__/ [ BearItAll ] on Tuesday 16 May 2006 13:37 \__
> Roy Schestowitz wrote:
>> ,----[ Quote ]
>> | CORONADO, Calif.--It doesn't appear that Symantec CEO John Thompson's
>> | next computer will run Windows...
>> | Symantec CEO John Thompson: 'The "target-rich" environment created by
>> | Windows vulnerabilities means that virus writers and hackers have set
>> | their sights on Windows PCs'
> Microsoft go it alone in security and anti-virus? Don't give your job up
> just yet Mr Thompson, if Symantec were not there there wouldn't be a Windows
> at all. It was only the work of Symantec, Norton, McAfee and the other main
> security/anti-v people that stopped MS dying a horrible death in the first
> waves of viruses. MS didn't do anything at all about the problem, even
> compounded it with the 'automatic running of code entering the computer
> from multiple sources' and 'Active documents that could make use of a
> non-limited programming environment and even auto execution'. Even
> printers, the stupidity of allowing executable code to enter a machine via
> a network printer connection, codes that cause software to run, even
> providing parameters, that's fine, but when the code itself can enter that
> way, that was always wrong and still is.
To what level this was actually intended, I am not too sure. Surely there was
an attempt to attain power, function, and ease-of-use through overly
permissive policies. Microsoft failed to account for street smarts and, in
due time, they fell victim to bloat that had been developed for many years
without security in mind. It was owing to a type of a smug attitude perhaps.
Between these days of Pong and Brain virus (goes back to my early childhood
as I am inv(old) enough to be some people's son in here) and until later in
the 90's, there has barely been any mentioning of virii (sic). I wish Google
Trends extended backwards to display search volume before 2004. Alas, even
Alta Vista are not so pedantic when it comes to their logs...
It was progress-driven rather than a conscious and apprehensive process of
development. I often wonder if the background of Linux and its origins in
servers (UNIX, Solaris and other O/Sen likewise) made security a grand goal
which was honoured all along. In due time, with always-on connections,
people's computers virtually become servers and that conceptual shift made
servers endure, whereas a particular toy O/S (that which was intended to
innocently bring Solitaire to people's home) was dying out.
> We could have had that nonsense in UNIX/Linux, but who but MS would have been
> stupid enough to believe that virus writers and hackers would not make use
> of such a thing.
One can never make an assumption. The deeper the flaw, the longer time it may
take to exploit it. But it's there.
Look at how every buffer overflow risk is treated as though it is a critical
flaw. In Firefox, the vulnerability (memory leaks IIRC) which could be
catalyzed by 4 million-character long <title>'s was flagged serious.
> Of course there is a need for security and anti-v to be in at the root of MS
> software, which is likely what MS have in mind, it should have been there
> long ago, but it isn't so it is still needed. Had it been the sharing
> world in computers that we once had, MS could have invited Symantec to the
> core of their system, 'We'll do the pretty interfaces, you do the
> security'. You might even have been able to put in a proper isolated
> kernel. But who now would trust MS to not take you on for a couple of years
> while their programmers learn how it's done before kicking you out and
> leaving you with no market place.
AV software is merely a patch, or a bandaid that covers an existing sore. A
properly-designed system should have no sores in the first place (and yet
remain backward-compatible). Blocked ports are causing a lot of trouble
nowadays, especially in Vista. It has become so overly defensive, much like
a turtle inside its shell. Function-wise, it's more like Windows XP +
restrictions + Aero Glass. And _still_, all analysts have already predicted
that it will offer no security. They are not quite equivocal about it. The
word is very unanimous, in fact.
> MS will not succeed in closing the threats from hacking or viruses, because
> too many of what we call security holes are built into the system by MS. MS
> Win is insecure by design not by mistake.
Yes -- an important point which was mentioned many times before. Roy Culley
likes to re-iterate it. A big issue here are the stubborn promises for
backward-compatibility, which relies on design principles and model that are
Let us face it. Windows has become a bloat that somehow can cater for some
function and services (e.g. IIS). It is by no means efficient and effective
though, unless efficiency is measured by the number of machines disposed of
and purchased with a new licence of Windows on them.
Linux, on the contrary, offers function and power. It makes good use of its
resources, _without_ relying on some AV software that is eating away CPU
cycles. It is possible to take an elephant and make it carry a 10 pound bag
from one place to another. Is it good use of energy? No. I, for example,
weigh about 91 KG and this morning I benchpressed over 165 KG. I don't shove
burgers down my throat, which would raise the cholesterol levels (analogy
for unneeded software). I just work effectively for the most part and I
watch my diet (system monitor *grin*).
> So there is and will be for some time to come room for an anti-v and
> security vendor. While you prepare for what could be the next level, there
> is a way you can finally beat the virus and hack and lock MS Win into a
> secure shell. The likes of VMWare have shown how it is possible and viable
> on modern hardware to wrap any OS inside a shell, you become the interface
> between the software and hardware. In the case of Symantec, you make
> yourself the machine's kernel, higher authority than the MS kernel if it
> can still be called a kernel, as code it looks more like a bird splat than
> a properly layered system.
> In that position you truly do have control of what comes in and what goes
> out. Symantec are currently building a poor name with their products
> because they take the speed of the machine down too far, a lot of that
> speed loss has to do with the protection of the Symantec software itself
> and the fact that your software has to be watching many things at once in
> order to keep the machine safe, but if you have the kernel you can gain
> back all of the machine's speed.
It may be too late to redesign the kernel though. Windows is a vast project.
All the stuff that is glued to it like Play Doh or Lego (e.g. the window
management component for instance) requires 60% re-write, according to
Microsoft. The code is not sufficiently modular either. Scrap it or forget
about it. That's why they did back in September (they flushed Longhorn), but
they took yet another faulty kernel (Server 2003, XP's ugly cousin).
> Gads, put me in charge of Symantec and with my brains (tongue in cheek) and
> your programmers I'll have you a product that will eventually have people
> calling it Symantec Windows, maybe even SEWindows (and why not?). But only
> if you have a decent pie shop near your offices, I can't work in a place
> that doesn't have a decent pie shop, don't worry about sticky buns, I'm a
> pie man not a bun man.
Roy S. Schestowitz | "ASCII stupid question, get a stupid ANSI"
http://Schestowitz.com | SuSE GNU/Linux ¦ PGP-Key: 0x74572E8E
2:00pm up 18 days 20:57, 8 users, load average: 1.11, 0.60, 0.24
http://iuron.com - help build a non-profit search engine