mailing list archives
RE: Operating Systems Security, "Microsoft Security, baby steps"
From: Luke Scharf <lscharf () aoe vt edu>
Date: Fri, 19 Mar 2004 09:15:21 -0500
On Fri, 2004-03-19 at 01:49, Todd Burroughs wrote:
Wasn't that something that MS tried to say, the "hackers" are reverse
engineering our patches? That was funny, but the sad thing is that a
lot of people will believe it.
I have no doubt that people reverse engineer their patches.
However, saying "hackers ONLY reverse engineer our patches" is a lot
different from saying "one possible technique for abusing a Windows
system is to look for problems by reverse engineering out patches."
Biiiiiiig difference. Driving while sloshed is one possible way to get
hurt while driving a car, but certainly not the only way.
What I meant is that you can most likely actually use the Internet to get
patches with a fresh install before you get taken over, not that somehow
UNIX-like systems make patches before the exploits are out there and being
used ;-) It's quite apparent by other threads on the list that this is
not generally the case with Windows. Just being patched doesn't mean
that you are safe, but it's better than running well known security holes.
For the last couple of years (maybe longer?) RedHat Linux (and recently
Fedora) have been shipping with a built-in firewall that enabled by
If you don't know it's there, the it should certainly be enabled! :-)
And if you decide to turn it off, you have to at least justify the
effort to run /usr/sbin/lokkit.
I hear that some BSD's do something similar.
Obviously, if you go on the Net with all services running, especially
on an unpatched box, you're gonna get rooted pretty quickly.
Yup. Last I checked, Sun does it this way... Yay! Fortunately,
they're a smaller target, and ppro is decent. But, it still takes me a
few minutes to turn off all of the unnecessary stuff before I can begin
the real work of setting up a useful system (and re-enabling anything
that I actually need).
Luke Scharf, Systems Administrator
Virginia Tech Aerospace and Ocean Engineering
Full-Disclosure - We believe in it.