On Wed, 4 Dec 1996, BVE wrote:
> creates the exploit code, and a fix to prevent the problem (if the fix wasn't
> already provided by the discoverer). This is good. There is also an extensive
> reporting system for Unix bugs, and Unix vendors have been trained to respond
> quickly.
hehe, CERT? Not HP obviously if you look at what the SOD did to them.
> disseminate bug fixes. They certainly don't like to tell you what problems
> exist. For other reasons, they don't release their source (except at high
> cost). This prevents the easy discovery of theoretical problems, which would
> otherwise be corrected. Don't be fooled by security through obscurity! The
> hackers find the holes -- we might as well, too!
They don't release their sources, not normally. I believe you can get
educational licenses, and once a university gets those it's out.
Regardless, there are people with NT source code scouring it for exploits
and not releasing them; we just don't get a chance to fix them until MS
finds out or we get bit by them. The first thing I do with any OS
install is check all suid programs, turn off the ones I don't want, and then
the ones I leave on I either replace with my own versions, which I put
together myself and trust, or get them from a friend.
> Remember, the MS coders are human, too. Their code contains bugs, just like
> Unix. It's just a matter of finding them, so the decision is about the
> difficulties in finding and fixing them....
It depends on your threat horizon IMO. A small LAN internal to your
company can be protected by NT; I would trust NT to do that. I would also
trust NT to guard a publicly accessible network with no real sensitive
data on it. But for the clients I've worked with who have very sensitive
data (brokers, developers, etc.) I usually use a commercial firewall
product like Gauntlet (which I like) or MilkyWay Blackhole, which is pretty
kickin', and then replace a lot of the system software with my own.
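The setuid audit described above (find every suid program on a fresh install, keep only the ones you have decided to trust, turn off the rest) is easy to script so it can be repeated after every install or patch instead of being done by hand. The script below is an added example for this thread, not code from either poster; the function names (audit_suid, count_suid, drop_unlisted_suid, demo_dir) and the allowlist format are my own assumptions. It goes slightly beyond the post by comparing the findings against an explicit allowlist, so anything not on the list is cleared rather than judged one file at a time. The demo runs against a constructed temporary tree, never a real system root.

```shell
#!/bin/sh
# Added example: audit setuid/setgid binaries after an OS install.
# Helper names below are assumptions for this example, not from the thread.

# List every regular file under ROOT with the setuid or setgid bit set.
# -xdev keeps the walk on one filesystem so NFS mounts and /proc are skipped.
audit_suid() {
    root="$1"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Count them; useful to diff against the count recorded on a known-good baseline.
count_suid() {
    audit_suid "$1" | wc -l | tr -d ' '
}

# Clear setuid/setgid on every file NOT listed in the allowlist file
# (one absolute path per line). Files on the list are left untouched.
drop_unlisted_suid() {
    root="$1"
    allow="$2"
    audit_suid "$root" | while IFS= read -r f; do
        if ! grep -qxF "$f" "$allow"; then
            chmod u-s,g-s "$f"
            printf 'cleared setuid/setgid on %s\n' "$f"
        fi
    done
}

# Build a constructed demo tree: three fake binaries, two setuid, one setgid,
# and an allowlist that keeps only bin/passwd. Prints the tree's path.
demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/sbin"
    for b in bin/passwd bin/ping sbin/old_daemon; do
        printf '#!/bin/sh\nexit 0\n' > "$d/$b"
        chmod 0755 "$d/$b"
    done
    chmod u+s "$d/bin/passwd" "$d/bin/ping"
    chmod g+s "$d/sbin/old_daemon"
    printf '%s\n' "$d/bin/passwd" > "$d/allow.txt"
    printf '%s' "$d"
}

# Example run on the constructed tree (keep commented when sourcing on a real host,
# where you would call: audit_suid / and review the list before building an allowlist):
# d=$(demo_dir); audit_suid "$d"; drop_unlisted_suid "$d" "$d/allow.txt"; rm -rf "$d"
```

On a real host, run audit_suid against / first, save that list as the baseline, and only then write the allowlist; rerunning count_suid after each vendor patch shows at a glance whether an update quietly reintroduced a setuid binary you had turned off.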