Proxy 2.0 secure? (about ms protocol stack)

Choi, Byoung
Fri, 26 Jun 1998 12:09:57 -0700

my statement is an empirical conclusion.  i wouldn't make assumptions
about whether nt security holes get more publicity than others...

i very much agree with you about the superior reliability of open-source
software - at the worst, it's the devil we know (or we are able to find out
if we want to).  however, aix and many commercial unix(es?) are derived
from bsd/svr, and they are time-tested.  unless the vendor was so
moronic as to waste their time writing the whole protocol stack over, it
wouldn't be unreasonable to expect a similar level of performance/security
attributes (this is a bit of a blanket statement, i know).


(sorry to the mailing list folks - i sent a redundant message
previously because it told me that the mess bounced back :-}  )

	Sent:  Thursday, June 25, 1998 11:00 PM
	Subject:  Re: Proxy 2.0 secure? (about ms protocol stack)

	> ms tcp/ip stack is substantially less mature than, say, unix' (both bsd
	> & s5, i don't know what else is there to compare...).   ms stack seems
	> particularly vulnerable to faulty ip fragments, and various

	We don't know this for sure. It happens that some of the most
	denial of service attacks on the Internet in recent history have
	Windows NT; it also happens that people pay more attention to bugs that
	affect Windows NT, and pay more attention to the fact that a given bug
	affects Windows NT (when it may affect many other operating

	Windows NT certainly does not boast a mature TCP/IP stack --- read the
	archives of the tcp-impl mailing list to see some of the world's
	authoritative TCP implementors explain why. However, the real reason why
	it's reasonable to claim that Windows NT's stack is less secure than, say,
	4.4BSD's, is that we don't have access to its source code. I'm no more
	confident in AIX's (to name a large commercial Unix platform at

	Security software which has neither open source nor published peer review
	results should not be trusted. Since the industry doesn't seem to want to
	meet these criteria for (almost) ANY commercial security software, you
	take what you can get.

	Thomas H. Ptacek	                   SNI Labs, Network Associates, Inc.
-----	 "If you're so special, why aren't you dead?"