[SLUG] Re: More FUD from Microsoft

From: Bryan J. Smith (b.j.smith@ieee.org)
Date: Sun Nov 21 2004 - 21:49:09 EST


On Sun, 2004-11-21 at 21:19, jeff wrote:
> I would just love to hear him explain why there are so many security breaches
> in their software if that is true. :)

Inter-subsystem/service integration, MS IE distribution of new,
Win32-ignorant features, etc...

But ultimately it was the first "Chicago" influenced version of NT, 3.51
"Daytona," and the eventual destruction of "Cairo" ("Consumer NT").
Win32 wasn't a bad API, and _far_better_ than OS/2 from a security
standpoint.

One could even argue that .NET has an _excellent_ security model. I
will _never_ fault Microsoft OS designers for not coming up with good
APIs. The problem is that not even Microsoft's own application division
adopts them! E.g., Microsoft modified the requirements of the "Designed
for NT" logo 3 years after its introduction because Office 95 _failed_
to pass even the _basic_ portions of it. And that was just
Internet-ignorant Win32 to start.

Now with .NET, Microsoft isn't using it at all -- surprise, surprise.
So we have the continuing, sprawling "Win32 bastard" (that is nothing of
what Win32 should have been). NT6/Longhorn is 100% Win32, with
exception of Indigo, a .NET sandbox of Internet services atop Win32
(yes, this is nothing more than what the JVM did 10 years ago! ;-).

In fact, what is XP SP2? It's merely Microsoft closing all the "hacks"
in the NT5.1 kernel/subsystems that were opened from NT5.0/2000 for
compatibility. Surprise, surprise, all of a sudden, even many of
Microsoft's own capabilities don't work because they were not written
for Win32 either (hence why NT5.1/XP was "hacked" in the first place)!

> There were six SP's for NT4, 3 (or is it 4) for Win2K,

No, that's not a good argument at all. The product was out for several
years. These are expected. Even RHEL and SLES have several, formal
updates -- largely to emulate the "expected update model" of a
traditional, shrink-wrapped OS.

> at least 2 for XP.

Actually, the significant one is SP2 for XP. Again, as I mentioned
above, SP2 for XP basically "re-closes" all the "hacks" made in NT5.1/XP
for application compatibility versus NT5.0/2000.

> Considering that a large proportion of the patches in those SP's were
> for critical security issues,

Actually, it's deeper than that. Unless it is in a SP, many "point
patches" are _conflicting_. The biggest and most problematic one to
date (that goes _underreported_) were the 2 that _silently_ uninstalled
the patch that would have prevented SQL Slammer.

At the Fortune 100 company I was at, a lot of people's "bocks were on
clock" because management thought they weren't "keeping current." Thank
God for the release notes (as well as one article, from IDG I believe?)
that showed it wasn't because of "lack of patching."

I think there is a lot to be said when Microsoft blamed SQL Slammer on
"lack of patching" and did not even take responsibility in their
conference call and follow-up press releases -- when they _knew_ their
lack of "patch detail" caused it. Why? Because even their own
departments with SUS/SMS were hit, and hit hard! Those running 3rd
party patching solutions typically avoided getting hit.

My #1 question to _any_ prospective Microsoft Solutions Provider is what
patch management solution they deploy. Typically, the bigger they are
(e.g., MS Gold Partners), the more they push SUS/SMS. Finding that
rare, smaller integrator is _crucial_, because they know when to use the
"Microsoft answer" and when not to -- just for 100% _Windows_ networks.
;->

> I don't see how their software could be considered secure. To quote
> Bugs Bunny, "What a maroon"!

Pushing DLLs and new features through MS IE, features written for
"Chicago" and not NT, from '96 until '02 -- that's their Achilles' heel
right now. All those features, all _required_ by _any_ software written
in Visual Studio 5 through even 7+ (2000+) products -- all totally
_ignorant_ of the NT/Win32 security model.

And .NET is virtually _nowhere_ to be found. Except in, ironically,
current GNOME 3 development. Yes, GNOME 3 is most likely going to be
the most advanced .NET desktop when NT6/Longhorn client is released.

-- 
Bryan J. Smith                                    b.j.smith@ieee.org 
-------------------------------------------------------------------- 
Subtotal Cost of Ownership (SCO) for Windows being less than Linux
Total Cost of Ownership (TCO) assumes experts for the former, costly
retraining for the latter, omitted "software assurance" costs in 
compatible desktop OS/apps for the former, no free/legacy reuse for
latter, and no basic security, patch or downtime comparison at all.

