On Mon, 7 Jun 1999, Ryan Russell wrote:
> Date: Mon, 7 Jun 1999 22:52:50 -0700
> From: Ryan Russell <[EMAIL PROTECTED]>
> To: Brian Steele <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: RE: Why not NT?
>
> >Care to elaborate on this "buggy and insecure" RPC thingy?
> >
> >I thought the security problems with RPC were hotfixed ages ago.
>
> That nicely elaborates the point of this whole discussion...
>
> ONE rpc hole was found and patched.
>
> The NT security optimist believes that that was the only
> hole, and all is fixed now.
>
> The NT security pessimist believes that that was only the first
> in a long line, and if only one has been found so far, we have
> many, many more to go before we have a majority of them fixed.
>
This is a good point. Remember, security is a moving target (it's a
process, not an end state).
The thing about the RPC service is that at least _two_ denial-of-service
bugs were found because the RPC service can't deal with arbitrary data
spouted to its port. Do you _really_ think that MS has completely
rewritten the RPC service to sanity-check all user-inputted data?
That's the only way to truly fix this kind of problem. If you
think that, then why was a second bug of the same nature found long after
the first fix? Because they didn't fix the real problem, only that
particular _symptom_. The fixes are superficial band-aids + bubble gum +
duct tape + baling wire. If you think this is an isolated incident, look
at some of the IE bugs that get "fixed" but then a variant comes out that
works just as well as the original.
Deep Thought: Just think of all of the bugs that have been found in NT
_without_ source code. Now imagine if anyone ever looked at the source, how
many bugs would be found... Now add 30 million lines of code and think
about this again (Win2K)... Complexity is the enemy of security.
C2 certification really means nothing when, for example, there are about 5
ways of becoming Administrator on an NT4 system _with SP4_.
-Jason
AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
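The symptom-versus-root-cause distinction Jason draws above, as an added example that is not part of the original thread and has nothing to do with the actual NT RPC code: a hypothetical length-prefixed message format (opcode, name length, name, two-byte payload length, payload; constructed here for illustration) parsed two ways. The first parser is the "band-aid" after a crash report: the one field that caused the crash is now checked and nothing else. The second checks every length field against both the receiving buffer and the bytes actually remaining in the message, which is the change the post argues is the only real fix. The constructed sample message carries a payload length field that lies (claims 65535 bytes, two follow); the band-aid parser believes it, the hardened one rejects it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy wire format (hypothetical, constructed for this example; not NT RPC):
 *   [1] opcode  [1] name_len  [name_len] name  [2] payload_len (big-endian)
 *   [payload_len] payload                                                  */
#define NAME_MAX 32

struct msg {
    uint8_t        opcode;
    char           name[NAME_MAX + 1];
    const uint8_t *payload;
    size_t         payload_len;
};

enum parse_status {
    PARSE_OK = 0,
    PARSE_BAD_NAME_LEN = -1,  /* name_len exceeds the fixed name[] buffer     */
    PARSE_TRUNCATED    = -2,  /* a length field promises bytes that are absent */
    PARSE_TRAILING     = -3   /* bytes left over after the payload             */
};

/* Symptom fix: a crash showed name_len > NAME_MAX overflowing name[], so exactly
 * that case is rejected. payload_len is still trusted blindly and len is never
 * consulted, so the parser happily reports a payload extending past the end of
 * the received bytes (and still assumes the header bytes it reads exist). */
enum parse_status parse_symptom_patched(const uint8_t *buf, size_t len,
                                        struct msg *out)
{
    size_t pos = 0;
    (void)len;                               /* the bug: never used */
    out->opcode = buf[pos++];
    uint8_t name_len = buf[pos++];
    if (name_len > NAME_MAX)                 /* the one check the patch added */
        return PARSE_BAD_NAME_LEN;
    memcpy(out->name, buf + pos, name_len);
    out->name[name_len] = '\0';
    pos += name_len;
    out->payload_len = ((size_t)buf[pos] << 8) | buf[pos + 1];
    pos += 2;
    out->payload = buf + pos;                /* may point beyond buf + len */
    return PARSE_OK;
}

/* Root-cause fix: every read is preceded by a check that the bytes exist and
 * every length field is validated against the bytes remaining. pos <= len holds
 * at each step, so len - pos cannot underflow. */
enum parse_status parse_hardened(const uint8_t *buf, size_t len, struct msg *out)
{
    size_t pos = 0;
    if (len - pos < 2) return PARSE_TRUNCATED;
    out->opcode = buf[pos++];
    uint8_t name_len = buf[pos++];
    if (name_len > NAME_MAX) return PARSE_BAD_NAME_LEN;
    if (len - pos < name_len) return PARSE_TRUNCATED;
    memcpy(out->name, buf + pos, name_len);
    out->name[name_len] = '\0';
    pos += name_len;
    if (len - pos < 2) return PARSE_TRUNCATED;
    size_t payload_len = ((size_t)buf[pos] << 8) | buf[pos + 1];
    pos += 2;
    if (len - pos < payload_len) return PARSE_TRUNCATED;
    out->payload = buf + pos;
    out->payload_len = payload_len;
    pos += payload_len;
    if (pos != len) return PARSE_TRAILING;
    return PARSE_OK;
}

/* Constructed sample: opcode 1, name "abc", payload_len claims 0xFFFF bytes but
 * only two follow. All header fields are present, so the symptom-patched parser
 * stays inside the array here; it simply believes the lie. */
static const uint8_t LYING_LEN_MSG[] = { 0x01, 0x03, 'a', 'b', 'c',
                                         0xFF, 0xFF, 0xAA, 0xBB };

/* 1 if the symptom-patched parser accepts the message while reporting more
 * payload bytes than the message actually carries (65535 vs 2). */
int symptom_patch_trusts_payload_len(void)
{
    struct msg m;
    if (parse_symptom_patched(LYING_LEN_MSG, sizeof LYING_LEN_MSG, &m) != PARSE_OK)
        return 0;
    size_t actual = sizeof LYING_LEN_MSG - (size_t)(m.payload - LYING_LEN_MSG);
    return m.payload_len > actual;
}

int main(void)
{
    struct msg m;
    printf("symptom patch accepts lying payload_len: %d\n",
           symptom_patch_trusts_payload_len());
    printf("hardened parser status on same message: %d\n",
           (int)parse_hardened(LYING_LEN_MSG, sizeof LYING_LEN_MSG, &m));
    return 0;
}
```

A consumer of the band-aid parser that does `memcpy(dst, m.payload, m.payload_len)` over-reads by 65533 bytes, which is the second "bug of the same nature" that a field-by-field fix never prevents. Note that the hardened version's checks are against the message's own `len`; nothing about the specific crash that prompted the first patch appears in it.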