ah ha! this means our winME machine is the most secure

@Bodie

Nah, yer Miggy's more secure.

_________________
A1G4XE, OS4-pre

Sounds like a neat Scam to get pre XP owners to install a convienient patch. Wonder what other code is lurking in that patch ?

_________________
******************************************
I dont suffer from Insanity - I enjoy it

******************************************

Downloading "security patches" is all my Windows machine next to me seems to do, they're coming out with them all of the time. When I first bought the machine I was prompted to do a Windows update (was on dialup at the time) and when I clicked on it I was presented with a list as long as my arm! And not small updates either, it took FOREVER. Infact I got so pi**ed off with it taking all my dial-up bandwidth that I ended up taking it into work and sticking it on the LAN to complete the download.

The amount of updates it's had, it must be a whole new Operating System by now.

I suppose at leas they ADMIT these security flaws straight away and provide you with the updates cost-free. It'd be worse if they attempted to cover up these sorts of things.

This always makes me wonder how AmigaOS would stand up to the attempts of a hacker though. I always feel safer using my Amiga on the internet, but that's mainly because most of the hackers are not familiar with AmigaOS and would probably not bother attempting to compromise it, and none of the trojans or viruses doing the rounds will effect my Amiga either. But if the Amiga was suddenly to become the world's leader in desktop computer/OS then I wonder how long it would be before AmigaInc released security patches for AmigaOS?

Is AmigaOS significantly more robust in terms of security issues or do we not worry about it merely because our OS is not under the spotlight?

Brian

I have to be honest, when I saw the security update on Microsoft's website I totally dismissed it as "yet another security patch.". After reading the above it looks like I'm going to have to apply this one to my work machine quickly.

There are so many updates these days that it's getting pretty ridiculous.

Ah well..

_________________
OS4.1 + SAM Flex
RIP my A1XE.. that used to have an appetite for batteries!

Basically, you can only have a security hole in an open service, the io mechanism (ip-stack, keyboard-input etc) or the login mechanism itself.

I would say a BSD based ip stack is likely to be quite safe. So unless you open up any services (like telnet, samba, http and so on) you are safe.

If you need one of these open, you will need to figure out which are safe and which are not.

For instance, samba can not be considered as safe as http, because one is (usually) a free-for-all webservice hosted by a professional webserver (apache) while the other is a reimplementation of a Microsoft protocol, using an inferior password mechanism.

So for a LAN with samba, you'll need a firewall. Setting the Amiga to accept samba traffic only on the internal network, not from the internet, should be possible. In which case it will act as a firewall.

Now, if you insist on using a different webserver than apache, you're on your own.

And telnet should of course not be used. By anyone. For anything.
Use ssh instead.

Remember that a firewall is only ever as secure as the ip stack it is running on (in fact less, because if there's x bugs in the ip stack and y bugs in the firewall the resulting number of holes is x+y and neither can be a negative number. Zero bugs should be aimed for but the only way to ever get it (try to scientifically proove that there is no bugs ) is to have zero functionality (see OpenBSD for more examples ), so if you do not trust the ip stack on a machine, you'll need to find a better machine to run the firewall on. This machine and its ip stack should have as little functionality as possible (outside the firwalling capabilities).

Hmm, I wonder if any of the above made sense?


Anyway, a "popular" type of security hole is an overflow on username/password input or similar. If the programmer makes a bummer there, nothing will save you.

The way this works is that the buffer meant to handle the user input isn't large enough to handle the data coming in, so other data in memory gets overwritten. The trick here is to overwrite data that is actually CODE, with OTHER code. Then you can make the system do whatever you want. But you need to do it in assembly, which is where security by obscurity enters. If you are running the not most popular CPU, you will likely not be the target of the first wave of scripts for the script kiddies. Which means you have at best a few days to close the vulnerability before someone thinks of targetting you.

Unless you platform becomes so popular that it is worth it.
But a corporate platform is always more popular to hack than a private platform, because the resulting bandwidth available for emailing and DDOS is so much greater, along with the possibilities to sneak off with IP

I mean, if someone could choose which of my computers to hack into, the work PC with proprietary code and PCB designs, or the home PC with maybe two games, open source applications and MPlayer (it's my home entertainment system) installed, which do you think he would target? Yeah, duh

_________________
This weeks pet peeve:
Using "voltage" instead of "potential", which leads to inventing new words like "amperage" instead of "current" (I, measured in A) or possible "charge" (amperehours, Ah or Coulomb, C). Sometimes I don't even know what people mean.

@BrianHoskins

I'm surprised people still use Windows, the amount of serious security issues and viruses it has had, even over the last three or so months. The amount of time it takes to update on dial-up, it is no wonder that people have unpatched WIndows machines on the Internet.

I read an article a few days ago about a service pack for (I think) Windows Server 2003. It said that due to security issues, the update will include a firewall. I instantly wondered why they didn't just fix the security holes.

@olegil
It depends, is the second machine an AmigaOne? Does it have OS4 on it? Now, that's an incentive to hack in.

Chris

_________________
"Miracles we do at once, the impossible takes a little longer" - AJS on Hyperion
Avatar is Tabitha by Eric W Schwartz

Seems the coming of the Amiga has saved me some grief because I have held off updating my OS and still use Windoze98 not even 98SE, AMD CPU. Its has been a pain in other ways of course (almost NEVER boots 1st try and can take 10 or 15 tries to boot some days..SIGH!) I have so many programs on it I loath to wipe and reload.

I have a second slightly slower AMD dual boot system (Win98/Redhat9) that works well and I'm gonna slowly transfer.

Anyway I can't wait to see the the A1 up and running so I start my Windoze withdrawal and get back to an Amiga again.

@olegil

Nice explanation, thanks.

Bob C.

_________________

(Slightly Off Topic)

I was sitting in Opera and went to MS site for WindowsUpdate:
http://windowsupdate.microsoft.com/

It redirect me to:
http://v4.windowsupdate.microsoft.com/default.asp

where I get the message, that I should upgrade to Internet Explorer 5 or higher. So I use Quick Prefs in Opera to make it identify as MSIE6.0, refresh the page, and now I get the message:


Thank you for your interest in Windows Update

Windows Update is the online extension of Windows that helps you get the most out of your computer.

Follow these steps to access Windows Update through the Help and Support Center:
Click Start, and then click Help and Support.
If you are running Windows XP, click Keep your computer up-to-date with Windows Update.
If you are running a Windows Server 2003 operating system, click Windows Update.


So I need the latest IE to get a message to use another program???
WHY is this company still in business? They keep on destroying the computer market, destroying free market. What happened to the law suit from all those american states against MS? (Not to say all the companies, that have cases against them.)

/John.

Oops!

_________________
2017 Camaro 2SS

Patch number 985298289323668 applied

I found it quite ammusing when applying a security patch to IE5. It told me to upgrade to IE6 which I did, then it told me it needs 5 more security updates than I started with!

I can't keep up with these updates. I found it unusual that the security flaw made it to the mainstream news as these flaws are every day occurances. Windows upate is no use as says I don't need any more updates. But, just this week there is "MS04-007 ASN.1 Vulnerability Could Allow Code Execution (828028)" and "MS04-004 Cumulative Security Update for Internet Explorer (832894)".

Last week I got another DCOM RPC type of virus called Gaobot.gen. I have thought the msblast update would have prevented this, and the ZoneAlarm firewall did not block the effected ports either.

The trouble is Microsoft just does not have a security mindset. They had to bribe their employees by having a bonus scheme for identifying and preventing security flaws. They keep churning out more and more bloated code than they can test effectively. One of the susposedly benifits of NT / Win2k / XP Pro is that it has C2 level security, but it seems more insecure than ever!

_________________