Proxy 2.0 secure? (about ms protocol stack)

Choi, Byoung bchoi@visa.com
Fri, 26 Jun 1998 12:09:57 -0700


my statement is an empirical conclusion.  i wouldn't make an assumption
about whether nt security holes get more publicity than others...

i very much agree with you about the superior reliability of open-source
software - at the worst, it's the devil we know (or we are able to find out
if we want to).  however, aix and many commercial unix(es?) are derived
from bsd/svr, and they are time-tested.  unless the vendor was so
moronic as to waste their time writing the whole protocol stack over, it
wouldn't be unreasonable to expect a similar level of performance/security
attributes (this is a bit of a blanket statement, i know).

b-

(sorry to the mailing list folks - i sent a redundant message
previously because it told me that the message bounced back :-}  )

	----------
	From:  tqbf@pobox.com
	Sent:  Thursday, June 25, 1998 11:00 PM
	To:  bchoi@visa.com
	Cc:  AGrigoro@mobility.com; firewall-wizards@nfr.net
	Subject:  Re: Proxy 2.0 secure? (about ms protocol stack)

	> ms tcp/ip stack is substantially less mature than, say, unix' (both bsd
	> & s5, i don't know what else is there to compare...).   ms stack seems
	> particularly vulnerable to faulty ip fragments, and various malformed

	We don't know this for sure. It happens that some of the most publicized
	denial of service attacks on the Internet in recent history have affected
	Windows NT; it also happens that people pay more attention to bugs that
	affect Windows NT, and pay more attention to the fact that a given bug
	affects Windows NT (when it may affect many other operating systems).

	Windows NT certainly does not boast a mature TCP/IP stack --- read the
	archives of the tcp-impl mailing list to see some of the world's most
	authoritative TCP implementors explain why. However, the real reason why
	it's reasonable to claim that Windows NT's stack is less secure than, say,
	4.4BSD's, is that we don't have access to its source code. I'm no more
	confident in AIX's (to name a large commercial Unix platform at random)
	stack.

	Security software which has neither open source nor published peer review
	results should not be trusted. Since the industry doesn't seem to want to
	meet these criteria for (almost) ANY commercial security software, you
	take what you can get.

	-----------------------------------------------------------------------------
	Thomas H. Ptacek	                   SNI Labs, Network Associates, Inc.
	-----------------------------------------------------------------------------
	http://www.pobox.com/~tqbf	 "If you're so special, why aren't you dead?"