From - Wed Sep 03 08:28:38 1997
Path: news.mitre.org!blanket.mitre.org!nntprelay.mathworks.com!howland.erols.net!news2.digex.net!access1.digex.net!rballard
From: REX BALLARD
Newsgroups: comp.os.linux.advocacy,comp.os.os2.advocacy,comp.os.ms-windows.nt.advocacy,comp.arch
Subject: Re: How can I crash NT? (Was Re: Max I/O rate on PCs (was Re: MS adopts UNIX))
Date: Tue, 2 Sep 1997 16:39:16 -0400
Organization: DIGEX, Inc.
Lines: 114
Message-ID:
References: <33b8d491.190577626@news.uq.edu.au> <33BB8890.33E8@uk.sun.com> <33bb8c55.368693713@n
NNTP-Posting-Host: access1.digex.net
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
To: "Todd K."
In-Reply-To:
Xref: news.mitre.org comp.os.linux.advocacy:115508 comp.os.os2.advocacy:331710 comp.os.ms-windows.nt.advocacy:66105 comp.arch:79389

On Tue, 12 Aug 1997, Todd K. wrote:

> Scott Ashcraft wrote in article ...
> >In article <33e484d8.736981293@news.mindspring.com>,
> >dleblanc@mindspring.com.remove-this (David LeBlanc) wrote:
> >| Terry Joyce wrote:
> >| >What about the WinNuke programs/NetBIOS bugs. Last I heard, no official
> >| >fix was available from Microsoft. NT hackers have written little hot
> >| >fixes, but nothing in wide distribution.
> >| There were 2 fixes - one in SP3 for the original attack, and another
> >| post SP3 for the "Mac attack".
> >Does there exist somewhere a list of patches needed to plug up all the
> >security holes in Win95/NT/IE?
> Yup. The MS knowledge base on the MS web site. They are all documents there
> with detailed explanations of the problems and the appropriate patches /
> fixes.

The problem is that, unless you are "In the know", you don't know which to apply, when, how often, or where to get the upgrade. SP3 takes a while to download. Do I have to apply all previous patches too? With Red Hat or Caldera, I have received 4.0, 4.1, and 4.2, each provides not only bug fixes, but incremental enhancements and upgrades as well.
I now have new applications, enhanced support for Java in the Kernel, and I can use Hot Java, Navigator, or Spyglass/Arena, depending on how much I want to pay. I also got a copy of Applix, not bad for 1/5 the price of "Office-97". I suppose I could get the "Upgrade" instead of a legitimate license, but then, I would have a problem when I used it professionally. The Applix price was less than the Office "Upgrade" and I can use it anytime.

> >I mean, there were around 8 or so IE holes,
> I don't think there were that many... but it sure can seem like it in this
> group :-)

We just didn't tell you about all of them yet (it's more fun to wait for the "All Clear" press release before you bomb them again :-).

> >and a handful of OS holes. It would be awfully easy to miss one and remain
> >vulnerable to some sort of attack.
> Yup. SP3 contains all of those fixes for the OS. The latest version of
> IE (3.02) contains the fixes for IE and has some enhancements as well.

So you are now willing to bet your entire 401K savings, and your father's, that NT 4.0 is "All Fixed Now". I'll put up $20 that says it gets broken within the month. This is the bet you are asking me to make.

> Finally, the OOB bug has a separate post SP3 patch on MS's site as well.
> So, to make sure you have a secure server, just make sure you have SP3
> and the OOB fix. For the client, make sure you have IE 3.02 or IE 4.0.

Did they fix those MFC memory leaks? Did they fix IPC or can I still write data directly to a shared static DLL variable (unprotected of course). Can I play with IE buffers via the DLLs? Can IIS read my 2400x3300 by 24 color JPEG file without choking on it?

I've seen some of the best Managers in the industry bet as much as $200 million on MS Windows and get burned in really bad ways. Anybody here been through the blood of WFW->NT 3.51->Win 95->NT 4.0 yet?

In 1990, you could buy a Sun IPC lunchbox for $5000. The Windows 3.0 PC cost $4500.
By 1997, you would have spent almost $20,000 on 6 replacement PCs (Each OS upgrade required more RAM/DISK/CPU...) and it would still take you 90 seconds to graph a 4000 point spreadsheet. In this same period, the IPC was accelerated via software upgrades (xsun instead of xNeWS drivers, caching improvements, IPC, and Java). Meanwhile, you could take the same software that you ran on your IPC and run it remotely on an Enterprise 5000, or take the GPL software that came from SunSite and run it on your IPC.

Windows-97 has been renamed Windows-98, NT 4.0 Workstations is a dismal bomb (even Microsoft isn't supporting it), and the "Really cool features will be out in NT 5.0 due in mid 1998 (any bets it isn't out before 1999?). Every 2 years Microsoft spends close to $1 Billion hyping its next "Revolution", and delivers another disappointing system that can only be practically managed in "Shrink Wrapped Boxes".

It was really sad to see the poor souls who tried to "Upgrade" a PC from Windows 3.1 to Windows NT or Windows 95. Eventually, they'd proudly announce "success", and immediately recommend replacing PCs rather than attempting to upgrade them.

I am fascinated by the number of NT "Gurus", who can't even edit the registry by hand. I've watched a $3000/day consultant reload and reconfigure an entire system because he corrupted the registry (a problem that could have been fixed with regedit in 20 minutes). He thought NT was the greatest system in the world. Recommended it to a client who spent nearly $1 billion revamping the IS infrastructure, and lost $2 billion in commissions because the servers "Bombed" when the customers overloaded the systems.

Imagine holding Index options as the market drops 300 points and you can't reach the broker's trading system because the All-NT system could only handle 150 concurrent users and you were number 3000 "in the queue". One minute, you are worth $300,000, an hour later, your holdings are worthless because the options have expired.
Wanna Buy a Brokerage?

> -Todd K.
> > scott ashcraft | email: ra4038@email.sps.mot.com
> > software engineer | ph. : +1.512.933.3916
> > motorola mos2 cim | team os/2 running wintel-free
> > | my opinions are my own
> >anti-spam enabled, remove @NOSPAM from my address when replying

Rex Ballard
http://www.access.digex.net/~rballard
this correspondence is personal opinion and does not necessarily reflect any corporate view.
copyright 1997 - Rex Ballard