Re: Re: PHP coder needs Tor details

2007-02-13 Thread Paul Syverson
On Tue, Feb 13, 2007 at 07:12:01PM -, Tony wrote:
> Microsoft Outlook is part of Microsoft Office - not part of Windows. Possibly 
> you mean Outlook Express. 
> 
[snip]

This off-topic thread has gone on for too long.
Please stop this thread now.
-Paul

--
Paul Syverson  ()  ascii ribbon campaign  
Contact info at http://www.syverson.org/   /\  against html e-mail


RE: Re: PHP coder needs Tor details

2007-02-13 Thread Tony
Microsoft Outlook is part of Microsoft Office - not part of Windows. Possibly 
you mean Outlook Express. 

Outlook has not let you run emailed executables directly since the release of 
Outlook 2002.

Outlook has NEVER executed attachments by default without user interaction. You 
presumably refer to exploits resulting from viewing HTML emails. Sure there 
were a few of these, but security was considerably tightened on this since 
Outlook 2002, IE6 and XP SP2. I can't remember the last exploit on Outlook - 
they are certainly very rare in recent years.

The zombies you refer to are largely caused by historical bugs in IE6 on 
Windows XP and by people executing files and ActiveX addons from websites that 
ask them to. Not from any interaction with Outlook. The problem is made worse 
by the large number of people that run pirate versions of Windows and that have 
never installed XP SP2 because they can't - due to an invalid license key. 
(These issues do not apply to Windows server 2003 in a default install.)

With the release of IE7 and with Windows Vista the bar for exploits is much 
higher. Despite a year of betas for hackers to prepare and 3 months since 
release we haven't seen a notable Vista exploit yet.


Seeing as you are comparing, I seem to remember seeing dozens of get root 
exploits related to the 'sendmail' email component on UNIX - without needing 
any end user interaction.


I don't know where you got the idea that Linux has a faster IP stack than 
Windows Server. Pretty much every benchmark I have ever seen and my own 
experience contradicts that suggestion. Probably you just don't know how to 
tune and set the TCP Window size on your server. The Windows Server 2003 IP 
stack certainly outperforms the Redhat and Suse Linux IP stacks on standard HP 
server hardware. Especially when you look at high end cards like 10 Gbit 
Ethernet using Windows Server's scalable networking pack.

If you have ongoing resource issues on Windows Server then I would question 
your competence as a system admin or suggest you are running crappy software 
that has handle or resource leaks. Pretty much all resources on Windows are 
self configuring and any that are not are easily adjusted.

I get 90+ day uptimes on my Windows server running TOR (not to mention 
Exchange, IIS, etc) without any resource issues at all. A reboot is only out 
of choice when I need to update or patch something. Current uptime is 42 days - 
since a disk change. :-)

Windows XP might have its issues, but to suggest that when comparing Windows 
SERVER to Linux that Linux is more secure is simply not the case. As you say, 
Linux is 'not a particularly secure operating system'

Sure PHP is one of the problems I was referring to - it comes on the Linux CD 
does it not? Not to mention exploits in SSH, SSL, and the many other LAMP 
related issues there have been over the last year or two.

Nb - GoDaddy as a business converted over 4.5 million web domains from Linux to 
Windows for several obvious reasons - TCO, performance and scalability:

"Our business is based on providing the best possible service at the lowest 
possible price. This strategy requires us to maximize all of our resources, 
particularly our technology assets," said Warren Adelman, GoDaddy.com president 
and COO. "It was clear from all of the testing we've conducted that Microsoft 
provides an efficient and scalable operating platform, while also providing the 
performance needed to handle our extraordinary growth."


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eugen Leitl
Sent: 13 February 2007 16:35
To: or-talk@freehaven.net
Subject: Re: Re: PHP coder needs Tor details


Okay, I'll chomp upon this troll bait, and descend into lame OS penile
metrology. Hit delete *now*.

On Tue, Feb 13, 2007 at 03:26:55PM -, Tony wrote:

> Windows hasn't rendered active content by default since XP SP2. 

I beg to disagree. Outlook pane preview or opening a Word document,
or clicking on an attachment is equivalent to external code execution. How 
do you think that malware makes it onto those 250 Mzombies I mentioned? 

Have you seen a Unix mail client where the default operation
on an attachment is execution? Try executing something random
you download off the web either in KDE or Gnome, it's rather pedagogical.   
Have you seen a FLOSS browser which comes with that great 
technology called ActiveX? God knows Firefox
has its issues, but IE it's not.

> It has never rendered it by default in Vista or Windows 2003.

All very widespread operating systems, Vista especially.
And Windows 2003 server default browser settings are pure joy.
Nothing works anymore, so users so love it.   
 
> Windows also no longer runs as administrator by default (I guess you haven't 
> used Vista yet).

No, and I won't, unless I have to set up a VMware system for it at work.
I refu

Re: Re: PHP coder needs Tor details

2007-02-13 Thread Eugen Leitl

Okay, I'll chomp upon this troll bait, and descend into lame OS penile
metrology. Hit delete *now*.

On Tue, Feb 13, 2007 at 03:26:55PM -, Tony wrote:

> Windows hasn't rendered active content by default since XP SP2. 

I beg to disagree. Outlook pane preview or opening a Word document,
or clicking on an attachment is equivalent to external code execution. How 
do you think that malware makes it onto those 250 Mzombies I mentioned? 

Have you seen a Unix mail client where the default operation
on an attachment is execution? Try executing something random
you download off the web either in KDE or Gnome, it's rather pedagogical.   
Have you seen a FLOSS browser which comes with that great 
technology called ActiveX? God knows Firefox
has its issues, but IE it's not.

> It has never rendered it by default in Vista or Windows 2003.

All very widespread operating systems, Vista especially.
And Windows 2003 server default browser settings are pure joy.
Nothing works anymore, so users so love it.   
 
> Windows also no longer runs as administrator by default (I guess you haven't 
> used Vista yet).

No, and I won't, unless I have to set up a VMware system for it at work.
I refuse to buy and run DRM-infested systems on principle. 

The necessity to install and run many userland things as
administrator is only indirectly Redmond's fault, but it
has become a part of the information ecology. It doesn't
matter that your OS wants you to be safe, but the applications
don't. You're stuck with that tar baby for a while.
 
> It's not just in theory. For instance IIS is now so improved that many 
> sites fed up with the constant hacking, exploits, defacements and 
> patching regime dependency compatibility issues that they experience 
> on Linux are migrating over to Windows server 2003. This has been a 

I don't know what they're experiencing on Linux (it's not a particularly
secure operating system, unless cared for properly, I'd rather like
to get away from it on the long run, OpenBSD being the most likely candidate), 
but I don't know what a web server has to do with the OS kernel. You're 
probably (I have to guess here) referring to PHP, which is a) not a web 
server, nor an operating system b) should be certainly considered a cracker 
facilitation tool.

Clearly Sturgeon's rule directly applies here. 

> consistent trend for some time now and Apache just dropped below 

Yes, I've stopped using Apache a long time ago. Strangely enough
my web server isn't even mentioned in the statistics. And it
is also pretty low on vulnerabilities count. Isn't diversity
great?

> 60% market share for the first time since 2002 as a direct result 
> of cumulative migrations from Linux to Windows.

Yes, these numbers are really so meaningful, especially since
GoDaddy converted to MS and hence IIS for no obvious reasons, and it
made rather a spike on the pool. Also, again: Sturgeon's rule.
As you know, millions of flies can't ever possibly be wrong,
so let's all dine on excrement.
 
> As you say 'most installations are now secure by default'. Touché. 

I guess time will tell. I do not anticipate a decrease in the
number of Windows zombies anytime soon. But if it happens it 
will be certainly a pleasant surprise. 

As to tor, I just wouldn't run it on a non-server system.
(No, Windows 2003 Server is not a server OS -- I know, since
I have to support it).

Both the IP stack performance is awful, there are resource
exhaustion issues which require periodic reboots lest system
lockups occur, and you're not supposed to make it easier
for Mallory by running a router on a vulnerable system.

-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




RE: Re: PHP coder needs Tor details

2007-02-13 Thread Tony
Windows hasn't rendered active content by default since XP SP2. It has never 
rendered it by default in Vista or Windows 2003.

Windows also no longer runs as administrator by default (I guess you haven't used 
Vista yet).

It's not just in theory. For instance IIS is now so improved that many sites fed 
up with the constant hacking, exploits, defacements and patching regime 
dependency compatibility issues that they experience on Linux are migrating 
over to Windows server 2003. This has been a consistent trend for some time now 
and Apache just dropped below 60% market share for the first time since 2002 as 
a direct result of cumulative migrations from Linux to Windows.

As you say 'most installations are now secure by default'. Touché. 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eugen Leitl
Sent: 13 February 2007 10:34
To: or-talk@freehaven.net
Subject: Re: Re: PHP coder needs Tor details

On Tue, Feb 13, 2007 at 10:25:54AM -, Tony wrote:

This is offtopic, but...

> Actually Windows does exactly the same thing. e.g. the 'Network 
> Service' and 'Local Service' accounts. See 
> http://www.microsoft.com/technet/security/midsizebusiness/topics/networksecurity/securingaccounts.mspx

The point is that rendering active content is default, and running everything 
as administrator is default (in fact, most Windows userland software needs to 
be installed and run as administrator) -- the technology and the culture 
conspire to give us the 250 Mzombie Internet experience we love.
  
> People seem to forget that the original and worst worm outbreak ever - that 
> effectively shut down the internet for days was on UNIX...

That was a long time ago. Unix is diverse, and most installations are now 
secure by default. The technology and the culture work together, and lower 
profile is one of the key points that diversity is good, monoculture is bad.
  
> Windows might have its problems but they are not unique.

You're correct only in theory.

--
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


Re: Re: PHP coder needs Tor details

2007-02-13 Thread Eugen Leitl
On Tue, Feb 13, 2007 at 10:25:54AM -, Tony wrote:

This is offtopic, but...

> Actually Windows does exactly the same thing. e.g. the 'Network Service' and 
> 'Local Service' accounts. See 
> http://www.microsoft.com/technet/security/midsizebusiness/topics/networksecurity/securingaccounts.mspx

The point is that rendering active content is default, and
running everything as administrator is default (in fact,
most Windows userland software needs to be installed and run
as administrator) -- the technology and the culture
conspire to give us the 250 Mzombie Internet experience
we love.
  
> People seem to forget that the original and worst worm outbreak ever - that 
> effectively shut down the internet for days was on UNIX...

That was a long time ago. Unix is diverse, and most installations
are now secure by default. The technology and the culture
work together, and lower profile is one of the key points
that diversity is good, monoculture is bad.
  
> Windows might have its problems but they are not unique.

You're correct only in theory.

-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




RE: Re: PHP coder needs Tor details

2007-02-13 Thread Tony
Actually Windows does exactly the same thing. e.g. the 'Network Service' and 
'Local Service' accounts. See 
http://www.microsoft.com/technet/security/midsizebusiness/topics/networksecurity/securingaccounts.mspx
 
People seem to forget that the original and worst worm outbreak ever - that 
effectively shut down the internet for days was on UNIX...
 
Windows might have its problems but they are not unique.



From: [EMAIL PROTECTED] on behalf of Juliusz Chroboczek
Sent: Tue 13/02/2007 06:53
To: or-talk@freehaven.net
Subject: Re: PHP coder needs Tor details



> To shorten... How do I allow nobody to utilize Tor (It can already
> do that but I must start it like a root and stop it like a root)

Please don't.

The very reason Unix is more secure than Windows is that Unix actively
uses the permission system to prevent insecure things like PHP from
munging the networking daemons.  By running PHP with higher
privileges, you'll make your Unix system just as insecure as Windows.

Juliusz



