Announcement

**Solver** · September 4, 2003, 11:52

Although when 90% of the stupid users will have their password as a date, a short sequence of consecutive numbers, the word "password" or their own name it will have very limited effectiveness.

At least an automated scan of network computers for unprotected accounts won't work.

No, no and no. As Asher pointed out, other OS'es have just as many flaws. They just don't have as many users, so it doesn't get as much publicity.

Will someone point me to a Linux flaw as dangerous as DCOM RPC one?

They have the difficult task of creating an easy-to-use OS that at the same time is complex enough to satisfy experienced users.

True, a very difficult task. But sometimes, I just get the feeling that parts of their software are poorly coded - not just regular flaws. Of course, I can't exactly judge it...

**Asher** · September 4, 2003, 11:53

Originally posted by Solver
Asher,

While the media love to critcize MS more, Linux doesn't have as many security issues.

This is a common misconception. Linux accounts for more corporate compromises every year than Windows, and Linux is on a small fraction of the number of machines. Further, on my Mandrake 9 box I was downloading no less than a dozen security updates for various packages every week.

True, but software such as Visual Studio, which is very compliciated, has no such issues.

And does this surprise you?
Visual Studio is a development studio and compiler, and is used by people who know what the hell they're doing. So is it any wonder why it doesn't have security issues, compared to an OS which manages an entire computer (network, disks, etc) with 90% of the users being totally clueless?

VS isn't a target. There's probably loads of potential security vulnerabilities, but it'd be a ***** to get any of them used since the users are computer literate, and they don't run all of the time.

May I remind you about the Shatter vulnerability, though. The hole has been there for what, 10 years? And they say it can't be even fixed...

Shatter vulnerability? Please.

The "vulnerability" is it allows you to use VPN software remotely to log into accounts which you granted remote access, and have full access to the computer.

I wonder why it's unpatched...maybe because people want that "hole"?

**MikeH** · September 4, 2003, 11:54

What do you mean No? That's exactly my point. People see computers as tools like televisions or food processors and expect them to work like that. It might be obvious to you (and me) that that isn't the case but a very high proportion of home PC users know next to nothing about computers, and don't want to know either. They just want it to work.

Microsoft have actively promoted the idea that their OSes are easy enough for anyone to use which isn't quite true because you do need some knowledge to maintain a windows system.

I didn't say it was easy, of course it isn't.

**Asher** · September 4, 2003, 11:57

Originally posted by Solver
Will someone point me to a Linux flaw as dangerous as DCOM RPC one?

สล็อตเว็บตรง ฝากถอน ไม่มีขั้นต่ำ เว็บสล็อต ระบบ AI อัปเดตใหม่ 2025

http://www.ciac.org/ciac/bulletins/l-067.shtml

จัดหนักด้วยระบบออโต้สุดล้ำ กดปุ่มครั้งเดียวนั่งรอรับเงินได้เลย สะดวกสบายแบบสุด ๆ เล่นกับ สล็อตเว็บตรง ได้ตลอด 24 ชม. แถมมือใหม่ก็เล่นง่าย

**Solver** · September 4, 2003, 11:58

VS isn't a target. There's probably loads of potential security vulnerabilities, but it'd be a ***** to get any of them used since the users are computer literate, and they don't run all of the time.

While it's obvious that 99% of people who use VS are very advanced users, I'm not sure if there actually are any possibly holes in it.

The "vulnerability" is it allows you to use VPN software remotely to log into accounts which you granted remote access, and have full access to the computer.

The vulnerability is that, if you can attach a debugger to a service running as localsystem, you can execute shellcode with localsystem rights.

**spartak** · September 4, 2003, 12:00

Hoe did I know Asher would have posted in this thread?

**Asmodean** · September 4, 2003, 12:00

But you did blame MS for their marketing, no.

When you install windows, it's default settings should be enough to keep everyone out of trouble, what with automatic updates and (for XP) firewall turned on. It's when people tinker with what they don't know about that things go wrong. And then, after they have tinkered with what they don't know about, they go blaming MS. That, frankly, p_isses me off

Asmodean

**Whaleboy** · September 4, 2003, 12:01

WHO CARES?!?!?!?!

There are more important things to worry about than a few megabytes of code!!

I have a new pragmatic attitude with such things which are of no significance to me. I dont care about windows and linux. I use the best system for me. If there are problems with windows, i'll patch it and use a firewall!

Its nothing to get psycho about. I'll let microsoft lose sleep over it, I dont really give a damn.

**Solver** · September 4, 2003, 12:03

When you install windows, it's default settings should be enough to keep everyone out of trouble, what with automatic updates and (for XP) firewall turned on.

Not exactly. As you know, with default setup, the first user created has admin rights. There's the "Administrator" user, but the next one also has admin. Now, what does this mean? This means that a malicious program can modify the registry and do anything, if ran.

I don't care, though, if anyone would run a malicious program on a Linux box. Worst they can do is erase all of their folder, but not kill the system.

**Asher** · September 4, 2003, 12:03

Originally posted by Solver
While it's obvious that 99% of people who use VS are very advanced users, I'm not sure if there actually are any possibly holes in it.

And what do you base that off of?

The vulnerability is that, if you can attach a debugger to a service running as localsystem, you can execute shellcode with localsystem rights.

Oh, that one. Fixed years ago.

Vulnerability Security Testing & DAST | Fortra's Beyond Security

http://www.securiteam.com/windowsntfocus/5EP0L0U75S.html

Secure your applications and networks with the industry's only network vulnerability scanner to combine SAST, DAST and mobile security.

**Solver** · September 4, 2003, 12:06

And what do you base that off of?

Never had to patch my VS because of my computer restarting if I add a new class to my program

.

Do you keep a database of all flaws and their solutions, or what?

**Asher** · September 4, 2003, 12:07

Originally posted by Solver

Not exactly. As you know, with default setup, the first user created has admin rights. There's the "Administrator" user, but the next one also has admin. Now, what does this mean? This means that a malicious program can modify the registry and do anything, if ran.

I don't care, though, if anyone would run a malicious program on a Linux box. Worst they can do is erase all of their folder, but not kill the system.

That's another thing that amazes me about most Linux users -- they don't understand that this is one of the main reasons Linux is such a pain in the ass to use.

Windows is easier to use, by default. Windows is not incapable of the same stuff Linux does by restricting accounts (actually, Windows has more advanced ACLs, but we won't go there...), but customers simply don't want that. Then they *****.

But if MS made you a limited user by default, a lot of people would be confused and calling tech support, and end up making their account Admin anyway for ease of use...

**Solver** · September 4, 2003, 12:09

That's another thing that amazes me about most Linux users -- they don't understand that this is one of the main reasons Linux is such a pain in the ass to use.

As a Linux user, I don't care if it's a pain in the ass to use

. For whenever I need to install a new program, it's not a pain for me to type su in console

.

In Windows, they could simplify it... for limited users, instead of simple "You need admin privileges" message, show up a prompt for admin password...

**Asher** · September 4, 2003, 12:09

Originally posted by Solver
Never had to patch my VS because of my computer restarting if I add a new class to my program

.

So somehow this means it doesn't have potential security vulnerabilities? Fascinating logic, Solver.

Do you keep a database of all flaws and their solutions, or what?

Yes, I call it "Google".

**Solver** · September 4, 2003, 12:10

So somehow this means it doesn't have potential security vulnerabilities? Fascinating logic, Solver.

I know

.

Yes, I call it "Google".

Thought so

.

Announcement

Microsoft screw up again

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment