computer clocks

That seems unlikely somehow... have a look at some of the graphs of Apache Vs the rest here:-

formatting link

John Rumm

You need to think a little bigger!

What would be the most reliable way of wiping a corporate web site from the 'net; DDoSing it with an army of zombies, or completely isolating it by hacking the core routers?

How much could you extort from a major telecoms company if you could take out a slice of their VoIP traffic?

What would you rather do, phish someone's online banking details, or get a backdoor into the bank's web server instead?

Imagine the extortion potential if you had hacked a router to duplicate and deliver a complete copy of all of a multinational's external email and VoIP traffic to you as well?

The source for IOS has already been leaked... there was also at least one competitor accused (but never proven since they settled out of court) of using something very like it on their own range of routers.

John Rumm

Another example of marketing triumphing over engineering. In the case of NT the core OS was originally designed by Dave Cutler and his team (the same people who built the rock solid VMS system for DEC). It was well partitioned with isolation between kernel and other core parts of the system. This made it well suited to being a server OS.

Alas the desire to get better performance on the desktop has resulted in conflicting requirements as MS try to make Windows all things to all men. With ever more functionality being moved into the kernel space (Win32 API, Graphics sub-system etc), to get a better "user experience".

John Rumm

Not to the extent they used to. NT3.51 excluded the APIs (Win32, Posix, OS/2) from the kernel along with things like the GDI. Alas these boundaries have been further eroded with each subsequent release as more and more of these have moved into kernel space to get more performance from them. The fact that things like large lumps of the GDI have evolved from the Win9x codebase, and have then been artificially welded to bits of IE should also be cause for concern.

John Rumm

That's an acceptable way of putting the point.

And less irritating to the reader. I can't understand why senders use it, even MS users have the option. You're never going to see me doing it and when I reply to a friend who does use it I always convert to text.

Mary

Mary Fisher

So you do this every time you look at a file? It would make web browsing rather laborious in my opinion.

I don't use Windows for any web activities though.

usenet

Betamax and V2000 buyers looked for quality over commonality. This tends NOT to describe the IE/OE/MS brigade.

Andy Luckman (AJL Electronics)

Ah, but how do I know you are who you claim to be.

You might be a mad hacker/axe murderer/IMM sitting outside of Geoff's house having hacked his wireless network...

Darren

dmc

Well the things relating to setup and choice of software are fit and forget one off operations. The latter steps would only come into play if I had doubts about the site I was visiting. Since most of the time I am going to recommended sites, or ones I regularly visit however, it is not usually an issue.

John Rumm

Come to think about it isn't this rather tautological! :-)

Every link you follow is effectively a new site, there is no guarantee at all that it is as 'safe' as the site from which it's linked.

I doubt if 1% of the sites I visit are ones I've visited before.

Surely you use Google to research things like holidays etc.

I've recently been looking for gîtes in Morocco, I can just about guarantee that all the sites I visit as a result of a Google search for accommodation in Morocco I will never have visited before.

usenet

An 'alternative browser' is already doing quite well, even the somewhat biased statistics from sites which simply log the browser ID indicate that Mozilla/Firefox now have a significant and increasing share of the browser 'market'. IE has dropped below 90% and the trend is continuing.

I believe this is for a number of reasons:-

People *are* listening to discussions like this which air the vulnerabilities of IE.

The BBC has been recommending FireFox for a while.

Firefox's pop-up blocking is a wonderful feature, when I used IE recently I realised how much I was 'missing' by using FireFox most of the time.

FireFox and Mozilla's tabbed browsing is something I really can't live without now. I suspect quite a few other people feel the same way.

usenet

Not just them:

formatting link

Rob Morley

Ah - a challenge! Let's see if I can do it in under 30 lines. No, this line doesn't count. Nor does this one.

The roots of Windows are in providing a graphical user interface layer on top of a small, single-user machine. That single user is/was assumed to have full authority to do anything at all on the machine - access all memory, all disks/files, perform arbitrary input-output operations on all devices. This absence of "privilege separation" was total for all versions of Windows before NT: so, the ol' Windows 3.1 on top of DOS, Win95, Win98, WinME. Importantly, the business model that MS pursued on top of this technology was to offer terms to PC builders which made it financially lunatic for them to offer any other operating system (OS) alongside Windows, to attract as many third-party developers of hardware and software products to their OS, and to keep the interface specs for Windows technologies changing just fast enough to make it possible to keep up but not to also track other OSes. During this critical market-acquisition phase, stuff which made it harder to develop for Windows or harder to use was *right* *out* - and that included security.

The Unix world - where Linux lives - started from a very different place. Its roots are as an OS to let a number of "unprivileged" users share an expensive, well-administered mainframe, while still allowing those individual users to do their own software development. By default, there's little an "ordinary" user running an "ordinary" program under Unix/Linux can do to najjer the whole system or other users on the same machine. Throughout the initial growth period of the PC (1980s/early90s) Unix-on-PC scarcely existed; and the software packages which ran on Unix were specialised "big-iron" things - "serious" databases, and some specialised scientific/engineering stuff. It kept a place in university Computer Science departments because of relatively open licensing conditions for those users.

By the early 90s, MS had ambitions for a "grown-up" OS. They developed the core - the "kernel" - of NT around then. (At least they ripped off a good design - they bought in Dave Cutler and others from DEC, who were shown in a subsequent legal action and settlement to have incorporated chunks of design and actual code from their earlier employer in NT.) NT - on which Win2000, WinXP, and future MS OSes are based - does have "privilege separation". However, it isn't necessarily *used* widely. For concrete examples: in their older 3.51 release of NT, MS left the graphical user interface stuff "outside" the kernel, running at a less privileged level. But this slowed things down too much - made a PC running NT 3.51 feel really sluggish next to a W95 box. So, they yanked all of that code into the kernel - improving performance, but making it a lot easier for poorly-written or malicious software to do Bad Things to the whole system. Similarly, XP "Home Edition" means all the software you run (both "deliberately" and that's run on your behalf) does so as "Administrator", with effectively unlimited rights. Only in the last couple of years have MS started to act to make security be of the same order of importance as ease-of-use.

This business of "privilege separation" is the technical heart of why viruses, worms, and the whole clan of malicious software has a significantly easier time spreading under Windows than under Linux or the other Unix-derived OSes (OpenBSD, NetBSD, FreeBSD, and Mac OSX): under the Unix model, the user environment in which some piece of unwanted code gets to run is restricted; under the Windows model, it's significantly less restricted.

What's massively frustrating about this to computer professionals is that it's all blindingly obvious and inevitable, and was being warned about throughout the last 15 years and more. And much as it's been economic pressures which have led MS to rationally prioritise features over security, many believe it's only a change in the imposed economic climate - making software producers liable for the foreseeable damage their design decisions cause - which will change the industry's behaviour.

Damn, over the 30 line mark. Ah well. Hope it helps someone... Stefek

Stefek Zaba

Spyware Blaster includes protection for Mozilla/Firefox, so that cannot be free from vulnerabilities either.

There are plenty of third party applications, including freeware, to stop them in IE too.

Colin Bignell

nightjar

I was comparing MS to VHS, not to Betamax and the point is that there is a lot more to a successful product than simply being the best.

Colin Bignell

nightjar

Maybe, but the types of vulnerabilities the Morris worm exploited are still around - a buffer overflow in fingerd and a privileged debug mode in sendmail, AFAIR. Buffer overflows are still a common method of attack, and sendmail's had 10+ years of after-the-fact "hardening" but still isn't seen as "safe out of the box" by many. The cautious commentator therefore uses words like "significantly harder" when comparing damage and propagation prospects for malicious software under *nix to its prospects under Windows, rather'n "impossible".

Unless, of course, they're in marketing ;-)

Stefek Zaba

I run it on Linux so that's not really relevant to me.

Yes, but for 'out of the box' usability FireFox wins. As everyone has been saying your average 'man in the street' doesn't want to have to add things on to their basic applications to make them work well.

usenet

Sorry - but either you read wrong, or you read "Windows Developer" ;-) Month-by-month server surveys are over at

formatting link
As webserver software goes, Apache dominates IIS by over 2:1. Some of that Apache runs on Windows, but more often it's on a *nix - a Linux, Solaris, or BSD most usually.

The "by volume of bytes served" surveys I've seen - rather than the "by number of sites" - show an even greater dominance for the non-MS OSes. Of the "top 50 by traffic" Websites, I seem to recall the MS-powered ones being in the single digits.

Where MS websites do dominate is in "business enthusiast" sites - SMEs who are either putting their company brochure and "email us!!!" on the free webspace provided by their ISP, or are paying a web-hosting company to do some Web Presence for them. Since most of these companies run MS in the office, it's a more familiar environment for their (possible part-time) IT people to prepare and share content in - FrontPage Is Your Friend.

HTH - Stefek

Stefek Zaba

Not on anything like the same scale! Yes, there's been at least one documented failure in the *implementation* of the Java sandbox. Contrast that with ActiveX - "sandbox? wot sandbox? you wanna run on my machine? go ahead!". It's almost as if *design* matters, as well as implementation ;-)

Stefek Zaba

Well, its roots were actually to let two or three unprivileged users play a space war game, on a small minicomputer...!

It's interesting that the earlier design was VMS (developed in the mid 1970s). Go to the next letter in the alphabet in each case.....

Shades of HAL, the computer in '2001'. In both cases the derived initials are said to be an accident, though.

Bob Eager
