Steve
Wed Jul 16 22:13:58 CDT 2008
Dan, I recommend you rethink your logic.

The Windows 3.1/9x code was designed and written in an entirely different
age -- one in which TCP/IP was not the standard networking protocol, one in
which indeed networks were rare, and one in which everyone (we and our
customers) assumed that only good guys used computers.

The world no longer lives in that age. If you take any kind of system
(operating system, engineering system, whatever) and place it in an
environment that is wildly different than the original assumptions, that
system will fail catastrophically. There is simply no way we can retrofit
that very old code to function correctly in today's world of intentional
attacks.

I'm not exactly sure how you can make the statement that "a 9x machine with
the proper safeguards such as a wired router that has wireless broadcast
signal turned off" is more secure than XP or Vista. Firstly, an XP or Vista
box behind such a router would be equally "safe" from attack. Secondly,
disabling SSID broadcast in reality does not accord you any security -- see
my article here:
http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx.

You quote a specific vulnerability below, about DNS, and you then make the
argument that this is a reason the military should be using 9x instead of
XP/Vista. How does that follow? How do you know that 9x doesn't have the
same vulnerability? No one can know, because we don't test 9x anymore. It's
simply too old.

And you mention our password checker. Actually, I think its recommendations
aren't strong enough, and I'm working with the folks who own that feature to
improve its strength.
--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
"Dan" <Dan@discussions.microsoft.com> wrote in message
news:175E7266-E50E-40A2-BE3C-305165779621@microsoft.com...
> Thank you, Steve. I appreciate your feedback. Another problem we face in
> computing today is the industry is not fully backing tougher security and
> safety protocols. An example of this is the American Express website which
> will only allow me to input a password that is less than optimal according
> to Microsoft's password checker. Microsoft is doing their part in many ways
> but the rest of the industry must catch up.
>
> http://www.microsoft.com/protect/yourself/password/checker.mspx
>
> It is critical in this day and age to have alternatives to just the main
> Windows operating system that includes Internet Explorer. I am very pleased
> with Microsoft and their technologies so I will continue to use them
> frequently. However, as a power user, I am very pleased that users have
> alternatives such as Mozilla Firefox as an option and it does indeed remain
> for use with Windows 98 Second Edition at least until December 2008 because
> that is when Mozilla Firefox 2.x support is scheduled to end.
>
> http://en.wikipedia.org/wiki/Mozilla_Firefox
>
> This is most unfortunate in my view since the 9x source code has definite
> advantages over the NT business line of source code. 9x computers were
> meant as stand-alone machines and thus are great for consumers who do not
> need or want the ability to have others tinker with their machines. The
> many services provided in XP allow for there to be many greater points of
> access to a fully patched XP machine than a fully patched 98 Second Edition
> machine using Mozilla Firefox compared to Internet Explorer since Internet
> Explorer patches for Windows 98 Second Edition ended July 11, 2006. The NT
> source code is at risk as can be seen by the postings of US-Cert which is
> the computer readiness team and part of the Department of Homeland
> Security.
>
> http://www.us-cert.gov/cas/bulletins/SB08-196.html
>
> Microsoft -- windows-nt
>
> Unspecified vulnerability in Microsoft DNS in Windows 2000 SP4, XP SP2 and
> SP3, and Server 2003 SP1 and SP2 allows remote attackers to conduct cache
> poisoning attacks via unknown vectors, aka "DNS Cache Poisoning
> Vulnerability," a different vulnerability than CVE-2008-1447.
>
> unknown
> 2008-07-08
> 9.4 CVE-2008-1454 MS
>
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1454
>
> http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
>
> I know a fair amount about computer security and safety and helped beta
> test Windows Vista Ultimate 32 bit edition for Microsoft as a volunteer. I
> got the DVD with the ISO image from a friend named Jeff who was a systems
> engineer and also testing Vista for Microsoft and then got approval from
> Microsoft to test it and inputted the given product key that Microsoft gave
> me for the evaluation version. The problem is that Microsoft has only one
> line of code and that makes it that much easier for hackers to target many
> machines and take them over.
>
> With Windows 98 Second Edition, a single machine might have been
> compromised but not the whole network. I have had problems with a workplace
> that I recently worked at that stupidly switched to all XP machines and did
> not leave any 98 Second Edition machines in place and that included my own
> Windows 98 Second Edition machine there. That was a huge mistake that I
> don't think the business will repeat. With the 98SE machine, I knew and I
> was right that my machine would be very unlikely to be hacked compared to
> the compromised machines of the NT (XP Professional) in this case. The
> incident happened in the summer of 2007. I will give you more details via
> secure email if you like.
>
> I have read in a book about Microsoft that early system engineers
> complained that NT did not have a true maintenance operating system like
> DOS. Chris Quirke, MVP, has a good article about the safety and security
> concerns. Windows 9x is safe at its core compared to Windows NT line which
> includes 2000, XP and Vista of course. There was also a rumor a while back
> that parts of the NT source code were leaked over the Internet compared to
> the 9x source code which was never leaked over the Internet, AFAIK.
>
> http://cquirke.blogspot.com/
>
> (Note: Chris Quirke's 9x website talks about the 9x compared to NT security
> and safety discussion)
>
> There are also Unix/Linux technologies and I have played around a little
> bit with Ubuntu Linux but I am in no way proficient with it and have only
> read a small portion of a big book about Ubuntu Linux.
>
> Finally, my question to you is that I know about the economics and how
> costly it would be for Microsoft to continue the 9x line or even overhaul
> it to make it usable in today's environment but wouldn't the economic cost
> be worth the great reward. I have friends of mine at summer camp who are
> planning mainly on building 98 Second Edition machines just for the ability
> to play older games and secondly because these friends feel as I do about
> how it is harder to hack into a 9x machine with the proper safeguards
> applied such as a wired router that has the wireless broadcast signal
> turned off so as not to attract unwanted or unneeded attention from
> hackers.
>
> If Microsoft will not develop the 9x source code then at least sell it to
> the United States Military so that the Defense Department can more fully
> protect their military infrastructure from external threats and even better
> from potential internal threats from their network of computers from a
> potential spy. The possibilities for 9x are endless and so please I ask you
> as a professional to have Microsoft sell 9x kernel unless Microsoft is
> willing which I think would be a smart business move to invest money in
> another Windows 9x that would not subtract features such as easy access to
> DOS and ideally the ability to play old classic games like Windows
> Millennium (ME) did.
>
> I am a gamer who is a Generation X'er who got his start on an IBM PCjr
> playing King's Quest 1 on a 5.25 inch floppy disk that was made by Sierra
> On Line and had 16 colors and the speaker on the machine supported 3 sounds
> at once which was cool. The game had 128 kilobytes on one disk and how is
> that for compression despite the obvious limitations compared to today's
> games. I still have this machine in storage and it still works! The
> interesting thing is that a poster to Game Informer which I read posted
> about how he was 17 and liked older classic games and his friends made fun
> of him for it and his first name was Daniel too. <grin>
>
> I also enjoy reading PC World, 2600 which is a hacker magazine (I must keep
> up to prevent hackers from compromising all of us), and other computer and
> network books. I took several computer classes in college and who knows I
> may go back and get another undergraduate degree but this time in computer
> science. I know that a dream will allow a little guy like me change the
> world despite all the challenges life has thrown at me. Please feel free to
> contact me by email or I can contact you by email. My email address is with
> Microsoft and on their records. I can also give you an srx number on a
> recent case with Microsoft if you need to confirm my identity. Thanks again
> for all you do, Steve and Go Microsoft!
>
> "Steve Riley [MSFT]" wrote:
>
>> Biometrics can never replace passwords, because they aren't secrets.
>>
>> It's me, and here's my proof: why identity and authentication must remain
>> distinct
>>
>> http://technet.microsoft.com/en-us/library/cc512578(TechNet.10).aspx
>>
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>>
>> "Dan" <Dan@discussions.microsoft.com> wrote in message
>> news:774EE7CB-CA2B-4E7B-82CD-20D2B56C04B4@microsoft.com...
>> > Bingo! You solved the issue and yes it is one of those cheap fingerprint
>> > scanners where you just swipe your finger so it must have already had the
>> > image of my fingerprint on the scanner. It sounds like someone would need
>> > to clean the fingerprint scanner each time and it does indeed seem very
>> > easy to fool. So much for the security of Biometrics at least cheap
>> > Biometric devices
>> >
>> > "Juergen Nieveler" wrote:
>> >
>> >> Dan <Dan@discussions.microsoft.com> wrote:
>> >>
>> >> > How secure and safe is biometric technology? The reason I bring this
>> >> > up is because I was able to log in using my finger with a band-aid
>> >> > attached and this definitely makes me question the security and
>> >> > safety of biometric technology at least as far as laptops go. I
>> >> > imagine there probably are lots of articles on this already but I
>> >> > wanted the opinions of this newsgroup. Thanks in advance for the
>> >> > replies.
>> >>
>> >> If this was one of those fingerprint readers where you simply put your
>> >> finger on (as opposed to those where you rub your finger along the
>> >> contact plate in a swipe motion), chances are that the camera inside
>> >> picked up the latent fingerprint that was still on the glass - this is
>> >> a common vulnerability of those cheap camera-based readers. All they do
>> >> is notice "Oh, something is pushing on the glass, and I recognise the
>> >> pattern" - if the person who last used it had greasy fingers, the
>> >> fingerprint would still be on the glass, so putting something on the
>> >> glass that doesn't have OTHER fingerprints will force the camera to use
>> >> the weak fingerprint image still visible to it...
>> >>
>> >> The swipe-type readers are safer in that there can't be an image left
>> >> on the reader... but many of them still can be fooled by a fake
>> >> fingerprint made by taking the fingerprint off something somebody
>> >> touched (lots of how-to's available for that...).
>> >>
>> >> Juergen Nieveler
>> >> --
>> >> A feature is a bug with seniority.
>> >>