On Sun, 13 Jun 1999, Jean Morissette wrote:
> Date: Sun, 13 Jun 1999 20:36:07 -0400
> From: Jean Morissette <[EMAIL PROTECTED]>
> To: Jason Axley <[EMAIL PROTECTED]>
> Subject: RE: Why not NT?
>
> Hi Jason,
>
> Could you elaborate on :
>
>
> C2 certification really means nothing when, for example, there are about 5
> ways of becoming Administrator on an NT4 system _with SP4_.
Certainly. If you could elaborate on which area you don't understand I
can give a more targeted response but I'll take a stab at it anyhow :-)
Many people see C2 certification as some great measure of an operating
system's security. However, it is not the only, or the best, measure of
platform security. For example, it is worthless if the OS that has been
certified has egregious security flaws in it. e.g. there are several
widely-known security flaws in NT4 w/ SP4 that allow users to become
Administrator. If any user can take over the machine, does your 'C2
inside' sticker protect you?
-Jason
>
>
> Thank you!
>
> Jean Morissette
> Senior network architect
> MCSE
> MCNE
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Jason Axley
> > Sent: Wednesday, June 09, 1999 11:21 AM
> > To: Ryan Russell
> > Cc: Brian Steele; [EMAIL PROTECTED]
> > Subject: RE: Why not NT?
> >
> >
> > On Mon, 7 Jun 1999, Ryan Russell wrote:
> >
> > > Date: Mon, 7 Jun 1999 22:52:50 -0700
> > > From: Ryan Russell <[EMAIL PROTECTED]>
> > > To: Brian Steele <[EMAIL PROTECTED]>
> > > Cc: [EMAIL PROTECTED]
> > > Subject: RE: Why not NT?
> > >
> > >
> > >
> > >
> > > >Care to elaborate on this "buggy and insecure" RPC thingy?
> > > >
> > > >I thought the security problems with RPC were hotfixed ages ago.
> > >
> > > That nicely elaborates the point of this whole discussion...
> > >
> > > ONE rpc hole was found and patched.
> > >
> > > The NT security optimist believes that that was the only
> > > hole, and all is fixed now.
> > >
> > > The NT security pessimist believes that that was only the first
> > > in a long line, and if only one has been found so far, we have
> > > many, many more to go before we have a mojrity of them fixed.
> > >
> >
> > This is a good point. Remember security as a moving target (it's a
> > process, not an end state).
> >
> > The thing about the RPC service is that at least _two_ denial of service
> > bugs were found because the RPC service can't deal with arbitrary data
> > spouted to its port. Do you _really_ think that MS has completely
> > rewritten the RPC service to sanity check all user-inputted data?
> > That's the only way to truly fix this kind of problem. If you
> > think that, then why was a second bug of the same nature found long after
> > the first fix? Because they didn't fix the real problem--only that
> > particular _symptom_. The fixes are superficial bandaids + bubble gum +
> > duct tape + baling wire. If you think this is an isolated incident, look
> > at some of the IE bugs that get "fixed" but then a variant comes out that
> > works just as well as the original.
> >
> > Deep Thought: Just think of all of the bugs that have been found in NT
> > _without_ source code. Now imagine if anyone ever looked the source how
> > many bugs would be found... Now add 30 million lines of code and think
> > about this again (win2k)... Complexity is the enemy of security.
> >
> > C2 certification really means nothing when, for example, there are about 5
> > ways of becoming Administrator on an NT4 system _with SP4_.
> >
> > -Jason
> >
> > AT&T Wireless Services
> > IT Security
> > UNIX Security Operations Specialist
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
>
>
AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
