[ale] your new administrator, bill gates

Transam transam at cavu.com
Mon Jul 8 16:10:13 EDT 2002


> Date: Tue, 02 Jul 2002 17:37:48 -0400
> From: Dow Hurst <dhurst at kennesaw.edu>
> To: Josh Freeman <josh.freeman at arch.gatech.edu>, ale at ale.org
> References: <3D1F7561.2060000 at 3times25.net>  <3D21D525.2030408 at hopnet.net> <1025628385.13274.1.camel at reddwarf>
> Subject: Re: [ale] your new administrator, bill gates

> I am beginning to see how the big guys may have smart ideas once in a 
> while that could really help them such as Palladium, however, in their 
> hurry they make poor decisions based on trying to get control of the 
> market.  So they just don't get nearly as far as they could.  If 
> Microsoft tried to have a servant attitude toward the market things 
> would be quite different, except the quality would definitely have to 
> come up!!

... and, in theory, one could attach a compact nuclear reactor-powered
airplane to every pig in the world and make them fly.

> Dow

> Josh Freeman wrote:

> >Every time I am convinced that something has come along to really hurt
> >the Linux crowd (Palladium), M$ does something so mind-bogglingly stupid
> >as this to make it that much easier for me to make a case for taking my
> >office from a Windows shop to a Mac shop or, preferably, an all-Unix
> >shop.

> >While Palladium still could be a Bad Thing(tm) for the Open Source
> >Community, this sort of silliness hurts Microsoft. A lot.

One cannot fix thousands of bugs in millions of lines of code with a magic
bullet.  Palladium's promise of "we'll put magic in the hardware to fix this"
simply is a demonstration of the stupidity of the public and the laziness of
the media in not investigating absurd claims and M$'s policy of providing
lies instead of solutions to security.

To be specific, at thousands of points in M$ code decisions are made as to
whether to allow a certain privileged operation based on the credentials of
the process requesting the operation.  Due to its lack of "Rings of Security"
(sometimes called "Security In Depth") M$ has many more points where such
decisions are made than Linux, Unix, VMS, and other well-designed (in my
opinion) operating systems.

There is no way to "magically" intercept all of these thousands of points
of access from hardware and ensure the correct decision.  There is no way
to magically prevent buffer overflows either.  Nor is there any way from
hardware to modify the policy of some applications to run programs sent from
random users on the Internet.

Thus, Palladium is not technically valid, in my professional opinion.
It might be effective in slowing down the rush to Linux by current Windows
users who do not have the technical ability to accept or understand this.

The reason why Linux, Unix, VMS, etc. have substantially better security
than Windows (IMH) is that they carefully limit privileges to the root
user and the few other processes that root grants its access to.  Also,
generally, programs from the Internet are not trusted.  Improper configuration
of mail and browser tools can break this "not trusted" relationship, though.


Six months ago M$ promised they would fix the company's security bugs.
Two years ago M$ promised to provide Biometric solutions that would
magically fix its security bugs.

The rate of security bugs in M$ products in the first half of 2002 is almost
the exact same rate as was seen in 2001.

Bob Toxen
transam at cavu.com                       [Bob's ALE Bulk email]
bob at verysecurelinux.com                [Please use for email to me]
http://www.verysecurelinux.com         [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com/ [My 5* book:"Real World Linux Security"]
http://www.cavu.com/sunset.html        [Sunset Computer]
Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

> >Josh
> >
> >On Tue, 2002-07-02 at 12:30, Keith Hopkins wrote:
> >
> >>Geoffrey wrote:
> >>
> >>>http://www.theregister.co.uk/content/4/25956.html
> >>
> >>[snip]
> >>
> >>>"You agree that in order to protect the integrity of content and 
> >>>software protected by digital rights management ('Secure Content'), 
> >>>Microsoft may provide security related updates to the OS Components that 
> >>>will be automatically downloaded onto your computer. These security 
> >>>related updates may disable your ability to copy and/or play Secure 
> >>>Content and use other software on your computer. If we provide such a 
> >>>security update, we will use reasonable efforts to post notices on a web 
> >>>site explaining the update."
> >>
> >>Where is Nancy R. when you need her... "JUST SAY NO!"
> >>
> >>-- 
> >>Lost in Tokyo,
> >>   Keith
> >>
> >>---
> >>This message has been sent through the ALE general discussion list.
> >>See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> >>sent to listmaster at ale dot org.