[1242] in linux-security and linux-alert archive
Re: [linux-security] WinNT security?
daemon@ATHENA.MIT.EDU (Yuri Volobuev)
Sat Oct 19 08:32:37 1996
Date: Fri, 18 Oct 1996 13:37:05 -0500 (CDT)
From: Yuri Volobuev <volobuev@t1.chem.umn.edu>
To: Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199610170833.KAA08444@feivel.topsystem.de>
> My company uses NT on most machines and intends to use it for the upcoming
> internet connection, too. Now I wonder whether there's any reason to use
> NT over Linux? Or in other words does anyone have ammunition for me to
> talk them into using Linux on the primary net machine?
There were some pretty nasty problems with the weak algorithm used for storing
encrypted passwords on the disk (the original bug was discovered in Win95,
but it may apply to NT). It was breakable in <1sec on a slow Sun with a
proper cracker. I also heard about bad problems with file sharing: one may
export one folder ro and anyone on the subnet can access the whole disk (with
weakly encrypted passwords on it).
On the other hand, NT is C2-certified. I don't like M$ and I don't want to
engage in a flame war, so I won't comment. We had a similar discussion here
recently, and Linux won. The winning argument was: ok, all OSes have holes.
What happens if there's a hole in Linux? You look in the source and fix it,
or wait a couple of days and apply a patch. What happens if a hole is found in NT?
You are screwed. The bug _may_ be fixed in the next Service Pack, which
will be released b.g.-knows-when. Also, the only good test for any security
system is exposing its source to the public for rigorous testing.
> This may be off-topic but does anyone know if there's a similar list for
> NT?
from http://www.it.kth.se/~rom/ntsec.html
There is an NT security mailing list maintained by the good folks at ISS. You
subscribe to it by sending a mail to majordomo@iss.net with the body
containing the string "subscribe ntsecurity your email".
The mailing list has some traffic and on-going discussion, and some people
might prefer to subscribe to the digest version instead to reduce their
incoming mail. The digest is available by sending mail to the same address
but with the text "subscribe ntsecurity-digest your email".
---
yuri