re:Ah, but the lack of factual data is the problem on Windows vs. Linux Security, Once More · · Score: 2, Informative

    Actually you are right. NT's kernel is very competitive with unix, and can provide what is available in the unix kernels.

    The problem is everything else added on top of the kernel, and the fact that graphics drivers have been integrated with the kernel instead of separated out. Though XP has made progress by moving sound drivers out of the kernel -- in contrast to Linux which has sound drivers in the kernel, and graphics drivers in userland (with two notable exceptions -- Nvidia and Ati's 3d drivers).

    Even with the RPCs, if they were each separated into separate user accounts with access rights to only allow what is needed for each service, security would be vastly improved.

    And while NT may have a more feature rich access rights model, it hasn't been exercised very well.

    Also you would be more convincing if "Don't run as Administrator" was as popular a phrase in the windows world as "Don't run as root" is in the Unix world.

  6. Re:For those that didn't already know on The Hardware Behind Echelon Revealed · · Score: 1

    I think you meant: ECHELON

  7. Re:Programming versus Software Engineering on U.S. Programmers An Endangered Species? · · Score: 1

    FAX?!

    I surely hope you meant "scanned with high end imaging equipment and then sent digitally..."

  8. Re:Labor as a Commodity on U.S. Programmers An Endangered Species? · · Score: 1

    If that were true, we wouldn't see all of those "Made in China" tags all over the place...

  9. Re:Emigration on U.S. Programmers An Endangered Species? · · Score: 1

    The question is where do you go instead?

    Ever since 1914, the entirety of first world nations have been subsumed.

  10. Re:you've nailed it on U.S. Programmers An Endangered Species? · · Score: 1

    One can only hope...

  11. Re:Well, according to the last debate... on U.S. Programmers An Endangered Species? · · Score: 1

    Why raise taxes?

    What do you tell someone who regularly fills their credit cards to the max?

    Do you give them more money? No! You tell them to keep paying, pay a little faster and spend less.

  12. Re:Exactly. on U.S. Programmers An Endangered Species? · · Score: 1

    Doesn't this remind anyone of the typical response time of an open source mailing list?

  13. Mod parent UP!!! on U.S. Programmers An Endangered Species? · · Score: 1

    This one can not be missed!

  14. Re:Endangered Species? on U.S. Programmers An Endangered Species? · · Score: 1

    Only problem is... the female of the species is even rarer than a secure Windows box.

    "And usually about as sexually attractive as one, too."

    Ditto for males in the species.

  15. Re:Dreidel on Neopets Gambling Controversy · · Score: 1

    "Either it's teaching gross consumerism, or setting kids up for behavior that, in the business world, results in anti-competitive monopolistic corporations"

    Well, look at what it did for Billy Gates -- he was a master at monopoly.

  16. Re:Because he prefers to remain blissfully ignoran on Making a GUI for OpenGL Games? · · Score: 1

    Yes, but what about non-systems programming?

  17. Re:The more I look at B. Gates... on IE Holes Not Microsoft's Fault, Says Bill · · Score: 1

    Yeah, I saw her but I'm not sure who was uglier...

  18. Re:No thanks on IE Holes Not Microsoft's Fault, Says Bill · · Score: 1

    Win2k is up to SP4.

    It's WinXP where the latest service pack is SP2

  19. Re:BYOB on Can My Desktop Make It in the Big Leagues? · · Score: 1

    Did you actually read the data off the drive, or just give up after you found it didn't have a standard dos partition table?

    I'm sure the data is there, it probably just had a raid header format instead of a partition table.

    Now if you had timeout errors, then you were right, you couldn't read from the drive on a different controller, but then that's another issue...

  20. Re:Yep, there are differences... on Can My Desktop Make It in the Big Leagues? · · Score: 1

    Don't forget OpenAFS.

    You can have the volumes shared across several servers with no problems.

  21. Don't go cold turkey on Moving to the Linux Business Desktop · · Score: 2, Informative

    In any reasonably complex windows environment you can't switch cold turkey (or completely) to a Linux desktop.

    Here is a part of a report I made on the subject:

    Linux Desktop Server
    I have been running Linux on my desktop for the last two years and have enjoyed the added flexibility ever since. It combines the features you're familiar with on Windows and Macintosh as well as adding several of its own to the mix. Check the "Linux Desktop Features" sidebar for details.

    You will get the power of the Linux Desktop as well as keep the application availability of Windows.

    The Linux desktop includes all of the benefits available with the Citrix Windows Application Server with some additional features mentioned below.

    I've been using an OSS program called VNC (Virtual Network Computing) that allows you to control a computer remotely over the network. It runs on Windows, Macintosh and Linux. On Windows and Macintosh, VNC only allows you to remotely control one desktop per machine. But on Linux, you can remote control one or several separate desktops over the network and easily handle one desktop for each user from one or several servers.

    VNC also allows users to move from one computer to another, open their Linux Desktop on the network and use the same programs right where they left off.

    Upgrades only need to be performed on the server. This reduces costs in new equipment, and time required to manage the software installed.

    With all of these advantages, there are some disadvantages. The Linux Desktop runs Linux programs best (running Windows programs on the Linux Desktop is best left to a future project).

    There are programs that do not have replacements yet under Linux. So far the list is small: Filemaker, Mas90 and Attendance Enterprise. There is a solution though - continue running them under windows!

    Linux Desktop Features

    All of the Linux features mentioned below are included standard, are absolutely free and open source.

    Linux can have multiple desktops (each with their own applications) on the same screen and switch between them with the click of a mouse or press of a keyboard combination. You can also move application windows between the desktops or put one on all desktops at once.

    OpenOffice fully supports Word and Excel files. It has most of the features available in Word and Excel, and some additional features such as "Type Ahead" and standard "Export to PDF". The only hindrance is the current minimal support for RTF, which excludes it from Letter Art work.

    The GIMP has most of the features of Photoshop (including all that are needed by Match Mail) and supports PSD, TIFF, JPEG, PNG, GIF and several other formats.

    PostScript and PDF are native formats on the Linux platform. The PDF format is an Open Standard like PostScript and there are replacements for Acrobat under Linux.

    Linux supports Windows TrueType, Macintosh Type1 and Postscript Fonts.

    There are several development languages available such as C, C++, Perl, Python, Bourne Shell, and many others that can be used for data processing, database integration, graphical programs and more. Also, there are several command line and graphical development environments available.

    Upgrade Linux applications while they're still running. To use the new version, simply close the program and open it again. You can't do that under Windows, and that is one of the reasons why you have to restart a Windows machine after running some upgrades. Though, that isn't the only reason.

    There are very few reasons to reboot a Linux server. Here are a few situations where a Linux server would not need to be rebooted: Install Software, Uninstall Software, Change network settings, add network services, install application security updates. All of these would require rebooting under windows. This means less downtime and higher up times. Basically, unless there is a problem in the kernel (the heart of

  22. Re:fork() is a cheap operation on unix on Solaris Systems Programming · · Score: 1

    Yes, I know it was a joke. But...

    All of those versions listed have threading.

  23. Come one come all on An Alternative to SQL? · · Score: 1

    If you missed your chance in the early 20th century, now you ladies have a second chance to have a Date with Darwen.

  24. Re:Oh, ugh... on Review of Team America World Police · · Score: 2, Funny

    That's what you get for using a closed source brain.

    Mine is open source and didn't even notice the error. Oh, wait...

  25. Re:GPL Prevents That on Novell to Defend Open Source Using Patents · · Score: 1

    What part mentions patents in the GPLv2?