Full Disclosure mailing list archives
RE: M$ Getting Better?
From: "joe" <mvp () joeware net>
Date: Tue, 22 Jun 2004 10:33:29 -0400
Nah. I don't advertise *nix because I don't want to work that space right now and haven't for quite a while. I want it to settle down and penetrate the market a little better, right now in the corporate world that space is a bunch of infighting and political positioning if it is talked about at all. Also it still doesn't make sense for mass large deployments unless they are very centralized like say a university or a company with one site. Microsoft still wins in the very large distributed enterprise space. By a landslide. Show me a centrally managed decentrally WAN located fully replicating authentication/authorization system with the power of Active Directory in the UNIX world and keep in mind I have had serious exposure to iPlanet, OpenLDAP, and the two kerb dists and know what they act like once you start to distribute them. I thought Sun was going to come out of the gates with a good implementation as they were talking about a specialized MIT/OpenLDAP configuration about 2-3 years ago and were promising to fix the kerb change password issues and poor LDAP replication issues but that seems to have died on the vine.

Also MS is where serious corporate money is sitting and again, this isn't religion, these are tools and this is a job. I could have picked some good cash on an AIX position a few years back but who wants to pigeonhole themselves into that? Work on something that has 15 instances in a Fortune 100 company or something that has hundreds of thousands of instances... Which one needs knowledgeable people more?

I actually slipped on a couple of my pages and people have picked up on it. I worked on *nix before I started on anything from MS. I was doing *nix on PDP-11's and Sparc's back in the 80's and actually learned c and several assembler languages when on them. I just recently threw out an old VI manual and Motorola 68000 Assembler Manual from back then when stripping down my library (too much junk).
It is handy to be understanding of a product and capabilities without others being aware of it. I don't tell people I can speak *nix in meetings just like I don't say I can speak Windows API. You let people go as far as they want with the rope. I happen to agree that there are niches that *nix makes more sense. Most of my posts indicate that if you can read them without thinking, oh my god he likes MS. Again, these are tools. This isn't religion. People get like this about cars too, "I wouldn't drive that, it is a POS Chrysler!". Same deal, the products get you from one point to another. They have different focus points and do different things well. Choose the one that makes the most sense for the application.

My issue with this list isn't that people are about security, I love that as I personally think it is extremely important. It is that many people don't seem to want to think and look. Once bad, always bad or more specifically once MS, always bad. This is silly and makes the whole industry look like a bunch of boneheads. Mostly because people do it because it makes them look cool or something I guess, I am not sure, I don't understand them. Sort of like the boneheads who stand outside of a US embassy throwing rocks and dancing back and forth knowing full well that there is no real danger of doing it but acting like there is.

MS did what customers wanted. It brought us what it did, this falls in line with be careful what you ask for. I don't think it is a good thing, I think it is good now though that customers want security and that is what MS is working towards. If people had always wanted security either MS would have been dumped long ago or more likely would have started working on it long ago. MS has a long difficult journey ahead correcting years of issues without burning bridges it has built. IMO, the *nix flavors have the best chance now than any time before of having mass appeal.
Not because anyone thinks they are more secure, but because people will get and are getting pissed that MS is changing. As another poster said, there are tens of millions of lines of code, this isn't something you turn around in a night and MS hasn't stopped all dev work and put everyone to working on the old stuff to correct it. That wouldn't make sense, period. The correct answer is to move forward and rewrite and correct the sections causing the most pain. This is exactly what they are doing. The whole standdown and we are reviewing everything was kind of silly from one standpoint. Anyone with a sense of what they were tackling knew that they wouldn't fix all of the security holes. However what it did do, is show the folks internally that there was serious consideration for security now. It changed the focus. It empowered the people who have been inside that have always been pushing for security over functionality and have been overruled by marketing or customer demands.

I think this list would be much better served if the people with OS religion would simply type their response and wait 5 or 6 days before posting. Security is not an OS. It is a state of being. It is process. It is being intelligent about what you do. It is about using the right tools in the right place. It is about keeping your eyes and mind open to possibilities that you may not know about. It is above all being proficient with the systems you are working on.

Could I secure a *nix system? Yes. Could I secure it better than someone who uses it daily and exclusively? Nope. I can openly admit that. A lot of people won't answer that way. Neither for Windows nor *nix. But the ease of use of Windows has made it such that more people *think* they can secure or use it than *nix. How hard could it be, you point and click. Again, this is the fault of MS and the whole MCSE program and quite frankly making the Server GUI look and feel like the workstation GUI.
Anyone who has ever logged onto a workstation thinks they are a server expert. This has, unfortunately, helped MS get to where it is at though, #1 in the market. It is unfortunate because these bonehead admins are also the cause of things like slammer or blaster eating corporate networks up.

Finally I am giving people a hard time for bashing MS without thinking or when doing it in wholly unproductive whining type way. I bash MS on a regular basis but understand what I am bashing and give them specific examples of what is wrong, what they should consider (other than saying do it the UNIX way or redesign from scratch both of which are silly), and what the impact is. The company is seriously working on correcting things because that is what corporate customers and home users are asking for now. So if you are serious about making things better for security with Windows, this is the time to be heard. However doing it in a whiney way that seems paramount here and among other places that are frequented by OS Fanatics, doesn't help anything and to those people I say, be positive, tell people the great things your OS does, don't try to make it look good by beating on the other OS. You are actually hurting the image of your favorite OS when you do that.

My hope is that if people want to beat MS, beat it productively, stop the whining. If that is all you got, go away. You aren't helping security one whit.

joe

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of marklist () comcast net
Sent: Monday, June 21, 2004 7:09 PM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] M$ Getting Better?

This guy is the king of trolls... His resume shows no experience with any flavor of unix, yet he feels compelled to come into a security ML and try to convince people that MS products are the most secure products around.
I for one, DO have experience in both Windows and Unix system administration, and every one of our internet facing machines is running Linux. Why? Because for me they are easier to secure. I can turn off any services that I don't need, I have a fully-functional firewall on every box, and I don't have to reboot once a month to stay secure (all updates are currently automated, only kernel vulns need a reboot). Yes, you may be able to do most of that on a windows box, but probably not without purchasing 3rd party software.

You are giving people a hard time for bashing Microsoft, but face it: this is a security mailing list, and MS is not known for having a stellar history as far as security goes. You might as well call into Air America and start pushing how great a person Ann Coulter is. Wrong venue... Go vent at microsoft.public.we.love.what.billy.tells.us.to.love.

-Shub

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html