Firewall Wizards mailing list archives

Re: Win 2000 any better?


From: "REID FOX" <reidfox () direct ca>
Date: Mon, 8 Nov 1999 02:07:06 -0800


Most attacks are based on operating system bugs.
Microsoft does not just release a product and hope for the best (well sort
of) without beta tests and even after that they have people working on it
full time looking for bugs, holes, vulnerabilities..
They even have live update which automatically notifies you when there is a
critical update available (if you're online).
Of course with such a huge operating system which tries to accommodate other
applications in its registry (some of whom try to take more control than
they were intended to have) you are going to have bugs.
Does anyone think that Microsoft has not kept up with fixing
vulnerabilities?
Are there for example numerous vulnerabilities in an up to date properly
configured NT system that are being exploited as we speak?
Are NT users just sitting ducks? If they are I'm sure Microsoft technical
service would be interested in what these vulnerabilities are.
Microsoft has done a lot for compatibility in PCs. Remember DOS 6.22? Every
app had its own clutch on memory, DMA, I/O etc. Talk about nightmare! Every
single program had its own interface to figure out.
Now we have Winapps which has actually brought the average household to the
computer era. Of course there's lots of bugs, Microsoft has been gradually
fading DOS applications out because "Buggy Windows" couldn't police all
these "Buggy DOS programs" now we have hundreds of "Buggy Winapps" but at
least there is one standard for Windows programs (at least there's supposed
to be).
Microsoft has led the way in many areas, did you ever look at the list of
drivers supported by Windows right from the box? And now people cry because
Win 2000 doesn't work with certain hardware, Microsoft is saying "hey we have
passed MMX, PII etc. now we are into PIII, USB, etc."
Tell me, does a programmer writing Windows apps care what IRQ the USB is on?
Does he care what kind of sound card or video card you have? Does he care
what kind or how much RAM? What kind of processor? What kind of printer?
Meanwhile the person will know how to use his program because it will have a
familiar interface, an install/uninstall wizard, it will use the taskbar
and act like a Windows app should (hopefully).
And plug and play too for example, can Microsoft help it if a modem insists
on having IRQ 5? (traditionally reserved for sound) or if every video card
and game decides it wants to exploit the memory block that should be
reserved for CGA? Or if an ethernet card insists on IRQ 9? (the bridge
between upper and lower IRQs) Many of these bugs are the fault of the
applications rather than Windows. (Did you see the first version of Corel8?
Or hear about Norton Utilities 3 which truncated your registry for you.) A
lot of this is not NT but it will be Win2000. I guess Microsoft figures NT
system is ready for plug and play. This will bring a new level to the
average user (web servers).
I just wonder from a vulnerability point of view given all these variables
Microsoft is dealing with, have they kept up the pace with bug fixes or are
they sadly lacking?
REID


I'd just like to point out a couple of things regarding security
here...

1. Win2000 might have more nifty security policies and editors in place,
but that does not constitute security in and of itself.

True.

2. Most attacks that we see today have NOTHING to do with setting
object-based security in operating systems.


Really? I don't know, because no one's really keeping track.

3. Most attacks today are based on BUGS in the operating systems
and applications.


No; most vulnerabilities are based on bugs. Most attacks are based on poor
configuration.

4. The average programmer goofs up (causes a bug) on average in
1-3 places per 1000 lines of code.


Sounds about right.

5. Win2000 introduces some 15 million (more? little less?) lines
of new code.


I'd say more than that.
But it'll take time to find the holes (and people will be looking from
before day one; even a big lumbering giant like MS can learn) and then, what
you are left with are holes which can be exploited only if mistakes are made
in the implementation. If you need it to be better than that, you're going to
have to go with custom built unix or linux kernel, adding only the services
you need.

6. Go figure what's secure or not until it's been running for a while
and a couple of one hundred new bugs have been found and corrected.


The hundred new bugs will have a minimal impact (in terms of actual
exploits) when compared with good old user misconfiguration. Of course,
identifying the best practices for Win2k isn't going to be as easy, but
that's a different issue; you had best believe ports 135-139 (I've never
trusted 138; its choice in company is questionable) is staying blocked at my
router and monitored behind it.


Phil Cox wrote:

On Mon, 1 Nov 1999, REID FOX wrote:


I am getting ready to set up a small LAN w/www access. I need compatibility
and price for an Internet cafe so I decided to start with NT.
Has anyone had any experience with WIN2000?
Is it any better/worse/same as NT for security issues?

Pure Win2K is much tighter than a corresponding WinNT net, BUT as with all
Windows systems, you mess up just a little bit, and you're toast :)

I have been running it for a while.

Phil

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se





