Re: Windows: insecure by design?


From: Greg Small (gts_at_uclink.berkeley.edu)
Date: Mon Aug 25 2003 - 14:09:16 PDT


Aron,

The "biggest target" argument for Windows is still the dominant reason
for the number of attacks against Windows. You can endlessly argue
details pro and con but "biggest target" is still the main reason.
You rob banks because that's where the money is.

A little discussed cause of Microsoft's apparent slowness in adopting
"out of the box" locked-down systems is the huge third party software
market for Windows. A locked-down system would break a large number
of applications and cause a firestorm of customer complaints. It took
Microsoft years to bring along their third-party developers to the point
where they would accept a protected operating system such as XP Home.
Even in the business market they could barely drag customers and developers
into the protected NT and 2000 versions of Windows (and here at UCB too).
IBM fell on its sword with OS/2. Customers did not want the hassles of
a protected system. We, the customers, have gotten just what we insisted
upon! Now that the inevitable attacks have come, we scream that Microsoft
should have protected us and is not moving fast enough (even though most
customers are still dragging their feet).

We are facing a similar problem with email. We have enjoyed the convenience
of email and resisted every effort to make it secure and authenticated.
Now we have storms of junk mail from non-secured, unauthenticated sources.
Forged email will become an ever increasing problem. Are we prepared to
take on the task? Or just to look for someone else to blame?

greg small
Security Infrastructure Project
WSSG/WSS/IST
University of California, Berkeley

On networks paranoia is just good thinking!
Systems programmer for 36 and it is still fun.
---------1---------2---------3---------4---------5---------6---------7--
https://software.berkeley.edu/SecurityInfrastructure/
https://software.berkeley.edu/WSS_Security_Officer/
---------1---------2---------3---------4---------5---------6---------7--
P.S. The problem with most of the quantitative kinds of analysis such as
what Aron cited, is that they do not distinguish between severely obsolete
versions of Windows such as Windows 95/98/NT and more recent versions.
If such very obsolete versions are eliminated, Linux might move to the
top of the problems list.

At 12:17 PM 8/25/2003 -0700, Aron Roberts wrote:
> A perspective in the aftermath of Slammer, Zlez, Blaster, SoBig, and
> others, which have resulted in long hours for departmental computing
> support staff, as well as for the hard-working SNS and CNS folks ...
>
> On November 5, 2002, our campus security officer, Craig Lant, wrote (as
> appended below):
>
>>... the reason I don't recommend deploying services on Windows is
>>precisely because so many more vulnerabilities are found in Windows than
>>in any other platform.
>
> However, Craig tempered this by stating that Windows' market dominance
> is the reason that so many Windows vulnerabilities have been found,
> rather than any design characteristics intrinsic to this operating system.
>
> Here's an interesting article, in direct contrast to Craig's assessment:
>
> Rob Pegoraro
> "Microsoft Windows: Insecure by Design"
> Washington Post, August 24, 2003, p. F07
> http://www.washingtonpost.com/ac2/wp-dyn/A34978-2003Aug23?language=printer
>
> Some excerpts, with certain individual points annotated with bracketed
> numbers ("[1]"):
>
>>In its default setup, Windows XP on the Internet amounts to a car parked
>>in a bad part of town, with the doors unlocked, the key in the ignition
>>and a Post-It note on the dashboard saying, "Please don't steal this." ...
>>
>>[1] Windows XP Home Edition ... ships with five ports open, behind which
>>run "services" that serve no purpose except on a computer network.
>>
>>"Messenger Service," for instance, is designed to listen for alerts sent
>>out by a network's owner, but on a home computer all it does is receive
>>ads broadcast by spammers. The "Remote Procedure Call" feature exploited
>>by Blaster is, to quote a Microsoft advisory, "not intended to be used in
>>hostile environments such as the Internet."
>>
>>Jeff Jones, Microsoft's senior director for "trustworthy computing," said
>>the company was heeding user requests when XP was designed: "What
>>customers were demanding was network compatibility, application
>>compatibility." ... Now, Jones said, Microsoft believes it's better to
>>leave ports shut until users open the ones they need. But any change to
>>this dangerous default configuration will only come in some future update.
>>
>>In comparison, Mac OS X ships with zero ports open to the Internet.
>>
>>[2] Windows XP, by default, provides unrestricted, "administrator" access
>>to a computer. This sounds like a good thing but is not, because any
>>program, worms and viruses included, also has unrestricted access.
>>
>>Yet administrator mode is the only realistic choice: XP Home's "limited
>>account," the only other option, doesn't even let you adjust a PC's clock.
>>
>>Mac OS X and Linux get this right: Users get broad rights, but critical
>>system tasks require entering a password. If, for instance, a virus wants
>>to install a "backdoor" for further intrusions, you'll have to authorize
>>it. This fail-safe isn't immune to user gullibility and still allows the
>>total loss or theft of your data, but it beats Windows' anything-goes approach.
>>
>>[3] Windows XP includes basic firewall software (it doesn't monitor
>>outgoing connections), but it's inactive unless you use its "wizard"
>>software to set up a broadband connection. Turning it on is a five-step
>>task in Microsoft's directions (www.microsoft.com/protect) that must be
>>repeated for every Internet connection [e.g. broadband or dial-up - Aron]
>>on a PC.
>>
>>Mac OS X's firewall isn't enabled by default either, but it's much
>>simpler to enable. Red Hat Linux is better yet: Its firewall is on from
>>the start.
>
> To Microsoft's credit, some of the vulnerabilities in the default
> configurations of Windows 2000 and XP have been reported to have been
> removed in the company's latest OS, Windows Server 2003. Several of
> these reports have attributed these changes to Microsoft's much touted
> "Trustworthy Computing" initiative, as discussed on the company's
> one-year anniversary page,
> <http://www.microsoft.com/presspass/features/2003/Jan03/01-15twcanniversary.asp>.
> Another reflection of Microsoft's newfound security consciousness is its
> recent, blanket recommendation that customers enable XP's integral
> firewall <http://www.microsoft.com/security/protect/default.asp>.
>
> We can expect to see more changes in this direction from Microsoft over
> time, although they might seem slow in coming to beleaguered campus
> support providers, at least after the last several weeks :-(. An outside
> evaluation of the "Trustworthy Computing" initiative at the one year mark
> frankly identifies the long-term nature of this effort:
>
> Robert Lemos
> One year on, is Microsoft 'trustworthy'?
> CNET News, January 16, 2003
> http://news.com.com/2100-1001_3-981015.html?tag=rn
>
>>"We said that Trustworthy Computing is a 10-year project, sort of like
>>(President) Kennedy sending people to the moon," said Scott Charney,
>>chief security strategist for Microsoft. "We're (only) a year into it. ..."
>
>FYI,
>
>Aron Roberts
>Workstation Software Support Group
>
>---------------------------------------------------------------
>
>Date: Tue, 05 Nov 2002 14:18:13 -0800
>From: Craig Lant <craig_at_ack.berkeley.edu>
>CC: ucb-security list <ucb-security_at_uclink.berkeley.edu>
>Subject: Re: [Security] PR regarding attacks, vulnerabilities of various
>platforms
>
>Thanks Aron,
> This is a very interesting report and can, I think, be useful. I don't
> agree with the conclusions drawn in the report. Clearly the numbers
> simply reflect the number of deployed systems for each platform. The more
> systems there are of a particular type out there, the more attacks you'll
> see and the more vulnerabilities will be found. Duh! I certainly don't
> think it's valid to conclude that SCO Unix and Mac OS are less vulnerable
> than the others. It's not that they don't have as many
> vulnerabilities. It's just that fewer people are looking for those
> vulnerabilities. So, they just aren't found (yet). On the other hand,
> the reason I don't recommend deploying services on Windows is precisely
> because so many more vulnerabilities are found in Windows than in any
> other platform.
>
> Thanks,
> Craig
>
>Aron Roberts wrote:
>> No flames, please -- just some food for thought regarding the security
>> vulnerability of various computing platforms ...
>>
>> mi2g, a private computer security tools, services, and consulting firm
>> in the UK, issued a press release last week
>> <http://mi2g.com/cgi/mi2g/press/311002.php> (full text below),
>> identifying the numbers of 'overt attacks' and 'known software
>> vulnerabilities announced' for various software platforms, ostensibly
>> for a ten-month or twelve-month period ending at the date of the release
>> (October 31, 2002):
>>
>>                     Overt Attacks   Known Software Vulnerabilities
>>Platform             (in 2002)       Announced (in 2002)
>>--------             -------------   ------------------------------
>>Microsoft Windows    54%             44%
>>Linux                30%             19%
>>BSD Unix             6%              9%
>>Solaris              5%              7%
>>SCO Unix             0.2%            0.5%
>>Compaq Tru64         0.02%           1.9%
>>Mac OS               0.005%          1.9%
>>
>> As a rough first approximation, perhaps these numbers might be of some
>> value in at least retroactively assessing the risk profiles of various
>> OS platforms. (As noted in mutual fund literature: "past performance is
>> no guarantee of future returns." ;-)
>>
>> However, it is very difficult to know how much credence, if any, to
>> grant to these or any similar such set of figures (as noted in a
>> discussion of some apparent flaws in this press release, below), and how
>> any such numbers -- even more credible ones that might be available from
>> other sources -- might best be used to inform computing policy discussions.
>>
>>[Long discussion in the original omitted here ...]
>>
>>Aron Roberts
>>Workstation Software Support Group
>
>...
>
>-------------------------------------
>Sent via the ucb-security mailing list.
>
>------------------------------------------------------------------------
>The following was automatically added to this message by the list server:
>
>For information about Micronet, including subscribing to
>or unsubscribing from its mailing list and finding out
>about upcoming meetings, please visit the Micronet Web site:
><http://micronet.berkeley.edu/>.




This archive was generated by hypermail 2.1.5 : Mon Aug 25 2003 - 15:03:42 PDT