RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
> either use sudo or su to do work as root, but Windows doesn't make users
> the admin by default *either*, unless you setup Fast User Switching
> *during* the install.

Windows XP doesn't allow that to be selected during installation. It is activated or not based on available system memory during install; if your system meets the threshold, it's enabled automatically, otherwise it is disabled. (but the Welcome Screen logon UI remains enabled, and must be turned off manually via the control panel or local policy if not desired.)

Windows DOES force you to create between 1 and 5 additional users (aside from Administrator) during setup. I've always found that if only one account is created, it is assigned to both the Users and Administrators groups; IIRC, the same is true when two or more are created during setup.

If the system is configured to join a domain during setup, the above does not apply; the welcome screen and fast user switching are disabled in a domain setup. IIRC, no additional users are created, either, as they would generally be created within the domain instead.

> That's simply false. Windows has several groups. By default users are in
> the "USERS" group, *not* the ADMINISTRATORS group.

True only when users are created AFTER installation.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
True goal is making as much money and influence as possible.

Please read my previous posts on this list regarding that matter.

This is why, Firefox being independent from this OS that carries 60 of its code base as being legacy code for older system hardware and

The Mozilla Suite (and Firefox) already existed for some years.

Should we compare the new version/updates delivery frequency of the Mozilla Project with others ?

Let's not hide from ourselves what's needed from MS to reach modern world security: a complete rewrite, and a ditch of old Dos base and the 20 years old legacy code.

Microsoft Windows NT is a complete rewrite from scratch. MSDOS is being emulated in a virtual machine called NTVDM. Microsoft Windows XP is not the first NT version, mind you.

I used nt4 ws and server, i still noted at the time the default behavior of making the first user an administrator, and not inviting to create an unprivileged user. All of the migrations NT4 -> BSD i did were in that case. The point is that relying on the solidity of ur network application / daemon / server and not restricting / reducing the impact of a crash / vulnerability / intrusion is just completely irresponsible. Jails are not "all" but they help as a preventive measure, and they instantly upgrade the knowledge level needed by the attack. They make sure for example, that the latest worms exploiting the latest vulnerability that remains unpatched by your vendor, are not taking over the box completely. Geez sounds familiar ? Until MS manages to run a webserver / authserver / mailserver (fill in the list ... ) with the same functionality and as non privileged user, it will be much more unsecure out there.

And btw the "Virtual" Dos seems particularly present: Try this on any NT OSes: new folder -> aux, lpt1, con, nul ... Should i carry on ? (Hint: MSDos Reserved devices). As i say previously non case sensitive OSes belong to the museum.

Rafel Ivgi, The-Insider wrote:
>[ fullquote from grandparent snipped, please learn some quoting style ]

I will only if you learn to NOT reply to all [emails] of the thread but just to the list.

Stefan Schatzl.

d.
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Very True, not to talk about all the apps that won't run correctly in Windows because of non-admin rights. Should we all have to give permissions to special reg keys just to have a app run as a non-admin? I mean come on...you give us a so called security feature (Run As) and then it is only useable half the time for the IT world and almost totally useless for the everyday basic user. But of course most of the apps that don't work with Run As are harder apps but I am sure everyone has seen some.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of devis
> Sent: Sunday, November 21, 2004 12:11 AM
> Cc: [EMAIL PROTECTED]
> Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
>
> Todd Towles wrote:
>
> >Windows doesn't tell you about the Admin account and makes the default
> >user a Admin. That isn't best method as you know.
> >
> >RunAs is great..but that is only good once you create a normal user -
> >and then delete your new default user. Or you log in in Administrator
> >and take away the full control of the default user. Easy for the
> >average window user? Nope. If it was Microsoft would make the default
> >user (note USER) and then let you configure the Admin account on start.
>
> Thank you. Sometimes i feel the message doesn't get across.
> Run as is a false sense of security. Majority of MS apps (
> that gets owned ) run with Admin or Local System privileges.
> Does Run as works on IE ? on Office ? on IIS ?
>
> My point was that instead of 'hiding' computer knowledge from the 'user',
> and introducing false 'hyped' security such as 'RunAs',
> assuming his stupidity, i think people will be likely to
> understand that to install a program they would have to use a
> different account than from browsing pages. Especially when
> the company behind has lots of $$$ to make it friendly and
> understood. 15 years ago people thought only a few people
> will ever use email..
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
devis wrote:

Please run some unix or at least read about the unix permission system, and lets pray god this sheds some light in your mono cultured brains. Here are the relevant points: 1) Despite recent ameliorations of MS ( multi user finally, permissions ... ) and some effort at making the system more secure, something very

Finally? Microsoft Windows NT 3.1 had already in 1992 most or all of the permissions and multi-user "functionality". Perhaps you refer with 'finally' to Microsoft Windows XP, which is the current incarnation of the NT operating system.

important is still left out: The first default user of the MS computer is made an administrator. This comes down to giving uid0 to ur first unix user. Unix does NOT do that. It requires you to use su and become root ( administrator ) after proper credentials submission ( password ).

This is not correct for each and every unix flavour.

The first user is NOT an administrator, and any recent Unix documentation will insist on the danger of running as root(admin). Unix keeps the admin account well separated from the user account, which MS

True.

[ ... MS ... ] DOESN'T, despite all wrong arguments i read on this list. VERY BAD practice generally. So its user friendly, as the user has admin rights

Wrong. The NT operating system has the same 'true' privilege separations as any other modern operating system. Sadly, the vendor chose to blur the distinction on the surface for Joe Average which causes major problems. It would be a better choice to force the average user to create a normal unprivileged account during system installation like Mac OS X does.

> Isn't security important and supposedly the goal of recent MS developments ? If they really did target security, their

True goal is making as much money and influence as possible.

This is why, Firefox being independent from this OS that carries 60 of its code base as being legacy code for older system hardware and

The Mozilla Suite (and Firefox) already existed for some years.

Let's not hide from ourselves what's needed from MS to reach modern world security: a complete rewrite, and a ditch of old Dos base and the 20 years old legacy code.

Microsoft Windows NT is a complete rewrite from scratch. MSDOS is being emulated in a virtual machine called NTVDM. Microsoft Windows XP is not the first NT version, mind you.

Rafel Ivgi, The-Insider wrote:
>[ fullquote from grandparent snipped, please learn some quoting style ]

Stefan Schatzl.
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
On Fri, Nov 19, 2004 at 11:50:33AM -0500, [EMAIL PROTECTED] wrote:
> Linux integration: Tools register themselves as optional add-ons to add new
> or extended functionality. If the tool isn't there, all that happens is the
> menu items *for that added function* end up greyed out or don't show up,
> or simply Nothing Interesting Happens when you click on the object.

As an example on non-integration, even the graphical user interface is not a core component of the system. You can perfectly install your system without X11, and it will work. Unless your application requires a graphical output, that is :)

Try to remove the graphical interface from your Windows 2003 server :)

--
Vincent ARCHER
[EMAIL PROTECTED]
Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
OSX is an interesting case but at the moment it is still an infant. I look forward to seeing what happens with it as you are correct, it is very consumer oriented. To put it another way, it is a chance for *nix to show off its normal user wings if it has any. People who would get off Windows because they have a viable *nix alternative have this option now though there is still a discrepancy in available commercial packages which I guess could cause an issue.

joe

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shoshannah Forbes
Sent: Sunday, November 21, 2004 3:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

Well, Mac OSX is a fully consumer *nix. Can you say that Mac users tend to be " already knowledgeable with its workings or people who WANT to learn the details using it"? I am not so sure about it.

BTW, on Mac OSX, by default the root account is *disabled*. All administrative tasks are done with 'su/sudo'.
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
LOL, ok you have me on that one. It is something, but very little. :oD

Joe

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!

-----Original Message-----
From: Frank Knobbe [mailto:[EMAIL PROTECTED]
Sent: Saturday, November 20, 2004 11:54 AM
To: joe
Cc: [EMAIL PROTECTED]
Subject: RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

On Sat, 2004-11-20 at 08:20, joe wrote:
> I agree with your initial comment, they can both be changed. I also
> agree they both do little.
>
> I don't agree that the hardcoding in the source does anything for you.

Well, it *allows* you to change the ID of the superuser account to something else. But of course that is obfuscation, and is quickly discovered (just check what ID owns /bin/* and so on). Nevertheless, you have the *ability* to change the ID. You can't do that with Windows.

(Yeah, cheap shot I know... ;)

Cheers,
Frank
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
joe wrote:

Anyway, the base cause is a simple one, Windows is consumer based and *nix wasn't and really still isn't. Look at the market penetrations. *nix tends to have people already knowledgeable with its workings or people who WANT to learn the details using it,

Well, Mac OSX is a fully consumer *nix. Can you say that Mac users tend to be " already knowledgeable with its workings or people who WANT to learn the details using it"? I am not so sure about it.

BTW, on Mac OSX, by default the root account is *disabled*. All administrative tasks are done with 'su/sudo'.

--
http://www.xslf.com
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Todd Towles wrote:

Windows doesn't tell you about the Admin account and makes the default user a Admin. That isn't best method as you know.

RunAs is great..but that is only good once you create a normal user - and then delete your new default user. Or you log in in Administrator and take away the full control of the default user. Easy for the average window user? Nope. If it was Microsoft would make the default user (note USER) and then let you configure the Admin account on start.

Thank you. Sometimes i feel the message doesn't get across. Run as is a false sense of security. Majority of MS apps ( that gets owned ) run with Admin or Local System privileges. Does Run as works on IE ? on Office ? on IIS ?

My point was that instead of 'hiding' computer knowledge from the 'user', and introducing false 'hyped' security such as 'RunAs', assuming his stupidity, i think people will be likely to understand that to install a program they would have to use a different account than from browsing pages. Especially when the company behind has lots of $$$ to make it friendly and understood. 15 years ago people thought only a few people will ever use email..
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Paul Schmehl wrote:

--On Friday, November 19, 2004 01:12:31 PM -0500 "Crotty, Edward" <[EMAIL PROTECTED]> wrote:

I'm not a Win based guy (troll?) - Un*x here - and even I was offended by #1. There is such a thing as "runas" for Windows.

That's not all.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of devis
Sent: Friday, November 19, 2004 11:10 AM
Cc: [EMAIL PROTECTED]
Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

1) Despite recent ameliorations of MS ( multi user finally, permissions ... ) and some effort at making the system more secure, something very important is still left out: The first default user of the MS computer is made an administrator.

Apparently you don't have very broad experience with OSes. ON *every* OS I'm familiar with, the first user is the administrator (or root) account.

Are You an idiot ? When i start MS and look at my empty desktop, under what ID that graphic interface runs ? If i configure my outlook and go to fetch nice infected mails, who i am then launching outlook ? Administrator

On unix, launching a graphic interface under root would have printed a big warning panel or for more decent OSes not allowed me AT ALL. I am NOT arguing that the first user is an admin, i am arguing that the DEFAULT user is an admin. The default user on UNIX is not root. Try to re reading before making a fool of yourself.

This comes down to giving uid0 to ur first unix user. Unix does NOT do that. It requires you to use su and become root ( administrator ) after proper credentials submission ( password ).

When's the last time you installed an OS from scratch? Gentoo, FreeBSD, OpenBSD, RedHat, Fedora, Slackware, Mac OS X, Debian, Solaris, *all* create the first user as uid0 during the install process. (I can't speak for the others because I haven't done those, but I'd be willing to bet that NetBSD, AIX, HP-UX, SCO et. al. work exactly the same way.)

See up there. You need to learn to read and make sense of it. Once again, I AM NOT ARGUING THAT THE FIRST ACCOUNT CREATED HAS AN UID0. Please open ur eyes and try to pinpoint the difference between first user and default user. Even MS is confused on that subject it seems.

Unix does not grant users root access by default, and it does a much better job of separating privileges by requiring you to join the wheel group *and* either use sudo or su to do work as root, but Windows doesn't make users the admin by default *either*, unless you setup Fast User Switching *during* the install.

IT does makes the first installer of the box the default user. And that first default user HAS administrator privileges. What part of this is not clear ? With or without Fast User Switching. Ever installed XP ?

many unixes don't use a wheel group.

- snip ---
% grep wheel /etc/group
%
Debian linux
---

Playing on words ? Sure Linux isn't Unix, but then write Unix like so: Unix(tm) and i will know.

The first user is NOT an administrator, and any recent Unix documentation will insist on the danger of running as root(admin). Unix keeps the admin account well separated from the user account, which MS DOESN'T,

That's simply false. Windows has several groups. By default users are in the "USERS" group, *not* the ADMINISTRATORS group. It might make sense if you actually had knowledge of an OS before you criticize it.

Please prove ur point and run IIS from an unprivileged account.

Please install a proper unix, create 2 accounts and try to read the home directory of the second user from the first.

Please do the same in Windows. Here's a hint. You'll get the same results.

2) "After all, they don't need to know" . " You're on a need to know basis job" Do MS really think the users are stupid ?

Probably. Otherwise they wouldn't have those stupid warnings popup every time you try to delete something. Are you SURE you want to do this Yes, damn it!!

[snipped the rant]

Let's not hide from ourselves what's needed from MS to reach modern world security: a complete rewrite, and a ditch of old Dos base and the 20 years old legacy code.

Oh baloney. Learn a little more about the OS before you make assumptions that make you look ignorant. Aside from the default permissions, you can also granularly apply privileges in many ways. For example, by default USERS have Read & Execute, List Folder Contents and Read access to the Windows folder, its contents and all its subfolders. In addition, there are fourteen (14) separate rights that can be explicitly granted or denied to them at that level only or to all subfolders as well, to files only, to subfolders only, to subfolders *and* files only, etc., etc.

I have admined nt4 boxes, and before being insulting, u should maybe look up a
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
I use WinAmp for Music and the Microsoft stuff for Video...I don't do a lot of video stuff. The latest Winamp is pretty nice. I can always stream shoutcast or video to my XBOX so..lol

> -----Original Message-----
> From: GuidoZ [mailto:[EMAIL PROTECTED]
> Sent: Saturday, November 20, 2004 3:03 PM
> To: Todd Towles
> Cc: [EMAIL PROTECTED]
> Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
>
> This is true. It will also play many other types of files
> (with something like ffdshow) that WMP 9/10 can, although it
> will do so with about half the memory footprint and start
> twice as fast. Gotta love "upgrades". =/
>
> I moved more to BS Player, as it's pretty quick and comes
> with all the bells and whistles you'll need. Of course
> VideoLAN (VLC) is also a nice choice. I prefer the BS Player
> interface (think PowerDVD Crystal theme). =D
>
> --
> Peace. ~G
>
> On Sat, 20 Nov 2004 14:41:59 -0600, Todd Towles
> <[EMAIL PROTECTED]> wrote:
> > Ohh don't worry I am not knocking it. The 6.4 version will play some
> > of those AVI files that the version 9 and 10 won't play because of
> > codec stuff, kinda of funny. =)
> >
> > > -----Original Message-----
> > > From: GuidoZ [mailto:[EMAIL PROTECTED]
> > > Sent: Saturday, November 20, 2004 1:15 AM
> > > To: Todd Towles
> > > Cc: [EMAIL PROTECTED]
> > > Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
> > >
> > > Dude, mplayer2 rulez!! I use it to play all sorts of things.
> > > =) I'm glad they left it there... the newer MS media player is just
> > > bloat.
> > > Media Player Classic (that comes with RealAlternative and QuickTime
> > > Alternative) is another one of my favs. =D
> > >
> > > Yeah, not really anything to do with the topic, but I felt it had to
> > > be said. Don't go knocking my v6.4. ;)
> > >
> > > --
> > > Peace. ~G
> > >
> > > On Fri, 19 Nov 2004 12:41:25 -0600, Todd Towles
> > > <[EMAIL PROTECTED]> wrote:
> > > > > Microsoft integration: You remove the application that plays
> > > > > MPEG movies from a system that has never needed to play MPEG movies, and
> > > > > never will need to - and your system won't boot anymore.
> > > >
> > > > Example - Anyone with XP, do a search for mplayer2.exe? What is this
> > > > you ask? It is media player 6.4 =)
> > > >
> > > > You only think you upgraded to Media player 10..lol
> > > >
> > > > -Todd
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Ohh don't worry I am not knocking it. The 6.4 version will play some of those AVI files that the version 9 and 10 won't play because of codec stuff, kinda of funny. =)

> -----Original Message-----
> From: GuidoZ [mailto:[EMAIL PROTECTED]
> Sent: Saturday, November 20, 2004 1:15 AM
> To: Todd Towles
> Cc: [EMAIL PROTECTED]
> Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
>
> Dude, mplayer2 rulez!! I use it to play all sorts of things.
> =) I'm glad they left it there... the newer MS media player
> is just bloat.
> Media Player Classic (that comes with RealAlternative and QuickTime
> Alternative) is another one of my favs. =D
>
> Yeah, not really anything to do with the topic, but I felt it
> had to be said. Don't go knocking my v6.4. ;)
>
> --
> Peace. ~G
>
> On Fri, 19 Nov 2004 12:41:25 -0600, Todd Towles
> <[EMAIL PROTECTED]> wrote:
> > > Microsoft integration: You remove the application that plays MPEG
> > > movies from a system that has never needed to play MPEG movies, and
> > > never will need to - and your system won't boot anymore.
> >
> > Example - Anyone with XP, do a search for mplayer2.exe? What is this
> > you ask? It is media player 6.4 =)
> >
> > You only think you upgraded to Media player 10..lol
> >
> > -Todd
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
This is true. It will also play many other types of files (with something like ffdshow) that WMP 9/10 can, although it will do so with about half the memory footprint and start twice as fast. Gotta love "upgrades". =/

I moved more to BS Player, as it's pretty quick and comes with all the bells and whistles you'll need. Of course VideoLAN (VLC) is also a nice choice. I prefer the BS Player interface (think PowerDVD Crystal theme). =D

--
Peace. ~G

On Sat, 20 Nov 2004 14:41:59 -0600, Todd Towles <[EMAIL PROTECTED]> wrote:
> Ohh don't worry I am not knocking it. The 6.4 version will play some of
> those AVI files that the version 9 and 10 won't play because of codec
> stuff, kinda of funny. =)
>
> > -----Original Message-----
> > From: GuidoZ [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, November 20, 2004 1:15 AM
> > To: Todd Towles
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
> >
> > Dude, mplayer2 rulez!! I use it to play all sorts of things.
> > =) I'm glad they left it there... the newer MS media player
> > is just bloat.
> > Media Player Classic (that comes with RealAlternative and QuickTime
> > Alternative) is another one of my favs. =D
> >
> > Yeah, not really anything to do with the topic, but I felt it
> > had to be said. Don't go knocking my v6.4. ;)
> >
> > --
> > Peace. ~G
> >
> > On Fri, 19 Nov 2004 12:41:25 -0600, Todd Towles
> > <[EMAIL PROTECTED]> wrote:
> > > > Microsoft integration: You remove the application that plays MPEG
> > > > movies from a system that has never needed to play MPEG movies, and
> > > > never will need to - and your system won't boot anymore.
> > >
> > > Example - Anyone with XP, do a search for mplayer2.exe? What is this
> > > you ask? It is media player 6.4 =)
> > >
> > > You only think you upgraded to Media player 10..lol
> > >
> > > -Todd
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
If you are on the box, having changed the name of the Admin is useless. Naming doesn't save you from a lot...a simple registry pull in Windows will get you all the hashed passwords.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Davis
> Sent: Friday, November 19, 2004 8:40 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
>
> Are you able to change root's name in nix? Why not if the answer is no?
> (Things would break right? UID 0?) Knowing the account name
> is two-thirds of the battle.
> In windows it's fairly easy to change the admin name.
> Not a professional here just curious...
> J
>
> On Fri, 19 Nov 2004 17:13:36 -0500, [EMAIL PROTECTED]
> <[EMAIL PROTECTED]> wrote:
> > On Fri, 19 Nov 2004 13:12:31 EST, "Crotty, Edward" said:
> > > I'm not a Win based guy (troll?) - Un*x here - and even I was offended by #1.
> > >
> > > There is such a thing as "runas" for Windows.
> >
> > Yes, but is *the main design* of the system "run as a mortal, and use
> > the 'runas' for those things that need more"?
> >
> > Or is the *main design* "We'll just elect the first user as
> > Administrator, and include 'runas' in case somebody wants to Do It The Right Way"?
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
On Sat, 2004-11-20 at 08:20, joe wrote:
> I agree with your initial comment, they can both be changed. I also agree
> they both do little.
>
> I don't agree that the hardcoding in the source does anything for you.

Well, it *allows* you to change the ID of the superuser account to something else. But of course that is obfuscation, and is quickly discovered (just check what ID owns /bin/* and so on). Nevertheless, you have the *ability* to change the ID. You can't do that with Windows.

(Yeah, cheap shot I know... ;)

Cheers,
Frank
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
I think if the main design of any system was run as mortal and do runas for things that need more, you would have a system that by default, NEVER allowed interactive logon to an account that does more. Further it wouldn't let you change that code to allow it. Heck I would even take it further and say that the raised levels of access would be process only based, once that process completed, it would revert.

joe

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 19, 2004 5:14 PM
To: Crotty, Edward
Cc: [EMAIL PROTECTED]
Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

On Fri, 19 Nov 2004 13:12:31 EST, "Crotty, Edward" said:
> I'm not a Win based guy (troll?) - Un*x here - and even I was offended by #1.
>
> There is such a thing as "runas" for Windows.

Yes, but is *the main design* of the system "run as a mortal, and use the 'runas' for those things that need more"?

Or is the *main design* "We'll just elect the first user as Administrator, and include 'runas' in case somebody wants to Do It The Right Way"?
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
I agree with your initial comment, they can both be changed. I also agree they both do little.

I don't agree that the hardcoding in the source does anything for you.

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Knobbe
Sent: Friday, November 19, 2004 10:42 PM
To: Jeremy Davis
Cc: [EMAIL PROTECTED]
Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

On Fri, 2004-11-19 at 20:40, Jeremy Davis wrote:
> Are you able to change root's name in nix? Why not if the answer is no?
> (Things would break right? UID 0?) Knowing the account name is
> two-thirds of the battle.
> In windows it's fairly easy to change the admin name.
> Not a professional here just curious...

You can change the name of the root account in Unix, just like the Administrator account in Windows. But you can not change the UID of the root account (0) just like you can not change the SID of the Administrator account (500).

I argue that changing the account name in Unix does as little or much as changing the account name in Windows. If you have access to the system you can easily find the account name of the UID 0 account, just as easily as you can figure out the name of the SID x-500 account.

The difference is that you can change and hard code that change in the source of Unix (at least with those that you have the source for, Linux, *BSD, whatever). Can you do that with Windows?

Regards,
Frank
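The point in the quoted message above, that a renamed root or Administrator account is still found by its UID 0 or by its SID ending in 500, shown as an added example (not code from any poster in this thread). The passwd text and the Windows account list are constructed sample data, and all function names belong to this example only.

```python
# Constructed sample data (not from the thread): root has been renamed, a
# second UID 0 entry exists, and one line is malformed.
SAMPLE_PASSWD = """\
# local accounts
toor2004:x:0:0:renamed superuser:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup-admin:x:0:0:second uid 0 entry:/root:/bin/sh
broken line without enough fields
"""

# Constructed (name, SID) pairs: the built-in Administrator was renamed to
# "svc-desk" and an ordinary account was named "Administrator" as a decoy.
SAMPLE_WINDOWS_ACCOUNTS = [
    ("svc-desk", "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("Guest", "S-1-5-21-1111111111-2222222222-3333333333-501"),
    ("Administrator", "S-1-5-21-1111111111-2222222222-3333333333-1003"),
]

BUILTIN_ADMIN_RID = 500  # well-known relative ID of the built-in Administrator


def parse_passwd(text):
    """Return (name, uid) pairs from passwd-format text, skipping bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # A valid entry has exactly 7 colon-separated fields and a numeric UID.
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        entries.append((fields[0], int(fields[2])))
    return entries


def uid0_accounts(passwd_text):
    """Names of every account with UID 0, whatever they are called."""
    return [name for name, uid in parse_passwd(passwd_text) if uid == 0]


def is_builtin_admin_sid(sid):
    """True for a machine or domain SID (S-1-5-21-a-b-c-RID) whose RID is 500."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return False
    if not all(p.isdigit() for p in parts[4:]):
        return False
    return int(parts[-1]) == BUILTIN_ADMIN_RID


def builtin_admin(accounts):
    """Name of the account holding RID 500, or None if it is not listed."""
    for name, sid in accounts:
        if is_builtin_admin_sid(sid):
            return name
    return None


def audit_passwd(passwd_text):
    """Findings a reviewer would want: renamed root and extra UID 0 entries."""
    names = uid0_accounts(passwd_text)
    findings = []
    if names and "root" not in names:
        findings.append("UID 0 account is not named root: " + names[0])
    if len(names) > 1:
        findings.append("more than one UID 0 account: " + ", ".join(names))
    return findings


if __name__ == "__main__":
    print("UID 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("RID 500 account:", builtin_admin(SAMPLE_WINDOWS_ACCOUNTS))
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("finding:", finding)
```

The decoy account named "Administrator" is ignored because the check never looks at names, which is also why an audit for privileged accounts should key on UID and RID rather than on what the account is called.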
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
want to move from Win9x to WinXP because some odd piece of crap software doesn't work the same way won't ever consider moving to the new platform Q or whatever they choose to call it. This is such a non-realistic viewpoint it is actually quite laughable. And again, if you go back to a previous conversation from this list, it isn't all of Windows, especially Windows kernel/core level stuff that has an issue. It is some key pieces of the shell. Possibly in your understanding of Windows though, the Shell is all of what you believe Windows is comprised of.

joe

[1] Don't get me started on MCSEs. As a whole I think they hurt Windows far more than any other thing. A bunch of people who feel they are experts in Windows because they took a couple of tests that 10 year olds could memorize and pass and yet still not be able to run anything. The best I can say about MCSEs is that I will *try* not to look down upon them for being MCSEs and let them prove themselves to be worthless before I assume it in person.

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of devis
Sent: Friday, November 19, 2004 11:10 AM
Cc: [EMAIL PROTECTED]
Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

This message is primarily destined to all MS trolls, no matter their levels, and i can see so many in this list that i am happy to target a large audience.

Please run some unix or at least read about the unix permission system, and lets pray god this sheds some light in your mono cultured brains. Here are the relevant points:

1) Despite recent ameliorations of MS ( multi user finally, permissions ... ) and some effort at making the system more secure, something very important is still left out: The first default user of the MS computer is made an administrator. This comes down to giving uid0 to ur first unix user. Unix does NOT do that. It requires you to use su and become root ( administrator ) after proper credentials submission ( password ). The first user is NOT an administrator, and any recent Unix documentation will insist on the danger of running as root(admin). Unix keeps the admin account well separated from the user account, which MS DOESN'T, despite all wrong arguments i read on this list. VERY BAD practice generally. So its user friendly, as the user has admin rights and can therefore install and remove software and change major configuration. Majority of users don't and will never know there is an 'administrator' user that hides from their eyes. This little detail that apparently Ms people can't 'understand' is a huge step. Please install a proper unix, create 2 accounts and try to read the home directory of the second user from the first.

2) "After all, they don't need to know" . " You're on a need to know basis job" Do MS really think the users are stupid ? Do understanding different IDs/ roles / accounts on a computer that much of a tough message to pass to the end user ? Isn't security important and supposedly the goal of recent MS developments ? If they really did target security, their efforts will have been into making the user understand that he should be admin to install programs, and a non privileged user to surf the web. IS that that hard to understand ? And that much hidden into high IT security professional unreachable knowledge ? I don't think so. Doesn't a company such as MS has enough resources to make that a priority and educate the users ? Of course it has. Just not very 'commercially' friendly as if user then understand roles, it might requires less Anti virus, personal firewall and other bullshit FUD's scareware ( Yes its scareware, and it is the best selling software category OF ALL times of software history ).

This is why, Firefox being independent from this OS that carries 60 of its code base as being legacy code for older system hardware and backward compatibility, is likely more secure than the in house integrated application. Now if u are running Firefox as an administrator .don't be surprised if something happens. Don't blame the software, but your poor security practices.

Let's not hide from ourselves what's needed from MS to reach modern world security: a complete rewrite, and a ditch of old Dos base and the 20 years old legacy code.

Hopes that clears things.
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Well if hacking Windows cold across a tcp/ip service such as web this may be helpful, but it doesn't require much more than that to figure out what the admin account is for a given machine. joe -- Pro-Choice Let me choose if I even want a browser loaded thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Davis Sent: Friday, November 19, 2004 9:40 PM To: [EMAIL PROTECTED] Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox Are you able to change root's name in nix? Why not if the answer is no? (Things would break right? UID 0?) Knowing the account name is two-thirds of the battle. In windows it's fairly easy to change the admin name. Not a professional here just curious... J ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Dude, mplayer2 rulez!! I use it to play all sorts of things. =) I'm glad they left it there... the newer MS media player is just bloat. Media Player Classic (that comes with RealAlternative and QuickTime Alternative) is another one of my favs. =D Yeah, not really anything to do with the topic, but I felt it had to be said. Don't go knocking my v6.4. ;) -- Peace. ~G On Fri, 19 Nov 2004 12:41:25 -0600, Todd Towles <[EMAIL PROTECTED]> wrote: > > Microsoft integration: You remove the application that plays > > MPEG movies from a system that has never needed to play MPEG > > movies, and never will need to - and your system won't boot anymore. > > Example - Anyone with XP, do a search for mplayer2.exe? What is this > you ask? It is media player 6.4 =) > > You only think you upgraded to Media player 10..lol > > -Todd > ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
On 19 Nov 2004, at 18:40, Jeremy Davis wrote:

> Are you able to change root's name in nix?

Sure. There's no reason why not.

> Why not if the answer is no? (Things would break right? UID 0?) Knowing the account name is two-thirds of the battle.

A much better system is to have root's password unset (i.e. no direct login allowed) and use sudo instead.
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
--On Friday, November 19, 2004 01:12:31 PM -0500 "Crotty, Edward" <[EMAIL PROTECTED]> wrote:

> I'm not a Win based guy (troll?) - Un*x here - and even I was offended by #1.
>
> There is such a thing as "runas" for Windows.

That's not all.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of devis
> Sent: Friday, November 19, 2004 11:10 AM
> Cc: [EMAIL PROTECTED]
> Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
>
> 1) Despite recent ameliorations of MS ( multi user finally, permissions ... ) and some effort at making the system more secure, something very important is still left out: The first default user of the MS computer is made an administrator.

Apparently you don't have very broad experience with OSes. On *every* OS I'm familiar with, the first user is the administrator (or root) account.

> This comes down to giving uid0 to ur first unix user. Unix does NOT do that. It requires you to use su and become root ( administrator ) after proper credentials submission ( password ).

When's the last time you installed an OS from scratch? Gentoo, FreeBSD, OpenBSD, RedHat, Fedora, Slackware, Mac OS X, Debian, Solaris, *all* create the first user as uid0 during the install process. (I can't speak for the others because I haven't done those, but I'd be willing to bet that NetBSD, AIX, HP-UX, SCO et al. work exactly the same way.)

Unix does not grant users root access by default, and it does a much better job of separating privileges by requiring you to join the wheel group *and* either use sudo or su to do work as root, but Windows doesn't make users the admin by default *either*, unless you set up Fast User Switching *during* the install.

> The first user is NOT an administrator, and any recent Unix documentation will insist on the danger of running as root(admin). Unix keeps the admin account well separated from the user account, which MS DOESN'T,

That's simply false. Windows has several groups. By default users are in the "USERS" group, *not* the ADMINISTRATORS group. It might make sense if you actually had knowledge of an OS before you criticize it.

> Please install a proper unix, create 2 accounts and try to read the home directory of the second user from the first.

Please do the same in Windows. Here's a hint. You'll get the same results.

> 2) "After all, they don't need to know" . " You're on a need to know basis job" Do MS really think the users are stupid ?

Probably. Otherwise they wouldn't have those stupid warnings pop up every time you try to delete something. Are you SURE you want to do this? Yes, damn it!!

[snipped the rant]

> Let's not hide from ourselves what's needed from MS to reach modern world security: a complete rewrite, and a ditch of old Dos base and the 20 years old legacy code.

Oh baloney. Learn a little more about the OS before you make assumptions that make you look ignorant. Aside from the default permissions, you can also granularly apply privileges in many ways. For example, by default USERS have Read & Execute, List Folder Contents and Read access to the Windows folder, its contents and all its subfolders. In addition, there are fourteen (14) separate rights that can be explicitly granted or denied to them at that level only or to all subfolders as well, to files only, to subfolders only, to subfolders *and* files only, etc., etc.

I'm not a Windows fan, but the least you can do is learn the subject before you claim expert status and presume to preach to others.

While we're lecturing the unwashed, would you mind trimming your replies? Who needs six levels of FD disclaimers?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
On Fri, 2004-11-19 at 20:40, Jeremy Davis wrote:
> Are you able to change root's name in nix? Why not if the answer is no?
> (Things would break right? UID 0?) Knowing the account name is
> two-thirds of the battle.
> In windows it's fairly easy to change the admin name.
> Not a professional here just curious...

You can change the name of the root account in Unix, just like the Administrator account in Windows. But you cannot change the UID of the root account (0), just like you cannot change the SID of the Administrator account (500).

I argue that changing the account name in Unix does as little or much as changing the account name in Windows. If you have access to the system you can easily find the account name of the UID 0 account, just as easily as you can figure out the name of the SID x-500 account.

The difference is that you can change and hard code that change in the source of Unix (at least with those that you have the source for, Linux, *BSD, whatever). Can you do that with Windows?

Regards,
Frank
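The two replies above make a point that can be checked mechanically: the superuser is identified by UID 0 rather than by name, and direct root login is avoided by locking its password and using sudo. The following is an added example, not part of any poster's message; it assumes the Linux passwd(5)/shadow(5) formats, and every account name and file line in it is constructed.

```python
"""Audit passwd/shadow data for superuser accounts by UID, not by name."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data (not from the thread). The UID 0 account has been
# renamed to "sysop" and locked; a second UID 0 entry sits under a
# service-like name with an empty password field.
SAMPLE_PASSWD = """\
sysop:x:0:0:renamed superuser:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backupsvc:x:0:0:backup helper:/var/backups:/bin/sh
this line is malformed and is skipped
"""

SAMPLE_SHADOW = """\
sysop:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$CONSTRUCTED$notarealhash:19000:0:99999:7:::
backupsvc::19000:0:99999:7:::
"""


@dataclass(frozen=True)
class SuperuserAccount:
    name: str
    shell: str
    password_state: str  # "locked", "empty", "set" or "unknown"


def classify(pw_field: str) -> str:
    """Classify a password field as shadow(5) describes it."""
    if pw_field == "":
        return "empty"    # authentication may succeed with no password
    if pw_field[0] in "!*":
        return "locked"   # no typed password can ever match
    return "set"          # a password hash is present


def password_states(shadow_text: str) -> Dict[str, str]:
    """Map account name -> state of its shadow password field."""
    states: Dict[str, str] = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            states[fields[0]] = classify(fields[1])
    return states


def superuser_accounts(passwd_text: str, shadow_text: str) -> List[SuperuserAccount]:
    """Return every account whose UID is 0, whatever it is called."""
    states = password_states(shadow_text)
    found: List[SuperuserAccount] = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # not a well-formed passwd(5) entry
        name, pw_field, uid, shell = fields[0], fields[1], int(fields[2]), fields[6]
        if uid != 0:
            continue
        # "x" means the real field lives in shadow; otherwise judge it here.
        if pw_field == "x":
            state = states.get(name, "unknown")
        else:
            state = classify(pw_field)
        found.append(SuperuserAccount(name, shell, state))
    return found


def audit(passwd_text: str, shadow_text: str) -> List[str]:
    """Produce warnings about how UID 0 is exposed."""
    accounts = superuser_accounts(passwd_text, shadow_text)
    warnings: List[str] = []
    if len(accounts) > 1:
        names = ", ".join(a.name for a in accounts)
        warnings.append(f"multiple UID 0 accounts: {names}")
    for a in accounts:
        if a.password_state == "empty":
            warnings.append(f"{a.name}: UID 0 with an empty password field")
        elif a.password_state == "set":
            warnings.append(f"{a.name}: UID 0 allows direct password login")
        elif a.password_state == "unknown":
            warnings.append(f"{a.name}: UID 0 with no shadow entry")
    return warnings


if __name__ == "__main__":
    for account in superuser_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(account)
    for warning in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("WARNING:", warning)
```

A locked password field only blocks password authentication; SSH keys and sudo rules for the same account need their own review.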
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Andrew Farmer wrote:

> In fact, I'm not so sure it's even a component of Nautilus. Is this a recent change?

Nope - it depends on how you install Nautilus, though. I know that on a number of RH systems I've had to configure lately, Mozilla is a dependency (not firefox) because Nautilus seems to use it. (at least in RH - my recollection of whether it's available as a dependency in the Nautilus source code is hazy, it's been a long time since I've compiled GNOME and it will most likely be an even longer time before I do it again.)

-Barry
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Are you able to change root's name in nix? Why not if the answer is no? (Things would break right? UID 0?) Knowing the account name is two-thirds of the battle.
In windows it's fairly easy to change the admin name.
Not a professional here just curious...

J

On Fri, 19 Nov 2004 17:13:36 -0500, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> On Fri, 19 Nov 2004 13:12:31 EST, "Crotty, Edward" said:
> > I'm not a Win based guy (troll?) - Un*x here - and even I was offended by
> > #1.
> >
> > There is such a thing as "runas" for Windows.
>
> Yes, but is *the main design* of the system "run as a mortal, and use
> the 'runas' for those things that need more"?
>
> Or is the *main design* "We'll just elect the first user as Administrator,
> and include 'runas' in case somebody wants to Do It The Right Way"?
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
On Fri, 19 Nov 2004 13:12:31 EST, "Crotty, Edward" said:
> I'm not a Win based guy (troll?) - Un*x here - and even I was offended by #1.
>
> There is such a thing as "runas" for Windows.

Yes, but is *the main design* of the system "run as a mortal, and use the 'runas' for those things that need more"?

Or is the *main design* "We'll just elect the first user as Administrator, and include 'runas' in case somebody wants to Do It The Right Way"?
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
On 19 Nov 2004, at 08:35, Xavier Beaudouin wrote:

>> Thanks. I thought that it had more meanings :-D
>>
>> Given that Firefox is integrated in Linux...

It isn't.

<...>

> Result : Firefox is not integrated in Linux, it is a third party software as /bin/bash or whatever that is given as a giveaway on the computer...

Even less so. Bash is sometimes used as a component of startup scripts (#!/bin/bash...), while Firefox is just a plain old browser.

In fact, I'm not so sure it's even a component of Nautilus. Is this a recent change?
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
> Microsoft integration: You remove the application that plays
> MPEG movies from a system that has never needed to play MPEG
> movies, and never will need to - and your system won't boot anymore.

Example - Anyone with XP, do a search for mplayer2.exe? What is this you ask? It is media player 6.4 =)

You only think you upgraded to Media player 10..lol

-Todd
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Windows doesn't tell you about the Admin account and makes the default user a Admin. That isn't best method as you know. RunAs is great..but that is only good once you create a normal user - and then delete your new default user. Or you log in in Administrator and take away the full control of the default user. Easy for the average window user? Nope. If it was Microsoft would make the default user (note USER) and then let you configure the Admin account on start. > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Crotty, Edward > Sent: Friday, November 19, 2004 12:13 PM > To: [EMAIL PROTECTED] > Subject: RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox > > I'm not a Win based guy (troll?) - Un*x here - and even I was > offended by #1. > > There is such a thing as "runas" for Windows. > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of devis > Sent: Friday, November 19, 2004 11:10 AM > Cc: [EMAIL PROTECTED] > Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox > > > This message is primarily destined to all MS trolls, no > matter their levels, and i can see so many in this list that > i am happy to target a large audience. > > Please run some unix or at least read about the unix > permission system, and lets pray god this sheds some light in > your mono cultured brains. > Here are the relevant points: > > 1) Despite recent ameliorations of MS ( multi user finally, > permissions ... ) and some effort at making the system more > secure, something very important is still left out: The first > default user of the MS computer is made an administrator. > This comes down to giving uid0 to ur first unix user. Unix > does NOT do that. It requieres you to use su and become root > ( administrator ) after proper credentials submission ( password ). 
> The first user is NOT and administrator, and any recent Unix > documentation will insist on the danger of running as > root(admin). Unix keeps the admin account well separated from > the user account, which MS DOESN'T, despite all wrong > arguments i read on this list. VERY BAD practice generally. > So its user friendly, as the user has admin rights and can > therefore install and remove software and change major > configuration. Majority of users don't and will never know > there is an 'administrator' user that hides from their eyes. > This little detail that apparently Ms people can't > 'understand' is a huge step. Please install a proper unix, > create 2 accounts and try to read the home directory of the > second user from the first. > > 2) "After all, they don;t need to know" . " You're on a need > to know basis job" > Do MS really think the users are stupid ? Do understanding > different IDs/ roles / accounts on a computer that much of a > tough message to pass to the end user ? Isn't security > important and supposedly the goal of recent MS developpements > ? If they really did target security, their efforts will have > been into making the user understand that he should be admin > to install programs, and a non priviledged user to surf the web. > IS that that hard to understand ? And that much hidden into > high IT security professionnal unreachable knowledge ? I > don;t think so. Doesn't a company such as MS has enough > ressources to make that a priority and educate the users ? > Off course it has. Just not very 'commercially' > friendly as if user then understand roles, it might requires > less Anti virus, personnal firewall and other bullshit FUD's > scareware ( Yes its scareware, and it is the best selling > software category OF ALL times of software history ). 
> > > This is why, Firefox being independant from this OS that > carries 60 of its code base as being legacy code for older > system hardware and backward compatibility, is likely more > secure than the in house integrated application. Now if u are > running Firefox as an administrator .don't be surprised > if something happens. Don;t blame the software, but your poor > security practices. > > Lets not hide from ourselves whats needed from MS to reach > modern world > security: > a complete rewrite, and a ditch of old Dos base and the 20 > years old legacy code. > > Hopes that clears things. > > > > Rafel Ivgi, The-Insider wrote: > > >Firefox is not intgrated to the OS, because it doesn't have an OS. > >Its just a trimmed Mozilla for windows.. > >However Mozilla in Linux is integrated at some level...so &
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
I'm not a Win based guy (troll?) - Un*x here - and even I was offended by #1. There is such a thing as "runas" for Windows. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of devis Sent: Friday, November 19, 2004 11:10 AM Cc: [EMAIL PROTECTED] Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox This message is primarily destined to all MS trolls, no matter their levels, and i can see so many in this list that i am happy to target a large audience. Please run some unix or at least read about the unix permission system, and lets pray god this sheds some light in your mono cultured brains. Here are the relevant points: 1) Despite recent ameliorations of MS ( multi user finally, permissions ... ) and some effort at making the system more secure, something very important is still left out: The first default user of the MS computer is made an administrator. This comes down to giving uid0 to ur first unix user. Unix does NOT do that. It requieres you to use su and become root ( administrator ) after proper credentials submission ( password ). The first user is NOT and administrator, and any recent Unix documentation will insist on the danger of running as root(admin). Unix keeps the admin account well separated from the user account, which MS DOESN'T, despite all wrong arguments i read on this list. VERY BAD practice generally. So its user friendly, as the user has admin rights and can therefore install and remove software and change major configuration. Majority of users don't and will never know there is an 'administrator' user that hides from their eyes. This little detail that apparently Ms people can't 'understand' is a huge step. Please install a proper unix, create 2 accounts and try to read the home directory of the second user from the first. 2) "After all, they don;t need to know" . " You're on a need to know basis job" Do MS really think the users are stupid ? 
Do understanding different IDs/ roles / accounts on a computer that much of a tough message to pass to the end user ? Isn't security important and supposedly the goal of recent MS developpements ? If they really did target security, their efforts will have been into making the user understand that he should be admin to install programs, and a non priviledged user to surf the web. IS that that hard to understand ? And that much hidden into high IT security professionnal unreachable knowledge ? I don;t think so. Doesn't a company such as MS has enough ressources to make that a priority and educate the users ? Off course it has. Just not very 'commercially' friendly as if user then understand roles, it might requires less Anti virus, personnal firewall and other bullshit FUD's scareware ( Yes its scareware, and it is the best selling software category OF ALL times of software history ). This is why, Firefox being independant from this OS that carries 60 of its code base as being legacy code for older system hardware and backward compatibility, is likely more secure than the in house integrated application. Now if u are running Firefox as an administrator .don't be surprised if something happens. Don;t blame the software, but your poor security practices. Lets not hide from ourselves whats needed from MS to reach modern world security: a complete rewrite, and a ditch of old Dos base and the 20 years old legacy code. Hopes that clears things. Rafel Ivgi, The-Insider wrote: >Firefox is not intgrated to the OS, because it doesn't have an OS. >Its just a trimmed Mozilla for windows.. >However Mozilla in Linux is integrated at some level...so they are just the >same as I.E. > > >Rafel Ivgi, The-Insider >Security Consultant >Malicious Code Research Center (MCRC) >Finjan Software LTD >E-mail: [EMAIL PROTECTED] >- >Prevention is the best cure! 
>----- Original Message ----- >From: "john morris" <[EMAIL PROTECTED]> >To: <[EMAIL PROTECTED]> >Sent: Sunday, November 14, 2004 3:34 PM >Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox > > > > >>Firefox avoids several fundamental design flaws of IE, in that: >> >>-Firefox is not integrated into Windows, and thus closes holes >>allowing access to the OS. >> >>-Firefox does not support ActiveX JavaVM or VBScript, three Microsoft >>proprietary technologies that are responsible for many security holes. >> >>-Firefox does not allow for the invasion of your system by adware and >>spyware just by visiting a website. >> >>(FROM LINKS TO LINKS WE ARE ALL LINKED) >> >>cheers. >> >>morris >> >>__
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
This message is primarily destined to all MS trolls, no matter their levels, and I can see so many in this list that I am happy to target a large audience.

Please run some unix or at least read about the unix permission system, and let's pray god this sheds some light in your mono cultured brains.
Here are the relevant points:

1) Despite recent ameliorations of MS ( multi user finally, permissions ... ) and some effort at making the system more secure, something very important is still left out: The first default user of the MS computer is made an administrator. This comes down to giving uid0 to ur first unix user. Unix does NOT do that. It requires you to use su and become root ( administrator ) after proper credentials submission ( password ). The first user is NOT an administrator, and any recent Unix documentation will insist on the danger of running as root(admin). Unix keeps the admin account well separated from the user account, which MS DOESN'T, despite all wrong arguments I read on this list. VERY BAD practice generally. So it's user friendly, as the user has admin rights and can therefore install and remove software and change major configuration. Majority of users don't and will never know there is an 'administrator' user that hides from their eyes. This little detail that apparently Ms people can't 'understand' is a huge step. Please install a proper unix, create 2 accounts and try to read the home directory of the second user from the first.

2) "After all, they don't need to know" . " You're on a need to know basis job"
Do MS really think the users are stupid ? Is understanding different IDs / roles / accounts on a computer that much of a tough message to pass to the end user ? Isn't security important and supposedly the goal of recent MS developments ? If they really did target security, their efforts would have been into making the user understand that he should be admin to install programs, and a non privileged user to surf the web. Is that that hard to understand ? And that much hidden into high IT security professional unreachable knowledge ? I don't think so. Doesn't a company such as MS have enough resources to make that a priority and educate the users ? Of course it has. Just not very 'commercially' friendly as if users then understand roles, it might require less Anti virus, personal firewall and other bullshit FUD's scareware ( Yes it's scareware, and it is the best selling software category OF ALL times of software history ).

This is why, Firefox being independent from this OS that carries 60 of its code base as being legacy code for older system hardware and backward compatibility, is likely more secure than the in house integrated application. Now if u are running Firefox as an administrator, don't be surprised if something happens. Don't blame the software, but your poor security practices.

Let's not hide from ourselves what's needed from MS to reach modern world security: a complete rewrite, and a ditch of old Dos base and the 20 years old legacy code.

Hope that clears things.

Rafel Ivgi, The-Insider wrote:

> Firefox is not integrated to the OS, because it doesn't have an OS.
> It's just a trimmed Mozilla for windows..
> However Mozilla in Linux is integrated at some level...so they are just the
> same as I.E.
>
> Rafel Ivgi, The-Insider
> Security Consultant
> Malicious Code Research Center (MCRC)
> Finjan Software LTD
> E-mail: [EMAIL PROTECTED]
> -
> Prevention is the best cure!
> ----- Original Message -----
> From: "john morris" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, November 14, 2004 3:34 PM
> Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
>
>> Firefox avoids several fundamental design flaws of IE, in that:
>>
>> -Firefox is not integrated into Windows, and thus closes holes
>> allowing access to the OS.
>>
>> -Firefox does not support ActiveX, JavaVM or VBScript, three Microsoft
>> proprietary technologies that are responsible for many security holes.
>>
>> -Firefox does not allow for the invasion of your system by adware and
>> spyware just by visiting a website.
>>
>> (FROM LINKS TO LINKS WE ARE ALL LINKED)
>>
>> cheers.
>>
>> morris
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
> Could you please define "integrated"? English isn't my primary language... In:-D
>
> Thanks. I thought that it had more meanings :-D
>
> Given that Firefox is integrated in Linux... ¿Will I be able to use Linux without Firefox?

Yes.

> Or, ¿is Firefox an operating system module?

No, this is a program like, for example, Word or Excel on Windows...

> Being Linux a kernel... Is Firefox a kernel module?

No.

Result : Firefox is not integrated in Linux, it is a third party software as /bin/bash or whatever that is given as a giveaway on the computer...

/Xavier
--
Xavier Beaudouin - Unix System Administrator & Projects Leader.
President of Kazar Organization : http://www.kazar.net/
Please visit http://caudium.net/, home of Caudium & Camas projects
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
On Fri, 19 Nov 2004 13:57:31 +0100, Borja Marcos said:
> Given that Firefox is integrated in Linux... ¿Will I be able to use
> Linux without Firefox? Or, ¿is Firefox an operating system module? Being

Hint: Linux is over 10 years old, and FireFox just came out. What did Linux do before FF 1.0 shipped? ;)

Linux integration: Tools register themselves as optional add-ons to add new or extended functionality. If the tool isn't there, all that happens is the menu items *for that added function* end up greyed out or don't show up, or simply Nothing Interesting Happens when you click on the object.

Microsoft integration: You remove the application that plays MPEG movies from a system that has never needed to play MPEG movies, and never will need to - and your system won't boot anymore.
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
In my opinion, there are two definitions for "integrated". For most people, it means "a" works with "b". For Microsoft, it means "a" can not work without "b". Firefox is definitely the former because I use it both under Linux and under Windows, and I'm trying to get it to work on my Zaurus.

On Fri, 19 Nov 2004 13:57:31 +0100, Borja Marcos <[EMAIL PROTECTED]> wrote:
> >> Could you please define "integrated"? English isn't my primary
> >> language...
> >
> > Integrated is similar to saying "is part of" or "united". For future
> > reference (and more info), Google can also be extremely handy in such
> > a case. Doing a Google search for:
>
> :-D
>
> Thanks. I thought that it had more meanings :-D
>
> Given that Firefox is integrated in Linux... ¿Will I be able to use
> Linux without Firefox? Or, ¿is Firefox an operating system module? Being
> Linux a kernel... Is Firefox a kernel module? :-D (That was the whole
> point, I didn't mark the sarcasm correctly, though).
>
> Borja.
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
>> Could you please define "integrated"? English isn't my primary language...
>
> Integrated is similar to saying "is part of" or "united". For future reference (and more info), Google can also be extremely handy in such a case. Doing a Google search for:

:-D

Thanks. I thought that it had more meanings :-D

Given that Firefox is integrated in Linux... ¿Will I be able to use Linux without Firefox? Or, ¿is Firefox an operating system module? Being Linux a kernel... Is Firefox a kernel module? :-D (That was the whole point, I didn't mark the sarcasm correctly, though).

Borja.
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
In case no one else helped you with this, allow me to try. =)

> Could you please define "integrated"? English isn't my primary language...

Integrated is similar to saying "is part of" or "united". For future reference (and more info), Google can also be extremely handy in such a case. Doing a Google search for:

define:WORD_TO_DEFINE

will likely reveal the answer to you. (You can also translate it into your own language if Google supports your language, or possibly doing such a query from the Google home page of your country would save a step.)

For example, here is the Google search for "Integrated":
- http://www.google.com/search?&q=define%3Aintegrated

Hope that helps. =)

--
Peace. ~G

On Thu, 18 Nov 2004 15:51:42 +0100, Borja Marcos <[EMAIL PROTECTED]> wrote:
> > However Mozilla in Linux is integrated at some level...so they are
> > just the
> > same as I.E.
>
> Could you please define "integrated"? English isn't my primary
> language...
>
> Borja.
>
> ---
>
> Borja Marcos* [EMAIL PROTECTED]
> Head of security* Tel: +34 944209470
> SARENET S.A. - AS3262 * Fax: +34 944209465
> Parque Tecnologico, 103 * PGP KeyID: 0x85D6809F
> 48170 - Zamudio (Bizkaia) SPAIN *
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
> However Mozilla in Linux is integrated at some level...so they are just the same as I.E.

Could you please define "integrated"? English isn't my primary language...

Borja.

---
Borja Marcos * [EMAIL PROTECTED]
Responsable de seguridad * Tel: +34 944209470
SARENET S.A. - AS3262 * Fax: +34 944209465
Parque Tecnologico, 103 * PGP KeyID: 0x85D6809F
48170 - Zamudio (Bizkaia) SPAIN
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
On Tue, 16 Nov 2004 10:33:26 -0600, Todd Towles <[EMAIL PROTECTED]> wrote:
> It doesn't... I was responding to another off-topic message. But then again, how many messages on FD stay on topic for more than 10 messages. =)

Fair enough

> Who do you think posted the original "IE is just as safe as FireFox" message? ;)

I am too lazy to.

> So what did your message add to the subject? Other than telling me it was OT..which is given.

Hopefully an end or a start of a new thread. :)

This will be my last OT post on this subject.

...D
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
On Tue, 16 Nov 2004 09:07:56 -0600, Todd Towles <[EMAIL PROTECTED]> wrote:
> Darwin and BSD...Darwin is the open source kernel that OS X uses...=)

What does this have to do with IE and Firefox, again?

...D
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
It doesn't... I was responding to another off-topic message. But then again, how many messages on FD stay on topic for more than 10 messages. =)

Who do you think posted the original "IE is just as safe as FireFox" message? ;)

So what did your message add to the subject? Other than telling me it was OT..which is given.

> -----Original Message-----
> From: Danny [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 16, 2004 10:28 AM
> To: Todd Towles
> Cc: [EMAIL PROTECTED]
> Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
>
> On Tue, 16 Nov 2004 09:07:56 -0600, Todd Towles <[EMAIL PROTECTED]> wrote:
> > Darwin and BSD...Darwin is the open source kernel that OS X uses...=)
>
> What does this have to do with IE and Firefox, again?
>
> ...D
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
On Tue, 16 Nov 2004, JxT wrote:
> I believe it says "The BSD layer is based on the BSD kernel, primarily FreeBSD." It does not say the OSX kernel.
>
> peep developer.apple.com if you really don't believe me ;-) it's a tad more reliable than wikipedia

For those interested in technical details, there's a neat page at:

http://www.kernelthread.com/mac/osx/arch_xnu.html

about the OSX kernel architecture.

cheers!

==
"A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Darwin and BSD...Darwin is the open source kernel that OS X uses...=)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of JxT
> Sent: Tuesday, November 16, 2004 7:45 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
>
> I believe it says "The BSD layer is based on the BSD kernel, primarily FreeBSD." It does not say the OSX kernel.
>
> peep developer.apple.com if you really don't believe me ;-) it's a tad more reliable than wikipedia
>
> -JxT
>
> On Mon, 15 Nov 2004 11:41:35 -0800, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > On Sun, Nov 14, 2004 at 11:53:46PM -0600, JxT wrote:
> > >"The BSD layer is based on the BSD kernel, primarily FreeBSD." That
> > >information is available on Apple's Developer Site.
> >
> > OSX is based on the Mach kernel, not the bsd kernel.
> >
> > "Apple selected OPENSTEP to be the basis for the successor of the classic Mac OS. It became the Cocoa API of Mac OS X. OPENSTEP is in fact an upgraded version of NeXTSTEP, which used Mach 2.5. As such, OPENSTEP's Mach/BSD amalgam is the basis for Apple's Mac OS X operating system."
> >
> > http://en.wikipedia.org/wiki/Mach_operating_system
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
I believe it says "The BSD layer is based on the BSD kernel, primarily FreeBSD." It does not say the OSX kernel.

peep developer.apple.com if you really don't believe me ;-) it's a tad more reliable than wikipedia

-JxT

On Mon, 15 Nov 2004 11:41:35 -0800, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> On Sun, Nov 14, 2004 at 11:53:46PM -0600, JxT wrote:
> >"The BSD layer is based on the BSD kernel, primarily FreeBSD." That
> >information is available on Apple's Developer Site.
>
> OSX is based on the Mach kernel, not the bsd kernel.
>
> "Apple selected OPENSTEP to be the basis for the successor of the classic Mac OS. It became the Cocoa API of Mac OS X. OPENSTEP is in fact an upgraded version of NeXTSTEP, which used Mach 2.5. As such, OPENSTEP's Mach/BSD amalgam is the basis for Apple's Mac OS X operating system."
>
> http://en.wikipedia.org/wiki/Mach_operating_system
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
>OPENSTEP's Mach/BSD amalgam is the basis for Apple's Mac OS X operating system."

Is that BSD in there? Ummm...

Apple took over OPENSTEP, no wonder they "selected" NextStep.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Monday, November 15, 2004 1:42 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
>
> On Sun, Nov 14, 2004 at 11:53:46PM -0600, JxT wrote:
> >"The BSD layer is based on the BSD kernel, primarily FreeBSD." That
> >information is available on Apple's Developer Site.
>
> OSX is based on the Mach kernel, not the bsd kernel.
>
> "Apple selected OPENSTEP to be the basis for the successor of the classic Mac OS. It became the Cocoa API of Mac OS X. OPENSTEP is in fact an upgraded version of NeXTSTEP, which used Mach 2.5. As such, OPENSTEP's Mach/BSD amalgam is the basis for Apple's Mac OS X operating system."
>
> http://en.wikipedia.org/wiki/Mach_operating_system
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
I presume he's talking about this one:

"Programs that connect to IP addresses that are in the loopback address range may not work as you expect in Windows XP Service Pack 2"

http://support.microsoft.com/?kbid=884020

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ron DuFresne
> Sent: 15 November 2004 20:02
> To: Gregory Gilliss
> Cc: [EMAIL PROTECTED]
> Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
>
> On Sun, 14 Nov 2004, Gregory Gilliss wrote:
>
> > One comment about XP2 - the company where I work (which produces security networking appliances) has a corporate policy - we do not support XP2. Sales hates this (because all the numbnuts out there are pulling SP2 down with autoupdate and they have no clue what they have brought upon themselves) but since M$ was so idiotic as to disable the network functionality that allows reverse proxies to function properly (and I'm not talking about Juniper's back door where they pipe things straight through) it basically makes my company's (and every other company's) product break.
> >
> > The really dumb part is that M$ has a patch for their misdeeds and a knowledge base article and everything - but it's not incorporated into autoupdate. Wonder why they would not include that fix for SP2 in autoupdate? Maybe they *want* to break other company's products?
> > Nah ...
>
> I'm sure many would have liked to see the direct link to the sp2 fix.
>
> Thanks,
>
> Ron DuFresne
> --
> "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
bkfsec wrote:
> Rafel Ivgi, The-Insider wrote:
>> Firefox is not integrated to the OS, because it doesn't have an OS.
>> Its just a trimmed Mozilla for windows..
>
> Not exactly... it's a mozilla core in a native application, as opposed to an interpreted XUL front-end. It's a bit faster in both GNU/Linux and Windows.

Not exactly ;) Mozilla Firefox does use XUL for its front-end. There are browsers that do use the native controls instead of XUL while still leveraging the Gecko layout engine to display HTML, for example Camino for Mac OS X (http://www.mozilla.org/products/camino/).

--
Heikki Toivonen
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 16, 2004 12:34 AM
Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

> Quoting Raoul Nakhmanson-Kulish <[EMAIL PROTECTED]>:
>
>> Hello, Curt Purdy!
>>
>> > Upgrade W2K to XP? I call that a downgrade! I won't allow XP (sp2 or not)
>> > on my network.
>> Agreed, I feel 2K to be more reliable than XP too. But mainly this is only my feeling, could you explain and prove it by more solid arguments than feelings?
>>
>> --
>
> Windows 2K is much easier to reinstall than Windows XP,

Since when? I have to deal with any Windows from 95 on upwards in my small networks I see. 95-ME are so easy to reinstall it is laughable. W2K-XP reinstalls are harder but both remain equally the same so far as reinstall is concerned.

My main annoyance with both is that if you are restoring an image to another machine in the case that the original machine is just toast, you can almost always never immediately use the restored image unless it was restored to a machine with exactly the same machinery in it. The restore requires some more work to get it working and even when working often requires a registry hack or upgrade to the next SP in order to fix networking problems. Either way, it isn't hard, just annoyingly extra work that shouldn't NEED to be done.

XP has one extra that W2K doesn't have in that it would require you to reactivate it in order to remain "valid" and sometimes that varies from "reactivate NOW" to "Reactivate within 3 days". You never find a customer who, with a large network, wants to make sure that every new machine has multiples of the same parts in case of breakdown of parts on the machine - understandably - either so you are ALWAYS faced with those problems now.

I never see any difference in a W2K reinstall to XP reinstall, either fresh or from my preferred source - an image.

Greg.
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Rafel Ivgi, The-Insider wrote:
> Firefox is not integrated to the OS, because it doesn't have an OS.
> Its just a trimmed Mozilla for windows..

Not exactly... it's a mozilla core in a native application, as opposed to an interpreted XUL front-end. It's a bit faster in both GNU/Linux and Windows.

> However Mozilla in Linux is integrated at some level...so they are just the
> same as I.E.

No... it's not the same as IE. Not at all.

What you're referring to is Mozilla's integration with Nautilus/GNOME. However, there are many people who don't run Nautilus/GNOME on their systems. Even then, you're talking about Mozilla being a dependency for an application suite (Nautilus) as opposed to a base-level operating system component. In the situations where it is a dependency, the intent is to provide a presentation engine, not a runtime engine like it is in IE.

So, no - it's not the same thing as IE - not the same thing at all. It's not even the same in a rudimentary, high-level sense, and from a low-level API sense it's not even the same genus as IE, much less the same animal.

-Barry
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
On Sun, 14 Nov 2004, Gregory Gilliss wrote:

> One comment about XP2 - the company where I work (which produces security networking appliances) has a corporate policy - we do not support XP2. Sales hates this (because all the numbnuts out there are pulling SP2 down with autoupdate and they have no clue what they have brought upon themselves) but since M$ was so idiotic as to disable the network functionality that allows reverse proxies to function properly (and I'm not talking about Juniper's back door where they pipe things straight through) it basically makes my company's (and every other company's) product break.
>
> The really dumb part is that M$ has a patch for their misdeeds and a knowledge base article and everything - but it's not incorporated into autoupdate. Wonder why they would not include that fix for SP2 in autoupdate? Maybe they *want* to break other company's products?
> Nah ...

I'm sure many would have liked to see the direct link to the sp2 fix.

Thanks,

Ron DuFresne
--
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
----- Original Message -----
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 16, 2004 5:37 AM
Subject: RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

> I think that this corporate policy will have far more impact on your company than on Microsoft. As more and more people and companies deploy XP2, it makes me wonder if you should just consider leaving the Microsoft market entirely.

Please tell me how to do that.

I live not too far west of Sydney - about an hour on a good day west of the suburbs of Sydney's outer fringe. In my area, there are some Macs (the largest office being 4 people) and 3 businesses that use *nix as well as large hospitality resort places that use someone from another state under contract. Even at those places the installations aren't what anyone would consider big enough to even be rated "small". You have to get the rights to their entire countrywide contract to make it worthwhile.

Windows based businesses, though - sure. They are as common as 4 cylinder cars! If I choose anything other than MS products, I don't earn an income. If I attempt to compete in Sydney in non-MS products, the fight is fierce.

If someone EVER finds a way to do as you say should be considered, it would be because MS are being overtaken by some other OS and possibly that other OS will just leave us where we are now. At least NOW, we have a better understanding of what can happen. Never jump ship until you are sure there's a lifeboat waiting!

Greg.
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
On Sun, Nov 14, 2004 at 11:53:46PM -0600, JxT wrote:
>"The BSD layer is based on the BSD kernel, primarily FreeBSD." That
>information is available on Apple's Developer Site.

OSX is based on the Mach kernel, not the bsd kernel.

"Apple selected OPENSTEP to be the basis for the successor of the classic Mac OS. It became the Cocoa API of Mac OS X. OPENSTEP is in fact an upgraded version of NeXTSTEP, which used Mach 2.5. As such, OPENSTEP's Mach/BSD amalgam is the basis for Apple's Mac OS X operating system."

http://en.wikipedia.org/wiki/Mach_operating_system
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:full-disclosure-[EMAIL PROTECTED] On Behalf Of Ag. System Administrator
> Sent: Sunday, November 14, 2004 7:47 AM
> To: Rafel Ivgi, The-Insider
> Cc: [EMAIL PROTECTED]
> Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
>
> Rafel Ivgi, The-Insider wrote:
> > Firefox is not integrated to the OS, because it doesn't have an OS.
> > Its just a trimmed Mozilla for windows..
> > However Mozilla in Linux is integrated at some level...so they are just the
> > same as I.E.
>
> What makes you think so? How exactly is Mozilla integrated in Linux???

It's sobering that a security "consultant" doesn't know that Mozilla is not "integrated" into Linux. (At least not in the sense that IE is "integrated")
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
I think that this corporate policy will have far more impact on your company than on Microsoft. As more and more people and companies deploy XP2, it makes me wonder if you should just consider leaving the Microsoft market entirely.

As to why it isn't on Windows Update... I would guess that is because not everyone is running your software or software that is impacted by what you are complaining about. I have been running XP2 on several machines for some time now and have no issues with it on them. My work laptop isn't running XP2 but that is simply because I am waiting for the corporate go ahead once they finish regression testing all apps. I have a virtual machine on the laptop running XP2 that I have been testing it with the corporate network and everything seems to be fine there.

My question would be, did your app break only on the final release or did you guys just ignore the public beta figuring you didn't need to test your product because it was, IYO, MS's responsibility to make sure you worked after the update?

Does your company as a whole feel attempts at securing machines shouldn't be attempted by Microsoft? I am curious what this says about your company's take on security.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gregory Gilliss
Sent: Sunday, November 14, 2004 12:39 PM
To: [EMAIL PROTECTED]
Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

One comment about XP2 - the company where I work (which produces security networking appliances) has a corporate policy - we do not support XP2. Sales hates this (because all the numbnuts out there are pulling SP2 down with autoupdate and they have no clue what they have brought upon themselves) but since M$ was so idiotic as to disable the network functionality that allows reverse proxies to function properly (and I'm not talking about Juniper's back door where they pipe things straight through) it basically makes my company's (and every other company's) product break.

The really dumb part is that M$ has a patch for their misdeeds and a knowledge base article and everything - but it's not incorporated into autoupdate. Wonder why they would not include that fix for SP2 in autoupdate? Maybe they *want* to break other company's products?
Nah ...

G
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Quoting Raoul Nakhmanson-Kulish <[EMAIL PROTECTED]>:

> Hello, Curt Purdy!
>
> > Upgrade W2K to XP? I call that a downgrade! I won't allow XP (sp2 or not)
> > on my network.
> Agreed, I feel 2K to be more reliable than XP too. But mainly this is only my feeling, could you explain and prove it by more solid arguments than feelings?
>
> --

Windows 2K is much easier to reinstall than Windows XP, which is pretty locked down, and less picky on the amount of hardware that is added to the PC/Server.

- Jostein
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Hello, Curt Purdy!

> Upgrade W2K to XP? I call that a downgrade! I won't allow XP (sp2 or not) on my network.

Agreed, I feel 2K to be more reliable than XP too. But mainly this is only my feeling, could you explain and prove it by more solid arguments than feelings?

--
Best regards,
Raoul Nakhmanson-Kulish
Elfor Soft Ltd., ERP Department
http://www.elforsoft.ru/
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
----- Original Message -----
From: "Curt Purdy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, November 14, 2004 11:59 PM
Subject: RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

> Upgrade W2K to XP? I call that a downgrade! I won't allow XP (sp2 or not) on my network. All new boxes must be reformatted and W2K or SuSE Linux or BSD installed (unless of course it is a Mac with OpenBSD kernel that is always welcome).

Why? XP has System Restore in it which certainly beats the hell out of restoring an image any day when a minor problem crops up. Also, as you know what you are doing, it is no less able to be protected than W2K. The only annoyance I have with XP on a network is it is dog slow to become part of the network unless you manually assign it an IP number, which I always do anyway. I never saw an auto assigned IP on a network so slow before this.

I find XP to be basically W2K with a few extras in it but note I don't have anything to do with large networks when saying that so haven't had the chance to see it operating on one. 20-30 together though, it seems as good as W2K and when properly protected - as you would do with W2k - seems fine to me. What am I missing?

Greg.
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
"The BSD layer is based on the BSD kernel, primarily FreeBSD." That information is available on Apple's Developer Site.

On Sun, 14 Nov 2004 17:13:41 +, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> MAC OSx is OpenBSD
>
> -- Original message --
>
> > Curt Purdy wrote:
> > >
> > > Upgrade W2K to XP? I call that a downgrade! I won't allow XP (sp2 or not)
> > > on my network. All new boxes must be reformatted and W2K or SuSE Linux or
> > > BSD installed (unless of course it is a Mac with OpenBSD kernel that is
> > > always welcome).
> >
> > Interesting. Do you know where I can get a Mac (OSX?) with OpenBSD kernel?
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
To say that Firefox does not allow adware/spyware is not entirely true. Saying that Firefox does not allow adware/spyware via ActiveX JavaVM or VBScript is correct. There are other means of infecting a user's system, but why should a programmer waste his/her time writing creative code to bypass security when unpatched IE basically opens the door to the OS for you?

While IE does have its issues, one does have to be realistic when comparing IE and Firefox. Since Microsoft tied IE to the Windows OS (which is the cause of a lot of their legal troubles), securing IE is a much more difficult task than cleaning up and securing the old Netscape browser.

Is Firefox a better product? I think so. It is my preferred browser. Are businesses going to switch over to Firefox in droves? Maybe, maybe not. My business will not because we use Outlook Web Access and SharePoint Portal Server, both of which look horrible on the Firefox browser.

Only time will tell. Netscape was the dominant browser in the early 90's (until Microsoft pulled their legal shenanigans), so maybe they are on their way to #1 again.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of john morris
Sent: Sunday, November 14, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

Firefox avoids several fundamental design flaws of IE, in that:

-Firefox is not integrated into Windows, and thus closes holes allowing access to the OS.

-Firefox does not support ActiveX JavaVM or VBScript, three Microsoft proprietary technologies that are responsible for many security holes.

-Firefox does not allow for the invasion of your system by adware and spyware just by visiting a website.

(FROM LINKS TO LINKS WE ARE ALL LINKED)

cheers.

morris
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
MAC OSx is OpenBSD

-- Original message --

> Curt Purdy wrote:
> >
> > Upgrade W2K to XP? I call that a downgrade! I won't allow XP (sp2 or not)
> > on my network. All new boxes must be reformatted and W2K or SuSE Linux or
> > BSD installed (unless of course it is a Mac with OpenBSD kernel that is
> > always welcome).
>
> Interesting. Do you know where I can get a Mac (OSX?) with OpenBSD kernel?
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
One comment about XP2 - the company where I work (which produces security networking appliances) has a corporate policy - we do not support XP2. Sales hates this (because all the numbnuts out there are pulling SP2 down with autoupdate and they have no clue what they have brought upon themselves) but since M$ was so idiotic as to disable the network functionality that allows reverse proxies to function properly (and I'm not talking about Juniper's back door where they pipe things straight through) it basically makes my company's (and every other company's) product break.

The really dumb part is that M$ has a patch for their misdeeds and a knowledge base article and everything - but it's not incorporated into autoupdate. Wonder why they would not include that fix for SP2 in autoupdate? Maybe they *want* to break other company's products?
Nah ...

G

On or about 2004.11.14 06:59:40 +, Curt Purdy ([EMAIL PROTECTED]) said:

> [EMAIL PROTECTED] wrote:
> > On Fri, 12 Nov 2004 10:46:51 GMT, [EMAIL PROTECTED] said:
> > > Oh yeah, I've got 14,000 Windows 2000 machines to update to windows XP
> > > SP2, hang on wheres that CD?
> >
> > What's worse is having to run a university network where you have 30K boxes that you do *not* have the political mandate to upgrade (fortunately, we *can* get away with "Upgrade or you can't use our network to talk to anybody else", because although we don't own the machines, we own the copper. :)
>
> Upgrade W2K to XP? I call that a downgrade! I won't allow XP (sp2 or not) on my network. All new boxes must be reformatted and W2K or SuSE Linux or BSD installed (unless of course it is a Mac with OpenBSD kernel that is always welcome).
>
> As for a university network, I can only sympathize. I listened to an interview with a U of H admin last week, and thought, if I was a script-kiddie the first thing I would do when I got home was scan their network.
>
> Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
> Information Security Engineer
> DP Solutions
>
> -
>
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked.
> -- former White House cybersecurity czar Richard Clarke

--
Gregory A. Gilliss, CISSP E-mail: [EMAIL PROTECTED]
Computer Security WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Jim Geovedi wrote:
> Curt Purdy wrote:
>> Upgrade W2K to XP? I call that a downgrade! I won't allow XP (sp2 or not) on my network. All new boxes must be reformatted and W2K or SuSE Linux or BSD installed (unless of course it is a Mac with OpenBSD kernel that is always welcome).
>
> Interesting. Do you know where I can get a Mac (OSX?) with OpenBSD kernel?

http://www.openbsd.org/macppc.html

-KF
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
On Sun, 2004-11-14 at 16:17 +0200, Rafel Ivgi, The-Insider wrote:
> Firefox is not integrated to the OS, because it doesn't have an OS.
> Its just a trimmed Mozilla for windows..

It's not "trimmed for Windows", it's just trimmed of the non-browser components so it can be used without the full Mozilla suite; it also runs on Linux BTW. Mozilla can also run on Windows too.

> However Mozilla in Linux is integrated at some level...so they are just the
> same as I.E.

Yep, it's so tightly integrated that you can't run a distro without it

    $ mozilla
    -bash: mozilla: command not found

Woah, someone's stolen my mozilla!

Barrie Dempster (zeedo) - Fortiter et Strenue
http://www.bsrf.org.uk
[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Curt Purdy wrote:
> Upgrade W2K to XP? I call that a downgrade! I won't allow XP (sp2 or not)
> on my network. All new boxes must be reformatted and W2K or SuSE Linux or
> BSD installed (unless of course it is a Mac with OpenBSD kernel that is
> always welcome).

Interesting. Do you know where I can get a Mac (OSX?) with OpenBSD kernel?
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Rafel Ivgi, The-Insider wrote:
> Firefox is not integrated to the OS, because it doesn't have an OS.
> It's just a trimmed Mozilla for windows..
> However Mozilla in Linux is integrated at some level...so they are just the
> same as I.E.

What makes you think so? How exactly is Mozilla integrated in Linux???

> Rafel Ivgi, The-Insider
> Security Consultant
> Malicious Code Research Center (MCRC)
> Finjan Software LTD
> E-mail: [EMAIL PROTECTED]
> -
> Prevention is the best cure!

Best regards,
Dm
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Firefox is not integrated to the OS, because it doesn't have an OS. It's just a trimmed Mozilla for windows..
However Mozilla in Linux is integrated at some level...so they are just the same as I.E.

Rafel Ivgi, The-Insider
Security Consultant
Malicious Code Research Center (MCRC)
Finjan Software LTD
E-mail: [EMAIL PROTECTED]
-
Prevention is the best cure!

----- Original Message -----
From: "john morris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, November 14, 2004 3:34 PM
Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

> Firefox avoids several fundamental design flaws of IE, in that:
>
> -Firefox is not integrated into Windows, and thus closes holes
> allowing access to the OS.
>
> -Firefox does not support ActiveX, JavaVM or VBScript, three Microsoft
> proprietary technologies that are responsible for many security holes.
>
> -Firefox does not allow for the invasion of your system by adware and
> spyware just by visiting a website.
>
> (FROM LINKS TO LINKS WE ARE ALL LINKED)
>
> cheers.
>
> morris
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
Firefox avoids several fundamental design flaws of IE, in that:

-Firefox is not integrated into Windows, and thus closes holes allowing access to the OS.

-Firefox does not support ActiveX, JavaVM or VBScript, three Microsoft proprietary technologies that are responsible for many security holes.

-Firefox does not allow for the invasion of your system by adware and spyware just by visiting a website.

(FROM LINKS TO LINKS WE ARE ALL LINKED)

cheers.

morris
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
[EMAIL PROTECTED] wrote:
> On Fri, 12 Nov 2004 10:46:51 GMT, [EMAIL PROTECTED] said:
> > Oh yeah, I've got 14,000 Windows 2000 machines to update to windows XP
> > SP2, hang on where's that CD?
>
> What's worse is having to run a university network where you
> have 30K boxes that you do *not* have the political mandate
> to upgrade (fortunately, we *can* get away with "Upgrade or
> you can't use our network to talk to anybody else", because
> although we don't own the machines, we own the copper. :)

Upgrade W2K to XP? I call that a downgrade! I won't allow XP (sp2 or not) on my network. All new boxes must be reformatted and W2K or SuSE Linux or BSD installed (unless of course it is a Mac with OpenBSD kernel that is always welcome).

As for a university network, I can only sympathize. I listened to an interview with a U of H admin last week, and thought, if I was a script-kiddie the first thing I would do when I got home was scan their network.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

-

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
nicolas vigier wrote:
> "Vamos, who admitted he has never used FireFox, said there is
> a lot of hype surrounding the open-source movement and that
> if Microsoft's customers wanted new features, they would have
> told the company about it."
>
> How can he talk about FireFox features if he admitted he has
> never used it ?

Exactly nicolas. M$ has been so concerned about Linux (rightly so!) that they have totally disregarded FireFox, the true backdoor for open source into the corporate world. 1.0 just threw that door wide open and M$ is history (no, they'll never go away, but their growth curve in the corporation has topped out, just as their stock did three years ago).

Even though I think the Democrats are too right wing, I am a believer in the free market and stock charts as harbingers of the future (which is why I believe they will be taking a nose-dive shortly with the Shrub's re-election).

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

-

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke