Date: Wed, 04 Dec 1996 14:33:51 +1000
From: Steven Herod <sherod@medeserv.com.au>
William Beem wrote:
> More likely that most folks don't know about the security holes in NT yet.
> UNIX holes receive a fair amount of attention, which often causes a furor
> and a fix. Microsoft remains rather tight-lipped about holes in Windows
> NT.
I'd have to disagree with that; a hole in NT would cause just as large a furor
as one in Solaris or Netware, for that matter. After all, it's Microsoft's
flagship OS. "The way of the future...". I'd certainly yell loudly.
The problem, IMHO, is finding the bugs, and then advertising their existence,
and their fix. MS doesn't let you see the source; Unix does. While you or I
may not care to look at it, there are many who do. If you watch some other
security lists (like Bugtraq), you will find that people regularly scour the
various Unix sources for buffer-overruns, etc. They then report on a
"weakness, which may or may not be exploitable." Often, someone else then
creates the exploit code, and a fix to prevent the problem (if the fix wasn't
already provided by the discoverer). This is good. There is also an extensive
reporting system for Unix bugs, and Unix vendors have been trained to respond
quickly.
My perception is that MS, on the other hand, does not work quite so hard to
disseminate bug fixes. They certainly don't like to tell you what problems
exist. For other reasons, they don't release their source (except at high
cost). This prevents the easy discovery of theoretical problems, which would
otherwise be corrected. Don't be fooled by security through obscurity! The
hackers find the holes -- we might as well, too!
Remember, the MS coders are human, too. Their code contains bugs, just like
Unix. It's just a matter of finding them, so the decision is about the
difficulties in finding and fixing them....
-- Bill Van Emburg
Phone: 908-235-2335 Quadrix Solutions, Inc.
Fax: 908-235-2336 (bve@quadrix.com)
Check out http://yourtown.com! (http://quadrix.com)
"You do what you want, and if you didn't, you don't"