Full Disclosure mailing list archives
RE: M$ - so what should they do?
From: "Edge, Ronald D" <edge () indiana edu>
Date: Tue, 22 Jun 2004 08:28:45 -0500
Message: 1 From: "joe" <mvp () joeware net> To: <full-disclosure () lists netsys com> Subject: RE: [Full-disclosure] M$ - so what should they do? Date: Mon, 21 Jun 2004 12:29:00 -0400 Anything specific? Obviously this isn't going to happen in the short term and even long term your statement doesn't say the specific issue you feel
is in the "basic
windows design" that you think is wrong? Is it virtualization of memory? >Support of GUI interfaces? What? At the very least what is the top hitter you think needs to be addressed in technical specifics not something like IE sucks and which
btw,
isn't a basic windows design piece. When I think basic windows design I
think core pieces, api level and lower, not interfaces that makes your
britches itch.
I ask this because there are a lot of people who go around complaining that Windows Sucks and that it is obvious why yet can't
state one
solid concrete thing let alone a solid concrete basic core Windows
thing and
how they think it should be redone.... joe
I would say let me count the ways, but I do not have time to write a book. So a few specifics. 1. Windows was designed form the ground up to be insecure and trusting. That was the first mistake by its designers. It is almost impossible to achieve the correct balance of permissions one easily sets up in UNIX or LINUX, wherein the average users does not run as root, with privileges adequate to blast the OS to pieces or compromise the machine. Even the stabs at correcting this since Windows 2000 into XP have been half-assed and flawed. I can only assure that we have gone through years of pain trying to configure a workstation for our users that limits their privileges so that that are not constantly either installing software themselves, or getting their machines loaded with adware and spyware until they simply stop function. This is such a familiar phenomenon anymore I am shocked I have to even explain it to you. So there is a very specific starting point: to make stuff work, you have to run with too many privileges, and that is taken advantage of again and again and again and again by those willing to write code to compromise Windows machines. 2. MS programmers never met a buffer overrun they did not like. The point of this little bon mot is that despite all the vaunted PR from M$ about safe computing initiative, the designers of Windows and components like the browser still clearly know diddly-sqaut about designing software to prevent casual compromises. The recent spat of absolutely fatal flaws in IE browser stand as just another in a long chain. Here, let me quote from an article this week at securityfocus.com, in which the author advises everyone to as fast as they can tell their co-workers, friends, and relatives, to quit using IE web browser to connect to the Internet: "I could go on and on. Look, let's be honest with each other. We all know this is true: IE is a buggy, insecure, dangerous piece of software, and the source of many of the headaches that security pros have to endure (I'm not even going to go into its poor support for Web standards; let that be a rant for another day). Yes, I know Microsoft patches holes as they are found. Great. But far too many are found. And yes, I know that Microsoft has promised that it has changed its ways, and that it will now focus on "Trustworthy Computing." But I've heard too many of Microsoft's promises and seen the results too many times. You know, fool me once, shame on you; fool me twice, shame on me. Who's shamed when it's "fool me the 432nd time"? Who's the fool? " http://www.securityfocus.com/columnists/249 3. MS is really responsible for introducing the paradigm that is at the heart of the problem of machines connected to the Internet, thanks to their introduction of ActiveX. This turned out to be not a solution to an interface and proramming problem, but a dagger aimed at local machines and a key to the machine for everyone on the Internet who wants to hack a machine. The entire paradigm of trusting remotely introduced code from a zillion posible places on the Internet to run on your machine is absolute insanity to begin with, and was the absolute wrong path to take as the Internet evolved. But it evolved parallel with the MS model of insecurity being ignored, and user interface and user friendliness always at the fore, any thoughts of the flawed nature of the code and insecurities behind the screen being ignored at every step. As far as I am concerned, no web site or remote connection should be allowed to execute any code on my machine. Any and everything that can be done should be done on the server end, and a final static page delivered to my desktop. Will this mean it is harder to right the kind of rich GUI interfaces Windows is capable of at the client level? Yes. Do I care? No. Why do I not care? Because taking the direction we have taken has turned computing support, use, and the Internet environment into a living hell of criminal activity and rampant abuse, and made my job as an administrator in charge of a staff trying to keep operations running into a constant cycle of attacks and security patches. God forbid we should find time to actually do anything productive with our machines. Half our time is spent trying to roll out MS patches to hundreds of machines, and desparately trying to hide our Windows server from the leering eyes of crackers who would gladly go for them in a heartbeat if we let our defenses down for a second. 4. As a final example of what a pain in the ass MS software support can become, I got a not from a fellow computer support and program designer this week with his remarks on the coming XP SP2. He said he had found buried in the notes some remarks to the effect that you better have all the components you want installed before you install SP2, because after you install it, you may not be able install them AT ALL. Here was my replay to that revelation: "Ah, a return to the heady days of NT 4.0 post SP4, when you had to have a bible script that you followed line by line to do a new installation and get all the components including the web service to actually WORK, because if you did NOT follow the script carefully, things would, well, not work." 5. I won't even go into the corporate sins of Microsoft, although a book could and should be written on that two. They successfully elude conviction for monopolistic and anti-trust practices, which they should not have been allowed to do. And know the argument that was at the core of that case, the embedding of the browser, is obviously moot, since they have announced it will be, well, embedded in the operating system in Longhorn. Ron. Ronald D. Edge Director of Information Systems Indiana University Intercollegiate Athletics edge () indiana edu (812)855-9010 http://iuhoosiers.com "Patriotism is not short, frenzied outbursts of emotion, but the tranquil and steady dedication of a lifetime." - Adlai Stevenson _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: M$ - so what should they do?, (continued)
- Re: M$ - so what should they do? Valdis . Kletnieks (Jun 22)
- Re: M$ - so what should they do? Aditya, ALD [ Aditya Lalit Deshmukh ] (Jun 22)
- Re: M$ - so what should they do? Duncan Hill (Jun 22)
- Re: M$ - so what should they do? Mohit Muthanna (Jun 22)
- Re: M$ - so what should they do? Ciro Spider-Man (Jun 24)
- RE: M$ - so what should they do? Stuart Fox (DSL AK) (Jun 21)
- RE: M$ - so what should they do? Stuart Fox (DSL AK) (Jun 21)
- RE: M$ - so what should they do? Eric Paynter (Jun 21)
- Re: M$ - so what should they do? tcleary2 (Jun 21)
- Re: M$ - so what should they do? Eric Paynter (Jun 21)
- RE: M$ - so what should they do? Edge, Ronald D (Jun 22)
- RE: M$ - so what should they do? Edge, Ronald D (Jun 22)
- RE: RE: M$ - so what should they do? joe (Jun 22)
- RE: RE: M$ - so what should they do? ktabic (Jun 22)
- Re: RE: M$ - so what should they do? scosol () scosol org (Jun 22)
- RE: RE: M$ - so what should they do? Jonathan Rickman (Jun 22)
- RE: RE: M$ - so what should they do? Frank Knobbe (Jun 22)
- Re: RE: M$ - so what should they do? Georgi Guninski (Jun 23)
- RE: RE: M$ - so what should they do? joe (Jun 23)
- RE: RE: M$ - so what should they do? joe (Jun 22)
- RE: RE: M$ - so what should they do? joe (Jun 23)