Windows vs. Linux security


NunoUFO
09-07-2003, 12:26 PM
> We all like to bash MS from time to time

Sure we do, 'cause it's their software that the vast majority of people all over the world is using nowadays. If it were Linux on top, believe then we'd all be bashing Linux.

Why? Well the answer is simple: it's not because MSFT software has more bugs than other software, it's only because it's really the more used and explored.
Take this example: if you have a new software and wanna find bugs, shouldn't you put as many people as beta testers as you could? You would be more likely to find those nasty bugs and take a shot at squashing them. Well, in all software (and especially big software like OSes) even the commercial version has some problems and we get stuck with them... However, Microsoft's position on this is quite positive, because they are constantly developing patches and fixes. So we are getting support for the programs we all use and like.

In this case it proved to be otherwise, but it also proved that there is a strong commitment between people at MSFT and us the common users.

Nuno Luz
Portugal

xymantix
09-07-2003, 04:04 PM
> If it were Linux on top, believe then we'd all be bashing Linux.

That's my theory too. That's why, in a twisted way, I'd like to see Linux on top just for 1 year so that they can get a different perspective on the world. Everybody would be blaming them, criticizing them, exploiting known vulnerabilities, and writing viruses for the OS. It doesn't have as much to do with MS as most people think, it's who's on top and what they've had to do to get there.

sponge
09-07-2003, 05:29 PM
I have a feeling us normal users wouldn't get the same treatment about what ended up to be bad HTML code.

And there ARE fundamental security differences between Linux and Windows that would make it more secure when accessed from the net, but that's for a different day.

Fzara
09-07-2003, 05:49 PM
>> If it were Linux on top, believe then we'd all be bashing Linux.
>
> That's my theory too. That's why, in a twisted way, I'd like to see Linux on top just for 1 year so that they can get a different perspective on the world. Everybody would be blaming them, criticizing them, exploiting known vulnerabilities, and writing viruses for the OS. It doesn't have as much to do with MS as most people think, it's who's on top and what they've had to do to get there.

Uh-No. I forgot who, had a competition to award $20,000 to anyone with a Linux box who can crack, break into, or even infect it with a virus. The contest has gone with many tries for 2 years now-still no one can do it.

Janak Parekh
09-07-2003, 05:54 PM
Can we avoid yet another Windows vs. Linux debate, please? Making comparisons like these is not very useful -- as sponge implies, the two OSes are architected quite differently and "popularity"-based security comparisons don't actually work.

--janak

denivan
09-07-2003, 07:55 PM
> Can we avoid yet another Windows vs. Linux debate, please? Making comparisons like these is not very useful -- as sponge implies, the two OSes are architected quite differently and "popularity"-based security comparisons don't actually work.
>
> --janak

Indeed, I'm sick of all those OS flame threads....and you guys all remember : yellow is the best color ! :mrgreen:

caywen
09-07-2003, 09:31 PM
I will challenge anyone to break into this rock I have on my desk. Anyone who can hax0r this rock gets $50,000. I declare this rock to be the most secure rock ever made.

qmrq
09-07-2003, 11:33 PM
> That's my theory too. That's why, in a twisted way, I'd like to see Linux on top just for 1 year so that they can get a different perspective on the world. Everybody would be blaming them, criticizing them, exploiting known vulnerabilities, and writing viruses for the OS. It doesn't have as much to do with MS as most people think, it's who's on top and what they've had to do to get there.

Sorry about drifting further off topic, but.. Such a statement shows that you don't know much about UNIX / Linux. ;) It is pretty much IMPOSSIBLE to write to system configuration files or do anything potentially damaging to the system as a normal user. "known vulnerabilities", bah.

Janak Parekh
09-07-2003, 11:39 PM
FYI, this was split off from here (http://www.pocketpcthoughts.com/forums/viewtopic.php?t=17707).

In any case, qmrq is somewhat correct. His point is that any normal Linux user never runs with Administrative privileges; in fact, many programs will refuse to run if you're root.

On the other hand, Windows NT/2k/XP do let you set up nonprivileged users. However, a lot of people use legacy Windows software that makes it difficult for this to work in corporate environments; and, at home, XP makes it too easy to be an Administrator by default. I'd like to see default behavior go towards nonprivileged setups, as it will be a tremendous boost in Windows security (95%+ of email-based worms will be stopped by this one single maneuver). I'm baffled why Microsoft hasn't moved in this direction already. :? Maybe Longhorn?

And this doesn't address remote vulnerabilities at all, which both OSes suffer from.

And, most importantly, in all of these cases, popularity is not really the cause. User privileges have nothing to do with popularity, and as for remote vulnerabilities, UNIX-based servers are extremely popular; there are more servers running Apache, for instance, than IIS. Popularity more concerns the spread of the worm once it's in the wild, not the intrinsic security of an OS.

--janak

Janak Parekh
09-07-2003, 11:47 PM
> Uh-No. I forgot who, had a competition to award $20,000 to anyone with a Linux box who can crack, break into, or even infect it with a virus. The contest has gone with many tries for 2 years now-still no one can do it.

Unfortunately, these contests are not usually very useful. If I set up a Linux box and shut down all services, there isn't a vulnerability in the world I can use to crack into the box, unless there's a bug in the TCP/IP stack; however, such bugs are extraordinarily rare in most every OS today. Ditto for Windows, although shutting all the services down in Windows is quite a bit more difficult.

--janak

sponge
09-08-2003, 01:17 AM
Actually, Apache is used far more than IIS, and which one of these two are constantly having hole after hole exposed?

Janak Parekh
09-08-2003, 01:45 AM
> Actually, Apache is used far more than IIS, and which one of these two are constantly having hole after hole exposed?

Well, yes, IIS5 wins that "contest". :lol: Apache isn't without flaws, though; 1.3.28 was only recently released, as 1.3.27 has DoS bugs. But let's compare, say, sendmail and Exchange. Or even WU-FTPD and the FTP service that comes with IIS. gnu.org's FTP server was just hacked...

That said, yes, open-source software generally has better turn-around time on patches, and they've built a much better webserver; although, IIS6's track record may end up being better than IIS5, since it's locked down much more heavily and finally introduces privilege separation.

Frankly, what annoys me more than anything else are buffer overflows. There's no excuse for them today, for whoever they appear. And they still appear too darn much. :evil:

--janak

SeanMcLeod
09-08-2003, 09:59 AM
> I'd like to see default behavior go towards nonprivileged setups, as it will be a tremendous boost in Windows security (95%+ of email-based worms will be stopped by this one single maneuver).

Hmm, while I agree it's a very good thing to run as a non-privileged user I wouldn't claim that it's going to stop 95% of email-based worms.

Look at SoBig, supposedly the fastest propagating to date.

It didn't exploit any specific flaw in Outlook etc. It was purely an executable attachment that users had to decide to run.

Then when it was run it would scan .html, .txt, .mbx files etc. looking for email addresses. So running as a non-privileged user makes no difference, it will still be able to read all YOUR files.

It then emailed itself, using its own SMTP code, and again a non-privileged user account isn't going to prevent code running under your account from connecting to an SMTP server to send email.

So in SoBig's case I don't see how running as a non-privileged user would've made any difference.

Janak Parekh
09-08-2003, 03:41 PM
> Look at SoBig, supposedly the fastest propagating to date.

Hrmmmm. Well, it would mitigate things somewhat in that it couldn't install itself in HKLM\Software\Microsoft\Windows\CurrentVersion\Run. OTOH, if this were the default, worms could just install themselves into HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

I guess it would be more accurate to say a set of policies enforcing unprivileged users and the inability to run on startup would help.

On the other hand, it would be trivial to craft a Linux shell script or shell archive that, when run, installs itself into the end-user's crontab and runs every 5 minutes. Again, policies would have to be set to lock this functionality down.

The one key difference, as you may point out, is that many UNIX mailers don't run executable attachments by default, and it's possible to ensure that saved attachments don't trivially have the executable bit set. OTOH, there are enough people that do "tar xvfz; ./configure; make; make install" blindly that one could make life... interesting. ;)

--janak
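
The post above notes that a job in an end user's own crontab needs no root, so an administrator has to look for it per user. An added example, not part of the thread: a Python audit that flags crontab entries matching two or more persistence heuristics. The sample crontab text, the path list and the heuristics themselves are assumptions constructed for illustration.

```python
import re

# Constructed sample data: per-user crontab text, as `crontab -l -u USER` prints it.
SAMPLE_CRONTABS = {
    "alice": "# m h dom mon dow command\n"
             "*/5 * * * * /home/alice/.cache/.update.sh\n"
             "0 3 * * 1 /usr/bin/rsync -a /home/alice /mnt/backup\n",
    "bob": "MAILTO=bob\n@reboot /tmp/.x/run\n30 2 * * * /usr/local/bin/report\n",
}
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")  # assumed path list
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def split_entry(line):
    """Return (schedule_fields, command) for a crontab entry, else None."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None                                 # blank, comment, VAR=value
    if line.startswith("@"):                        # @reboot, @hourly, ...
        parts = line.split(None, 1)
        return ([parts[0]], parts[1]) if len(parts) == 2 else None
    parts = line.split(None, 5)                     # m h dom mon dow command
    return (parts[:5], parts[5]) if len(parts) == 6 else None

def reasons_for(schedule, command):
    """Heuristic reasons an entry looks like persistence rather than housekeeping."""
    reasons = []
    if schedule == ["@reboot"]:
        reasons.append("runs at every boot")
    elif len(schedule) == 5 and schedule[0].startswith("*") and schedule[1] == "*":
        reasons.append("sub-hourly schedule")
    exe = command.split()[0]
    if exe.startswith(USER_WRITABLE):
        reasons.append("executable in user-writable path")
    if any(p.startswith(".") and p not in (".", "..") for p in exe.split("/")):
        reasons.append("hidden file or directory in path")
    return reasons

def audit(crontabs):
    """List (user, command, reasons) for entries matching two or more heuristics."""
    findings = []
    for user, text in sorted(crontabs.items()):
        for line in text.splitlines():
            entry = split_entry(line)
            if entry:
                why = reasons_for(*entry)
                if len(why) >= 2:
                    findings.append((user, entry[1], why))
    return findings
```

On the constructed sample, `audit(SAMPLE_CRONTABS)` reports alice's five-minute job and bob's `@reboot` job and leaves the rsync backup and the nightly report alone.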

qmrq
09-09-2003, 08:43 AM
> Indeed, I'm sick of all those OS flame threads....and you guys all remember : yellow is the best color ! :mrgreen:

Yellow... BeOS how I love thee! :ppclove:

qmrq
09-12-2003, 09:17 AM
> "tar xvfz; ./configure; make; make install" blindly that one could make life... interesting. ;)

Hmm, I dunno. There aren't many UNIX utilities that come in source form that claim to 'give you lots of cool games in your browser after quick 30 second download!'

Janak Parekh
09-12-2003, 04:39 PM
> Hmm, I dunno. There aren't many UNIX utilities that come in source form that claim to 'give you lots of cool games in your browser after quick 30 second download!'

You're assuming that all of your favorite tools don't have a backdoor, of course. ;) I know it's unlikely, but remember Kernighan's paper about Reflections on Trusting Trust (http://www.acm.org/classics/sep95/)? The one that suggests if the compiler has a backdoor, you'll never know, even if you compile new compilers?

--janak