Posted on 07/15/2003 2:58:40 PM PDT by TopDog2
True for NT 3.51. Not true for NT 4.0.
I thought that was true as well until I saw this release. It would appear that NT 4.0 got the C2 rating a little over three years ago.
-Jay
The sound we just heard was that of a hammer striking a nail square on the head.
;)
-Jay
Not that I've ever hacked a system, but have you noticed how many companies leave the default passwords in place?
You are correct, sir. The vast majority of attacks, around 90% or so, are perpetrated by skript kiddeez that get their attacking tools from the next 9%. Those guys are the ones performing zero-day exploits, doing black-box penetration testing and publishing the results along with tools for others to take advantage of the exploit.
And the top 1% you'll never hear from or about. They are in and out of lots of systems, secured and not secured.
It's that 9% that worries me. They find exploits for Microsoft software daily. Most of them don't have much love for Microsoft or the government and by advertising this unholy union, they now have been given an irresistible target.
Most breaches are due to poor security practices (lousy passwords, abandoned logins, use of cleartext protocols, and so on), but an equal problem are the poor coding practices which make the simple-technique hacks (to which you refer) possible. Buffer overflows are the bane of all systems, even though we've known of their impact for years.
The only seriously secure systems I've seen are those that are in a secure situation (only people who are supposed to can even get to the keyboard), and are also part of a closed system, meaning the computers are only hooked to each other and NONE of them are hooked to the net, and all wiring is in a secure area with no wireless transmission.
While it's true that there's no such thing as total security, there is reasonable security that can be accomplished while a system is networked. There are a great many excellent books on firewalls and network architecture that focus on granularity of host and network access and robust risk identification, mitigation and incident response.
There are even more excellent papers on configuring bastion hosts that are extremely effective at performing their work while keeping hostile outsiders (and, if done right, hostile insiders) from inflicting their own brand of mischief on the systems and their network. I've also dabbled in bastion workstations, which has been a fine balancing act between convenience and security.
Not that I've ever hacked a system, but have you noticed how many companies leave the default passwords in place?
I've hacked loads of systems in my work* as a penetration tester and you'd be stunned at the sorts of high-risk things that a lot of large companies do. Default passwords are just the tip of that iceberg...
-Jay
* - All legal and under written contract with the firm in question. :)
Well, whatcha know 'bout dat...
Mmmm-boy! The Department of Homeland Security is in for a real ride!
-Jay
Whether that is your true experience at work or not, that is an unbelievably uninformed and subjective opinion. Pick up a copy of the latest MicroWarehouse or CDW catalog. Take a look at all the latest peripherals and applications for sale. Then check into compatibility with Unix or Linux.
What you will find is there are MANY things Windows can do that Unix/Linux cannot. The closest alternative out there close to matching Windows capability is Apple software, and is the only alternative operating system I would recommend to others.
Not near as much as you would like us to believe. They both originate with the same basic kernel, produced by the same foreigner. They both offer unrestricted access to their source code. When discussing US Government security, confidentiality is essential.
Whether that is your true experience at work or not, that is an unbelievably uninformed and subjective opinion.
So the inconvenient fact that what I say is true is irrelevant?
Oh. Boy.
Pick up a copy of the latest MicroWarehouse or CDW catalog. Take a look at all the latest peripherals and applications for sale. Then check into compatibility with Unix or Linux.
Bah. I've picked up the latest hardware and it's worked fine with Linux. In fact, look on most hardware packages these days and it will actually spell out that it is compatible with Linux!
If there's any uninformed, subjective opinion going on in this discussion, it isn't mine, sport.
What you will find is there are MANY things Windows can do that Unix/Linux cannot.
...Like bring the 'net to a crawl (thanks to the SQL slammer worm), bloat everyone's web logs (thanks to Code Red) and assure that EVERYONE gets a copy of ILOVEYOU, Melissa and the e-mail arm of Nimda.
The closest alternative out there close to matching Windows capability is Apple software, and is the only alternative operating system I would recommend to others
Congratulations. You just recommended BSD as an alternative to Windows. (Yep, that's right...MacOS X is a BSD derivative.)
-Jay
Not near as much as they would be if they were stuck waiting on the self-titled "loosely knit group of hackers from across the net" to patch their software. Not to mention the complete source code of the fix (which explains exactly how they fixed the vulnerability) is released along with the fix, making it even easier for holes to be found in the patches themselves.
Not near as much as you would like us to believe. They both originate with the same basic kernel, produced by the same foreigner. They both offer unrestricted access to their source code. When discussing US Government security, confidentiality is essential.
Yet you offer no objection to the coding done for Microsoft by foreign nationals. How interesting.
As for your Great Bugaboo about who created the Linux kernel, then I suppose you think the National Security Agency (NSA) (which happened to release their own hardened Linux) is part of the 3v1l k0n5p1r4cy?
Please. If you're going to argue, at least have a point to make.
-Jay
Extrapolating, one can only imagine that OS software is the least of Homeland Security's problems. They have to unite several disparate departments fast, and the current lingua franca of all non-technical bureaucrats is Windoze.
They'll just have to live with rebooting their systems every few hours or days to flush the memory leak problems and get used to "I love you" messages from their peers every month or two.
When they're all thoroughly sick of that, and/or they need some real OS tweaks, they'll get serious (and maybe that's the time to invest in IBM and/or RedHat).
Not near as much as they would be if they were stuck waiting on the self-titled "loosely knit group of hackers from across the net" to patch their software.
Bah. The turnaround time from report-to-patch with Open Source is normally 24 hours or less.
The turnaround time from report-to-patch with Microsoft is normally THREE WEEKS.
Please. If you're going to make an argument, at least make an effort to know what you're talking about.
Not to mention the complete source code of the fix (which explains exactly how they fixed the vulnerability) is released along with the fix, making it even easier for holes to be found in the patches themselves.
Which is fine, actually. And when you get down to it, closed source offers absolutely NO security benefit. If it did, then Microsoft wouldn't be the scriptkiddy whipping boy it is.
-Jay
No, if true, where you work is irrelevant.
Bah. I've picked up the latest hardware and it's worked fine with Linux.
Again, using your limited experiences alone to make overall judgements is poor. There are countless MFDs, PDAs, cameras, etc. that only work with Windows.
...bring the 'net to a crawl (thanks to the SQL slammer worm), bloat everyone's web logs (thanks to Code Red) and assure that EVERYONE gets a copy of ILOVEYOU, Melissa and the e-mail arm of Nimda...
Mostly blackmail attempts by the Linux hacks, they've yet to cause us any major damage or extort a change in our business practice.
Security-enhanced Linux is not an attempt to correct any flaws that may currently exist in Linux. There is still much work needed to develop a complete security solution. In addition, due to resource limitations, we have not yet been able to evaluate and optimize the performance of the security mechanisms.
Government (Homeland Security) issues second warning on Microsoft security flaw
LOS ANGELES - The Department of Homeland Security has issued an unprecedented second warning to Internet users about a security flaw in Microsoft Corp. software that could leave about 75 percent of the country's computers vulnerable to hacker attacks. The latest warning comes two weeks after Microsoft issued a bulletin notifying computer users it had discovered a critical flaw in its most common Windows operating systems, including its newest versions, Windows XP and Windows Server 2003.
The flaw can let hackers use the Internet to seize control of users' machines to steal files, read e-mails and launch wide-scale computer virus and "worm" attacks that could seriously damage the Internet.
FR posting, September 25, 2003, by E. Pluribus Unum
Reliance on Microsoft called risk to U.S. security
SEATTLE, Sept 24 (Reuters) - Computer security experts issued a joint report on Wednesday saying that the ubiquitous reach of Microsoft Corp.'s software on desktops worldwide has made computer networks a national security risk susceptible to "massive, cascading failures." The report, unveiled at the Computer & Communications Industry Association's meeting of industry leaders and government officials in Washington, D.C., saying that Microsoft is now the number one target for malicious computer virus writers. The report's authors told CCIA -- which is funded by Microsoft rivals -- that the software's complexity has made it particularly vulnerable to attacks.