Microsoft security - no longer an oxymoron?

George Heuston Mar 04 2004 http://tinyurl.com/25ayx

... Windows 95 was designed to be totally open to let users connect to other systems. The security kernel of the Windows NT server software was written before the internet, and the Windows Server 2003 software was written before buffer overflows became a frequent target of recent attacks"

"almost all the Net-based attacks on Microsoft's software focus on portions of the operating system that can talk to older versions of its software -- so-called "legacy" attacks"

".. only once has its distributed product suffered a cyber attack in which an unknown and unpatched vulnerability was exploited"

http://www.oregonlive.com/news/argus...9610219680.xml
In article <c2ft2g$1t2ogn$2@ID-168140.news.uni-berlin.de>, Daeron <daeron@demon.net> wrote:
>Microsoft security - no longer an oxymoron?
>George Heuston Mar 04 2004 http://tinyurl.com/25ayx
>.. Windows 95 was designed to be totally open to let users
>connect to other systems. The security kernel of the Windows NT
>server software was written before the internet, and the Windows
>Server 2003 software was written before buffer overflows became a
>frequent target of recent attacks"

Since David Cutler - from DEC - was the principal architect of NT and he came to Microsoft in the fall of 1988 - and I first started using the 'net back in 1986 flies in the face of that statement. Maybe he means the 'new' internet, after the typical backbones of seismo et al went away, and after the restrictions against advertising went away, and after registration was turned of the NSI.

I was actually using Usenet about the time that Windows 1.x came out. My Microsoft Windows/386 disk shows 1985-1988 copyrights and Windows was originally supposed to be shipping when the '286 was released, but missed that deadline by 2 years.

And Windows 95 was NOT designed to let users connect to other systems EXCEPT the internal Netbios. To get on the 'net you had to get a 3rd party stack for TCP/IP - ask anyone who remembers getting 'trumpet'.

--
Bill Vermillion - bv @ wjv . com
On Sun, Mar 07, 2004, Daeron wrote:
>Microsoft security - no longer an oxymoron?
>
>George Heuston Mar 04 2004 http://tinyurl.com/25ayx
>
>.. Windows 95 was designed to be totally open to let users connect to
>other systems. The security kernel of the Windows NT server software was
>written before the internet, and the Windows Server 2003 software was
>written before buffer overflows became a frequent target of recent attacks"
>
>"almost all the Net-based attacks on Microsoft's software focus on
>portions of the operating system that can talk to older versions of its
>software -- so-called "legacy" attacks"

Mr Heuston displays his ignorance. Such as the attacks on vulnerabilities in SQL server? How about the recent flood of worms exploiting zip files in e-mail (WinXP is the only version of Windows that automatically opens zip files, previous versions required positive action by the user, usually with WinZIP which BillyG doesn't own, and probably couldn't buy)?

Buffer overflows have been around for a long time. Wasn't the Morris worm a buffer overflow exploit of sendmail (one of the few *ix worms)?

>".. only once has its distributed product suffered a cyber attack in
>which an unknown and unpatched vulnerability was exploited"

On the surface that sounds totally ridiculous.

Bill
--
INTERNET: bill@Celestial.COM   Bill Campbell; Celestial Software LLC
UUCP: camco!bill   PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186   Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

Many companies that have made themselves dependent on [the equipment of a certain major manufacturer] (and in doing so have sold their soul to the devil) will collapse under the sheer weight of the unmastered complexity of their data processing systems.
-- Edsger W. Dijkstra, SIGPLAN Notices, Volume 17, Number 5
On Sun, 7 Mar 2004 13:05:34 -0800, Bill Campbell <bill@celestial.com> wrote:
>
>Buffer overflows have been around for a long time. Wasn't the Morris worm
>a buffer overflow exploit of sendmail (one of the few *ix worms)?

Not quite. It had 3 attack methods, including invoking the "debug" mode in sendmail and a buffer overflow in fingerd.

The debug mode in sendmail implies to me that, at that time, people trusted other Internet users.
On Sun, Mar 07, 2004, Joe Dunning wrote:
>On Sun, 7 Mar 2004 13:05:34 -0800, Bill Campbell <bill@celestial.com>
>wrote:
>
>>
>>Buffer overflows have been around for a long time. Wasn't the Morris worm
>>a buffer overflow exploit of sendmail (one of the few *ix worms)?
>
>Not quite. It had 3 attack methods, including invoking the "debug" mode
>in sendmail and a buffer overflow in fingerd.

The point is that buffer overflow vulnerabilities aren't new, at least to anybody with a bit of experience, and knowledge of systems other than Redmond's.

I've always thought that one of Microsoft's main weaknesses has been a lack of experienced software people. They've had a long history of hiring people right out of college, or even those who've never graduated. These people grew up thinking that DOS and Windows are Operating Systems, and that BASIC is a programming language. They grew up on single user, single tasking systems where every program owned the entire system so never learned about things like memory protection, multiple processes accessing devices and files, or user security.

Computer systems security is much more than firewalls, packet filters, and similar technology, it's an attitude and an underlying awareness of security issues. DOS and Windows started out life as a BDPL (Brain Damaged Program Loader) for hobbyist hardware in the early '80s, and not as a networked system subject to outside attack. No amount of bandaids tacked on can overcome the basic lack of security (e.g. any running program can read/write anything on the system). Add to this Microsoft's desire to make their systems easy to use by the technically clueless to whom security makes things less convenient, and you have a recipe for disaster.

Bill
--
INTERNET: bill@Celestial.COM   Bill Campbell; Celestial Software LLC
UUCP: camco!bill   PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186   Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``People from East Germany have found the West so confusing. It's so much easier when you have only one party.''
-- Linus Torvalds, Linux Expo Canada when asked about confusion over many Linux distributions.
Daeron <daeron@demon.net> wrote in message news:<c2ft2g$1t2ogn$2@ID-168140.news.uni-berlin.de>...
> Microsoft security - no longer an oxymoron?
>
> George Heuston Mar 04 2004 http://tinyurl.com/25ayx
>
> .. Windows 95 was designed to be totally open to let users connect to
> other systems. The security kernel of the Windows NT server software was
> written before the internet, and the Windows Server 2003 software was
> written before buffer overflows became a frequent target of recent attacks"
>
> "almost all the Net-based attacks on Microsoft's software focus on
> portions of the operating system that can talk to older versions of its
> software -- so-called "legacy" attacks"
>
> ".. only once has its distributed product suffered a cyber attack in
> which an unknown and unpatched vulnerability was exploited"
>
> http://www.oregonlive.com/news/argus...9610219680.xml

Did you just say MS Windows was created as an insecure OS and has not been made secure yet? I thought so.

Regards...Dan.