[Reader-list] Re: WB Govt ties up with MSFT

Menso Heus menso at r4k.net
Mon Aug 6 00:20:13 IST 2001


On Sun, Aug 05, 2001 at 08:37:58PM +0530, Raju Mathur wrote:
> Hi Menso,
> 
> I agree that security is the user/administrator's responsibility and
> it doesn't matter how many patches MS releases unless the admins are
> clued in enough to download and install them.  OTOH, we must also
> consider the following:
> 
> 1.  MS seems to have perennial problems with buffer overflows.  One
> would have thought that after the first 100 or so they'd have the
> decency to sit down and audit their complete code base and remove all
> the buffer overflows they can find, but their attitude seems to be
> (and it's valid, from a twisted perspective) that if they deploy the
> same engineers in creating new code they can get (buggy) products to
> market faster and make more money.  I have nothing against buggy
> software.  I /am/ strongly against a corporation which puts the
> security and stability of its users and clients second to anything at
> all.

I agree with this, yet it is a fact that it does not happen. So far I have
not seen any major consequences of situations like these where a patch
was not made readily available.
 
> 2.  The Code Red worm was caught early, but there have been other ones
> (and will continue to be more) which have slipped in before anyone in
> the MS or security communities saw them.  These will continue to wreak
> havoc with the world's computing infrastructure.

I have not yet seen them. I think the persons who write these worms get their
info from the mainstream security lists; I find it quite unlikely that a
person would find a new hole and then write a worm for it.
The people that have the brains to do this usually also have the ethics
not to do these things, yet I agree that this does not mean it will never
happen.

> 3.  MS' own policies deter a propagation of equally effective,
> competing products.  Make a Pine/Mutt/Elm/VM/GNUS/Kmail worm and you
> hit maybe 10% of the Linux community. 

How do you come up with this figure? If it has to do with the fact that
there is more manual work for the user to launch an actual virus, then I
would say it is correct. If 'viewing' a file in these mailers were
equal to executing it, however, the percentage would be as high as on
any operating system.
The 'error' is in the fact that the default behaviour for a .vbs file is
"Execute" instead of "Edit" in Windows. This is, however, nothing that a
little registry editing script can't fix :)

> Make an Outlook Express bug and
> you hit 99% of Windows users.  Similarly, due to the open nature of
> the environment there are many competing browsers on Linux but only
> one feasible one on Windows. 

Hahaha, although this is an entirely different discussion, I would argue
that currently there *is* only one browser, being Internet Explorer. The
rest crash too often, aren't up to date, don't support standards, don't
show HTML but translate it to the console (like lynx), etc.

I am speaking from experience with browsers on a wide variety of platforms,
being Windows, FreeBSD, Macintoshes and Linux. Netscape 'sometimes' works,
but in my opinion, too often does not. Also, it is a bitch to code for (no,
not because we don't write nice code but because the parser is fucked up, as
any web designer/programmer can tell you). Lynx is nice if you do not have
more requirements (such as graphics, duh!).

> Thus MS' policy of stifling competition
> indirectly contributes to the ease with which virii and worms
> propagate on MS platforms.

It is not so much stifling competition. I would also not argue that because
programs such as Outlook and IE come with the OS the user doesn't try anything
else. Windows Media Player comes with my OS but I prefer Winamp, as do most
people I know.
Where are the Windows versions of the earlier mentioned programs? Why would I
want to install an entire unix environment on my machine (cygwin) before I can
run one simple mail program?

What makes a program successful or not is a measurement, for the user, between
the ease of use and the features a program offers. When one compares the ease
of use between GUI programs such as Outlook and, say, mutt, it becomes quite
an easy choice, especially if the user is used to working in a graphical
environment in the first place.

Now, when the requirements of these users grow, as mine did, they might
consider using screen and running all their stuff on one dedicated machine so
that they can always check their email from everywhere.

However, the problem might lie in this ease of use too, since it becomes very 
easy to run malicious code :) This is, again, the job of the sysadmin imho. 

Menso

-- 
---------------------------------------------------------------------
Anyway, the :// part is an 'emoticon' representing a man with a strip 
of sticky tape across his mouth.   -R. Douglas, alt.sysadmin.recovery
---------------------------------------------------------------------
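The registry change Menso alludes to above ("a little registry editing script" that turns the default action for .vbs from "Execute" into "Edit"), written out as an added example. This is not part of the original message or anyone's code from the thread; it is a PowerShell script that assumes the stock Windows script ProgIDs (VBSFile, VBEFile, JSFile, JSEFile, WSFFile) with their standard Shell\Open and Shell\Edit verbs, and it must be run elevated because it writes under HKLM:\SOFTWARE\Classes (the machine-wide half of HKEY_CLASSES_ROOT). Run it with -Revert to put the default verb back to Open.

```powershell
# Added example, not code from the original thread.
# Change the default shell verb of script file types from "Open" (which hands
# the file to wscript.exe) to "Edit" (which opens it in the registered editor).
# Assumptions: stock ProgID and verb names; run as Administrator (writes HKLM).
param(
    [switch]$Revert   # put the default verb back to Open
)

$progIds    = 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile'
$targetVerb = if ($Revert) { 'Open' } else { 'Edit' }

foreach ($progId in $progIds) {
    $shellKey = "HKLM:\SOFTWARE\Classes\$progId\Shell"

    if (-not (Test-Path $shellKey)) {
        Write-Warning "$progId is not registered on this machine; skipping"
        continue
    }

    # Only switch if the target verb actually exists under this ProgID;
    # pointing the default at a missing verb would just break double-click.
    if (-not (Test-Path (Join-Path $shellKey $targetVerb))) {
        Write-Warning "$progId has no '$targetVerb' verb; leaving it unchanged"
        continue
    }

    # An empty (Default) on the Shell key means Windows implicitly uses "Open".
    $before = (Get-ItemProperty -Path $shellKey -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrEmpty($before)) { $before = '<empty, implies Open>' }

    Set-ItemProperty -Path $shellKey -Name '(Default)' -Value $targetVerb

    Write-Output ("{0}: default verb {1} -> {2}" -f $progId, $before, $targetVerb)
}
```

Two caveats a practitioner will want. First, this only changes the implicit verb, i.e. what ShellExecute does when no verb is given (double-click, Start/Run, a mail client handing an attachment to the shell); anything that invokes `wscript.exe foo.vbs` or `cscript.exe foo.vbs` explicitly still runs the script. Second, HKEY_CLASSES_ROOT is a merge of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, and the per-user half wins, so a user (or malware running as the user) can override this setting under HKCU for their own account; check both hives when auditing.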