Firewall Wizards mailing list archives

RE: Proxy 2.0 secure? (about ms protocol stack)


From: "Choi, Byoung" <bchoi () visa com>
Date: Fri, 26 Jun 1998 12:09:57 -0700

my statement is an empirical conclusion.  i wouldn't make an assumption
about whether nt security holes get more publicity than others...

i very much agree with you about the superior reliability of open-source
software - at the worst, it's the devil we know (or we are able to find out
if we want to).  however, aix and many commercial unix(es?) are derived
from bsd/svr, and they are time-tested.  unless the vendor was so
moronic as to waste their time writing the whole protocol stack over, it
wouldn't be unreasonable to expect a similar level of performance/security
attributes (this is a bit of a blanket statement, i know).

b-

(sorry to the mailing list folks - i sent a redundant message
previously because it told me that the message bounced back :-}  )

        ----------
        From:  tqbf () pobox com
        Sent:  Thursday, June 25, 1998 11:00 PM
        To:  bchoi () visa com
        Cc:  AGrigoro () mobility com; firewall-wizards () nfr net
        Subject:  Re: Proxy 2.0 secure? (about ms protocol stack)

        > ms tcp/ip stack is substantially less mature than, say, unix' (both bsd
        > & s5, i don't know what else is there to compare...).   ms stack seems
        > particularly vulnerable to faulty ip fragments, and various malformed

        We don't know this for sure. It happens that some of the most publicized
        denial of service attacks on the Internet in recent history have affected
        Windows NT; it also happens that people pay more attention to bugs that
        affect Windows NT, and pay more attention to the fact that a given bug
        affects Windows NT (when it may affect many other operating systems).

        Windows NT certainly does not boast a mature TCP/IP stack --- read the
        archives of the tcp-impl mailing list to see some of the world's most
        authoritative TCP implementors explain why. However, the real reason why
        it's reasonable to claim that Windows NT's stack is less secure than, say,
        4.4BSD's, is that we don't have access to its source code. I'm no more
        confident in AIX's (to name a large commercial Unix platform at random)
        stack.

        Security software which has neither open source nor published peer review
        results should not be trusted. Since the industry doesn't seem to want to
        meet these criteria for (almost) ANY commercial security software, you
        take what you can get.

        -----------------------------------------------------------------------------
        Thomas H. Ptacek                           SNI Labs, Network Associates, Inc.
        -----------------------------------------------------------------------------
        http://www.pobox.com/~tqbf       "If you're so special, why aren't you dead?"