Re: Biometrics



I see your point Steve but US-CERT maintains that all NT source code is
vulnerable thus my point being valid about having 98 Second Edition machines
within a network for internal safety reasons and potentially to act as
gateways. How can we allow our military and top secrets to be leaked?
Please see the United States Computer Readiness Team at the Department of
Homeland Security and so you can see how I am getting at the true value of a
source code that is flexible enough to offer external security, internal
safety, and more. Thus we have a source code matrix as presented below. I
am not skilled enough to write the code for this yet but I bet Microsoft and
others are.

--------------------------------------------------------------------------

NT= New Technology --- outer defense network

9x = Internal Safety --- based upon DOS as maintenance operating system --
lacking in XP and Vista --- no true maintenance operating system according to
Chris Quirke, MVP --- Vista is indeed great on security issues but still
lacks in compatibility as the FAA has mentioned only using Windows 2000
(which I like as well --- totally old-school reminds me of Windows 98 Second
Edition) as well XP machines (which are good but too vulnerable in this day
and age due to the large surface area created by too many services and not
having strong enough default settings within Internet Explorer -- another
reason to separate the browser from Windows like the Justice Department
mentioned rightly in the 1998 case although Apple should be investigated now
for the practice of tying Quick time with Itunes and I feel this practice of
tying software must be banned for safety and security reasons in the future.)

Unix/Linux/Mozilla/etc. --- third party programs and open source
technologies mingling as one with closed proprietary software which is
protected by IP. Thank you for continuing this discussion.


------------------------------------------- from US-CERT ------------------------

Vulnerability Note VU#800113
Multiple DNS implementations vulnerable to cache poisoning
Overview
Deficiencies in the DNS protocol and common DNS implementations facilitate
DNS cache poisoning attacks.


http://www.kb.cert.org/vuls/id/800113

http://www.kb.cert.org/vuls/id/MIMG-7DPJ7W (Microsoft NT but not 9x vulnerable)


http://www.kb.cert.org/vuls/id/MIMG-7ECLCY (Ubuntu vulnerable)

http://www.kb.cert.org/vuls/id/MIMG-7ECL5Z (Apple unknown whether vulnerable)

I am sure you now see that 3 Dans --- 2 on that website and myself another
Dan --- have helped bring this issue to light about how critical it is --- kind
of boggles the mind doesn't it ---- good reason to bring 98 Second Edition
and/or another variant 9x/NT/Unix source code --- on-line --- Microsoft is
the only one that has the resources to do this and the whole world now needs
your help -- Thank You for seeing the Light of our current situation within
the Defense Network.

----------------------------------------------------------------------------
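The US-CERT note quoted above (VU#800113) concerns cache poisoning of DNS resolvers; the mitigation resolvers shipped for it was to randomize the UDP source port of every outbound query in addition to the 16-bit transaction ID. The following audit script is an added example, not code from this thread, US-CERT or Microsoft: it takes (transaction ID, source port) pairs observed on a resolver's own outbound queries, as a defender would extract them from a packet capture, and reports whether the resolver still uses a fixed port or predictable IDs. The threshold values and the sample data are constructed for illustration.

```python
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy (bits) of the observed value distribution."""
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def sequential_fraction(ids):
    """Fraction of consecutive queries whose txid increases by exactly one."""
    if len(ids) < 2:
        return 0.0
    return sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1) / (len(ids) - 1)


def assess_resolver(observations):
    """Assess (txid, udp_source_port) pairs; verdict is 'fixed_port', 'weak' or 'randomized'."""
    ids = [t for t, _ in observations]
    ports = [p for _, p in observations]
    n = len(observations)
    max_bits = math.log2(n) if n > 1 else 0.0  # entropy ceiling for n samples
    report = {
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": entropy_bits(ports),
        "id_entropy_bits": entropy_bits(ids),
        "sequential_ids": sequential_fraction(ids),
        "issues": [],
    }
    if report["distinct_ports"] == 1:
        report["issues"].append("single source port: only the 16-bit txid guards answers")
    elif report["port_entropy_bits"] < 0.75 * max_bits:  # illustrative threshold
        report["issues"].append("source ports drawn from a small set")
    if report["sequential_ids"] > 0.5:
        report["issues"].append("transaction IDs are sequential, not random")
    if report["distinct_ports"] == 1:
        report["verdict"] = "fixed_port"
    else:
        report["verdict"] = "weak" if report["issues"] else "randomized"
    return report


# Constructed sample data (not real captures): one resolver always sends from port 53
# with incrementing IDs; the other randomizes both (seeded so runs repeat).
FIXED_PORT_RESOLVER = [(0x1A2B + i, 53) for i in range(64)]
_rng = random.Random(2008)
RANDOMIZED_RESOLVER = [(_rng.randrange(0, 65536), _rng.randrange(1024, 65536))
                       for _ in range(64)]
```

Feeding the script pairs taken from your own resolver's outbound traffic gives a quick check of whether the VU#800113 mitigation is actually in effect, independent of what the vendor's patch notes claim.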



"Steve Riley [MSFT]" wrote:

A standalone telephone certainly is secure, and keeps its users safe. For
such a phone will never receive or transmit unwanted conversations, and the
users of such phones will never be bothered with advertisements, thoughts
that challenge their perceptions, or interesting and surprising
opportunities.

A standalone computer certainly is secure, and keeps its users safe. For
such a computer will never receive or transmit unwanted software, and the
users of such computers will never be bothered with advertisements, thoughts
that challenge their perceptions, or interesting and surprising
opportunities.

No risk = no reward.

The value of a networked system increases as the square of the number of
elements in that system. A single system has a value of 1^2=1; a two-element
network has a value of 2^2=4; a three element network has a value of 3^2=9;
and so on. (Bob Metcalfe, "It's all in your head," Forbes Magazine, 7 May
2007: http://www.forbes.com/forbes/2007/0507/052.html.)

Chris's distinction between the Internet and "a network" (presumably
private, for Chris doesn't specify) isn't useful today. The network effect
is clearly evident on the Internet; I'd argue that in a private network, the
network effect is diminished. Why else would we all be rushing headlong into
the eventual recognition that private corpnets truly belong on the Internet,
and that continuing to make the distinction means a loss of real business
value? (Scott Charney, "Creating a more trusted Internet,"
http://download.microsoft.com/download/2/f/7/2f752ae4-7e1d-4dbd-b75a-aa2dcb0eff5b/End_to_End_Trust_Statement_of_Purpose_Charney.pdf;
Steve Riley, "Directly connect your corpnet with IPsec and IPv6,"
http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx.)

I quote our own materials here as evidence of the demand from
forward-thinking customers that the industry envision new practices and
develop new technologies that allow for the full realization of the network
effect. Chris's argument that per-user security "creates artificial scopes"
doesn't reflect reality. On the contrary, _stronger_ per-user (and
per-machine) identity and authentication are critical for allowing the
network effect to flourish. Indeed, the lack of strong identity and
authentication has been a hindrance, and that's why you see technologies
like smart cards and TPM chips becoming more common. When we reach the point
where all communications are in the context of validated identities, carried
in transactions with integrity and confidentiality protection, between
endpoints that mutually authenticate their identities and their
configurations, then who cares whether the underlying network is trusted or
not?

--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:64852B3D-D174-4D66-8F12-36323BC788D2@xxxxxxxxxxxxxxxx
Courtesy of Chris Quirke, requesting his feedback be copied and copied due to
his inability to view this post. From Chris Quirke posted via Windows Live
Mail (aka Hotmail)

-------------------------------------------------------------------------------

I can't find the thread, but you could paste from this reply if you like...


In summary; because 9x was designed as a stand-alone rather than
network client OS, it is indeed potentially safer than NT. But the code
base is too outdated to deal with modern hardware, and what makes it
safer as a stand-alone OS, also makes it less secure as a network OS.

As pro-IT folks will point out; 9x has no effective per-user security, as
NT on NTFS can provide. Server-centric networks need this security
to work, to manage users (rather than PCs) and to create artificial
scopes in a pervasively networked environment.

The underlying technologies of this security could be more useful for
consumers, if freed from the user-centric mindset that pervades pro-IT.

If you were to align these technologies according to code, and to
maintain scopes between data vs. code, local vs. remote, etc. then
they could play a meaningful role in keeping stand-alone consumer
PCs safe from web and malware attack.

But as long as the design is based on user accounts and logon,
with the ASSumption that all code running during the user's session
represents the will and intentions of the user who logged in, we aren't
going to get anywhere. As long as even the most limited of user accounts
gives all code the right to see, change and destroy user data, this
system won't protect users' interests.


As long as the Internet is treated as a big network, safety failures
will abound. The core difference between Internet and networking
is that the former requires interaction between untrusted parties;
that is in fact the standard interaction in that environment.

It's not helpful to prove a stranger has a particular name, if you have
no template of expectations for that proven identity. Only when a
proven identity can be matched with such expectations, do you
shift into networking between trusted entities.

Instead, you need to limit the potential impact of interactions - and
that boils down to the distinction between data that is safe to view
or edit, vs. code that is dangerous to run.

Pro-IT could not tolerate the inability to scope between users, via
NT's user rights security. As Internet consumers, we need a similar
ability to scope between data safety and code risk.

Both scopes are artificial; just as there's no hard line between users,
so it is argued there is no hard line between data and code. However,
just as pro-IT strives to create an artificial line between users, so we
should strive to create and maintain a line between data and code.


------------------------------------------------------------------------------

"Steve Riley [MSFT]" wrote:

Dan, I recommend you rethink your logic.

The Windows 3.1/9x code was designed and written in an entirely different
age -- one in which TCP/IP was not the standard networking protocol, one in
which indeed networks were rare, and one in which everyone (we and our
customers) assumed that only good guys used computers.

The world no longer lives in that age. If you take any kind of system
(operating system, engineering system, whatever) and place it in an
environment that is wildly different than the original assumptions, that
system will fail catastrophically. There is simply no way we can retrofit
that very old code to function correctly in today's world of intentional
attacks.

I'm not exactly sure how you can make the statement that "a 9x machine with
the proper safeguards such as a wired router that has wireless broadcast
signal turned off" is more secure than XP or Vista. Firstly, an XP or Vista
box behind such a router would be equally "safe" from attack. Secondly,
disabling SSID broadcast in reality does not accord you any security -- see
my article here:
http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx.

You quote a specific vulnerability below, about DNS, and you then make the
argument that this is a reason the military should be using 9x instead of
XP/Vista. How does that follow? How do you know that 9x doesn't have the
same vulnerability? No one can know, because we don't test 9x anymore. It's
simply too old.

And you mention our password checker. Actually, I think its recommendations
aren't strong enough, and I'm working with the folks who own that feature to
improve its strength.


--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

