Paul Thurrott says Linux is most INSECURE



sandman45654
On a re-read of the link, it mentions nothing about being multi-user.  As far as I know, you cannot have multiple users logged into a box (real user logins, not networked access to a database or web server) and working independently at the same time.

Nice new feature.  It is about time that Microsoft finally is getting around to setting up their OS in a reasonable manner when it comes to security.  However, why does MS seem to continually cripple these important features and not include them in their lower-end versions (the above Win2k3 Server feature is not available in the XP Home version, which is their current release for home users)?  They also seem to prefer (for obvious financial reasons) that people purchase an upgrade to newer releases, rather than fix the older versions (98, Me, NT, Win2k?).

Their actions don't always make sense to me.


I forgot to mention the article was based on performance, more along the lines of multi-tasking and not on multi-user capability. My mistake, I apologize.

Run-as has been around for a while now, at least since Win2k. Run-as is in XP Pro and I believe in XP Home as well. I do not have an XP Home install disc or I would check.

Windows 95-WinMe were built on the same kernel. The upgrades were supposed to fix the previous versions but didn't. Things only seemed to get worse the more they fiddled. Windows 98 was released to fix Win95, Win98se was released to fix Win98, WinMe was released to fix Win98se. But no matter how much they tried to mold the pile of dung that was the Win9x kernel it always remained a lump of sh!t. MS was making $$$ and at the time there really wasn't much of an alternative so I doubt they cared. Now though I believe they have realized half-assed upgrades will lose them more money and market share than it will gain. They know people will (and do) go to other OS's so they have been forced to get their act together if they want to keep making money. Now that Microsoft has switched to the NT kernel (thank the lord lol) they do fix old versions. WinNT4 has 6 service packs, Windows 2000 has 4, XP has 2.

El_Cu_Guy
If Linux is insecure, why are most hosting services based on BSD??
Got any statistical data to back that up? Most hosting companies offer a choice of what OS you'd prefer.
the above Win2k3 Server feature is not available in the XP Home version, which is their current release for home users)

Right click a program and choose Run as... (it's right under Open). Works with XP Home. However, you must switch the program back when you are done. The major problem here is that if you are not currently logged in as admin the option to run it with restricted privileges is not available. Therefore if you are logged on as a normal user and want to run it under the admin account you must right click it then choose the second option which doesn't allow for restrictions. You must then go through the whole process again to switch it back.

I always laugh when I remember how Bill Gates once said that NT would be a better Unix than Unix. :woot: :p :woot: :p :woot:

Brandon Live

"Nice new feature."

It's not a new feature. RunAs has been around since NT 3.51.

Brandon Live

Posters in this thread have mangled the facts so many times I don't even know where to begin.

First, the "NT is not multi-user" nonsense.

MS-DOS was a single-user operating system. The user interacted directly with the operating system on a one-to-one level, and there was no true "user space."

Windows 95 and the rest of the 9x line (which evolved directly from MS-DOS) were also single-user OSes, but contained features that gave the appearance of limited multi-user functionality. File and directory security on 9x platforms was very, very much an afterthought. But then, 9x was never designed for a high security network environment.

Windows NT was. NT was built with the intention of creating an entirely modular OS that took to heart the concepts of threading, user space, file/directory security, multi-user environments, and a networked infrastructure. Much of NT's foundation was based on ideas and implementations from VMS.

Ironically, it was Linux that began as a single-user OS, with multi-user support patched in as the OS matured. Only in kernel 2.6 did Linux finally achieve competent thread management and user space separation - a large step in its goal to match traditional Unix (and these days, BSD) as the network platform of choice.

But back to NT...

Everything about NT's design screams multi-user. I don't know how anyone could even begin to claim otherwise.

Unfortunately, Microsoft was forced to make some compromises in NT's development which have hindered its reputation. Specifically, they merged it with the 9x line of products.

The goal was an admirable one... to bring the stability and security of NT to the home. The need for this step only gained importance as the internet grew and especially as the transition to broadband was quickly underway.

Windows 2000 was the second attempt to make that happen. But it didn't, entirely. It wasn't until Windows XP that DOS was finally laid to rest.

But both Windows 2000 and XP faced several issues regarding compatibility with Win32 and the rest of the baggage that Windows 9x brought along. One major part of that was the whole "user space" idea. Programs written for Windows 9x had no concept of user space. They were programmed with the assumption that they'd have unlimited reign over the system while they were running.

Part of this was overcome with the Windows On Windows VM. If you weren't aware, Windows 9x applications actually run in a virtual machine on Windows 2000/XP. It's a very, very good one and is generally 100% transparent to the user. But it is there. Without it, Win32 instructions would not be understood by the NT kernel.

Still, even with WOW16 and WOW32, Microsoft couldn't achieve the level of compatibility that their customers wanted without making even more changes. One of those (a massively unfortunate one, looking back) was to make the default account for home users a member of the Administrators group. This gives Win9x programs the access they expect, for the most part. They also moved certain drivers (mainly display drivers) to run in kernel space. Compatibility with older DirectX games required that change.

Brandon Live

Ever since Windows NT 3.5 (the first version), NT has supported multiple users through terminal emulation. Processes themselves are run in user space, specific to the user that executed them.

Windows NT 4.0 brought Terminal Services into the mix. Terminal Server's goal was basically the same as a VNC server or Citrix server. Except that Terminal Server was designed to provide more direct interaction with the OS, as opposed to the traditional "send an image of the screen to the terminal" method.

Windows 2000 Professional and XP Pro include a limited Terminal Server program. It's known as Admin-RCP, and can be enabled in the "System Properties" control panel. It allows one outside connection to the system via RDP (Remote Desktop Protocol - the modern name for the protocol used by Terminal Services).

Windows 2000 Server and Windows Server 2003 allow a virtually unlimited number of simultaneous users depending on your licensing situation.

The same user can even be logged in more than once. Windows treats each login as a completely separate session, although (with proper privileges) a user can connect their console to another session if needed.

All Windows NT systems also support login through Telnet and other similar services.

The multi-user model in NT is very similar to that of FreeBSD. File/directory permissions, user accounts, groups, and access restrictions are all laid out in an almost identical manner. The main difference is the terminology used.

LaNcom

It's true that NT is a multi-user OS in general. But, in my experience, a limited user account is not suited for 'normal' use (home use, games, multimedia, but also for demanding workstation uses like audio, video or 3D editing). Or maybe you need to be a MCIP (Microsoft Certified Illusion Provider) to set it up correctly. In my company, we had to set up a single Windows workstation some time ago for a single application, and I tried to configure the system to run with limited privileges. The workstation should be used for 3D (Softimage|XSI) and texture editing (Bauhaus Mirage), and both applications _crawled_ on a limited account - I've never seen anything _that_ slow, it was running at about 10% of the usual speed.

It was also not possible to write a CD (to backup data) without becoming root, audio was slow as hell, even WinAMP lagged. Plus, most applications are unable to be installed by a normal user (something very possible with Linux/ UNIX), because the setup insists on root privileges or the application wants to copy stuff to the Windows directory (why should anyone be forced to install an audio player or a web browser system-wide???).

To keep a long story short, two days later I installed Linux on that system, and we're now using Aura for texture editing (XSI is available for Linux, anyway).

So, it's my impression that even if Windows might be securable for servers, for home use it's cumbersome or even impossible to run the system without administrator privileges...

BTW, regarding Linux servers getting 'hacked' more often: it's a fact that hacking Windows servers is considered easy by most hackers, so you'll have to hack Linux or UNIX to prove yourself. Also, most statistics about the security are heavily flawed - I remember an old study MS had on their website that stated that Windows was more secure - but they left out downtime caused by virii, a non issue on Linux and the most important cause for downtimes.

El_Cu_Guy

I just got done reading through some of these posts and I must say that I find it rather amusing. While having little to do with security or the subtopic of multi-user support, but instead trying to explain away the short-comings of Windows, I'll reply anyway.

Windows 95 and the rest of the 9x line (which evolved directly from MS-DOS) were also single-user OSes but contained features that gave the appearance of limited multi-user functionality.
Windows 9x, Me evolved more directly from the Windows Operating Environments not DOS. In the eyes of the new crop of computer users yes. They were limited to profiles by which each user could potentially have a customized desktop and start menu. It didn't work properly.
File and directory security on 9x platforms was very, very much an afterthought. But then, 9x was never designed for a high security network environment.

File and directory security is non-existent. Windows was designed to be used in networks as merely a client OS. For any type of security you had to look to the NT workstations.

Windows NT was. NT was built with the intention of creating an entirely modular OS that took to heart the concepts of threading, user space, file/directory security, multi-user environments, and a networked infrastructure. Much of NT's foundation was based on ideas and implementations from VMS.
Yeah yeah we know the story, Mach, VMS, Prism, and Mica, blah blah blah.
Ironically, it was Linux that began as a single-user OS, with multi-user support patched in as the OS matured.

Yes yes we all know the story. I just find it hard to believe that you would think this is somehow different than a number of other developments.

Unfortunately, Microsoft was forced to make some compromises in NT's development which have hindered its reputation. Specifically, they merged it with the 9x line of products.
Oh yes applying the 95 gui was such a disaster. Your history is a little fuzzy.
The goal was an admirable one... to bring the stability and security of NT to the home. The need for this step only gained importance as the internet grew and especially as the transition to broadband was quickly underway.

The first major attempt at this was Me and yeah it flopped.

Windows 2000 was the second attempt to make that happen. But it didn't, entirely. It wasn't until Windows XP that DOS was finally laid to rest.
Windows 2000 was never a consumer OS. Microsoft even attempted to stop OEMs from offering W2K to consumers. It worked briefly until they realized Me sucked donkey balls and offered W2K as an optional upgrade. Sheesh. What's this about DOS? DOS does not exist in any version of NT beyond a virtual machine. DOS is very much alive and still supported. At least until MS finally drops support for Me.
But both Windows 2000 and XP faced several issues regarding compatibility with Win32 and the rest of the baggage that Windows 9x brought along.

Amazing when you consider that Win32 was actually written for NT. NT did not suffer from 9x baggage. If it didn't run that because it was developed for the platform.

One major part of that was the whole "user space" idea. Programs written for Windows 9x had no concept of user space. They were programmed with the assumption that they'd have unlimited reign over the system while they were running.
Kernel, applications and everything in user space. Sounds like Windows 95 to me.
Part of this was overcome with the Windows On Windows VM. If you weren't aware, Windows 9x applications actually run in a virtual machine on Windows 2000/XP. It's a very, very good one and is generally 100% transparent to the user. But it is there. Without it, Win32 instructions would not be understood by the NT kernel.

Compatibility mode is an updated Virtual DOS machine not a full and complete virtual machine by any means. Don't get me started on Win32 again.

As for your last argument that the account types is to allow for compatibility it's just laughable.

Edited by El_Cu_Guy
Alex Shenoy
I don't know much about LINUX but I can say this: Your OS is only as secure as you make it.


Wow an intelligent Windows user. I thank and applaud you for being so smart when others around you are so dumb. And I'm not being sarcastic. So many people don't understand that they have to make their own system secure.

I hate when people complain about security problems when they don't set up anything to keep them secure.

Comments like this make me wanna live on Mars and get away from humans

ripgut, you are wise beyond your years. or wise till them. or something. You're a smart person.

DR_K13

put down the crack-pipe little fella, just because you have a hard time running open source/linux ( or can't run it ) doesn't make windows better. Sure windows is easy to run, you just point and click. Crap I loaded win2000 for my grandma, too bad I have to go patch the OS / update the anti-virus/ update ad-aware/ update spyware blaster/ clean out old files/ after I clean out old files , clean the reg./ then de-frag/ update the firewall/clean adware/clean spyware/ look for viruses/ reboot. ( not in that order ) every 2 weeks for her to keep the so called 1337 Micro$oft thing running. She got sick of it and I loaded a free distro called Linspire for her. you Micro$oft nazis might like it.

It's linux but 99% of it is point and click

here is a link

Linux for rookies

BajiRav
Run-as has been around for a while now, at least since Win2k. Run-as is in XP Pro and I believe in XP Home as well. I do not have an XP Home install disc or I would check.

yea runas is fully functional on XP home and the command line alternative "runas" I use frequently on my xp home desktop (default user is set to guest privileges)

My opinion multi-user might be kinda controversial, look at the target audience....how many home or office users will care about multi-user functionality ?

agreed..a feature even if used by few ppl is always a welcome addition but runas or fast user switching more or less does the same job...

Rudy

the main advantage of linux right now is the shell, it has an AWESOME shell....now hopefully soon windows will have it too (mSH)

Brandon Live
Windows 9x, Me evolved more directly from the Windows Operating Environments not DOS. In the eyes of the new crop of computer users yes. They were limited to profiles by which each user could potentially have a customized desktop and start menu. It didn't work properly.
"Windows Operating Environments?" Umm, excuse me?

Windows 95 was the result of combining MS-DOS 7.0 and Windows 4.0 into a single SKU.

Windows 98 and Me were both evolutionary developments upon that platform.

File and directory security is non-existent. Windows was designed to be used in networks as merely a client OS. For any type of security you had to look to the NT workstations.

So you said I'm wrong then agreed with me. Do you have some need to be adversarial in everything you do?

Yeah yeah we know the story, Mach, VMS, Prism, and Mica, blah blah blah.

Clearly many posters here did not know the history of NT.
Yes yes we all know the story. I just find it hard to believe that you would think this is somehow different than a number of other developments.

I don't even know what you're trying to say here.

Unfortunately, Microsoft was forced to make some compromises in NT's development which have hindered its reputation. Specifically, they merged it with the 9x line of products.

Oh yes applying the 95 gui was such a disaster. Your history is a little fuzzy.

I was not talking about the 95 gui, which was added in NT 4.0. I was talking about complete compatibility with Windows 9x programs.

The first major attempt at this was Me and yeah it flopped.
No. Windows Me was never meant to combine NT and 9x. It was the last iteration of the Windows 9x line, and was released half-way through its development cycle. Believe me, I was there.

Windows Me came about because Windows 2000 didn't meet the goals that had been set for the integration of the NT and "Windows" product lines. Microsoft had planned to merge the two product lines since at least 1996.

Windows 2000 was never a consumer OS. Microsoft even attempted to stop OEMs from offering W2K to consumers. It worked briefly until they realized Me sucked donkey balls and offered W2K as an optional upgrade. Sheesh.

Umm, that's not how it happened at all. Microsoft originally planned to integrate the Windows and Windows NT lines with the first "cairo" project. It was more or less abandoned and became the Windows NT 5.0 project.

For the beta 2 release of NT 5.0, the name was changed to Windows 2000. At this point, it was believed that Windows 2000 would replace both NT 4 and Windows 98. It was to combine the NT and Windows 9x monikers with a version descriptor of "Windows 5.0"

However, later development of Windows 2000 revealed more compatibility problems as I discussed above. It wasn't until Windows 2000 was too near release for a name change that it was decided unfit to be offered as an upgrade to Windows 98... and thus Windows Me was born. Windows Me was designed to be a simple refresh of the Windows 98 line - at one point being called Windows 98 Third Edition. The only major changes involved limiting DOS-level injection of drivers and TSRs - offering a slight hint at the environment programs would soon be thrown into with the advent of NT. A few technologies (System Restore, some interface shell enhancements) were actually back-ported from Windows 2000 elements that were cut from the final release (to be perfected for Windows XP).

What's this about DOS? DOS does not exist in any version of NT beyond a virtual machine. DOS is very much alive and still supported. At least until MS finally drops support for Me.

I never said DOS was ever a part of NT. I said that the DOS and Win9x product lines (not the software itself) were merged with the NT line. That's why the NT moniker was dropped. The idea was to make the paradigm shift from DOS-based Windows to NT-based Windows as easy as possible for consumers.

DOS applications run in a VM on Windows NT 4.0 and later. Windows 9x applications run in an application compatibility layer that began in NT 4.0 but developed hugely in 2000/XP.

The Windows NT kernel does NOT natively support Win32 applications. The compatibility API allows that.

Brandon Live
Amazing when you consider that Win32 was actually written for NT. NT did not suffer from 9x baggage. If it didn't run that because it was developed for the platform.
Win32 was written as a bridge to allow programs to run on WinNT and Windows 3.1/9x.

However, it sits "atop" the Windows NT kernel which does not process Win32 calls natively.

Kernel, applications and everything in user space. Sounds like Windows 95 to me.

Compatibility mode is an updated Virtual DOS machine not a full and complete virtual machine by any means. Don't get me started on Win32 again.

There are two VMs in Windows XP. One is for 16-bit DOS applications, the other is for Windows 9x applications. Although the latter is more transparent.

As for your last argument that the account types is to allow for compatibility it's just laughable.

I don't care if you think it's laughable. It's true. Windows NT was designed with a concept of least privilege. Hopefully we'll get back to that in the Longhorn era. But it will be hard. The decision to make Administrator-level accounts the default in XP has permitted developers to target that environment. I believe in the least privilege philosophy, as well as keeping as much as possible in the user domain - but I cannot claim to adhere to those practices given the current reality.

Edited by threedaysdwn
Brandon Live
It's true that NT is a multi-user OS in general. But, in my experience, a limited user account is not suited for 'normal' use (home use, games, multimedia, but also for demanding workstation uses like audio, video or 3D editing). Or maybe you need to be a MCIP (Microsoft Certified Illusion Provider) to set it up correctly. In my company, we had to set up a single Windows workstation some time ago for a single application, and I tried to configure the system to run with limited privileges. The workstation should be used for 3D (Softimage|XSI) and texture editing (Bauhaus Mirage), and both applications _crawled_ on a limited account - I've never seen anything _that_ slow, it was running at about 10% of the usual speed.

There are far more user groups than just Administrator and Guest. There are 5 or 6 by default, though you can create as many as you like. You assign privileges to groups or users (as well as file access rights and ownership) much in the same way as you would on any Unix system.

Performance is not affected by what user groups you're in. Clearly you're not qualified to set up a workstation if you can't even figure out how user management works.

It was also not possible to write a CD (to backup data) without becoming root, audio was slow as hell, even WinAMP lagged. Plus, most applications are unable to be installed by a normal user (something very possible with Linux/ UNIX), because the setup insists on root privileges or the application wants to copy stuff to the Windows directory (why should anyone be forced to install an audio player or a web browser system-wide???).
A setup program will only ask for higher privileges if the system is set up such that it needs them.

You don't need to be a member of the Administrators group, and far less the Administrator account itself, to burn to a CD.

I'm not sure if a "Limited Account" on XP Home can or not. I've had little experience with that environment.

You say, "audio was slow as hell, even WinAMP lagged."

I think you made that up. Or possibly, are too inept to know what was actually causing the problem on your system.

To keep a long story short, two days later I installed Linux on that system, and we're now using Aura for texture editing (XSI is available for Linux, anyway).

So, it's my impression that even if Windows might be securable for servers, for home use it's cumbersome or even impossible to run the system without administrator privileges...

You mean <gasp> you actually have to know what you're doing to set up a Windows system in a network environment. Gee whiz... what a shock.

BTW, regarding Linux servers getting 'hacked' more often: it's a fact that hacking Windows servers is considered easy by most hackers, so you'll have to hack Linux or UNIX to prove yourself. Also, most statistics about the security are heavily flawed - I remember an old study MS had on their website that stated that Windows was more secure - but they left out downtime caused by virii, a non issue on Linux and the most important cause for downtimes.


Bull****.

Oh, and "virii" is not a word.

Viruses and other highly publicized exploits over the last few years are not the kind of security issues that administrators should be worrying about. If your network got hit by SoBig, Slammer, Blaster, etc. then it was your IT department's fault. Plain and simple. Regardless of your OS, your network should never be vulnerable to such things.

Properly controlling user privileges (as well as user education) should prevent any threat from e-mail viruses and the like.

What you should be worried about is a concentrated effort to actually breach the security of your specific system.

That's the kind of direct targeted attack that was looked at in this study.

I've personally seen FreeBSD systems hacked in just such a way. My poor evangelical friend took a hit to his pride that day.

For my part, I've yet to have a security breach of any kind affect any of my personal systems, business systems, or those of my clients. I pride myself on that fact. But I also pride myself on my preparedness for mitigating and recovering from any such problem if one ever does occur. I know that no system is infallible, just as no person is so, including myself.

But I'll bet on my systems against yours any day of the week... regardless of what platform you're running.

LaNcom

threedaysdwn,

sorry, but believe it or not, I'm a Linux admin. I usually don't use or administrate (or even like) Windows. Why should I? There is not a single Windows system in my company anymore, except for some old Pentium 233 that we use as a SPM license server. It _might_ be possible to set up a working, limited account on Windows, but if I, as an administrator for that 'archaic', 'complicated' OS called Linux am unable to set this up, it's too hard for a home user (or let's just say this is much easier with Linux)...

Anyway, I never said anything about XP home, we were using XP pro (not that this really makes any difference). I also never said anything about using a guest account. And, to make that clear: there were applications I could set up on that system without administrator privileges, but most applications insisted on a root account.

My company also has quite a few servers (currently running gentoo-hardened) that were never hacked or had any unscheduled downtimes - so that's no legitimation for a hubris as huge as yours... :-)

On a side note, accept this from someone who actually knows Latin: Viri may be the plural of virus, vira might also be correct. The problem is that there is no known plural form of virus in Latin, and it's unclear which declination it's a member of (could be U or O; O according to Stowasser - then viri would be the plural). Virii is jargon, and usually used by the authors of those nasty little fellas - and I would say it's therefore the most correct form.

incubusdaemon
On a side note, accept this from someone who actually knows Latin: Viri may be the plural of virus, vira might also be correct. The problem is that there is no known plural form of virus in Latin, and it's unclear which declination it's a member of (could be U or O; O according to Stowasser - then viri would be the plural). Virii is jargon, and usually used by the authors of those nasty little fellas - and I would say it's therefore the most correct form.

You might know Latin, but that's irrelevant. Viruses is the accepted plural form according to Webster's dictionary, among others, so that's what I'm sticking with.

markjensen

I'm sorry, people. This thread has been going into definitions of "multi-user", the construction history of WinNT, and plural for virus.

Some off-topic is OK, but this thread is beyond clean-up at this point.

I'm going to close this at this time. Discussions on any of these sub-topics can be restarted, but each in their own threads, please.

Nothing personal on any particular poster, or post - and there were some good points made in here, providing enlightenment for all. :)

But, this particular thread has run its life. :no:

* thread closed *

This topic is now closed to further replies.