Date: Thu, 06 May 2004 01:24:48 -0300
From: Dexter J <lamealameadingdongnospamlamelame.org>
Subject: Re: OT- Heads Up - Sasser plug


Salutations:

On Wed, 05 May 2004 19:04:30 GMT, -Bob- <uctraingNOSPAMMEnospamanet.com> wrote:

> On Tue, 4 May 2004 16:50:19 GMT, hohnospamlid.invalid (Goran Larsson) wrote:
>
>> The amazing thing about MS Windows is that it seems that every security issue results in exploits that totally opens up the system. I have never seen the same "openness" in other operating systems. MS Windows security is like a house of cards, a small disturbance and everything comes falling down.
>
> The basic problem is driven architecturally by the Microsoft *Business* model. It is a strategic problem, not tactical.
>
> The issue is Microsoft's integration of the desktop into the world. That is, they want to eliminate the lines between application, desktop, server, and the Internet. This is their goal, vision, direction and purpose. It is in fact their entire software strategy and the key to their architectural design. They want to allow any application to call any application from anywhere. Total integration of the desktop to the file system to the Internet. No walls, and (eventually) no user knowledge that there is even a difference in opening a document that is on the Internet, on the local hard drive, or on a server. OS, network, and applications merge in one homogeneous mass. Good for simple-minded users, good for selling an integrated environment to the corporate clients, bad for the world.
>
> This strategy leads to their inappropriate blending of the OS with the applications. Applications do not run in isolated spaces as they should, they run in shared spaces with no real boundaries. Security is always a patch because their architecture is not secure. The lawsuit brought against them for browser integration was correct in its goal - separate the applications from the OS - but unfortunately not only did the Judge have no insight into the vision (above), neither did those bringing the lawsuit.
An excellent and perfectly correct observation - however is it the correct conclusion?

On the mainframe planet there is but one central job processor and data repository and an almost limitless number of login shells in which user and system accounts share services and resources across a processor board grid as completely self-contained session bubbles. Upon creation/login/job call - security group policy assignment determines the resources, data access and services which can be impacted by the bubble (be it machine or wetware) - which then secures the greater installation resources to the extent that the actual administrator does his or her job carefully and correctly.

'Zone security' is not as important because operational check and balance parameters allow that all currently operating sessions and data environments can be recreated in real time (literally re-inflate the bubble mold from last, or any previous, action). Anything being executed or read is subject to the approval of administrative job rules and recorded in exacting detail. Everything else can only be executed from the hollow floor room with video camera running.

In the Unix universe there is no true central authority governing internode OS, processor or services security access. The router system (which works like the phone company) mostly just passes stuff around. Each node to a greater or lesser extent is either slaved to a more central administrative workstation - or more often these days - allowed to share specific resources and services remotely as dedicated machines on a filament grid. The vision being to specialize single or limited purpose workstations and processors to a given task to distribute and protect the wealth.. man..

Grid security is determined by each workstation's group inclusion and exclusion policy. More important or central workstations on the grid *should usually* maintain extremely strict policy so that it mimics MVS security modeling in effective operation.
Actually - it is sometimes argued that true grid UNIX is more secure than MVS and Windows given that its distributed nature can mean that security breaches are limited to single or single groups of machines and their resources.

However - where the MVS system has an almost infinite and unbelievably granular 'back & undo' function at an administrative and operator level it is sometimes argued that despite UNIX zone distribution - Unix breach is not quickly repairable and data loss is much more operationally impactful. Given that it is for all practical purposes impossible to ghost entire infrastructures across the fiber grid in real time - the grid hits the throughput physics wall.

The MicroSoft dimension - at least in my opinion because who the heck really knows - operates somewhere in between in that each diecast workstation on the network is designed to be a familiar port of call unto itself and/or a member of a federation of shared resources on a fiber grid - Mc-MicroSoft if you will. It's cheap desktop *AND* network processing for the price, no matter where in the world you are - the bath room is always on the side near the door, the food is usually identically bland and staff is bargoon until they set the service manual alight in the fryer from the boredom.

Anyway this compromise has its own upsides and downsides as befits the compromise. But thusly, it is often treated as 'cheap' by managers and owners who have been repeatedly assured that they don't have to pay real experienced System Admins to configure and maintain their systems. Mostly - 'everybody knows how to use Word' - particularly in the executive wing.

Breaking into a mainframe may let you read something you shouldn't - but they know what and you can't damage anything unless you are actually in the hollow floored room - in which case they know who you should be.
Breaking into a Unix workstation the right way will allow you to read stuff you shouldn't and do damage to whatever extent the victim has rights on its grid and however creatively the grid is administered and created.

Breaking into an average MicroSoft workstation allows you to break into most other MicroSoft workstations so configured and as each service or process is another diecut from either MicroSoft or any other vendor who sells commercially compatible MicroSoft software - you can effect damage, read stuff you shouldn't *and* change a lot of things while you are in there. Then repeat the process on almost any other similar installation worldwide.

The same may be said of MAC-OS/Redhat one day - to the extent system administrators/home owners/teenagers really open the gates on the stack - for mostly the same reason.

But is this the fault of the Operating System or the System Administrator blithely following the approved cook book and software licensing model?

My workstation server has sailed through all the plagues including Code Red. I've run my W2K workstation as a permanent IP on the public Internet without resorting to a firewall for almost four years now. Radio Free Dexterdyne is really and entirely just a set of small background services on the very computer I'm sending this missive out on. I use it all day long to build for clients and shop around for a used 9000 with a pooched engine and flog my basement crap and drone on here at alt.autos.saab. It hasn't fallen over dead yet - though some of my brother SAAB flagellants have no doubt done so by now. Quick - someone poke Grunff before he drowns snoring in the soup touraine!.. :) ..

Anyway - I have made a point of investing the time to really understand exactly what W2K was doing on the network and what the network was trying to do to it - and then revised and/or replaced things that made me nervous before they became a problem - and it all works just great actually.
It lets me know if something isn't right long before it blue screens so I can check around to see what's happening and fix it.

If you ask me, my take is that the basic Windows 2000 Operating System isn't a pig at all and the idea that people should be empowered to directly share data and resources on the open network is a really good thing - but it requires someone give enough of a crap to look after it like any other OS. Or more rarely these silly days - actually pay someone to look after it for them.

Blaster, MyDoom and Sasser virus variants take advantage of just that. NetBIOS over TCP/IP is specifically in place so that free automated system administration works and thusly - you get what you are willing to pay for.

But because most people and businesses don't care a single fig about their computers until they flatline and take out the customer and/or tax records with them - they flip on the cruise control and doze off at the wheel while the APNIC nodes pimp out their SMTP ports and the script kiddies pillage their registry keys.

That's why everyone still feels the need to 'print stuff off' and file it brother bob.

How's that for a rant!.. :) ..

--
J Dexter - webmaster - http://www.dexterdyne.org/
all tunes - no cookies no subscription no weather no ads no news no phone in - RealAudio 8+ Required - all the Time

Radio Free Dexterdyne Top Tune o'be-do-da-day
Mr Louis Jordan - Let The Good Times Roll
http://www.dexterdyne.org/888/190.RAM


The content on this site may not be republished without permission. Copyright © 1988-2024 - The Saab Network - saabnet.com.