OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NFR Wizards Archives: RE: Win 2000 any better?

RE: Win 2000 any better?

Russ (Russ.Cooperrc.on.ca)
Sun, 7 Nov 1999 03:18:16 -0500

-----BEGIN PGP SIGNED MESSAGE-----

>I'd just like to point out a couple of things regarding security
>here...

Based on what?

>1. Win2000 might have more nifty security policies and editors in
>place, but that does not constitute security in and of itself.

Neither does the way it pops up windows. NOTHING "constitutes security
in and of itself".

>2. Most attacks that we see today have NOTHING to do with setting
>object-based security in operating systems.

All attacks have to do with setting object-based security. They're
either exploiting the lack of, incorrect, or bug in...setting
object-based security.

>3. Most attacks today are based on BUGS in the operating systems
>and applications.

Well, I'd disagree. Most attacks today are based on the fact that
their virtually invisible on Win9x OS'. Because they go undetected
(while being effected), they have an "effect" and are therefore
"enjoyable". Denial of Service attacks are typically exploiting BUGS
in the OS. Defacements and Intrusions to NT, lately, have been
effected via the RDS vulnerability. That wasn't a "bug", but a stupid
capability built into a component. A "fix" is available that still
allows you to "exploit" this "stupid capability".

But you're probably referring to Buffer Overflows, which are more
often found in applications than they are in the OS itself (but
obviously not exclusively).

>4. The average programmer goofs up (causes a bug) on average in
>1-3 places per 1000 lines of code.

Gee, can I get a link to that research?

>5. Win2000 introduces some 15 million (more? little less?) lines
>of new code.

As with every version of every 30 year old tried and tested variant of
Unix, virtually every line in Windows 2000 should be considered "new
code".

If you have to review code to trust it, don't touch Windows 2000,
since you won't be able to review it...duh. The number of lines only
matters to reviewers. If a person is intelligent enough to understand
why lots of code means potentially lots of security risks, they're
also likely intelligent enough to come up with some more tangible
reasons to be afraid of Windows 2000.

Fact is, a C2-like review is likely going to be more impressive under
Windows 2000 than any earlier version of NT...but then there's no code
review there (and they probably never ask how many lines of code there
are either).

>6. Go figure what's secure or not until it's been running for a
>while and a couploe of one hundred new bugs have been found and
>corrected.

Well, with between 15,000 and 84,000 bugs, maybe you might want to
wait a little longer???

Come on folks, we getting security patches after SP6 for NT 4.0, and
there's no reason to believe they're going to stop after SP7. We're
fixing things in Unix applications that have been in use for eons (and
have gone through far more revisions than NT has).

You gotta base your evaluations on far more tangible things than these
sorts of throw-away statements that really don't address your needs,
or consider your risks based on your implementations.

The other thing to remember is that the line in a component which
represented a security vulnerability is written anew when the bug fix
is released. i.e., the newest line of code you're likely running is
the one that supposedly fixed your security vulnerability...think
about that for a second...;-]

Cheers,
Russ - NTBugtraq Editor
http://ntbugtraq.ntadvice.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQCVAwUBOCU2PBBh2Kw/l7p5AQG9rwP/VDGHo6+rjX6A9Dyu5fm2r7wXby5J67kO
bFs3VbXvJ72Q+h0wZxpAFCzbzt1j5jbvw1VJJleXeRLk0OBz+YTfxn47Ury6jYzG
DccDWot1mi3mpEmtRcNgHY8ZwcQAJCtwVTZd7nEUmlyrLBGehos6roPw4PTMapac
s4WC48JcGzU=
=yzGO
-----END PGP SIGNATURE-----

This archive was generated by hypermail 2.0b3 on Sun Nov 07 1999 - 22:39:15 CST