Forgot your password?
typodupeerror
Security Programming IT Technology

A Taste Of Computer Security 192

Posted by michael
from the where-there's-a-whip-there's-a-way dept.
andrew_ps writes "Amit Singh has published on his KernelThread.com a paper (mini book really) on computer security. A Taste of Computer Security is a VERY comprehensive paper in what it covers, but is remarkably easy to read. This is not some list of "sploits" though! Topics covered include popular notions about security, types of mal-ware, viruses & worms, memory attacks/defences, intrusion, sandboxing, review of Solaris 10 security and plenty of others. Most notably it includes probably one of the most fair and intelligent analysis of the Unix-Vs-Windows security issue that I have ever seen."
This discussion has been archived. No new comments can be posted.

A Taste Of Computer Security

Comments Filter:
  • by mindhaze (40009) on Thursday July 29, 2004 @10:05AM (#9831087) Homepage Journal
    Looks like an interesting read, and if nothing else, something we should be slipping onto our PHB's desks!
  • by CharAznable (702598) on Thursday July 29, 2004 @10:05AM (#9831088)
    Kernelthread is by far the best source of information about OS X, barring Apple itself.
  • by plover (150551) * on Thursday July 29, 2004 @10:11AM (#9831134) Homepage Journal
    I specifically was looking for one of the biggest problems with Windows -- Administrator authority is too easily doled out (by default, every home user is also an administrator.) This is exacerbated by the fact that so many Windows applications require the user to have Administrator authority.

    For example, the bottom of this page [microsoft.com] shows a list of games that require Administrator authority to play. Why should administrator authority need to be granted to play a game? And to suggest granting Administrator access to people just so they can play them?

    I have found no more powerful example of Microsoft's lack of commitment to security than this. I think this philosophy more than anything else contributes to the proliferation of destructive worms and viruses.

    • by musikit (716987) on Thursday July 29, 2004 @10:13AM (#9831159)
      i like how all the games listed are microsoft games
    • Funny how the games listed there are all microsoft games. You'd think that MS would know how to get a game to run without Admin access... Well, I'd like to think anyhow :)

      • by gfecyk (117430) on Thursday July 29, 2004 @12:31PM (#9832750) Homepage Journal
        Quake II XP? [pan-am.ca] You better believe it.

        All I did was change where Q2 stored its saved games, downloads and configs. The result not only works just fine as a non-admin, but supports different settings for each user.

        Game developers, in fact all developers, have no excuses.

      • by Tony-A (29931) on Thursday July 29, 2004 @12:34PM (#9832786)
        Well, I'd like to think anyhow :)

        Yesterdays article on "Phish" scams links to a "test". One of the examples has the marks of a scam but is considered "legitimate". It is from MSN.

        I think a lot has to do with expectations and attitudes. I would expect many if not most games on Unix to just refuse to run as root. An intentional segfault is even more fun. NT may have more elaborate security mechanisms but they are too hard to get at. With Unix you tend to get a mess of rwx in your face. Anybody know how to put group permissions to their limits?

        Hiding file extensions probably does much more damage than administrator access.

        Unix has an unfair advantage with the name "root". "Administrator", just by the name, makes a much more attractive target. I was smart enough to rename the domain admin to "root". If I leave some user's machine logged on as root their natural reaction is to get their stuff back as fast as possible.

        Unix software tends to be as informative as it can as to where the problem resides. Microsoft software tends to try to shift the blame elsewhere if at all possible. The latest XP did not allow me to assign LPT1 to a remote printer. Kept coming with login prompt for the remote resource which never works. Finally disabled the hardware port in the bios. If you can confuse your enemy as to what the problem is, seems like you've got a considerable advantage.
    • by Klar (522420) <curchin@g m a il.com> on Thursday July 29, 2004 @10:16AM (#9831195) Homepage Journal
      Isn't it the game writers fault, not M$'s? From what I've heard(not sure how valid I am on this though) the reason they need admin rights is because the program stores info in the admin parts of the registry. Perhaps they should start enforcing software companies to keep away from doing this, and make it easier to run windows while not being an admin user.
      • by peragrin (659227) on Thursday July 29, 2004 @10:42AM (#9831446)
        Of the Games Listed the Bulk are Microsoft made games. So it is the game writers fault, but since MS is the game writer you can just skip a step and blame MS.

        for you who didn't click on the link

        * Microsoft Age of Mythology
        * Microsoft Age of Mythology: The Titans
        * Microsoft Age of Empires II: The Age of Kings 2.0
        * Microsoft Age of Empires II Expansion: The Conquerors
        * Microsoft Age of Empires II Gold Edition
        * Microsoft Baseball 2001
        * Microsoft Casino
        * Microsoft Classic Board Games
        * Microsoft Combat Flight Simulator 2: WWII Pacific Theater 1.0
        * Microsoft Combat Flight Simulator 3: Battle for Europe
        * Microsoft Crimson Skies
        * Microsoft Dungeon Siege 1.0
        * Microsoft Flight Simulator 2004 - Century of Flight
        * Microsoft Flight Simulator 2002
        * Microsoft Flight Simulator 2002 Professional Edition
        * Microsoft Flight Simulator 2000
        * Microsoft Flight Simulator 2000 Professional Edition
        * Microsoft Freelancer
        * Microsoft Golf 2001 Edition
        * Microsoft Halo: Combat Evolved
        * Microsoft Impossible Creatures
        * Microsoft Links LS 2000
        * Microsoft Links 2001
        * Microsoft MechCommander 2.0 1.0
        * Microsoft MechWarrior 4: Vengeance
        * Microsoft MechWarrior 4: Mercenaries
        * Microsoft Metal Gear Solid
        * Microsoft Midtown Madness 1.0
        * Microsoft Midtown Madness 2 2.0
        * Microsoft Motocross Madness 2 2.0
        * Microsoft NBA Inside Drive 2000 1.0
        * Microsoft NFL Fever 2000 1.0
        * Microsoft Pandora's Box 1.0
        * Microsoft Rise of Nations
        * Microsoft StarLancer 1.0
        * Microsoft Train Simulator 1.0
        * Microsoft Zoo Tycoon
        * Microsoft Zoo Tycoon: Complete Collection
        * Microsoft Zoo Tycoon: Dinosaur Digs Expansion Pack
        * Microsoft Zoo Tycoon: Marine Mania Expansion Pack
        • by jafomatic (738417) on Thursday July 29, 2004 @11:24AM (#9831908) Homepage
          I may be mistaken, but I believe that these games were published or distributed by microsoft. Not "written" or "made by" microsoft. Age of Empires (II) was made by uh, Ensemble Studios or something.

          That said, you'd still hope they'd find a more-secure spot to write down the user's config. Wasn't there a branch on the root of the registry that was writeable without administrator permission? Is an ini-file impossible to consider as the settings store of a freakin' game?

      • by Tony-A (29931) on Thursday July 29, 2004 @12:48PM (#9832941)
        Isn't it the game writers fault, not M$'s?

        It's always someone else's fault.

        But seriously, the OS does a lot to implicitly set the tone for everything that will be run under. If game developers have admin access, their games will require admin access. To the extent that game developers think they need admin access, it is Microsoft's fault.
    • by abb3w (696381) on Thursday July 29, 2004 @10:21AM (#9831245) Journal
      Why should administrator authority need to be granted to play a game?

      Obviously, to make low level system calls for direct hardware access in a copy protection scheme.

      I have found no more powerful example of Microsoft's lack of commitment to security than this.

      While some blame attaches to Microsoft, since they choose to use such a copy protection method with their games, the real culprit is Macromedia, who made the SafeDisc copy protection system at fault.

      So, what do you think will happen if it can be proven that the copy-protection methods the Content lobbies (RIAA/MPAA/BSA) are using are a threat to Homeland Security?

      • by Anonymous Coward on Thursday July 29, 2004 @10:27AM (#9831313)
        ...the real culprit is Macromedia, who made the SafeDisc copy protection system at fault.

        Minor knitpick, but Macrovision makes SafeDisc, not Macromedia...Macromedia is the company that gave us that other monstrosity (aka, Flash).
      • by schon (31600) on Thursday July 29, 2004 @10:37AM (#9831400)
        Obviously, to make low level system calls for direct hardware access in a copy protection scheme.

        Sounds like a cop-out to me. 'low-level' system calls are just that - *system* calls, and the system should have a way to allow processes run under non-admin accounts.

        At the very least, why can't the installer put a 'setuid' (or whatever the windows equivalent is) program that does the bit-banging? Does the 'system' not allow it? (If not, then the system is indeed broken.)
        • by abb3w (696381) on Thursday July 29, 2004 @12:11PM (#9832511) Journal
          At the very least, why can't the installer put a 'setuid' (or whatever the windows equivalent is) program that does the bit-banging?

          Even in UNIX, SUID files are one of the things you need to watch closely [busan.edu]. As a non-random example, a superuser-SUID copy of [insert cracker's favorite shell] is a nicely unsubtle way to help widen a security pinhole into an aircraft hanger door.

          Your proposed technique does definitely reduce the ability of the user to accidentally shoot themselves in the foot, but any weakness in third-party SUID programs still effectively translates into an operating system weakness.

          • Even in UNIX, SUID files are one of the things you need to watch closely.

            No doubt. But if the alternatives are running a large untrusted game as Admin or running a smaller untrusted helper program as Admin, at least the latter reduces the sheer size of code that the untrusted party could have gaping security holes in (as well as the window of time for an exploit).

            Obviously if the untrusted party is malicious (rather than just a source of potentially unaudited, insecure code) then either option is going to give them Admin power full stop.
            • by abb3w (696381) on Thursday July 29, 2004 @02:00PM (#9834132) Journal
              Obviously if the untrusted party is malicious (rather than just a source of potentially unaudited, insecure code) then either option is going to give them Admin power full stop.

              Given that you should "never attribute to malice what may be adequately explained by stupidity", and given everything I've heard about production code "going gold" while still rough polished brass, that's going to be a lot of third party SUID security holes. I'd say that the difference in protection quality amounts only to guarding against local user ignorance/stupidity [slashdot.org]... which, mind you, is not a bad thing, but is not the same thing as protection against remote cracker malice.

              • given everything I've heard about production code "going gold" while still rough polished brass, that's going to be a lot of third party SUID security holes. I'd say that the difference in protection quality amounts only to guarding against local user ignorance/stupidity...

                I disagree, strongly. Limiting the window of time when root code is running and its exposure to inputs from malicious sources can be extremely important in general, and in many cases may be "good enough". Imagine the common case of a game that requires Admin privs to implement some copy protection scheme, where the game is a multiplayer networked game.

                If the game is run as Administrator, then any remote exploit in the game elevates to Admin privs on the local machine.

                If the game uses a small suid helper to do some copy protection stuff at startup, the suid helper can exit before any network code is started. Remote exploits are limited to the privs of the user.

                The suid program may even be buggy as heck itself, but if it never takes input that might be from a malicious source then a fairly class of exploits are protected against.
      • So, what do you think will happen if it can be proven that the copy-protection methods the Content lobbies (RIAA/MPAA/BSA) are using are a threat to Homeland Security?

        heh, beautiful. I've been looking for a good excuse to tell clients not to use Intuit Quickbooks - that thing requires Power User access just for its copy protection scheme. "It's a terrorist threat by Intuit to force you to compute insecurely!"

        Their competition, Simply Accounting, works just fine as a limited user.

        And DirectX, OpenGL work fine as a Restricted User. See Pan-Am's testing page [pan-am.ca] for an example.

    • by Proaxiom (544639) on Thursday July 29, 2004 @10:21AM (#9831256)
      I have found no more powerful example of Microsoft's lack of commitment to security than this. I think this philosophy more than anything else contributes to the proliferation of destructive worms and viruses.

      This is not a fair criticism. The 'security initiative' thing is still relatively new, and they are burdened by a large number of legacy security problems from the many years of development with any regard for security problems.

      Most of the games in that list, for instance, were originally intended to be played in the 9x series of OS's, which had no notion of anything that was not administrator access (actually, 95/98/ME users had more access than NT admins do!).

      There are certainly areas where Microsoft's commitment has been lacking, but the least privilege principle is one of the better areas. Michael Howard et al have been pushing hard for this within Microsoft, and more importantly, pushing for better developer education on how to write code that adheres to least privilege.

      Because when you get down to it, if an application requires administrator access to run, it is not the fault of the Operating System.

      • by plover (150551) * on Thursday July 29, 2004 @12:00PM (#9832383) Homepage Journal
        The security initiatives have been going on a lot longer than just their "global security mobilization" of October 2003. For example, this "Secure Platform" document [microsoft.com] was authored in December 2002. And since they seem to be able to put out the "hot fix of the week" to handle the "virus of the previous week," I should think they have had plenty of opportunities to get OS patches released, driver patches, or whatever is required to the computers that need it.

        Given that, explain why "Microsoft Flight Simulator 2004 - Century of Flight" should still make the list? If software they've released years after they've been aware of these problems still demands bad security practices, who is to blame? The application programmers or the environment in which they must work?

        You said, "if an application requires administrator access to run, it is not the fault of the Operating System." Explain how a train simulator could possibly require admin authority except in a poorly architected environment? Then answer, 'who provided that poor architecture?'

        This is Microsoft -- author of both these applications as well as the OS. They've had the chance to address it, they've had the incentive to address it, but they have not done so. I stand by my comment.

        • by Proaxiom (544639) on Thursday July 29, 2004 @01:33PM (#9833680)
          The security initiatives have been going on a lot longer than just their "global security mobilization" of October 2003.

          Indeed. I was referring to their 'Trustworthy Computing Initiative', which was announced about 2 and a half years ago. That is still a relatively short period of time to be working at it, considering that the had put about 17 years worth of 'untrustworthy computing' tools into the field already.

          Explain how a train simulator could possibly require admin authority except in a poorly architected environment?

          Easy. It is protected by SafeDisc, which may have problems when being used by someone who is not an administrator. Did you even read the link you posted?

          The administrator access problem is not a symptom of a poorly architected environment. The NT architecture uses a more or less standard discretionary access control model, and cannot be faulted for the fact that most app developers don't pay attention to it. In this case it's not even the application developers who are at fault, its the authors of the copy-protection technology, who probably didn't test their software under NT with reduced privileges.

          I'm not generally a defender of Microsoft's security efforts, and I'll agree that there is a lot to be desired from their approach to security, but you're barking up the wrong tree with these complaints.

    • by fireduck (197000) on Thursday July 29, 2004 @10:22AM (#9831259)
      I second this complaint. As I recall, one of the recent Blizzard games (fairly sure it has to be Warcraft 3, but it might have been Diablo 2) required admin rights in order to play online through battle.net. Took me a while to figure out why online wasn't working for me, until I switched to admin account, and then voila. I complained in their forums about this (with the predictable response from other players, "why don't you just switch your setting?"); few patches later Blizzard made the game playable with normal user setting. So, it's good that some companies get it, althought it would have been nice if they had gotten it from the start.
    • Why should administrator authority be needed to play a game? Pfff. I see you didn't read the article very well. Nearly all, if not all, games are designed to run on Windows 95 and up. To summarise, by virtue of NT's choice to backwardly support 95/98/ME, it has to give root access to the games by virtue of the shared win32 api/registry access and other functions between 95 derived and NT derived systems. Read the article again.

      - Oisin
      • by Minna Kirai (624281) on Thursday July 29, 2004 @12:01PM (#9832394)
        Why should administrator authority be needed to play a game?

        So the game can have "root"-level control over your machine, to ensure that you're not cheating with 3rd-party apps running on the same machine. It must be able to inspect all applications and drivers in memory, comparing them against a list of "cheat signatures" rather like a virus-scanner does.

        Seriously. This is exactly what's happening. Evenbalance.com licenses cheat-prevention software modules to several major game publishers, and they've started disallowing players on XP machines unless they're running under the "administrator" account.

        Just read the FAQ here [evenbalance.com]:
        1. Why does PunkBuster now require players to run the game as an administrator under WinXP/2K?

          Because some cheats/hacks cannot be detected otherwise

        The reason you give is obselete- mistrust of the end user is the new, upcoming explanation.
    • by Kristoffer Lunden (800757) on Thursday July 29, 2004 @10:31AM (#9831348) Homepage
      I'm not so sure. Here, at home, I am running my Linux box as a normal user, firewalled and everything setup according to the rules. Still, what would malware want with my root access for? If I would execute something malicious, the virus/trojan/whatever would already have access to what is important: the desktop user.

      Ok, so it can't erase the *whole* HD or meddle too much with the system, but it can do everything I have the right to do, such as finding and using mail clients and start spreading if that is what it is about.

      It could also simply sit idle and log keystrokes until I enter my root pw if that is needed, or just any banking info, or whatever. What it can't do would be stuff like opening a spam mail relay. Until it gets the root pw, that is. Or maybe it is enough to capture your normal pw and use sudo? Did you set it up without restrictions?

      Other possibilities include invading lots of local config scripts that are run when starting applications, and oh, when was the last time you checked what was in your KDE autostart? Or any of all the other files that are usually run?

      Most things don't matter if root/Administrator access is available - that is for servers.

      Actually, I could have something like this running since a long time ago, maybe some russian is watching me type this. After all, I've allowed outgoing connections and I don't do real security audits. After all, this is my home desktop user system. I think it is lots better of than most, but it is not a server.
      • by meringuoid (568297) on Thursday July 29, 2004 @11:34AM (#9832070)
        What it can't do would be stuff like opening a spam mail relay. Until it gets the root pw, that is.

        Couldn't it just open up port umpteen-thousand-and-twelve and run its spam relay there?

      • by Tony-A (29931) on Thursday July 29, 2004 @01:01PM (#9833134)
        Good insight. The root/administrator bit is mostly a red herring.

        You still tend to put a bit better protection around the small amount of root-stuff, primarily because it's relatively simple to do.

        The fat non-root stuff, even on servers, is really the important stuff.
        The stuff that actually helps with security is that Unix things tend to think that it's a good idea if the user is aware of what is going on, and will go to a bit of extra trouble to be informative whenever and wherever possible.

        [ ] Always trust Microsoft
        [ ] Always trust Red Hat
        [ ] Always trust OpenBSD
        Reactions?
      • There's no reason to run every program under the same account; in particular, programs that deal with potentially malicious data a lot can benefit greatly from running as their own user.

        On my machine at home, I run my email client, web browser, newsreader as seperate users (if I'm "joe", they'd run as "joe-mail", "joe-news", and "joe-www"). The mail and news are almost completely isolated in chroot jails; I have links to their data in my home dir (and I have full read/write access to them, but not vice-versa). So viruses in email could clobber my mail, but couldn't touch anything else.

        The browser account is similar, but it has X11 access which has a lot more potential for havoc. I used to run the browser on vncserver, with a vncclient for that. That proved to be a bit too much of a pain for me.

        Once the setup was done, the whole thing is transparent to the user (clicking the launch icons does the appropriate magic behind the scenes to run things as the other users).

        You can even set up per-user firewall rules that (for instance) only allow the joe-mail account to connect to selected IMAP/POP/SMTP servers.
    • For example, the bottom of this page shows a list of games that require Administrator authority to play.

      Eh, no. If you bothered to read the whole page, you'd see that the list pertains to games that require administrator access to _install_, not neccessarily play, which is entirely sensible.

      -Oisin

      • by Minna Kirai (624281) on Thursday July 29, 2004 @12:10PM (#9832505)
        administrator access to _install_, not neccessarily play, which is entirely sensible.

        No it isn't. If a person has authority to run programs on a machine, and to place files on the machine, then he should be able to install and run a game off CD. (It should show up only in his own Programs menu, not globally, of course)

        This user can undoubtedly install some games, such as a standalone "tetris.exe" or similar, so there's no good reason to prohibit more elaborate installers (unless if that OS doesn't provide a good way to install things in non-global positions, in which case the blame returns to Microsoft)
        • Eh, I respectfully disagree. As an administrator, I admin the machine, ergo I decide what gets installed and what doesn't: that's the whole point. Software -- including games -- may elect to install or update system level DLLs which logically requires root level access to the machine. Not everything is a statically linked monolithic binary. Directx exists as a global level service. Cheat detection software needs full access to the machine. CD protection software also may require admin access. Remember, we're talking Windows here, not *nix. So stop comparing the two in such a simplistic manner. Software on *nix is generally compiled by the user before install and dynamically linked to whatever glibc etc is on the machine. Windows does not work like that, as you know.

          Now, at this point, we could argue what constitutes an install: copying a single file tetris.exe, as per your example, and running it from your own home directory. Does that qualify as "installation?" It really depends on how you define it. Anyhow, it's not as simple defined as you imply.

          - Oisin
          • by Minna Kirai (624281) on Thursday July 29, 2004 @03:54PM (#9835846)
            , I admin the machine, ergo I decide what gets installed and what doesn't:

            Do you decide when the user may copy individual *.DOC files to the hard-drive? Those are being "installed"- why, they may even contain executable code...

            may elect to install or update system level DLLs which logically requires root level access to the machine

            It is a shortcoming of the OS design that the game cannot use the DLLs it needs without installing them in a system-global location. (Alternatively, you could label it a shortcoming of the installer system- but that should be part of the OS)

            The fact that games need to run at "root" level is what's being complained about here- but the excuse was made "they don't really need priviledges to run, only to install". Well, that doesn't hold water if the game includes system-level DLLs- effectively, if it's using those DLLs, it is "running as root".

            Does that qualify as "installation?"

            Yes, by any concievably sane definition of "installation".
            • Right, you clearly are a very confused person:

              The fact that games need to run at "root" level is what's being complained about here- but the excuse was made "they don't really need priviledges to run, only to install". Well, that doesn't hold water if the game includes system-level DLLs- effectively, if it's using those DLLs, it is "running as root".

              Two problems with this paragraph: Firstly, my conversation with you does not concern the point that games shouldn't need root to run, I agree; However, I offered the idea that games that require admin rights to install seem perfectly reasonable to me. This is the point you are refuting in your prior replies, and is the point I'm trying to adhere to. Secondly, to say that a user-space game program executing which happens to load a global system level DLL is "running as root" is complete nonsense. A game that is dynamically linked, for example, to the MSVCRT C++ runtime does not run as "root". There is *NO* concept of setuid behaviour in Windows, you are clearly confused.


              - Oisin

              • by Minna Kirai (624281) on Thursday July 29, 2004 @09:54PM (#9839501)
                Secondly, to say that a user-space game program executing which happens to load a global system level DLL is "running as root" is complete nonsense.

                If the DLL was included with the game, it is part of the game. (And if the DLL wasn't included, then why's the game need administrator to install again?)

                Sure, maybe the DLL in question was written by Microsoft as a redistributable Visual Studio or DirectX component... but maybe not.

                For any executable code delivered with a game, you must trust the game publisher as to what it contains. For all security purposes, at least, it is an extension of the game.

                A game that is dynamically linked, for example, to the MSVCRT C++ runtime does not run as "root".

                I'm not talking about games loading DLLs installed as part of the OS, or some systemwide upgrade patch- but DLLs which the game itself provided.

                If it's genuinely IMPOSSIBLE to install a DLL without administrator rights, then that DLL must have some special priviledges when executing. And if it does, and the DLL came with the game, then the game could be using it to do anything; "run as root". On the other hand, if the DLL when executing does not have any special privs, then it should've been possible to install without admin privs, and we've come back to a different flaw of the OS.

                Videogames are frivolous. As amusing diversions, they should not demand a security audit before install. From the "sanely paranoid" perspective, if a game needs to be given admin rights at any time, then it's a risk to the other data on your PC.

                It is not secure system design to accept games requiring admin privs to install; for all you know, it could be abusing that priv to modify core system DLLs, meaning it will essentially keep those privs forever.
    • by badriram (699489) on Thursday July 29, 2004 @11:11AM (#9831785)
      The words over there when you read the games list were "you may experience". It does not happen for all users. I run halo all the time with a unprivildged user account, and trust me it works.

      Also if you look at every major application made by MS, all of them run in user space, I run enough machines in my university to know what application do and what do not work in Windows user space. The one major problem we do run into is Visual Studio, but that is because of the debugging features, which can also be granted easily.

      There are enough opensource apps in windows that have this problem.
      • Firefox, first run after installation requires Admin to run it, otherwise crashes over and over again
      • MySQL, if you enable innoDB, Which is by default, it likes to crash in user space

      But yes this problem is more pronounced with other third party windows applications.
    • I have found no more powerful example of Microsoft's lack of commitment to security than this [common requirement that the user have Administrator privilages]. I think this philosophy more than anything else contributes to the proliferation of destructive worms and viruses.

      You know, you have pointed out one of the two major failings of Windows security-wise. The other is at least as bad, however.

      People often think of UNIX being a nightmare of dependencies, but from a security perspective, the dependency nightmare is actually far worse on Windows. Some of this I can understand, but some I cannot. For example, it is true that copy and paste in Windows depend on RPC. This is understandable (in Gnome, they depend on CORBA). But last time I tried to secure a Windows box by turning off RPC on the PPPoE interface, it would not authenticate until I re-enabled it. Apparently the PPP authentication mechanisms require that RPC is running (works if firewalled) on the same network interface, or at least that is what I was told when I finally called technical support (Microsoft). Granted this was Windows 2000 and I was using a third-party PPPoE extension, but still...

      At least with GNOME, I don't have to have CORBA listening on my network interfaces....

      If I am securing Linux or UNIX, there is generally it is usually clear what can be turned off whithout adverse results to the rest of the software. This is NOT true with Windows, and I have generally found disabling unnecessary services to be extremely difficuly on Windows because it is difficult to determine what is actually necessary.

      I find Windows security to be a complicated headache compared to UNIX security.

      Of course, real security depends on the admin, not the OS.
    • by Ytsejam-03 (720340) on Thursday July 29, 2004 @11:40AM (#9832156)
      I specifically was looking for one of the biggest problems with Windows -- Administrator authority is too easily doled out (by default, every home user is also an administrator.) This is exacerbated by the fact that so many Windows applications require the user to have Administrator authority.
      Application developers deserve just as much blame for this as Microsoft. It's a catch-22: practically everyone who uses Windows logs on as Administrator, so making sure non-administrative users can run your app is generally not a requirement.

      To make matters worse, Windows allows developers to store global variables in a shared memory segment, which IIRC is located in the dataseg of a given .exe or .dll. This provides an easy way to do IPC. IIRC, usage of shared memory segments is the reason that Office 97 and other apps require write(!) access to the System32 directory. Of course when I've seen shared memory segments mentioned in the MSDN documentation, I've never seen any mention of the security implications.

    • by Beryllium Sphere(tm) (193358) on Thursday July 29, 2004 @11:43AM (#9832198) Homepage Journal
      >Administrator authority is too easily doled out

      I'd argue that that's a symptom and not a cause. Behind all the technical errors there's a mindset that causes them.

      For example, somebody thought it was a good idea to have web server plugins run in the address space of the web server. It's only a good idea if you place more value on speed than on reliability and security. Somebody thought it was a good idea to speed up the system by moving more and more functionality into Ring 0. Somebody thought it was a good idea to have Turing-equivalent programs execute when you open an Office document, placing features above security. Somebody thought Javascript in email was a good idea.

      The same mindset, until recently, valued rapid code development over security.

      Everthing came together in Slammer. The philosophy of feature-richness put a SQL database into products whose buyers didn't even know they had it. The philosophy of convenience had it listening on the network by default. And so on.

      By now the old Microsoft attitudes and assumptions have been baked into the foundations and built on by ISV's. Change will be slow and painful even with firm commitment by Microsoft.
    • by Minna Kirai (624281) on Thursday July 29, 2004 @12:06PM (#9832460)
      I specifically was looking for one of the biggest problems with Windows

      It also lacks in other areas. For one thing, it ignores the common argument that "Windows only attacked so much because it's the biggest target, not because it's more vulnerable".

      And elsewhere it lies, claiming that DOS/Windows has a history of virus-writing that UNIX lacks. That is plainly false, as rtm demonstrated epidemic UNIX infections decades ago.
    • by cicho (45472) on Thursday July 29, 2004 @04:06PM (#9836012) Homepage
      This is exacerbated by the fact that so many Windows applications require the user to have Administrator authority"

      Isn't the same true on Linux? I remember reading (three years ago or so) that 3D shooters required superuser privilege to access video devices. It may no longer be the case these days, I don't know.

  • Sure.. (Score:4, Interesting)

    by stratjakt (596332) on Thursday July 29, 2004 @10:15AM (#9831178) Journal
    Most notably it includes probably one of the most fair and intelligent analysis of the Unix-Vs-Windows security issue that I have ever seen."

    Ok, so his thesis seems to be that Windows is insecure because it's too hard? Is this guy on crack?

    There are too many "knobs." The exposed interfaces are either too complicated, even with documentation, or too weak and limited. Security on Windows is hard to configure correctly (try setting up IPSEC).

    This guy can't seriously expect me to buy his argument that properly configuring a unix box is "easier", can he?

    This isn't a fair analysis, it's just more "MS is teh gay linucks is awwwwsome!!!!!11!" tripe.

    It's really not hard at all to secure Windows, and you can lock it down every bit as tight as any Unix if that's what you want to do. Just because people don't doesn't make it the OS's fault.

    How about all the newbies running their X sessions as root because it's the only way they can get the soundcard/dvd-r/tv-tuner/misc hardware to work?

    Is it Linux's fault that once you start piling OSS layers onto ALSA and jam the whole pile of shit into Gentoo's default devfsd setup, that it's a huge pain in the ass to get a non-root user to be able to play sounds? Cuz it is. Don't give me the bullshit about "all you have to do is add the user to the audio group" stuff.

    What about lazy fucks like me who quit trying to have their daemons chroot and su to another user, because every fucking time they type emerge -u world portage decides to change all the file permissions and ownerships around, so now all of a sudden slapd cant read or write it's data directory, hosts.allow and hosts.deny are no longer world-readable, etc, etc.. Fuck it, the only way to guarantee my LDAP server stays up is to have it run as root. And, of course, it has to stay up, else noone could log in.

    I can't remember which distro now, but it shipped with a single * in the xdm's Xaccess file - ie; anyone anywhere could get a local X session on it.

    What about every app that uses svgalib having to be suid root, or run as root. Those mythTV boxes and advanceMAME cabs are just big fat fuckin backdoor waiting to be exploited.

    The only point I'm trying to make is, any PC out there is no more secure as it's user/owner/admin and the apps they run. Most normal people dont enjoy spending 8 hours a day doing nothing but configuring their systems.
    • Re:Sure.. (Score:5, Insightful)

      by wwest4 (183559) on Thursday July 29, 2004 @10:41AM (#9831431)
      > Ok, so his thesis seems to be that Windows is insecure because it's too hard? Is
      > this guy on crack?
      > This isn't a fair analysis, it's just more "MS is teh gay linucks is
      > awwwwsome!!!!!11!" tripe.

      His thesis is actually more along the lines of (and I'm quoting from the Win v Unix section of the article):

      "Current Windows systems have some of the highest security ratings (as compared to other systems)... However, the number of documented security issues and the real-life rampant insecurity of Windows are not speculations either! The problems are real, both for Microsoft, and for Windows users."

      Nowhere here is he saying that MS sucks, or that linux r0x0rs. Again, from the sam part of the article:

      "We stated earlier that UNIX was not even designed with security in mind. Several technologies that originated on Unix, such as NFS and the X Window System, were woefully inadequate in their security."

      The argument that explains the paradox is along the lines of what many of us already know - that MS is more prevalent, has a wider spectrum of users (inexperienced to experienced) and exists in a wider range of vulnerable environments - not just cozy, isolated research labs.

      So while your arguments are valid, they don't really go against the overall opinion of the article.

      • by Tim C (15259) on Thursday July 29, 2004 @12:08PM (#9832482)
        Well, I have a hard time arguing that it's a "fair and balanced" opinion, given that one of his opening paragraph headings is "How Did Windows Become So Insecure?"

        Unless I've missed something on a previous page (which I admit is entirely possible), he's started from his conclusion ("Windows is not secure") and at best worked backwards.
        • by mangu (126918) on Thursday July 29, 2004 @12:20PM (#9832616)
          Imagine an article about the sun (the star, not the company). It starts with "how did the sun become so bright?". Would you say it's a biased article? The author was simply commenting on a fact: Windows *is* insecure, there are tons of viruses and worms out there to prove it. One may ponder on the reasons for this, and maybe arrive to biased conclusions. One may discuss how to make Windows more secure, and the relative ease of the process may be debated. But just saying what everybody knows, that there are many Windows security exploits, shouldn't be considered an evidence of bias.
    • by CyberKnet (184349) <slashdot AT cyberknet DOT net> on Thursday July 29, 2004 @11:00AM (#9831677) Homepage Journal
      What about every app that uses svgalib having to be suid root, or run as root. Those mythTV boxes and advanceMAME cabs are just big fat fuckin backdoor waiting to be exploited.

      Contrary to what your post implied, MythTV does not use svgalib, nor does it require to run as root/suid root.

      It is quite possible to setup MythTV to run as its own unprivileged user that only has access to QT libs, X, the tv tuner, video out and some form of large scale storage.

      In fact, that is the most common way to set it up, because that is how the very verbose documentation instructs you to set it up.

      I freely acknowledge that it is time consuming to set MythTV up; but I would heatedly dispute that it has to be insecure because of any reason issued in your post.

    • by jedidiah (1196) on Thursday July 29, 2004 @11:00AM (#9831683) Homepage
      > Is it Linux's fault that once you start piling
      > OSS layers onto ALSA and jam the whole pile of
      > shit into Gentoo's default devfsd setup, that
      > it's a huge pain in the ass to get a non-root
      > user to be able to play sounds? Cuz it is.
      > Don't give me the bullshit about "all you
      > have to do is add the user to the audio group"
      > stuff.

      Nope. It's Gentoo's fault. Unix in general has suitable authorization and automation facilities such that this should not be a problem for ANY user running anything newer than Slackware '96.

      The packager dropped the ball.

      The root user shouldn't even be able to touch the multimedia devices.
    • Re:Sure.. (Score:5, Insightful)

      by Amoeba (55277) on Thursday July 29, 2004 @11:02AM (#9831696)
      Ok, so his thesis seems to be that Windows is insecure because it's too hard? Is this guy on crack?

      There are too many "knobs." The exposed interfaces are either too complicated, even with documentation, or too weak and limited. Security on Windows is hard to configure correctly (try setting up IPSEC).

      This guy can't seriously expect me to buy his argument that properly configuring a unix box is "easier", can he?

      You are purposefully misunderstanding his point. He was not stating that Windows is "harder" than unix to secure, merely that the "average" unix user will generally have a deeper understanding of how the underlying OS works as opposed to an "average" Windows user. Think about it.

      Unix has a larger barrier of entry in terms of learning the OS and understanding how it works until you get to a point where it is "usable". Windows on the other hand has a much lower barrier of entry and a deep understanding of the underlying actions of the OS are not required in order to utilize the system. As a result the complexity of securing unix systems is not as complex to the average unix user since they already have overcome that initial large barrier whereas Windows is more complex to the average windows user because they are faced with a magnitude of complexity they normally do not see.

      I do agree with you that Windows can be locked down thoroughly and be just as secure as a unix machine.

      • by Prince Vegeta SSJ4 (718736) on Thursday July 29, 2004 @11:33AM (#9832060)
        He was not stating that Windows is "harder" than unix to secure, merely that the "average" unix user will generally have a deeper understanding of how the underlying OS works as opposed to an "average" Windows user. Think about it. The difference between Windows users and Unix (Linux) users, (and the reason Linux boxes tend to be more secure) is that Winodws users install drivers - Linux users write their own drivers. This was true at his company, at least. (he manages routers, etc at a fortune 500 securities trading company).
    • by Hatta (162192) on Thursday July 29, 2004 @01:01PM (#9833140) Journal
      Is it Linux's fault that once you start piling OSS layers onto ALSA and jam the whole pile of shit into Gentoo's default devfsd setup, that it's a huge pain in the ass to get a non-root user to be able to play sounds? Cuz it is. Don't give me the bullshit about "all you have to do is add the user to the audio group" stuff.
      What bullshit? It is just that easy. Change one line in an easy to understand config file, and you're good to go. No "huge pain in the ass" You don't have to "spend 8 hours a day doing nothing but configuring your system".

      What about every app that uses svgalib having to be suid root, or run as root. Those mythTV boxes and advanceMAME cabs are just big fat fuckin backdoor waiting to be exploited.

      If you're giving out shell accounts on your MAME cabinet, you deserve to be rooted. Ignoring the fact that you don't need to use SVGAlib to run either of those programs.
  • Summary (Score:3, Insightful)

    by Anonymous Coward on Thursday July 29, 2004 @10:19AM (#9831224)
    Windows enables things by default that enable exploits. This is done for ease of use. Users can make Windows secure.

    *NIX disables things by default. This is done for security. Users could make *NIX insecure.

    The number of different *NIXs makes it tedious to create viable exploits.

    In spite of what the guy says, I think most of us already knew this stuff. Have I missed anything?

  • The core security problem with Windows is that Microsoft has been unable or unwilling to take advantage of the core security capabilities of Windows.

    It's more than just the fact that there are existing applications that expect to have write access to system directories and do other dengerous things, it's that Microsoft doesn't seem to be able to respond appropriately. For example, our early Citrix-based server showed the path to solving the problem of writing to system directories... it mapped system write access into the user's profile, and you had to switch to an explicit "installer" mode to actually modify things in the system.

    Microsoft owns that code now, it's surely in Terminal Server, but instead of implementing it they created a high level workaround... the sort ofthing you'd expect to see coming from a third party... that monitors the system and puts files back when they change. This not only breaks more applications than the old Citrix-style code did, but it provides another hiding place for viruses that manage to infect the repository or trick the system into backing them up.

    Similarly, the whole protocol/handler problem in Internet Explorer... or rather the Microsoft HTML control... (and being inexplicably copied by Apple and the KDE people) could be almost completely prevented by simply making the protocol and helper application binding the responsibility of the application calling the control instead of making the control guess whether the application it's calling is hardened for use by untrusted pages, and if not then it has to guess whether the page it's displaying is trustable or not.
  • by sczimme (603413) on Thursday July 29, 2004 @10:29AM (#9831328)

    is here [securityfocus.com].

    As an aside, items like ASET and RBAC are not new for S10; IIRC they have been included since S8.

    Or instead of reading about these things, individuals can download the Solaris 10 Beta 5 ISOs and try them out. Go to this page [sun.com] and scroll to the bottom to Solaris Express.
  • by winchester (265873) on Thursday July 29, 2004 @10:30AM (#9831338)
    I more or less disagree with him on his treatment of the Windows adherence to the CC and Orange book standards.

    Even though Windows 2000 is EAL 4+ certified, that doesn't mean it is a secure system. On the contrary, the protection profile Microsoft chose to use specifically states that the threats Win2k should guard against do not include either malicious outsiders or malicious users.

    A more or less similar situation exists when we regard the C2 certification for Windows NT. That certification is obtained only when using a NT 4 system with several subsystems removed and no network access.

    Both certifications sare the facts that a very specific hardware-software combination has been audited. This is so extreme that EAL 4+ is only valid for a Windows 2000 system with a very specific set of patches applied (SP2 and 1 patch IIRC). In other words, totally useless for any serious real-world application.
    • by arivanov (12034) on Thursday July 29, 2004 @10:49AM (#9831550) Homepage
      These evaluations are evaluations on procedures in handling data. They are not evaluations on system breakability and security against unauthorized break-in as such. They are evaluations on suitability of a system to handle confidential data according to some predefined requirements.

      Basically a EAL or Orange book certified system will not allow casual transfer of data from a higher security level to a lower security level. That is the core of the qualification concept. All the stuff about admin roles, etc is just fluff oriented towards managing the concept and the granularity to which it is managed.

      After the wave of buffer overrun hacks that followed the publishing of Alef1's paper "Smashing the Stack for Fun and Profit" in 1996 I had a conversation with the security head of a bank-to-bank transfer house head of security. We were discussing what can we do about intrusions like this. His first suggestion was to raise the security level to B1 or higher. At which point I had to point to him that all intrusions were circumventing the security mechanisms, not breaking through a problem in them so the Orange Book level of security did not bloody matter at all.

      On a similar note, Old SCO OpenServer 3.x which had C2 certification was quite hard to hack in its normal mode of operation. Raising the system to C2 and the enabling of roles required to do so made the system a walkthrough. It took me around 5 minutes to get root on it by doing casual operations, no real hacking involved.

      • by randombit (87792) on Thursday July 29, 2004 @01:08PM (#9833236) Homepage
        Basically a EAL or Orange book certified system will not allow casual transfer of data from a higher security level to a lower security level. That is the core of the qualification concept. All the stuff about admin roles, etc is just fluff oriented towards managing the concept and the granularity to which it is managed.

        Ummmmmm... no. Multilevel security was only a requirement in the Orange Book of level B1 or higher. C1/C2 evaluated systems did not need any sort of MLS. There are Unix-based MLS systems (Trusted IRIX was evaulated at either B1 or B2, IIRC), but they are not common, and generally pretty painful (an attribute shared with all other MLS systems). In normal Windows or Unix systems, there is no labeling of data, there are nwhich would be kind of a waste of money, but hey.o controls preventing you from sharing information with other users, none of that. And for good reason - MLS is about information control, while people generally get work done by *sharing* information. The only people who want MLS are the military/intel groups, and from what I've heard, most of the people using it there don't like it much either.

        As for CC, there is absolutely no requirements whatsoever in terms of protection. With the right proection profile, you could probably get MS-DOS to EAL2 at least. In this case the profile would say "this OS doesn't do anything security-wise", and then the evaulation would prove that this protection profile was correct.

        Also, it's Aleph1, not Alef1. Hebrew letter (or, in this case, a Hebrew letter + number, specifying a transfinite number). /tangent
    • by scruffyMark (115082) on Thursday July 29, 2004 @02:41PM (#9834773)
      His equation of assurance levels to orange book certification levels is just silly. Am I the only one to be bothered by this?

      The orange book certification level describes a set of security properties - the CC equivalent is a protection profile (PP). The assurance level describes the depth of testing that went into confirming that the particular protection profile is met by a product.

      Controlled Access Protection Profile (CAPP) corresponds pretty much to C2. Whether a product is evaluated against CAPP to EAL 1 or 7, it will always correspond to C2 - just that the evaluators are stating more or less certainty in the results.

      So, Win2k got evaluated against CAPP to EAL 4 - that corresponds to C2, not B1, no matter what the EAL was.

  • by chegosaurus (98703) on Thursday July 29, 2004 @10:34AM (#9831377) Homepage
    I'm very impressed with zones, the resource control and monitoring are even better than in 9, dtrace is just about the coolest thing I've ever seen on Unix, and zfs and the souped-up NFS look great too. (Though I haven't had the chance to play with those yet,)

    Nice to see Sun can still innovate.
  • by spoonyfork (23307) <spoonyfork@nOspAm.gmail.com> on Thursday July 29, 2004 @10:51AM (#9831574) Journal
    I'm still getting MyDoom.o [mcafee.com] emails. It spread like wildfire inside the company I work at. No update pushed to McAfee on workstations until the next day after the infection. After... the barn door is already open and horses are gone. Be sure to shut that barn door after everything is compromised.

    On this Windows box at work I'm protected from thousands upon thousands of viruses except the one that gets written tomorrow and the idiot that opens its brilliantly socially-engineered email attachment.

    This is rhetorical and wishful: when are we going to get some anti-virus software that protects us before an outbreak?


    (please don't say don't run Windows, it is realistic but not realistic today right here)

    • by t1m0r4n (310230) on Thursday July 29, 2004 @11:37AM (#9832108) Homepage Journal

      I'm still getting MyDoom.o emails. It spread like wildfire inside the company I work at....
      This is rhetorical and wishful: when are we going to get some anti-virus software that protects us before an outbreak?
      (please don't say don't run Windows, it is realistic but not realistic today right here)

      When you say, "don't run Windows", do you mean on the mail server? Off the top of my head, I know of this procmail tweak [impsec.org] which can do wonders to stop new virus type threats when set up wisely. I've seen it put to good use at a few places that use Windows desktops. I would imagine that if one was a bit clever, there should be a similar solution on Windows servers also.

    • by mrroach (164090) on Thursday July 29, 2004 @12:03PM (#9832430)
      One tactic that I have used successfully for some time is to "sanitize"[0] potentialy destructive attachments on incoming emails.

      This means that .exe files get renamed to whatever.exe.bin and the content type gets changed to application/binary. This way a user has to really want to run that executable, and know how. I also have it dig into zip and tnef files and do the same there.

      Now that I think of it, this is sort of a poor-man's executable bit. It doesn't actually prevent execution, it just adds another step (that isn't just an "are you sure?" dialog) to the process.

      -Mark

      [0] http://www.impsec.org/email-tools/procmail-securit y.html [impsec.org]
    • by Anonymous Coward on Thursday July 29, 2004 @01:22PM (#9833486)
      We were a McAfee shop for years and it only worked half-assed most of the time, despite what you read in all the trade rags about who's got the best antivirus software. Last year we ran out of patience, and obtained eval copies of all the big name antivirus suites (email, fileserver, desktop, web filter, the usual corporate antivirus bundles), and set up a test lab with a Windows Server and 10 workstations in our training room to serve as a clean test bed to throw about 1000 different virii we'd collected at the test network and see how it handled it. We're actually a govt organization with 35 servers and 500 workstations, but the test setup was sufficient to prove what we wanted to find out. The top four products were: McAfee, Symantec, Trend Micro and Sophos.

      McAfee exhibited all the issues and problems we'd already known in our live environment.

      Symantec/Norton had so many install problems that we could even install it successfully. This was on plain vanilla, fresh installs of Windows 2000 Server and XP workstations. Their tech support expected us to go thru a bunch of troubleshooting nonsense, but when the damn installer keeps crashing, that speaks volumes about what kind of quality control (or lack thereof) that this company's products go thru. No thanks! Norton goes in the trash.

      Sophos seemed to work alright except for lack of support for all our email platforms, but their licensing practices and costs are complete bullcrap. Literally double the purchase and annual maintenance of the others. Not worth it.

      Trend Micro's "NeatSuite" bundle just simply worked. Correctly. The first time. Right out of the box. Plopped the cdrom in, clicked thru the default setup configs, and whammo -- smooth running antivirus solution with easy browser-based management of the server, "push" install to all the clients, that detected and uninstalled pre-exisiting McAfee and Norton, auto-updating that's invisible to the end users. Over-the-Internet updates of the scan engines and virus definition files to the local server, and then pushed out to the desktops works perfectly. We bought Trend and have been running it for almost 2 years now. Not one single virus has ever gotten thru since. Annual maintenance is a small bit pricier than McAfee or Norton, but not too bad. With the latest updates we even got a new feature that adds powerful attachment filtering capabilities, and spam and porn blocking to the email system. I wish we would have changed to Trend much sooner. Oh, and by the way, their stuff is available for Linux severs too. We can get updates for virus definitions scheduled every hour too, Trend's record for getting updated definition files published is exemplary, compared to what we had with McAfee.
  • by Anonymous Coward on Thursday July 29, 2004 @11:23AM (#9831903)
    The security "philosophy" of the Mac platform, and of the Mac community, is immature yet. While Mac OS X has a good amount of circumstantial immunity against malware, it is significantly lacking in its security paraphernalia as compared to the cutting edge feature-set found in its competitors. The difference is more stark on the server side, where the competition is stiffer.

    Isn't this argument sort of like saying that Macs are only secure because they are obscure?

    I have read [theregister.co.uk] OS penetration has little to do with security. Additionally, with Mac OS X there is a BSD underpinning that utilizes ipfw. OS X is shipping with a strong firewall built in, that doesn't seem circumstantial to me. Does this mean the the BSD's are also circumstantially secure?

    I am not saying OS X is completely secure, I have seen the recent exploits, but certainly Mac OS X security is methodical and planned since its roots are from a relatively secure BSD.

    Maybe I am reading too far into the above statement. I am not more educated in this subject than the author, but it certainly seems like an unfair treatment of a relatively secure OS.
  • by kevin_conaway (585204) on Thursday July 29, 2004 @12:00PM (#9832386) Homepage
    The material on his site is good but his layout has way too much eye candy. To me, its very visually distracting and hard to focus on the content of his article...thats just me though :)
  • by Idarubicin (579475) <(allsquiet) (at) (hotmail.com)> on Thursday July 29, 2004 @12:22PM (#9832649) Journal
    There are too many "knobs." The exposed interfaces are either too complicated, even with documentation, or too weak and limited. Security on Windows is hard to configure correctly (try setting up IPSEC).

    You really shouldn't call Windows users that. They can't help it.

    And don't make me do a Beavis and Butthead laugh for following a comment about 'knobs' with one about 'exposed interfaces'.

  • to not have a private opinion on windows. The page is down, was that a joke or was there something up once that got hastily removed?

  • by MECC (8478) on Thursday July 29, 2004 @12:36PM (#9832817)
    In the "Unix .vs. MS Windows" part, all I saw was a re-hashing of common miscomceptions, and little substantive on interesting info, and some revealing logic stumbles.

    "Windows is supposed to be an easy-to-use platform, while Unix is supposed to be cryptic and hard-to-use." - good grief. An ad-hoc conclusion like this pretty much points to a lack of actual logical analysis.

    "Microsoft's success, as reflected in their incredible market share, amplifies their security problems". So, giving an email client the ability to infect a system has nothing to do with it? The article seems to gloss over MS's efforts to graft its applications into its OS as part of the problem. By this logic, killing turkeys causes winter.

    "A potentially relevant issue is the phenomenal amount of resentment against Microsoft and Microsoft products that is seen in many circles." So, Microsoft's security issues are because people hate them. Get my violin.

    "'Security' is hard to formalize, hard to design (and design for), hard to implement, hard to verify, hard to configure, and hard to use. It is particularly hard to use on a platform such as Windows, which is evolving, security-wise, along with its representative user-base." ! He seems to be saying that windows security is evolving and its users are also 'security-evolving', and as as a result, windows security is getting worse. Well, wait a minute. Maybe he's right on that one...

    • by Tony-A (29931) on Thursday July 29, 2004 @01:28PM (#9833580)
      "'Security' is hard to formalize, hard to design (and design for), hard to implement, hard to verify, hard to configure, and hard to use. It is particularly hard to use on a platform such as Windows, which is evolving, security-wise, along with its representative user-base." !
      Security is hard to bolt on to an existing design. It's not that difficult to design at the beginning.

      He seems to be saying that windows security is evolving and its users are also 'security-evolving', and as as a result, windows security is getting worse. Well, wait a minute. Maybe he's right on that one...
      Build a security fence around your property by evolving.
      Evolution will sometimes add a bit to cope with problems, but the general trend is for evolution to add more and more holes.
      You make a seive by punching holes in a container.
      You do not make a container by plugging holes in a seive.

  • by gillbates (106458) on Thursday July 29, 2004 @05:06PM (#9836862) Homepage Journal

    In this context, a rule-of-thumb definition of security is often cited: a system is considered secure if its "secure-time" is greater than its "insecure-time." Secure time is simply the time during which a system is protected, that is, free of "incidents". Insecure time is the sum of the time it takes to detect an incident and the time it takes to react to the incident (summed over all incidents in a given interval):

    I've never heard such a naive definition of security. Apparently, regardless of how many security holes my system has, or how many times I get hacked, I can call it secure as long as it can be recovered quickly.

    So, by this definition, my system is still secure even when:

    • A hacker exploits IIS and downloads all my customer names and CC numbers.
    • A hacker destroys all of my data from the last backup; as long as I can recover it quickly, data loss doesn't matter, right?
    • A hacker DDOS' our server and we lose several days worth of business. Our system is still up, so obviously it's not secure.
    • A hacker installs a rootkit on our server. You see, it doesn't matter if the box is owned, as long as its up and running, right?
    • A hacker zombies the machine and uses it to send SPAM, or worse, host illegal content.
    Need I go on?

    I don't think I could come up with a better explanation of why Microsoft will never design secure software than this one: they're definition of what constitutes a secure system is simply out of touch with the requirements of running a business.

  • Like most security-related rants, this article fails to first scope what it intends to mean by security.

    I personally like to scope security as end-user security for someone using their computer as a client machine, NOT a server. Opening a shiny new box, plugging it on the network, and do very basic things most people do: check email and surf pr0n, sign-up for "free stuff".

    Right now, by plugging a brand new installation of XP onto an unprotected network, you get owned by Sasser within seconds. There were many before Sasser, among a few that come to mind are CodeRed and Nimda.

    How did those worms spread so fast? One easy answer: Services that users did not need were running on a default installation of the operating system. You woulda thought microsoft would have learned to turn all services off by default since 2001 for client machines. Nah. They've kept many open.

    Apple has been smart about this. It provides two very distinct operating systems: An end-user operating system, the mainstream Mac OS X, and a server operating system, aka Mac OS X Server. Apple knows to be humble about the network services it offers, even if most of 'em are open-source and quite mature, and KEEP THEM TURNED OFF on end-user, client machines. That's what regular Mac OS X is for. You can buy a new end-user Mac, plug it in a network, run nmap against it, and you'll get zero hits. Not one. Not a single network service is running by default.

    Virulent and devastating Worms and Viruses don't spread thru server machines, those tend to live in pretty-heavily firewalled networks. No. They spread thru END-USER machines.

    SP2 had better do one thing and do it real well to the average end-user client machine: TURN OFF ALL SERVICES.

    Beyond that, musing about security is mostly beating a very dead horse. Every single time you turn a network service on, you are opening yourself to infection risks. The OS architecture ought to mitigate those risks. A sysadmin with a clue or two will keep his server secure, regardless of what OS it runs, because that sysadmin knows security is about constant vigilance and works in many many layers.

    Again, when talking about security, people should scope the discussion within the distinction of end-user usage and server usage.

"Consistency requires you to be as ignorant today as you were a year ago." -- Bernard Berenson

Working...