Date: Thu, 06 May 2004 12:21:21 -0300
From: Dexter J <lamealameadingdongnospamlamelame.org>
Subject: Re: OT- Heads Up - Sasser plug


Salutations:

On Thu, 06 May 2004 13:30:12 GMT, -Bob- <uctraingNOSPAMMEnospamanet.com> wrote:

> On Thu, 06 May 2004 01:24:48 -0300, Dexter J <lamealameadingdongnospamlamelame.org> wrote:
>>
>> How's that for a rant!.. :) ..
>
> Pretty good. I agree with much of what you say.
>
> In summary, my complaint is not that MS can't be made moderately secure, but they do have some serious architectural issues with their model. WNT security was modeled on VMS - a seriously secure OS. However, MS chose to discard some vital pieces in the interest of freewheeling - witness the repeated "buffer overrun" issues. It should not be possible for this to happen in a "real" OS, but it does on all MS platforms.
>
> Because of this freewheeling approach, MS security becomes a band aid, a front door, not an integral part of the OS's operation. This "once they're in, let 'em go wild" strategy is the root of nearly every MS security issue. I defy anyone to tell me what specific privileges to what specific modules a piece of software like (e.g. SQL Server) needs to run on my server (or even MS-word on my desktop). It isn't documented and it's too malignant to determine. You have to give it that "OK, you're in the front door, prowl the house" authority. Not good.
>
> Oh, and, I admire your ability and dedication to running a win-server without a firewall. But, if it were me (and it is), I'd run the firewall too. The firewall has duties beyond simply trying to plug MS gaps, oversights, and intentional mis-steps.

Well thank you kindly brother bob - I agree with your assessment of the 'by the book' system as well. As to my own experiment here at radio free dexterdyne - it is the concerns your assessment raises exactly that I am prototyping.

I say again - I use my prototype thin server model here to secure the system itself - it is simply an added benefit that my workstation can then be operated as a complete registered domain service without as a result. Thusly - while it is always possible that I (or anyone) may be cracked (on any OS) - my prototype provides a professional measure of control and real time reporting so a given probe doesn't go rogue. As you say, 'you're in the door' - but - you can't really prowl the house openly on a dexterdyne build. Then it is simply a matter of responsible and ongoing deny/allow and creative configuration administration exactly like 'real infrastructure' - which is actually what sets most Unix/MVS installs apart from most MicroSoft infrastructures.

I do not basically trust hardware appliances like firewalls on the network - because in the end they eventually become unmonitored in real world operation and they do nothing in the event someone behind the firewall opens 'something new'. As to software firewalls, they are as subject to compromise as anything in a given OS service stack. Check this out on both counts:

http://securityresponse.symantec.com/avcenter/security/Content/10183.html

There is simply no real substitute for honest, life suckingly boring, real time system administration and supporting intuitive wetware talent. Much like owning a SAAB actually.

Where MicroSoft (as well as more and more traditionally higher level operating systems) are screwing the pooch - is in the very heavily marketed premise that you can automate system administration and cost save in the HR budget by 'letting the vendor look after it' and/or hiring cheap based on Certification rather than experience. Basically - you are rewarded or boned based entirely on what custodial expertise you actually pay for regardless of what the marketing droids of all stripes would have people believe.

And that, in a nutshell, is why MicroSoft infrastructures are more often the victim of plagues. It is made to be ready and well understood prey by cost cutting in combination with cheap administrative talent.

--
J Dexter - webmaster - http://www.dexterdyne.org/
all tunes - no cookies no subscription no weather no ads no news no phone in - RealAudio 8+ Required - all the Time
Radio Free Dexterdyne Top Tune o'be-do-da-day
Mr Louis Jordan - Let The Good Times Roll
http://www.dexterdyne.org/888/190.RAM

The content on this site may not be republished without permission. Copyright © 1988-2024 - The Saab Network - saabnet.com.