Full Disclosure mailing list archives
Re: Support the Sasser-author fund started
From: "Shane C. Hage" <shage () optonline net>
Date: Mon, 17 May 2004 16:27:28 -0400
Bill, I agree with most of your statements below. However, with competing operating systems such as those you mentioned below plus OS/2 and Apple Macintosh in the 1980's, the business leaders and consumers chose Windows. I think people forget that Microsoft must have filled a gap that these other operating systems didn't. How can we blame Microsoft for capitalizing on the need at the time? When the Internet revolution started, there was no way to predict the magnitude that a malicious program could have across the world. Sure, Microsoft is playing catch-up with security. They are just filling the gap in their own products now. -Shane ----- Original Message ----- From: "Bill Royds" <full-disclosure () royds net> To: <full-disclosure () lists netsys com> Sent: Sunday, May 16, 2004 10:51 PM Subject: RE: [Full-disclosure] Support the Sasser-author fund started
The real problem is the MS Operating Systems are toys that are trying to grow up. They still have code and design decisions that were part of the
DOS
operating systems of the early 80's. All the features required of mature operating systems were added as an afterthought and not designed in. Such things as memory management and
file
access control have been grafted on a single user/single
process/non-network
OS. To maintain backward compatibility with DOS and Windows 95, key OS
data
structures have many assumptions about things like buffer size that lead
to
buffer overflows. Witness the assumption about machine names that led to Slammer. The whole Microsoft OS effort has been to grow from a system designed for minimal size machines such as the 640K PC to something that
can
be used as a system for commerce. Features have been bolted on as they are deemed sellable to make a profit. It wasn't until NT that the file system even had the concept of access control and backward compatibility has
meant
that the default ACL is give everyone full control. Unix, by contrast, has always been designed as a
multi-user/multi-process
system so things like file security and separation of processes are inherent. The Unix security model is actually much simpler than the NT
one,
so Unix/Linux users are able to apply it. The NT one, despite its great power and flexibility, creates such complexity that most administrators
give
up and drop real security because they are not sure of the consequences of strong security. This complexity in the security model leads to
complexity
in the code that implements it, so things like LSASS.EXE need to be complicated (and therefore buggy) to implement it. The whole patchwork
that
is Active-X/COM/COM+/OLE/DLL etc. is a sign that they don't have an overarching design and just try to add new systems to add to flawed
designs
rather than biting the bullet and fixing their mistakes. Unix has a consistency in design (single hierarchy for files and
devices,
separation of files from their names etc.) that shows its elegant
beginning.
Microsoft OS show that design by sales droid that leads to a real
quagmire.
True professional systems run using non-Microsoft OS, like Solaris and other Unix, MVS, VMS, QNX. -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of scosol () scosol org Sent: May 16, 2004 3:19 PM To: Seth Alan Woolley Cc: Shane C. Hage; Georgi Guninski; Tobias Weisserth; full-disclosure () lists netsys com Subject: Re: [Full-disclosure] Support the Sasser-author fund started Seth Alan Woolley wrote:On Sat, May 15, 2004 at 08:31:25PM -0400, Shane C. Hage wrote:Why should Microsoft have more blame? In my opinion, I believe that software companies, especially Microsoft,havetaken all of the appropriate steps to provide security within their products.Keep your head in the sand, then. The design from the very beginning was put together without security in mind. Their OS revolutionized the anti-virus industry. There are numerous alternative operating systems and cases where worms and viruses have been created for them (cf. the Morris worm, slapper, etc), and most of the bandwidth in the world sits on non-Microsoft software, mind you.Isn't that more of a very gray area? Yes, MS operating systems weren't really designed with security in mind until (IMO) NT4, and then- that security wasn't really pushed to the consumer until Win2k- but- that was *5 years ago* that it was. Win2k and WinXP aren't that different from OSX or most popular Linux distros from the "number of network servers enabled" perspective- The MS operating systems are the main source of problems for really only 2 reasons: 1) their popularity makes them the most valuable targets 2) people don't update All of us on this list know that if all consumers ran auto-update properly and had it install stuff automatically, these worms would become very rare occurences. (while admittedly creating an interesting new set of problems) I don't really see what more MS can be expected to do, short of shoving auto-update down everyone's throats whether they like it or not (which will bring the tinfoil-hat crowd out in force) It is very seldom that a worm is out before the fix for the exploited vulnerability- it's just a matter of diligence. Also- your argument of "most of the bandwidth in the world sits on non-Microsoft software" is IMO invalid- these machines that you speak of are not operated by consumers- people are paid to keep them updated and secure. -- AIM: IMFDUP http://www.scosol.org/ RIP Red-Boy - 1998-2004 - "jupiter accepts your offer" _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Support the Sasser-author fund started, (continued)
- Re: Support the Sasser-author fund started Shane C. Hage (May 15)
- Re: Support the Sasser-author fund started Mike Roetto (May 15)
- Re: Support the Sasser-author fund started James Bliss (May 15)
- Re: Support the Sasser-author fund started Ron DuFresne (May 16)
- Re: Support the Sasser-author fund started fd (May 16)
- Re: Support the Sasser-author fund started Seth Alan Woolley (May 16)
- Re: Support the Sasser-author fund started scosol () scosol org (May 16)
- Re: Support the Sasser-author fund started Georgi Guninski (May 16)
- Re: Support the Sasser-author fund started scosol () scosol org (May 17)
- RE: Support the Sasser-author fund started Bill Royds (May 16)
- Re: Support the Sasser-author fund started Shane C. Hage (May 17)
- Re: Support the Sasser-author fund started James Riden (May 17)
- Re: Support the Sasser-author fund started Stormwalker (May 17)
- Re: Support the Sasser-author fund started Valdis . Kletnieks (May 17)
- Re: Support the Sasser-author fund started Nick FitzGerald (May 17)
- Re: Support the Sasser-author fund started Valdis . Kletnieks (May 17)
- Re: Support the Sasser-author fund started Nick FitzGerald (May 18)
- Re: Support the Sasser-author fund started Alexander Schreiber (May 17)
- Re: Support the Sasser-author fund started Nick FitzGerald (May 18)
- Re: Support the Sasser-author fund started Alexander Schreiber (May 18)
- RE: Support the Sasser-author fund started Bill Royds (May 17)