*nix vs. MS security
Christopher Lu
instructor mentioned that *nices are less reliable and less secure than
Microsoft OS's. His reasoning is that because *nices (espeically linux) is
free and everyone has access to it, it's less secure. Random people can
hack into a *nix system easier because they can figure out the interrupts
and stuff, since it's a free OS.
I questioned the fact that the majority of servers on the internet use some
flavor or *nix. He answered saying that only small size companies use *nix.
Everyone else uses something more secure (he meant MS I'm assuming).
I wanted to know what everyone here thinks about this. I'm a firm believer
thatn *nix is a very stable, secure system. Granted I haven't had a whole
lot of experience dealing with *nix but everything I've seen/read/heard has
led me to that conclusion. But being naive when it came to *nix I was
unable to counter my instructor with anything substantial.
Thanks!
Andre Kostur
<T1Eu3.4862$Rn....@news.rdc2.occa.home.com>:
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 5.00.2314.1300
>X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Off-Topic: Ask Microsoft what they're running Hotmail off of.
Fallacy: Having access to the source code makes the system less secure.
By this reasoning, RSA (and PGP, and IDEA, and RC5, and...) are all
inherently less secure than say ASES (Andre's Secret Encryption System).
After all, you can get the algorithms for RSA pretty easily, but the ASES
algorithm is only known to me.
To be quite honest, RSA is many, many orders of magnitude more secure
than ASES, _because_ everybody can examine the algoritms. I'm no
cryptanalyst, so my encryption system will suck.
But, back to operating systems.... given that the source is available, it
actually makes it easier to locate and fix security holes in the system
since there are so many people (and a lot of them are altruistic and will
report security holes rather than exploit them) examining the system.
Heck, you have to trust Microsoft (and those designated by Microsoft)
that Windows NT is secure, where with Open Source projects (Linux, and
others) you don't have to trust Linus Torvalds when he says (note I'm not
saying that he has said, this is only an example) that Linux is secure
(or can be made so with the correct administration). You can choose to
trust Alan Cox. Or any one of a few thousand people who have examined
the source code.
In my experience, Unix systems have been a lot more stable than NT boxes.
Heck, my desktop NT box routinely crashes EXPLORER.EXE!
Note that I'm not claiming any of the above people have made any claims
about the security of Linux, I'm only using their names as examples
(mostly since they are very high-profile names in the Linux community).
As for "only small companies use Unix".... here's a transcript of a short
ftp session with a company I'm sure many people will recognize as a
company that can hardly be called small....
Connected to FTP.NIKE.COM.
220-
220- Unauthorized Access Prohibited
220-
220-
220 barb FTP server (Version wu-2.4.2-academ[BETA-17](1) Tue May 19
11:39:59 PDT
1998) ready.
User (FTP.NIKE.COM:(none)): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> literal syst
215 UNIX Type: L8
ftp>
Oystein Viggen
> I'm taking a class on operating systems. During the last class, the
> instructor mentioned that *nices are less reliable and less secure than
> Microsoft OS's. His reasoning is that because *nices (espeically linux) is
> free and everyone has access to it, it's less secure. Random people can
> hack into a *nix system easier because they can figure out the interrupts
> and stuff, since it's a free OS.
Your instructor is totally bullshitting you. The type of "security"
that he seems to prefer is known as "Security through obscurity". It
means that the programmers figure that nobody will ever be able to
reverse engineer their code, so it doesn't really have to be that
secure.
Open source programs have to implement real security meaning that even
though one has access to the code, one cannot use that to circumvent
the system, because the security is made that way. (I'm no expert
either... :)
A good example is file-sharing in NT. Since NT was released,
everybody assumed that you would need a username and a password to
access a share, and since the source was closed, nobody bothered to
check. But when other people were starting to reverse engineer it,
they discovered that they didn't really need the username and pass,
because much of the security was implemented in the client instead of
in the server. This was a year or two after the first release of
NT4. If the code and protocol for file sharing in NT had been open
source, somebody would have been bound to discover the obvious a lot
sooner.
Tell your instructor that real security is implemented in a way so
that having access to the code, doesn't help unless you find a
bug.
The fact that bugs in code is discovered every day, does in no way
mean that UNIX-like systems are inherently more buggy than NT. It's
just a result of that the bugs are easier to track down when one has
access to the source, and they are also easier to fix.
Microsoft, on the other hand, doesn't even bother with fixing their
bugs fast. The oh-so-great Bill Gates actually once said something
along the lines of that "fixing bugs doesn't sell software. Adding
features does." How is a company with a pilosophy like that supposed
to be able to create a secure system?
Ignore your instructor! You _know_ you're right!
This was my rant. Thanks for listening... :)
Oystein
--
"But you know what they say - The world wasn't built in a day"
Oystein Viggen
> Off-Topic: Ask Microsoft what they're running Hotmail off of.
Heck, ask them what they were running some of their bigger web-servers
off of before people discovered... :)
cbrink
check out
http://www.idg.net/crd_security_9-68221.html
Christopher Lu <christo...@yahoo.com> wrote in message
news:T1Eu3.4862$Rn....@news.rdc2.occa.home.com...
> I'm taking a class on operating systems. During the last class, the
> instructor mentioned that *nices are less reliable and less secure than
> Microsoft OS's. His reasoning is that because *nices (espeically linux)
is
> free and everyone has access to it, it's less secure. Random people can
> hack into a *nix system easier because they can figure out the interrupts
> and stuff, since it's a free OS.
>
Roger
>
> I'm taking a class on operating systems. During the last class, the
> instructor mentioned that *nices are less reliable and less secure than
> Microsoft OS's. His reasoning is that because *nices (espeically linux) is
> free and everyone has access to it, it's less secure. Random people can
> hack into a *nix system easier because they can figure out the interrupts
> and stuff, since it's a free OS.
>
> I questioned the fact that the majority of servers on the internet use some
> flavor or *nix. He answered saying that only small size companies use *nix.
> Everyone else uses something more secure (he meant MS I'm assuming).
>
> I wanted to know what everyone here thinks about this. I'm a firm believer
> thatn *nix is a very stable, secure system. Granted I haven't had a whole
> lot of experience dealing with *nix but everything I've seen/read/heard has
> led me to that conclusion. But being naive when it came to *nix I was
> unable to counter my instructor with anything substantial.
NT is reasonably easy to crack - NTFSDOS.EXE will get you into any file
on the HDD if you boot from a floppy - most sys admins don't bother
setting the BIOS to boot from C only. There are other stupid holes like
caching of dial-up passwords, plus earlier versions of NT can be
disabled with the Ping Of Death (a very large IP packet). From my
experience with NT4 Workstation, it needs a state-of-the-art PC (PII, at
least 64MB) for decent performance and falls over more often than Win98
(which is fine if you avoid using IE4 - if Netscape crashes it doesn't
drag the whole OS down with it).
I haven't had much experience of Unix/Linux yet but NT is certainly not
a perfect system. Besides stability, people run half the Internet on
Apache because it's free or very cheap - NT costs hundreds and you
normally have to licence each box.
--
Roger
Web: http://freespace.virgin.net/roger.cantwell
ICQ: 40038278
*** Vital! Please remove 'removethis.' from the Reply address ***
Roger
>
> Ask your prof about BackOrifice 2000
Forgot to mention - there are thousands of NT viruses but, AFAIK, no
Unix viruses at all. Unix file permissions make it very difficult for
any unauthorised code to be run, unless some careless sysadmin is
surfing the Net as root.
Aaron Ginn
If your instructor really believes these things, then I have to question
his credentials. The fact that UNIX is 30 years old means that almost all
the security holes have already been found and fixed. Also, the notion
that access to the source code makes the OS less secure is hogwash. The
more eyes that can see the code, the easier it is to find security holes
which can be fixed. Ask your instructor to provide you with a specific
example of how access to the source has compromised security. Odds are
he won't be able to provide you with anything other than theoretical B.S.
> I questioned the fact that the majority of servers on the internet use some
> flavor or *nix. He answered saying that only small size companies use *nix.
> Everyone else uses something more secure (he meant MS I'm assuming).
This is also false. Go to http://www.netcraft.com and start entering URLs
for "big" companies and you'll see what they are running: FreeBSD, Solaris,
HP-UX, IRIX, Digital UNIX, etc.
>
> I wanted to know what everyone here thinks about this. I'm a firm believer
> thatn *nix is a very stable, secure system. Granted I haven't had a whole
> lot of experience dealing with *nix but everything I've seen/read/heard has
> led me to that conclusion. But being naive when it came to *nix I was
> unable to counter my instructor with anything substantial.
Go to http://www.unix-vs-nt.org/kirch/ and you'll have _more_ than enough
ammunition for your next discussion.
As an aside, there is a little-known deal that Microsoft has with some
instructors at institutions of higher learning that the instructors receive
$200 "awards" when they mention Microsoft products in a positive light.
This makes me wonder if your instructor is a participant or merely ignorant!
Happy debating!
Aaron
you...@magpage.com
>
> I'm taking a class on operating systems. During the last class, the
> instructor mentioned that *nices are less reliable and less secure than
> Microsoft OS's. His reasoning is that because *nices (espeically linux) is
> free and everyone has access to it, it's less secure. Random people can
> hack into a *nix system easier because they can figure out the interrupts
> and stuff, since it's a free OS.
>
> flavor or *nix. He answered saying that only small size companies use *nix.
> Everyone else uses something more secure (he meant MS I'm assuming).
>
> thatn *nix is a very stable, secure system. Granted I haven't had a whole
> lot of experience dealing with *nix but everything I've seen/read/heard has
> led me to that conclusion. But being naive when it came to *nix I was
> unable to counter my instructor with anything substantial.
>
Your instructor must be trying to put one over on you. I work for a
rather large company (Fortune 10). We do use some NT, but not for anything
really critical. Mission critical and big is reserved for mainframes and
UNIX. It's not so much a security issue as a reliability one.
I would trust Linux over NT any day. More eyes have looked it over for
potential security holes. Many have been found and fixed. And the fixes
are *fast* when new holes are discovered. This is demonstrably *not* the
case with Microsoft.
Also, the Microsoft crowd is paid, the Linux crowd does it for love, fame,
recognition. Kind of like a mercenary army vs. the home folks. The home
folks will win every time all else being equal. Only in this case it isn't
equal, the home folks seem to have more and better minds working on the
problems (IMHO)...
John Girash
: I'm taking a class on operating systems. During the last class, the
: instructor mentioned that *nices are less reliable and less secure than
: Microsoft OS's. His reasoning is that because *nices (espeically linux) is
: free and everyone has access to it, it's less secure. Random people can
: hack into a *nix system easier because they can figure out the interrupts
: and stuff, since it's a free OS.
No offence, but unless he's worked at one of the closed shops (MS's Windows
division, DEC's VMS etc) and seen the code, how can an OS prof make any
statement about that OS, or deal with it in an academic environment? It'd
be like teaching biology without ever having studied internal anatomy,
neurology, endocrinology etc, and going on nothing but behavioural and
clinical drug studies, i.e. all you have to go on are surface phenomena.
So, unless he's worked at MS and seen the source code, your prof doesn't know
anything more about WindowsXX than anyone else and has no business making
such statements. (Now, if he had actual research to back up an empirically-
based claim, that'd be one thing. But he's making a logical statement with
just plain not enough information.) My recommendation: try to take the
course in a different term (it's probably too late), with a different prof.
IIRC, Minix was created *specifically* so that people studying operating
systems academically _had_one_ whose internals they could get they grubby
hands into, *because without the source all you can do is guess* about what's
going on inside. & Linux can trace itself (at least conceptually) to Minix.
jg
p.s. note: I'm not making any statement here about the relative merits of one
OS v. another in practice. But in an _academic_ teaching environment (as
opposed to a technical one) there's no choice: an OS w/o source is useless.
--
"don't listen when you're told about the best days in your life Spirit of
a useless old expression, it means passing time until you die." the West
/\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\/
-- John Girash -- girash @ cfa.harvard.edu - http://skyron.harvard.edu/ --
jen...@homacjen.ab.ca
: I'm taking a class on operating systems. During the last class, the
: instructor mentioned that *nices are less reliable and less secure than
: Microsoft OS's. His reasoning is that because *nices (espeically linux) is
: free and everyone has access to it, it's less secure. Random people can
: hack into a *nix system easier because they can figure out the interrupts
: and stuff, since it's a free OS.
I take it your instructor is a firm believer in security through
ignorance.
Just because he doesn't know how to hack into a system doesn't mean
its secure.
Best regards,
Stephen Jenuth
(jen...@homacjen.ab.ca)
Quidquid latine dictum sit, altum viditur.
Alan Sparks
back. College profs are more useful and educational when they've seen the
real world.
Read the trade press. Many of the largest companies rely on UNIX.
-Alan
>Christopher Lu <christo...@yahoo.com> wrote in message
>news:T1Eu3.4862$Rn....@news.rdc2.occa.home.com...
yan seiner
you this: I've administered both Win32 and *nix xystems. Win32 is
incredibly insecure. As a trivial example, NT does not close the
connection to your hoem directory. Period. Check it out (with linux,
of course). Log in, log out, log in as another user - there it is - the
previous user's home directory. If the file permissions allow it, you
can trash it. Piss poor security. Yet MS engineers have "not been able
to reproduce teh problem" for something like 2 years....
Win32 relies on security through single users, ignorant users, and
frequent reboots. Ask anyone who administers a Win32 system in an
academic environment. It's a nightmare.
Linux, on the other can _can_ be made secure. Not that is out of the
box. But it can be secured, because it's open source. Anyone can post
a fix to a bug. And they do. Authors are pressured to fix code. And
modern encryption algorithms employ trap door functions - ask your
instructor what that is. A well written trap door function is secure,
even if yo have the source code and teh public key.
Enough of my soap box. Your instructor is full of shit.
Yan Seiner
Another CS instructor
Christopher Lu wrote:
>
> I'm taking a class on operating systems. During the last class, the
> instructor mentioned that *nices are less reliable and less secure than
> Microsoft OS's. His reasoning is that because *nices (espeically linux) is
> free and everyone has access to it, it's less secure. Random people can
> hack into a *nix system easier because they can figure out the interrupts
> and stuff, since it's a free OS.
>
Cameron L. Spitzer
>In comp.os.linux.misc Christopher Lu <christo...@yahoo.com> wrote:
>: free and everyone has access to it, it's less secure.
> your prof [...] has no business making
>such statements. My recommendation: try to take the
>course in a different term (it's probably too late), with a different prof.
I took a computer architecture course where the tenured professor
gave a handwaving mathematical proof by notation that it is impossible
to build a CPU supporting nested interrupts in a way that the ISRs
are oblivious to one another. (I.e., all CPUs must be like Intel's, where
each ISR must save processor state before doing any useful work.)
I'd just come back from an internship where I'd implemented a CPU
where, at the machine language level, each interrupt level had a register
set to itself. We'd done what the learned professor had proved impossible.
I made the mistake of arguing with this phony expert
in class. Aced all the exams and got a C in the course.
Don't argue when your professor teaches bullshit; graduate and make
more money than he does by your second year out.
ObLinux: Andrew Tanenbaum said he'd give Linus a lousy grade for Linux 1.0.
Cameron
Christopher Browne
<christo...@yahoo.com> wrote:
>I'm taking a class on operating systems. During the last class, the
>instructor mentioned that *nices are less reliable and less secure than
>Microsoft OS's. His reasoning is that because *nices (espeically linux) is
>free and everyone has access to it, it's less secure. Random people can
>hack into a *nix system easier because they can figure out the interrupts
>and stuff, since it's a free OS.
>
>I questioned the fact that the majority of servers on the internet use some
>flavor or *nix. He answered saying that only small size companies use *nix.
>Everyone else uses something more secure (he meant MS I'm assuming).
>
>I wanted to know what everyone here thinks about this. I'm a firm believer
>thatn *nix is a very stable, secure system. Granted I haven't had a whole
>lot of experience dealing with *nix but everything I've seen/read/heard has
>led me to that conclusion. But being naive when it came to *nix I was
>unable to counter my instructor with anything substantial.
Your instructor is evidently the naive one.
a) In terms of reliability, it's not UNIXes that have to be taken down
weekly to reboot because the system probably will go down if you
don't.
The main box that I connect to currently has 11 days of uptime; the
downtime resulted from a hardware upgrade.
The major UNIX vendors (IBM, Sun, HP) are offering "more 9's" worth of
uptime than NT does.
b) In terms of security, I suggest you think again.
If you want to talk about formal security certifications, there are
UNIX systems rated as high as B1 by the NSA/NIST. NT is only rated
C2, and that is only true for version 3.51, with *networking turned
off.*
<http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html>
c) In terms of "unreliability as a result of open source," your
instructor obviously is unfamiliar with the way *serious* security
systems work.
Apparently he believes in the notion of "security through ignorance."
This only works when deploying systems in environments where attackers
are all effectively morons, and does not resist serious attacks.
Operating systems are small potatoes compared to cryptographic
systems, and the experts have repeatedly documented situations where
the utter *lack* of documentation and the *lack* of ability to attack
systems has resulted in systems that are insecure *because they are
not documented.*
The only competent way of validating that a system is resistant to
attack is to document its implementation, and allow experts to try to
find attacks. That's how cryptoanalysis works, and that's how
security holes get plugged in operating systems.
Note that by the above criteria, UNIX systems aren't usually
configured to be secure, much as NT systems aren't usually configured
to be secure.
In both cases, *typical* configurations tend only to use discretionary
security protection. Mandatory access control represents a B1
requirement that most UNIX systems do not satisfy, and which NT does
not satisfy.
And if the instructor actually did use phrasing involving the word
"interrupts," this probably indicates that he's been very well
brainwashed by someone that emitted convincing bafflegab about NT
being "more secure." That seems vastly more likely than that he knows
anything about TPEP or the Orange Book or about computer security in
general.
Ask the instructor about capabilities-based systems. Neither UNIX nor
NT represent such; that seems to be the area of greatest interest in
recent research work on highly-securable OSes.
d) I work at Sabre, the folks that do airline reservations. Our big
systems run UNIX. The big web servers run UNIX. Our *really* big
systems run on MVS mainframes (rumor is that we have 17 of 'em);
neither UNIX nor NT are as of yet options for something as big as a
travel reservation system. There are some systems running NT; nothing
of nearly as great importance, as far as I can tell.
Note that if you want to get "disagreeable" with the instructor, the
Right Approach to correct the instructor is not to blabber at him
about how "YOu're Worng! UNIX is much more securable than Windows
NT!"
The Right Approach is to suggest/volunteer to have your term paper (or
some such assignment) be written on the area of Operating System
Security. You "bias" the material to deal with some of the recent
research on things like capabilities-based OSes, tempered with a
presentation of TPEP and the EC (European Community) material on
secure computing system certifications.
The "UNIX-is-pretty-good" thing that will fall out particularly from
the latter search will be that there are vastly more Officially
Extremely Secure UNIXes than there are Officially "Vaguely Secure" NT
versions.
A useful thing to have fall out of it might be to do an analysis of
some portion of the capabilities of NT ACLs as well as an attempt to
see to what degree it is isomorphic with UNIX GIDs.
The research should be interesting; there's lots of good paper-writing
material out there; you'll learn lots that should even include the
idea that UNIX isn't the last word in security.
The big "win" is if you get a good learning experience, despite some
lack of knowledge on the part of the instructor.
--
"The idea that Bill Gates has appeared like a knight in shining armour to
lead all customers out of a mire of technological chaos neatly ignores the
fact that it was he who, by peddling second-rate technology, led them into
it in the first place." - Douglas Adams in Guardian, 25-Aug-95
cbbr...@ntlug.org- <http://www.hex.net/~cbbrowne/security.html>
<http://www.hex.net/~cbbrowne/oses.html>
Duy D.
> I'm taking a class on operating systems. During the last class, the
> instructor mentioned that *nices are less reliable and less secure than
> Microsoft OS's. His reasoning is that because *nices (espeically linux) is
> free and everyone has access to it, it's less secure. Random people can
> hack into a *nix system easier because they can figure out the interrupts
> and stuff, since it's a free OS.
>
> I questioned the fact that the majority of servers on the internet use some
> flavor or *nix. He answered saying that only small size companies use *nix.
> Everyone else uses something more secure (he meant MS I'm assuming).
>
> I wanted to know what everyone here thinks about this. I'm a firm believer
> thatn *nix is a very stable, secure system. Granted I haven't had a whole
> lot of experience dealing with *nix but everything I've seen/read/heard has
> led me to that conclusion. But being naive when it came to *nix I was
> unable to counter my instructor with anything substantial.
>
> Thanks!
MS OSes are more secure than Linux. Huh???
Does your prof knows what BackOrifice 2000 (and thousands viruses) can do to MS
OSes???
Is he being paid by MS???
Mike Dowling
>I'm taking a class on operating systems. During the last class, the
>instructor mentioned that *nices are less reliable and less secure than
>Microsoft OS's. His reasoning is that because *nices (espeically linux) is
>free and everyone has access to it, it's less secure. Random people can
>hack into a *nix system easier because they can figure out the interrupts
>and stuff, since it's a free OS.
He does have a point. Many of the well known security breaches, such as the
mountd problem, were almost certainly found in the first place by inspecting
the source code. With a commercial product released withour sources, this
cannot happen. On the other hand, when vulnerabilities are found, they are
usually promptly fixed, and the fixes made public. Does Microsoft do this?
Another problem with Unices is that they offer far more network services,
and the more services there are to be cracked, the more opportunity crackers
have to find vulnerabilities. On the other hand, it would take a very
perverted logic to argue that, because Windows 98 does not provide FTP, WWW,
SMTP, TELNET,.... daemons, it is therefore better, beacuse these services
cannot then be abused.
Oh, and somebody has already pointed out, there is the issue of viruses...
Cheers,
Mike Dowling
>I questioned the fact that the majority of servers on the internet use some
>flavor or *nix. He answered saying that only small size companies use *nix.
>Everyone else uses something more secure (he meant MS I'm assuming).
>
>I wanted to know what everyone here thinks about this. I'm a firm believer
>thatn *nix is a very stable, secure system. Granted I haven't had a whole
>lot of experience dealing with *nix but everything I've seen/read/heard has
>led me to that conclusion. But being naive when it came to *nix I was
>unable to counter my instructor with anything substantial.
>
>Thanks!
>
>
--
My email address mi...@moocow.math.tu-bs.de above is a valid email address.
It is, in fact, a sendmail alias; the digit 'N' is incremented regularly.
Spammed aliases will be deleted. Currently, mike[5,7-9,12,13,16] have been
deleted. If email to mikeN bounces, try mikeN+1.
DanH
<christo...@yahoo.com> wrote:
>I'm taking a class on operating systems. During the last class, the
>instructor mentioned that *nices are less reliable and less secure than
>Microsoft OS's. His reasoning is that because *nices (espeically linux) is
>free and everyone has access to it, it's less secure. Random people can
>hack into a *nix system easier because they can figure out the interrupts
>and stuff, since it's a free OS.
>
>I questioned the fact that the majority of servers on the internet use some
>flavor or *nix. He answered saying that only small size companies use *nix.
>Everyone else uses something more secure (he meant MS I'm assuming).
>
>I wanted to know what everyone here thinks about this. I'm a firm believer
>thatn *nix is a very stable, secure system. Granted I haven't had a whole
>lot of experience dealing with *nix but everything I've seen/read/heard has
>led me to that conclusion. But being naive when it came to *nix I was
>unable to counter my instructor with anything substantial.
This person is TEACHING cs courses? Oh my God.
Almost ALL critical machines are *NIX for most of the 'net for a reason.
Here's on to ask your professor. "If we have a classified LAN to do
research or contracts for the Government, the inspectors will come in
and do a site survey to ensure the computers and other equipment will
not pose a risk of leak. What OS will they require us use?" The answer
will not be any version of WIN(anything).
You cannot get any security certificates with any version of WIN on a
machine that has a network card or modem. Ask you professor why that
is.
It's because everyone sees the code that make *NIX more secure. Do you
turn in a term paper with no one proof-reading it? I hope not. Why
not? Because you're likely to overlook your own mistakes and keep
overlooking them. Now if you let the whole world proof-read your term
paper, there may be some discussion on exact wording, but do you think
you'd have a better or worse paper for it?
Also ask him why MS did not put basic security precautions into Office.
Melissa is not a *NIX phenomona. Do you think that would have gone out
if a couple hundred more people had looked over the code? Why are all
the viruii for WIN? There's like two viruses for *NIX and they're
pretty feeble.
Does he think virus attacks are not to be classified as a security
risk?
Here are some URLs for reference:
http://xforce.iss.net/library/bill_stout/ntexploits.htm
http://www.ntsecurity.net/
http://www.flash.net/~kahanek/platform_security.htm
http://www.deter.com/unix/
http://www.fish.com/
http://www.cert.org/
Dan
--
UNIX - Not just for vestal virgins anymore
Linux - Choice of a GNU generation
Jim Chaney
> NT is reasonably easy to crack - NTFSDOS.EXE will get you into any file
> on the HDD if you boot from a floppy - most sys admins don't bother
> setting the BIOS to boot from C only.
Well, what stops you going over to a *nix box, booting from a kernel on a floppy
disk and mounting the HDD... nothing.
> There are other stupid holes like
> caching of dial-up passwords, plus earlier versions of NT can be
> disabled with the Ping Of Death (a very large IP packet). From my
> experience with NT4 Workstation, it needs a state-of-the-art PC (PII, at
> least 64MB) for decent performance and falls over more often than Win98
> (which is fine if you avoid using IE4 - if Netscape crashes it doesn't
> drag the whole OS down with it).
I refuse to believe that NT crashes anywhere near as often as Win 9x. The crashes
in 9x are often fatal, but 95% of the time NT can bring up the task manager (Ctrl
Alt Del) and end the process.
I use Linux as my home gateway to work and the internet, but I have to use NT or
Win95 for development as that is what my users have. Both OS's have their
strengths, but time will tell if Linux really takes off on the desktop.
Jim Chaney
----------------------------------------------------------------------
jchaney AT nortelnetworks DOT com The views of this post are not
necessarily those of Nortel Networks
----------------------------------------------------------------------
Casey Schaufler
> If you want to talk about formal security certifications, there are
> UNIX systems rated as high as B1 by the NSA/NIST. NT is only rated
> C2, and that is only true for version 3.51, with *networking turned
> off.*
Actually, there's a B2 UNIX (Trusted Xenix), but I don't think
TIS is selling it any more. NT's C2 evaluation-in-progress will
include homogenous networking (or so I'm told) as SGI's B1 did
in 1995. Be careful casting the networking stone as only two of
the UNIX evaluations (SGI and Cray) include networking.
--
Casey Schaufler voice: (650) 933-1634
ca...@sgi.com fax: (650) 933-0170
Jeffrey C. Dege
>I'm taking a class on operating systems. During the last class, the
>instructor mentioned that *nices are less reliable and less secure than
>Microsoft OS's. His reasoning is that because *nices (espeically linux) is
>free and everyone has access to it, it's less secure. Random people can
>hack into a *nix system easier because they can figure out the interrupts
>and stuff, since it's a free OS.
>
>I questioned the fact that the majority of servers on the internet use some
>flavor or *nix. He answered saying that only small size companies use *nix.
>Everyone else uses something more secure (he meant MS I'm assuming).
I think you're assuming wrong, here.
Unix has always been a mid-range phenomenom. Fifteen years ago, Unix
ran only on relatively small machines, compared to the IBM mainframes
that ran most of the computing world. If your prof believes that
Unix is only used at smaller sites, it's probably because he thinks
that larger sites are running mainframes. And this is true, to an
extent. Mainframes still run the majority of large business computing,
though the Unix vendors have been moving upscale and have started to
challenge them, lately.
Of course, on the internet, Unix dominates, and while there are a number
of large sites using mainframes, high-end Unix clusters are more common.
Microsoft is a Johnny-come-lately to the enterprise ball, and NT has been
chasing Unix only at the low end, while Unix has been chasing the
mainframes into the high end. Now that we've added Linux at an even
lower price-point than NT's, we've got a very interesting race.
--
The Windows API has done more to retard skill development
than anything since COBOL maintenance.
--Larry O'Brien
Lee Sharp
|I'm taking a class on operating systems. During the last class, the
|instructor mentioned that *nices are less reliable and less secure than
|Microsoft OS's. His reasoning is that because *nices (espeically linux) is
|free and everyone has access to it, it's less secure. Random people can
|hack into a *nix system easier because they can figure out the interrupts
|and stuff, since it's a free OS.
|I questioned the fact that the majority of servers on the internet use some
|flavor or *nix. He answered saying that only small size companies use
*nix.
|Everyone else uses something more secure (he meant MS I'm assuming).
|I wanted to know what everyone here thinks about this. I'm a firm believer
|thatn *nix is a very stable, secure system. Granted I haven't had a whole
|lot of experience dealing with *nix but everything I've seen/read/heard has
|led me to that conclusion. But being naive when it came to *nix I was
|unable to counter my instructor with anything substantial.
A great example of "Those who can not do, teach." Of companies using
Unix, Ford, IBM, Microsoft, Sun, NASA, Burlington, BMC, Computer
Associates... Of course, these are small companies, so they do not count.
Lee
--
SCSI is *NOT* magic. There are *fundamental technical reasons* why it is
necessary to sacrifice a young goat to your SCSI chain now and then. * Black
holes are where God divided by zero. - I am speaking as an individual, not
as a representative of any company, organization or other entity. I am
solely responsible for my words.
evil
>Andre Kostur wrote:
>
>> Off-Topic: Ask Microsoft what they're running Hotmail off of.
>
>Heck, ask them what they were running some of their bigger web-servers
>off of before people discovered... :)
Heh.. they TRIED to run Hotmail on NT, but it couldn't handle it...
lol
>
>Oystein
>--
>"But you know what they say - The world wasn't built in a day"
----------
martin
.
evil
evil
>frequent reboots. Ask anyone who administers a Win32 system in an
>academic environment. It's a nightmare.
Aha, so that's why Win32 crashes so often. It's part of their
security. ;)
----------
martin
.
evil
David C.
>
> Forgot to mention - there are thousands of NT viruses but, AFAIK, no
> Unix viruses at all. Unix file permissions make it very difficult for
> any unauthorised code to be run, unless some careless sysadmin is
> surfing the Net as root.
Ummmm.... AFAIK, most of the early virusses (like Morris's Internet
Worm) were invented on UNIX and attacked UNIX systems. They just used a
different mechanism from what PC and Mac virusses use.
And virusses that require user intervention (like happy99 and macro
virusses) can spread on any OS.
That having been said, UNIX is probably safer, because:
- It's less popular. Virus writers usually want to hit the biggest
audience they can. No point to attacking a very small audience. This
is also why there are few (if any) OS/2 virusses, and why there are
far fewer Mac virusses running around than there used to be.
- There's no binary standard. While Linux is popular, other UNIX
varieties (Solaris, HP-UX, AIX, OSF-1, etc.) are not binary
compatible. There are different executable file formats, different
sets of system calls and different processor architectures involved.
So binary-executable virusses will tend not to spread as far. (This
doesn't prevent virusses written in script-languages, however.)
- Many of the network-security holes that allowed the early "worm" type
programs to spread have been plugged, thanks to years of experience.
- Any well-managed system will have most of the executable files stored
with permissions that make them non-writable to normal users.
Programs that a user compiles for himself might still be attacked, but
there probably won't be many such files in any individual account.
(You can set up NT this way, but it's not often done. And some
popular programs, like Word, really don't like having their install
directories made read-only.)
-- David
Vilmos Soti
When did the first NT come out? How usable was Linux at that time? Who
had better access to resources? Linux got there where it is now through
words from friends and not through multi million (if not billion) dollar
marketing machines.
Vilmos
--
Looking for a job in British Columbia.
http://members.home.net/vilmossoti/resume.html
Oystein Viggen
> > "But you know what they say - The world wasn't built in a day"
>
> When did the first NT come out? How usable was Linux at that time? Who
> had better access to resources? Linux got there where it is now through
> words from friends and not through multi million (if not billion) dollar
> marketing machines.
>
Just a question - Are you arguing with my .signature here?
A vcard, would be worth bitching about, but a NoMeansNo quote, is
not...
Oystein
--
:)
Michael David Jones
>Roger <roger.c...@removethis.virgin.net> writes:
>> Forgot to mention - there are thousands of NT viruses but, AFAIK, no
>> Unix viruses at all. Unix file permissions make it very difficult for
>> any unauthorised code to be run, unless some careless sysadmin is
>> surfing the Net as root.
>Ummmm.... AFAIK, most of the early virusses (like Morris's Internet
>Worm) were invented on UNIX and attacked UNIX systems. They just used a
>different mechanism from what PC and Mac virusses use.
First half-truth: Morris' worm wasn't a virus. It was a worm.
>And virusses that require user intervention (like happy99 and macro
>virusses) can spread on any OS.
Second half-truth: On Unix, these viruses are limited to damaging a
single user (unless you can con somebody into using them as root).
Viruses hitting users are quite unlikely to be able to damage the
system.
...snip...
>- Any well-managed system will have most of the executable files stored
> with permissions that make them non-writable to normal users.
> Programs that a user compiles for himself might still be attacked, but
> there probably won't be many such files in any individual account.
> (You can set up NT this way, but it's not often done. And some
> popular programs, like Word, really don't like having their install
> directories made read-only.)
Any system that hasn't been badly mangled will have system executables
stored read only to normal users. "Well-managed" is a major
exaggeration. And yes, you *can* set up NT that way, but virtually
*all* software won't run that way. You make it sound like a minor
inconvenience.
Mike Jones | jon...@rpi.edu
It's a beautiful day for a night game.
- Announcer Frankie Frisch
Collin W. Hitchcock
It sounds like your professor is making a lot of assumptions and
drawing some overly general conclusions instead of giving you all the
facts that you need to make a decision on your own. Since you are
taking courses at the college level your professor should expect you
to be able to think for yourself.
Here are my thoughts:
All the security holes in any piece of software will eventually be
found. The only alternative to this is that the software will
eventually become obsolete -- nobody will use it so it won't matter if
it still has security holes. But people hugely underestimate the
lifetime of most pieces of software. Huge numbers of people have been
employed recently sifting through 1960's code with 2 digit dates
because not even in their wildest dreams did 1960's programmers
believe that their software would last 3+ decades. Writing software
to last forever is the only responsible thing to do.
So your software will last forever and all the bugs will eventually be
found. Do you want them found fairly quickly at the beginning of the
software's life or more gradually? The Linux approach results in
quick discoveries and fixes. The Microsoft approach results in a more
gradual discovery. I submit that the quick fix approach is better.
After the initial flurry of security problems the product becomes
stable and secure.
The Microsoft camp might argue that Microsoft is more likely to
discover and fix problems in its software itself so that they will
never be exploited. However, Microsoft has no compelling reason to
devote large amounts of resources to the task. From a corporate point
of view, spending money on something must be justified by an expected
payoff and spending money on security testing is no exception. The
expected payoff (the possibility of avoiding a public relations hit)
is small for all but the most serious bugs. Announcing a fix for a
bug that is unknown to the public and not likely to be discovered for
some time produces bad publicity for no good corporate reason. When
is the last time that Microsoft announced a patch for a security hole
which was not brought to the public attention by someone outside
Microsoft? If any holes are discovered internally, the fixes are
presumably included in in the "Service Packs", but between the time
that the hole is discovered and the service pack is released, systems
are running with a security hole that Microsoft knows about but for
which it hasn't provided a fix or even notification.
The Linux quick fix results in security after an unsecure but fairly
short shakedown period. The Microsoft approach results in a long
drawn out debugging with lots of possible ethical problems.
Collin
Wine Development
>
> Ask your prof about BackOrifice 2000
> http://www.idg.net/crd_security_9-68221.html
>
Or why MS seem to think that allowing ActiveX downloaded via a browser
to completely bypass the NT user security is a good idea.
--
Keith Matthews Spam trap - my real account at this
node is keith_m
Frequentous Consultants - Linux Services,
Oracle development & database administration
Raphael Mankin
: instructor mentioned that *nices are less reliable and less secure than
: Microsoft OS's. His reasoning is that because *nices (espeically linux) is
: free and everyone has access to it, it's less secure. Random people can
: hack into a *nix system easier because they can figure out the interrupts
: and stuff, since it's a free OS.
I suggest you find yourself a better informed instructor.
So far as this ng is concerned, you have just started a flame war.
--
Politics: The conduct of public affairs for private advantage
Ambrose Bierce
Raphael Mankin
E-Mail: ra...@panache.demon.co.uk
----------------------------------
Scott MacDonald
and stable. Just because you can see the code doesn't mean it is easier to
circumvent security. If I was you I would stand up and call your instructor
a dolt, then find a better school. If he asks you why you think Unix is
better you could wow him with the technical reasons (which I won't go into
because your instructor probably wouldn't understand them anyway) or you
could simply shut him up by asking him why the majority of Banks (I know
many banks run on OS/2, please don't flame me for it),
Universities/Colleges, "big businesses", etc., hell even many of Microsoft
servers run on Unix flavors and see what his response is.
Raphael Mankin <ra...@panache.demon.co.uk> wrote in message
news:7pgcuk$1n3$1...@panache.demon.co.uk...
L. Friedman
Raphael Mankin wrote in message <7pgcuk$1n3$1...@panache.demon.co.uk>...
>In comp.os.linux.misc Christopher Lu <christo...@yahoo.com>
wrote:
>: I'm taking a class on operating systems. During the last class,
the
>: instructor mentioned that *nices are less reliable and less secure
than
>: Microsoft OS's. His reasoning is that because *nices (espeically
linux) is
>: free and everyone has access to it, it's less secure. Random
people can
>: hack into a *nix system easier because they can figure out the
interrupts
>: and stuff, since it's a free OS.
>
>I suggest you find yourself a better informed instructor.
>
>So far as this ng is concerned, you have just started a flame war.
Huh??? So far i haven't seen a single post that could be construed as
a flame in this thread. In fact, its one of the more interesting
linux vs. NT threads that i've read in a while, simply because it has
not degenerated into a flame war, and remained civil and informative.
-L
Christopher B. Browne
>Don't argue when your professor teaches bullshit; graduate and make
>more money than he does by your second year out.
The nearest to "arguing" would be to do a Really Good Paper on
security that panders neither to NT nor to UNIX, but that rather
concentrates on more "cutting edge" research OSes.
In that context, the context for any "jabs" against NT could occur
indirectly, the result of indicating the natures of inadequcies in
both UNIX and NT.
--
NIHIL EX NIHIL -- DON'T SETQ NIL.
cbbr...@ntlug.org- <http://www.hex.net/~cbbrowne/lsf.html>
Jim Chaney
> >virusses) can spread on any OS.
>
> Second half-truth: On Unix, these viruses are limited to damaging a
> single user (unless you can con somebody into using them as root).
> Viruses hitting users are quite unlikely to be able to damage the
> system.
>
> ...snip...
A virus doesn't have to 'damage the system' in order to do damage. a system
is there to provide a service, hence all the time that a virus is consuming
resources that level of service reduces... hence the term Denial Of Service
Attack. These can be done at user level, by spawning enough threads on the
host to slow it down, using the entire available network BW, etc.
If we are going to be pedantic, let us be correct.
Jim
Jeffrey C. Dege
>> >And virusses that require user intervention (like happy99 and macro
>> >virusses) can spread on any OS.
>>
>> Second half-truth: On Unix, these viruses are limited to damaging a
>> single user (unless you can con somebody into using them as root).
>> Viruses hitting users are quite unlikely to be able to damage the
>> system.
>>
>> ...snip...
>
>A virus doesn't have to 'damage the system' in order to do damage. a system
>is there to provide a service, hence all the time that a virus is consuming
>resources that level of service reduces... hence the term Denial Of Service
>Attack. These can be done at user level, by spawning enough threads on the
>host to slow it down, using the entire available network BW, etc.
True enough. The old-fashioned fork bomb will bring any Unix to its knees
if the sysadmin hasn't set user permissions to prevent it.
Fortunately, Unix does have per-user quotas that can prevent most of
these sorts of attacks.
NT is vulnerable to all of the same problems, and lacks any sort of
quota mechanism.
>If we are going to be pedantic, let us be correct.
--
It is a profoundly erroneous truism, repeated by all copy-books and
by eminent people when they are making speeches, that we should cultivate
the habit of thinking about what we are doing. The precise opposite is the
case. Civilization advances by extending the numbers of important operations
which we can perform without thinking about them. Operations of thought are
like cavalry charges in battle -- they are strictly limited in number, they
require fresh horses, and must only be made at decisive moments.
-- Alfred North Whitehead
Rod Smith
oli...@writeme.com (Cameron L. Spitzer) writes:
>
> Don't argue when your professor teaches bullshit; graduate and make
> more money than he does by your second year out.
Professors, like most groups of human beings, vary a lot in how well they
take criticism. The better ones often encourage debate and don't mind
being shown to be wrong about something. They may even reward students
who can do this by offering them research opportunities, one-on-one
instruction, etc. Of course, that doesn't do you a whole lot of good if
the professor you're showing up is one of the BAD ones, but I'd hate to
see students as a whole stop thinking critically and raising those points
in class. That'd be the death of higher learning, IMHO.
(BTW, I'm speaking not just as a former student but as a former
professor, though not in the computer field and only for a brief period.)
--
Rod Smith
smit...@bellatlantic.net
http://members.bellatlantic.net/~smithrod
Author of _Special Edition Using Corel WordPerfect 8 for Linux_, from Que
Tim Izod
> Roger wrote:
>
> > NT is reasonably easy to crack - NTFSDOS.EXE will get you into any file
> > on the HDD if you boot from a floppy - most sys admins don't bother
> > setting the BIOS to boot from C only.
>
> Well, what stops you going over to a *nix box, booting from a kernel on a floppy
> disk and mounting the HDD... nothing.
Wasn't there a thread about this a week ago? ;)
> > There are other stupid holes like
> > caching of dial-up passwords, plus earlier versions of NT can be
> > disabled with the Ping Of Death (a very large IP packet). From my
> > experience with NT4 Workstation, it needs a state-of-the-art PC (PII, at
> > least 64MB) for decent performance and falls over more often than Win98
> > (which is fine if you avoid using IE4 - if Netscape crashes it doesn't
> > drag the whole OS down with it).
>
> I refuse to believe that NT crashes anywhere near as often as Win 9x. The crashes
> in 9x are often fatal, but 95% of the time NT can bring up the task manager (Ctrl
> Alt Del) and end the process.
It doesn't. But when we used NT as a desktop it still fell
over _very_ easily without any obvious cause. Not infrequently the
only recourse we had was to the power switch.
> I use Linux as my home gateway to work and the internet, but I have
> to use NT or Win95 for development as that is what my users have.
> Both OS's have their strengths, but time will tell if Linux really
> takes off on the desktop.
KDE 2 and GNOME 2 should do a lot to change this froma
productivity point of view. What is less needed than the "killer apps"
are killer games which run at least as fast and more stable than with
The Other OSs. This brings "pester power" into play. And all the
little monsters wanting to play Quake 9 or whatever will hassle their
parents into running a linux box.
--
Tim.
Lee Doolan
[. . .]
David> processor architectures involved. So binary-executable
David> virusses will tend not to spread as far. (This doesn't
David> prevent virusses written in script-languages, however.)
[. . .]
prediction: it won't be long before someone writes an
_ass kicking_ java based virus.
David C.
> sham...@usa.net (David C.) writes:
> >Roger <roger.c...@removethis.virgin.net> writes:
> >> Forgot to mention - there are thousands of NT viruses but, AFAIK, no
> >> Unix viruses at all. Unix file permissions make it very difficult for
> >> any unauthorised code to be run, unless some careless sysadmin is
> >> surfing the Net as root.
> >Ummmm.... AFAIK, most of the early virusses (like Morris's Internet
> >Worm) were invented on UNIX and attacked UNIX systems. They just used a
> >different mechanism from what PC and Mac virusses use.
>
> First half-truth: Morris' worm wasn't a virus. It was a worm.
I should have guessed that this subject would attract someone looking
for a flame war.....
Whatever you want to call it, it was a program that spread from system
to system on its own. Whether the mechanism used involved altering
executables or something else doesn't change that fact.
> >And virusses that require user intervention (like happy99 and macro
> >virusses) can spread on any OS.
>
> Second half-truth: On Unix, these viruses are limited to damaging a
> single user (unless you can con somebody into using them as root).
> Viruses hitting users are quite unlikely to be able to damage the
> system.
E-mail virusses of this nature spread by reading users' addressbooks,
and e-mailing themselves around the network. They don't have to alter
any files to spread. They have only to be executed by a user, then they
run and spread themselves. They don't need to write anything to the
file system.
> And yes, you *can* set up NT that way, but virtually *all* software
> won't run that way. You make it sound like a minor inconvenience.
I _have_ set up NT systems that way, and only MS-Office had a problem
with it. Everything else ran perfectly well from directories that only
the administrator account had write-access to.
Yes, very few admins will ever set it up this way, but security doesn't
help a clueless admin in the first place.
-- David
Oystein Viggen
> could simply shut him up by asking him why the majority of Banks (I know
> many banks run on OS/2, please don't flame me for it),
> Universities/Colleges, "big businesses", etc., hell even many of Microsoft
> servers run on Unix flavors and see what his response is.
I actually worked in a bank this summer, and they use OpenVMS on their
servers.... :)
Oystein
--
"Speak softly but carry a big stick"
- Theodore Roosevelt
pga...@omega.heresy
clue. Microsoft OSes are buggy and crash-vulnerable, which makes them
very insecure. Everyone knows that it takes months for M$ to patch
holes in their software. OTOH, open source software can be fixed by
anyone who knows how to program (and who knows what the bug is), so
patches are often available within days. And as far as the size of
the company goes, that's irrelevant, but I'm almost positive he's
wrong. Small size companies don't have the money to hire a really
good sysadmin, so they hire a 2-bit MCSE wannabe, and install Windoze
on all their stuff. Big companies would want to use Unix, because
it's MUCH more scalable, and is actually made for multiple
simultaneous users, unlike NT.
Pete
In article <T1Eu3.4862$Rn....@news.rdc2.occa.home.com>, Christopher Lu wrote:
>I'm taking a class on operating systems. During the last class, the
>instructor mentioned that *nices are less reliable and less secure than
>Microsoft OS's. His reasoning is that because *nices (espeically linux) is
>free and everyone has access to it, it's less secure. Random people can
>hack into a *nix system easier because they can figure out the interrupts
>and stuff, since it's a free OS.
>
>I questioned the fact that the majority of servers on the internet use some
>flavor or *nix. He answered saying that only small size companies use *nix.
>Everyone else uses something more secure (he meant MS I'm assuming).
>
>I wanted to know what everyone here thinks about this. I'm a firm believer
>thatn *nix is a very stable, secure system. Granted I haven't had a whole
>lot of experience dealing with *nix but everything I've seen/read/heard has
>led me to that conclusion. But being naive when it came to *nix I was
>unable to counter my instructor with anything substantial.
>
>Thanks!
>
>
Efraim Mostrom
Oystein Viggen <oyst...@tihlde.org> skrev i
diskussionsgruppsmeddelandet:033dxe4...@colargol.tihlde.hist.no...
> I actually worked in a bank this summer, and they use OpenVMS on their
> servers.... :)
>
are NT-server. Netware server is among the best, its uptime
is great!
/Efraim
Lew Pitcher
A while ago, Microsoft defined to us the meaning of "heterogenous network".
To them, it meant networking MS Windows 3.1, MS Windows/95 and MS Windows/98
and MS Windows NT 4.0 together.
I wonder what they'd call MS Windows (anything) networked to an IBM OS/390
system?
--
Lew Pitcher
Master Codewright and JOAT-in-training
Richard Steiner
spake unto us, saying:
>I'm taking a class on operating systems. During the last class, the
>instructor mentioned that *nices are less reliable and less secure than
>Microsoft OS's. His reasoning is that because *nices (espeically linux)
>is free and everyone has access to it, it's less secure.
Strange reasoning, since most commercial Unix flavors (Solaris, AIX,
UnixWare, etc.) are just as proprietary (at least in terms of source
availability) as Windows NT is.
I work for a major airline. The "serious enterprise server" stuff is
all running on IBM-compatible mainframe hardware or Unisys 2200-series
mainframe hardware. Smaller database and mail/news servers are Solaris
or AIX boxes. PC file servers are using Novell. We don't use NT as a
server at all (at least to my knowledge) except for a couple of WinDD
servers which are intended to serve Windows software.
To be kind, your instructor may not be as aware of the business world
(and what we actually use) as he thinks he is.
--
-Rich Steiner >>>---> rste...@visi.com >>>---> Bloomington, MN
OS/2 + Linux + BeOS + FreeBSD + Solaris + WinNT4 + Win95 + DOS
+ VMWare + Fusion + vMac + Executor = PC Hobbyist Heaven! :-)
New Op Code: RD (Rewind Disk)
Tim Smith
>No offence, but unless he's worked at one of the closed shops (MS's Windows
>division, DEC's VMS etc) and seen the code, how can an OS prof make any
>statement about that OS, or deal with it in an academic environment? It'd
>be like teaching biology without ever having studied internal anatomy,
>neurology, endocrinology etc, and going on nothing but behavioural and
>clinical drug studies, i.e. all you have to go on are surface phenomena.
>
>So, unless he's worked at MS and seen the source code, your prof doesn't know
>anything more about WindowsXX than anyone else and has no business making
>such statements. (Now, if he had actual research to back up an empirically-
Why do you assume his school doesn't have an NT source license?
--Tim Smith
Tim Smith
>NT is reasonably easy to crack - NTFSDOS.EXE will get you into any file
>on the HDD if you boot from a floppy - most sys admins don't bother
The same thing works with Linux and most Unix systems.
Tim Smith
>Forgot to mention - there are thousands of NT viruses but, AFAIK, no
>Unix viruses at all. Unix file permissions make it very difficult for
Name five.
Thomas L|fgren
>>>>> "David" == David C <sham...@usa.net> writes:
Lee> [. . .]
David> processor architectures involved. So binary-executable
David> virusses will tend not to spread as far. (This doesn't
David> prevent virusses written in script-languages, however.)
Lee> [. . .]
Lee> prediction: it won't be long before someone writes an _ass
Lee> kicking_ java based virus.
Preditcion: No ass-kicking virus will do much damage on a
well-administered UNIX system.
Tom
--
T. Lofgren - Wherever I lay my .emacs, that's my ${HOME}
These opinions are mine, not yours. Get your own damn opinions.
pga...@omega.heresy
B. Browne wrote:
>On Fri, 20 Aug 1999 20:17:24 -0400, pga...@omega.heresy
><pga...@omega.heresy> posted:
>>clue.
>
>
Yeah, I know. Sorry, I guess I should have warned y'all.. Excuse my
rant :)
><yoda-voice>
>"Confrontation leads to anger... Anger leads to fear... Fear leads
>to using Windows NT in mission-critical combat systems... And this is
>how the ancients fell...
></yoda-voice>
>
>>Microsoft OSes are buggy and crash-vulnerable, which makes them
>>very insecure. Everyone knows that it takes months for M$ to patch
>>holes in their software.
>
>Describing things in such a "bull-in-the-china-shop" manner is just
>going to get the poor student a failing grade.
>
>After all, even if the instructor is a severe ignoramus, the
>instructor is still the authority responsible for giving out grades.
Yeah, I know. :)
>--
>...you could spend *all day* customizing the title bar. Believe me. I
>speak from experience." -- Matt Welsh
>cbbr...@hex.net- <http://www.hex.net/~cbbrowne/lsf.html>
Christopher B. Browne
<pga...@omega.heresy> posted:
>Tell this instructor to pull Bill Gates' c*ck out of his ass and get a
>clue.
This is more-or-less exactly the *wrong* thing to do.
<yoda-voice>
"Confrontation leads to anger... Anger leads to fear... Fear leads
to using Windows NT in mission-critical combat systems... And this is
how the ancients fell...
</yoda-voice>
>Microsoft OSes are buggy and crash-vulnerable, which makes them
>very insecure. Everyone knows that it takes months for M$ to patch
>holes in their software.
Describing things in such a "bull-in-the-china-shop" manner is just
going to get the poor student a failing grade.
After all, even if the instructor is a severe ignoramus, the
instructor is still the authority responsible for giving out grades.
--
John Girash
: John Girash <gir...@skyron.harvard.edu> wrote:
:>So, unless he's worked at MS and seen the source code, your prof doesn't know
:>anything more about WindowsXX than anyone else and has no business making
:>such statements. (Now, if he had actual research to back up an empirically-
: Why do you assume his school doesn't have an NT source license?
I don't assume it -- I forgot it was possible ;-) My first post wasn't as
clear on the point as it should have been though: in addition to it being
required that the prof have seen the source in order to credibly make that
statement, in order for it to mean anything to the students in an academic
setting, *they* have to have access to the source as well, so that they
can verify and learn the reasoning being the statement for themselves.
That's why I said that in academics, an OS w/o source is useless. And I
seriously doubt an educational NT source licence lets you distribute it to
students in a general-admission class (as opposed to a research setting).
Of course, I've been exactly wrong on this sort of thing before :-)
cheers
jg
--
"don't listen when you're told about the best days in your life Spirit of
a useless old expression, it means passing time until you die." the West
/\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\/
-- John Girash -- girash @ cfa.harvard.edu - http://skyron.harvard.edu/ --
Casey Schaufler
>
> Casey Schaufler wrote:
> A while ago, Microsoft defined to us the meaning of "heterogenous network".
> To them, it meant networking MS Windows 3.1, MS Windows/95 and MS Windows/98
> and MS Windows NT 4.0 together.
Um, that's not what I said. First, Microsoft didn't invent that
definition, SGI (i.e. I) did. Second, networking together all of
the listed products would produce a homogenous, not a heterogenous,
network. A homogenous network is composed of a set of identical
systems. For an evaluated configuration, that would mean the same
version of the C2 OS on all the machines.
> I wonder what they'd call MS Windows (anything) networked to an IBM OS/390
> system?
A homogeneous network. Or have I blown past your point completely?
patman
troj_boserver,stupid1,suicide,sucker,sunday,sundevil,stunning blow
Oh.. I'm sorry you said 5 didn't you?
Tim Smith <t...@halcyon.com> wrote in message
news:7pm0mp$fut$1...@52-a-usw.rb1.blv.nwnexus.net...
Adam C. Emerson
How easy is it to set up a Cryptographic FS under NT?
--
Adam C. Emerson aeme...@atdot.org
http://www.calvin.edu/~aemers19
"Remember - if all you have is an axe, every problem looks like hours
of fun." -- Frossie in a.s.r
Ralf Hildebrandt
>troj_boserver,stupid1,suicide,sucker,sunday,sundevil,stunning blow
>Oh.. I'm sorry you said 5 didn't you?
Uh, I don't think they're native NT...
Native NT viruses are really rare (I think there only two)
But since "normal" Windows viruses do the job just as well...
--
<Ralf.Hil...@gmx.de> http://www.stahl.bau.tu-bs.de/~hildeb
"Those who do not understand UNIX are condemned to reinvent it -- badly."
-- Henry Spencer
patman
Ralf Hildebrandt <hil...@fmi.uni-passau.de> wrote in message
news:slrn7s4r7g...@ravel.fmi.uni-passau.de...
> >Melissa, happy99, cih, troj_boclient,
> >troj_boserver,stupid1,suicide,sucker,sunday,sundevil,stunning blow
> >Oh.. I'm sorry you said 5 didn't you?
>
> Uh, I don't think they're native NT...
> Native NT viruses are really rare (I think there only two)
> But since "normal" Windows viruses do the job just as well...
> --
Patrick
Ralf Hildebrandt
>> But since "normal" Windows viruses do the job just as well...
>Oops... I guess I read that to be anything Windows :-).
I don't mind. Looking at the right places (symantec et al.) I could
only find two. But since an NT system is already fucked up enough with
"Office" and other viruses there's really no need.
I'm subscribed to the M$ security mailing list. It's incredible. Every
week I get security bulletins (of course unsigned) -- if I had more
than a few NT boxes to administer I'd go crazy. There are more bugs
than features, and even the fixes have bugs...
--
Ralf Hildebrandt http://www.stahl.bau.tu-bs.de/~hildeb (0)531/391-3366
Institute for Steel-Structures, Technic. Univers. of Braunschweig, Germany
David C.
> Lew Pitcher wrote:
>>
>> A while ago, Microsoft defined to us the meaning of "heterogenous
>> network". To them, it meant networking MS Windows 3.1, MS Windows/95
>> and MS Windows/98 and MS Windows NT 4.0 together.
>
> Um, that's not what I said. First, Microsoft didn't invent that
> definition, SGI (i.e. I) did. Second, networking together all of the
> listed products would produce a homogenous, not a heterogenous,
> network. A homogenous network is composed of a set of identical
> systems. For an evaluated configuration, that would mean the same
> version of the C2 OS on all the machines.
You missed the sarcasm, I think.
Everybody knows the actual definition of a "homogeneous" and a
"heterogeneous" network.
Microsoft, in their literature, likes to claim that a network populated
with nothing but different kinds of Windows boxes is "heterogeneous".
They're wrong, as you said.
By Microsoft's standard, you could say that a network containing nothing
but identically-configured Sun workstations running different versions
of SunOS 4.1.x is heterogeneous. This may be true, under a strict
pedantic understanding of the term, but it's not useful as a functional
description of the network. Software and security strategies that are
proven reliable under that configuration may blow up as soon as the
first non-Sun box is attached to the network.
-- David
Heeeeeeeez back!
(What is it with people these days? Laziness or stupidity?)
patman <notreally...@nospam.com> wrote:
> Tim Smith <t...@halcyon.com> wrote in message
> news:7pm0mp$fut$1...@52-a-usw.rb1.blv.nwnexus.net...
>> Roger <roger.c...@removethis.virgin.net> wrote:
>> >Forgot to mention - there are thousands of NT viruses but, AFAIK, no
>> >Unix viruses at all. Unix file permissions make it very difficult for
>>
>> Name five.
> Melissa, happy99, cih, troj_boclient,
> troj_boserver,stupid1,suicide,sucker,sunday,sundevil,stunning blow
> Oh.. I'm sorry you said 5 didn't you?
Ahem.... Unix? Melissa? Happy99? They aren't Unix! They're shitty windross
and Turd viruses... I'll assume the others are as well, seeing as I've never
heard of 'em...
--
______________________________________________________________________________
| spi...@mail.freenet.co.uk | "I'm alive!!! I can touch! I can taste! |
| Andrew Halliwell BSc | I can SMELL!!! KRYTEN!!! Unpack Rachel |
| in | and get out the puncture repair kit!" |
| Computer Science | Arnold Judas Rimmer- Red Dwarf |
------------------------------------------------------------------------------
|GCv3.12 GCS>$ d-(dpu) s+/- a C++ US++ P L/L+ E-- W+ N++ o+ K PS+ w-- M+/++ |
|PS+++ PE- Y t+ 5++ X+/X++ R+ tv+ b+ DI+ D+ G e++ h/h+ !r!| Space for hire |
------------------------------------------------------------------------------
patman
Heeeeeeeez back! <spi...@news.freenet.co.uk> wrote in message
news:6spup7...@bursar.freenet.co.uk...
> Reformatted to make the thing understandable...
> (What is it with people these days? Laziness or stupidity?)
>
> patman <notreally...@nospam.com> wrote:
> > Tim Smith <t...@halcyon.com> wrote in message
> > news:7pm0mp$fut$1...@52-a-usw.rb1.blv.nwnexus.net...
> >> Roger <roger.c...@removethis.virgin.net> wrote:
> >> >Forgot to mention - there are thousands of NT viruses but, AFAIK, no
> >> >Unix viruses at all. Unix file permissions make it very difficult for
> >>
> >> Name five.
I named Win95,98 virii....
BTW you say the formating is wrong... I see no difference here than before.
;-)
Patrick
patman
Matthew Kirkcaldie <Matthew.K...@utas.edu.au> wrote in message
news:Matthew.Kirkcaldi...@honourspb.healthsci.utas.edu.au...
> spi...@news.freenet.co.uk wrote:
>
> >patman <notreally...@nospam.com> wrote:
> >> Tim Smith <t...@halcyon.com> wrote in message
> >> news:7pm0mp$fut$1...@52-a-usw.rb1.blv.nwnexus.net...
> >>> Roger <roger.c...@removethis.virgin.net> wrote:
> >>> >Forgot to mention - there are thousands of NT viruses but, AFAIK, no
> >>> >Unix viruses at all. Unix file permissions make it very difficult
for
> >>>
> >>> Name five.
> >
> >> troj_boserver,stupid1,suicide,sucker,sunday,sundevil,stunning blow
> >> Oh.. I'm sorry you said 5 didn't you?
> >
> >Ahem.... Unix? Melissa? Happy99? They aren't Unix! They're shitty
windross
> >and Turd viruses... I'll assume the others are as well, seeing as I've
never
> >heard of 'em...
>
> hence the Windows viruses cited. If someone says "there are no Unix
> viruses at all", there's not much point in asking for five examples of
> none at all.
>
> Matthew.
Matthew Kirkcaldie
David C.
> In comp.os.linux.misc Tim Smith <t...@halcyon.com> wrote:
>> Roger <roger.c...@removethis.virgin.net> wrote:
>>>
>>> NT is reasonably easy to crack - NTFSDOS.EXE will get you into any
>>> file on the HDD if you boot from a floppy - most sys admins don't
>>> bother setting the BIOS to boot from C only. There are other stupid
>>> holes like
>
>> The same thing works with Linux and most Unix systems.
>
> How easy is it to set up a Cryptographic FS under NT?
I think Win2K has an option to encrypt volumes. At least I remember
seeing it in one of the early "NT5" betas. I don't know if it will wind
up in the release or not.
NT4 doesn't include anything for doing this, although a third-party
product might exist.
-- David
Robert Komar
: Christopher B. Browne wrote:
:>
:> After all, even if the instructor is a severe ignoramus, the
:> instructor is still the authority responsible for giving out grades.
: Tell me, how proud would you be to get a good grade in
: a situation such as this? Is that all that matters - get
: a good grade, bow to The Man, etc.? Never mind that
: they are *wrong*?
: Now I know where all the butt kissing corporate "yes men"
: come from... students who knew in their heart that they
: were right, but crushed their own instincts in order
: to get through with a decent grade and a sheepskin,
: only to be evaluated by some stuffed shirt that doesn't
: know his ass from a hole in the ground.
: What a waste.
What a waste of good advice! I think that no one was suggesting
that the student pretend that the instructor was right and kiss
butt, rather that there are better ways of dealing with this
situation than acting like a shithead and trying to embarrass
The Man in public. As was suggested, the most good could be
achieved by approaching the teacher in private and discussing
the matter civilly. Otherwise, what a wasted chance to
educate someone else, and what a waste to get a failing
mark when the course work is well and truly understood.
And finally, crappy teachers often spur on a healthy disrespect
of authority and, whether they like it or not, can stimulate
self-reliance. What a waste to go through your entire school
years and never that learn those in authority can be ignoramuses,
too! Thankfully, I was blessed with a few whoppers and am probably
a better man for it. I'd shake their hands gratefully if I met
them in the streets today because that lesson ranks up there
right alongside the times tables.
Cheers,
Rob Komar
Christopher Browne
>Christopher B. Browne wrote:
>>
>> After all, even if the instructor is a severe ignoramus, the
>> instructor is still the authority responsible for giving out
>> grades.
>
>Tell me, how proud would you be to get a good grade in
>a situation such as this? Is that all that matters - get
>a good grade, bow to The Man, etc.? Never mind that
>they are *wrong*?
Would I be proud of the grade I got in such a course? Certainly not.
I would regard the course as being one of the Worthless Ones. Any
degree is likely to have some such courses.
The point is that there are fights worth fighting, and there are
fights not worth fighting. If the plan is to fight the battle
necessary to "fix" the problem, you have to be prepared for all the
ensuing consequences.
It is not at all obvious that, in a reasonably traditional academic
bureaucracy, there is *any* opportunity for a student to take on this
conflict and have any expectation of an outcome that could be regarded
as "winning."
Your implication that I'm suggesting merely being a toady is one that
I find extremely offensive, and would not reasonably arrived at by
reading the posting that I wrote.
I added the supplemental suggestion of volunteering to research
computer security with a view to a syllabus that would favor neither
UNIX nor NT, as neither OS should be the focus of the research.
That suggestion represents the academic equivalent to guerrilla
warfare, also known as "Low Intensity Conflict."
--
"We believe Windows 95 is a walking antitrust violation" -- Bryan Sparks
cbbr...@ntlug.org- <http://www.ntlug.org/~cbbrowne/security.html>
Clifton T. Sharp Jr.
> What a waste of good advice! I think that no one was suggesting
> that the student pretend that the instructor was right and kiss
> butt, rather that there are better ways of dealing with this
> situation than acting like a shithead and trying to embarrass
> The Man in public. As was suggested, the most good could be
> achieved by approaching the teacher in private and discussing
> the matter civilly.
We who have tried that know that you haven't.
--
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cliff Sharp | "Speech isn't free when it comes postage-due." |
| WA9PDM | -- Jim Nitchals, founder, FREE |
+-+-+-+-+-+-+-+-+-+- http://www.spamfree.org/ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Bryan
> > >frequent reboots. Ask anyone who administers a Win32 system in an
> > >academic environment. It's a nightmare.
> >
> > Aha, so that's why Win32 crashes so often. It's part of their
> > security. ;)
> >
> > ----------
> > martin
> > .
> > evil
>
> LOL ....well Hell then ... my system must REALLY be secure! :)
>
> nb
Well, you know, it *is* the most "secure" non-OS on the market.
And I have some of the most secure machines in my house. ;)
-- Bryan
Philip Brown
>reading the posting that I wrote.
>
>I added the supplemental suggestion of volunteering to research
>computer security with a view to a syllabus that would favor neither
>UNIX nor NT, as neither OS should be the focus of the research.
it is almost impossible to do research on "security", without reference to a
specific OS. the results would be almost completely meaningless.
--
[Trim the no-bots from my address to reply to me by email!]
[ Do NOT email-CC me on posts. Pick one or the other.]
--------------------------------------------------
The word of the day is mispergitude
Christopher Browne
<phi...@bolthole.no-bots.com> wrote:
>On 28 Aug 1999 18:07:26 GMT, cbbr...@news.hex.net wrote:
>>I added the supplemental suggestion of volunteering to research
>>computer security with a view to a syllabus that would favor neither
>>UNIX nor NT, as neither OS should be the focus of the research.
>
>it is almost impossible to do research on "security", without
>reference to a specific OS. the results would be almost completely
>meaningless.
You are quite correct that reference would need to be made to one or
more specific operating systems. I was certainly implying such.
The phrase that you quoted there merely provides the suggestion that
neither UNIX nor Windows NT be the focal points of the research.
--
Perhaps there should be a new 'quantum' datatype; you would be able to take
its address or value, but not both simultaneously.
-- Michael Shields
cbbr...@ntlug.org- <http://www.hex.net/~cbbrowne/security.html>
PST
>>> I'm taking a class on operating systems. During the last class, the
>>> instructor mentioned that *nices are less reliable and less secure than
>>> Microsoft OS's. His reasoning is that because *nices (espeically linux) is
>>> free and everyone has access to it, it's less secure. Random people can
>>> hack into a *nix system easier because they can figure out the interrupts
>>> and stuff, since it's a free OS.
>
>> Your instructor is totally bullshitting you. The type of "security"
>> that he seems to prefer is known as "Security through obscurity". It
>> means that the programmers figure that nobody will ever be able to
>> reverse engineer their code, so it doesn't really have to be that
>> secure.
>
>> Open source programs have to implement real security meaning that even
>> though one has access to the code, one cannot use that to circumvent
>> the system, because the security is made that way. (I'm no expert
>> either... :)
>
>....
plus...cause linux is MADE by the people ur instructor fears...now why would
they want 2 program sth. thats not secure...and since they know all the
tricks...
Matthew Kirkcaldie
>>> though one has access to the code, one cannot use that to circumvent
>>> the system, because the security is made that way.
... otherwise, the people who *do* have access to the code at Microsoft
could breach your security. Do you trust every single employee there who
might have access to the source code? To whom are *they* accountable?
Matthew.
Johannes Nix
Here is a cite which explains this very well. Actually, Microsoft's
cryptographic software seems to be hacked by NSA.
http://www.heise.de/tp/english/inhalt/te/5263/1.html