[LUAU] Its time to simply ban Windoze machines from the Internet

Tim Newsham newsham at lava.net
Thu Oct 19 16:05:21 PDT 2006 

> Safely running Windows on the Internet is possible, but its a lot like being 
> locked in a souring, mildewed terror-bunker watching black water pour in over 
> the sill as a society poisoned by Lysenkoist (*) denial drowns in its own 
> spew.

I'm not sure what purpose this comment serves.  It doesn't convey any
information other than "Jim Thompson really really thinks running windows
securely isn't very easy."  It doesn't say why or provide any facts to
back up your point of view.  It doesn't even say that the situation
is any better on other platforms (although I'm betting you believe it
is).

The truth is -- the security on windows platforms today is roughly 
comparable to the security of linux and OS X platforms today.  Some
are slightly better and some slightly worse, but they are all within
an order of magnitude.  Some may say windows is slightly worse than
average (I wouldnt), and some may say slightly better, but in my
opinion, thats just splitting hairs...

There exist attacks against all the popular platforms.  They are found on 
a regular basis.  Attackers can and do exploit them, but there are more 
automated attacks found against Windows platforms due to their popularity. 
Any interested observer can find a long list of new and recent 
vulnerabilities for all platforms in security mailing lists and databases 
run by security vendors, operating system vendors, security organizations 
and government agencies.  The amount of remote vulnerabilities in server 
software is definitely declining on all platforms and the surface area 
exposed over the network is a lot smaller due to inclusion of packet 
filtering in all popular platforms and the choice to disable services by 
default. The amount of vulnerabilities that allow local privilege 
escalation is staggering on all platforms.  Even if it were not so, 
compromising the account of any user who performs administrative access 
(sudo, LUA/UAP, etc..) allows easy compromise of the administative account 
without the use of additional vulnerabilities (ie. PATH, trojan, debugging 
features, terminal manipulation, keystroke logging).

Even if all of that were not true, malware is still a potential issue on 
all platforms.

Tim Newsham
http://www.thenewsh.com/~newsham/

More information about the LUAU mailing list