On Wed, Oct 07, 1998 at 10:25:32AM -0400, Brett Lorenzen wrote:
> http://www4.zdnet.com/pccomp/features/fea0797/nt/welcome.html

It's generally well written, but completely misses the mark on
the security issue.

For example, it cites the number of CERT advisories (and even gives
a graph) as an indicator of Unix's security/insecurity.  Those of us
who have been around since before CERT was even formed are painfully
aware that it has never fulfilled its mission -- mostly because the
bureaucracy that runs it has stymied the effective flow of information.
Significant security issues (in Unix and other OSs and applications)
often go unreported by CERT for long periods of time as they engage in
full-blown CYA maneuvering instead of propagating information.

Additionally, there is great unevenness in CERT's coverage: given that
it was formed in the wake of the Internet worm of 11/3/88, its primary
focus was (and still is) Unix-based systems -- so it's no wonder that
the bulk of its advisories apply to Unix.

So using CERT as a barometer doesn't really yield any useful information.

The article *does* make the correct point that any OS can be rendered
insecure by incompetent administration.  What it misses, and this is
a major point, is that "black box" OSs whose source code is not available
are inherently less secure than those whose source code is available,
and therefore subject to critical review, attack, and revision.

It also misses the mark by not separating the issue of secure/insecure
applications from secure/insecure OSs.  If the Apache web server turns
out to have a hole in it, is that a Unix problem, an NT problem, or
an Apache problem?  (I vote for the last.)  If the applications themselves
are stripped away and the basic OS *only* is tested, then NT loses big-time,
especially in the area of denial-of-service and resource exhaustion
attacks, to which it's notoriously vulnerable.

Finally, one of the basic tradeoffs in any security assessment is
security vs. functionality.  Systems which offer more of the latter
usually suffer from more of the former -- the question then becomes
whether or not the risk/reward balance is favorable.  Unix systems
are multi-user and multi-tasking (and always have been); they've
also been built to support MIMD architectures (Sequent, Solbourne, Sun)
and realtime control (DMERT, Masscomp).  Some of the security problems
we've seen over the years are the result of these attempts to provide
functionality -- most of which NT is just starting to reach for.
My guess would be that as it does so, like any OS, it too will suffer
through growing pains which include major security holes.

---Rsk
Rich Kulawiec
[EMAIL PROTECTED]