Date: Wed, 04 Dec 1996 14:33:51 +1000
From: Steven Herod <sherod @
William Beem wrote:
> More likely that most folks don't know about the security holes in NT yet
> UNIX holes receive a fair amount of attention, which often causes a furor
> and a fix. Microsoft remains rather tight-lipped about holes in Windows
I'd have to disagree with that, a hole in NT would cause just as large a
as one in Solaris or Netware for that matter. After all it's Microsofts
OS. "The way of the future...". I'd certainly yell loudly.
The problem, IMHO, is finding the bugs, and then advertising their existence,
and their fix. MS doesn't let you see the source; Unix does. While you or I
may not care to look at it, there are many who do. If you watch some other
security lists (like Bugtraq), you will find that people regularly scour the
various Unix sources for buffer-overruns, etc. They then report on a
"weakness, which may or may not be exploitable." Often, someone else then
creates the exploit code, and a fix to prevent the problem (if the fix wasn't
already provided by the discoverer). This is good. There is also an extensive
reporting system for Unix bugs, and Unix vendors have been trained to respond
My perception is that MS, on the other hand, does not work quite so hard to
disseminate bug fixes. They certainly don't like to tell you what problems
exist. For other reasons, they don't release their source (except at high
cost). This prevents the easy discovery of theoretical problems, which would
otherwise be corrected. Don't be fooled by security through obscurity! The
hackers find the holes -- we might as well, too!
Remember, the MS coders are human, too. Their code contains bugs, just like
Unix. It's just a matter of finding them, so the decision is about the
difficulties in finding and fixing them....
-- Bill Van Emburg
Phone: 908-235-2335 Quadrix Solutions, Inc.
Fax: 908-235-2336 (bve @
Check out http://yourtown.com! (http://quadrix.com)
"You do what you want, and if you didn't, you don't"