Re: NT was written before the Internet says security expert

From: Bill Campbell (bill_at_celestial.com)
Date: 03/07/04 

Date: Sun, 7 Mar 2004 13:50:00 -0800

On Sun, Mar 07, 2004, Joe Dunning wrote:
>On Sun, 7 Mar 2004 13:05:34 -0800, Bill Campbell <bill@celestial.com>
>wrote:
>
>>
>>Buffer overflows have been around for a long time. Wasn't the Morris worm
>>a buffer overflow exploit of sendmail (one of the few *ix worms)?
>
>Not quite. It had 3 attack methods, including invoking the "debug" mode
>in sendmail and a buffer overflow in fingerd.

The point is that buffer overflow vulnerabilities aren't new, at least to
anybody with a bit of experience, and knowledge of systems other than
Redmond's.

I've always thought that one of Microsoft's main weaknesses has been a lack
of experienced software people. They've had a long history of hiring
people right out of college, or even those who've never graduated. These
people grew up thinking that DOS and Windows are Operating Systems, and
that BASIC is a programming language. They grew up on single user, single
tasking systems where every program owned the entire system so never
learned about things like memory protection, multiple processes accessing
devices and files, or user security.

Computer systems security is much more than firewalls, packet filter, and
similar technology, it's an attitude and an underlying awareness of
security issues. DOS and Windows started out life as a BDPL (Brain Damaged
Program Loader) for hobbyist hardware in the early '80s, and not as a
networked system subject to outside attack. No amount of bandaids tacked
on can overcome the basic lack of security (e.g. any running program can
read/write anything on the system. Add to this Microsoft's desire to make
their systems easy to use by the technically clueless to who security makes
things less convenient, and you have a recipe for disaster.

Bill 

--
INTERNET:   bill@Celestial.COM  Bill Campbell; Celestial Software LLC
UUCP:               camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/
``People from East Germany have found the West so confusing. It's so much
easier when you have only one party.'' -- Linus Torvalde, Linux Expo Canada
when asked about confusion over many Linux distributions.

Relevant Pages

  • [NEWS] Symantec VERITAS Multiple Buffer Overflows
    ... Get your security news from a reliable source. ... VERITAS NetBackup 6.0 Client ... Volume Manager Buffer Overflow: ... Database Manager Buffer Overflow: ...
    (Securiteam)
  • [NT] Multiple Vulnerabilities in JanaServer
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Windows platform can act as HTTP/FTP/NEWS/SNTP server, ... JanaServer up to 1.46 was freeware, ... HTTP server buffer overflow ...
    (Securiteam)
  • RE: Can we afford full disclosure of security holes?
    ... Can we afford full disclosure of security holes? ... |of the IIS buffer overflow that made the Code Red I and II worms ... Where the hell do you or anyone get off by saying that eEye's advisory made ... CodeRed is based off of another worm that was ...
    (Bugtraq)
  • [UNIX] Monkey HTTP Daemon Remote Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Monkey is a "Web server written in C ... * Monkey HTTPd version 0.6.1 ... A buffer overflow vulnerability exists in Monkey's handling of forms ...
    (Securiteam)
  • Logons container under the storage group
    ... What does logons container log in? ... It is kind of confusing. ... We had some security issues and I was looking into ... Outlook 2000 it does not happen, unless you right click on the busy line. ...
    (microsoft.public.exchange.admin)