To be fair, Linux was a security nightmare before 2000 too. Linux didn’t have ACL’s until 2002.
with the user being the administrator
No one ran as administrator as default in a corporation, nor at home if you knew anything about computers. NT even suggested creating non privileged user accounts during setup.
Let’s only use it on x86.
It’s not like they didn’t try. When NT came out it was running on Mips, Alpha, PowerPC and Itanium. It wasn’t MS’s fault everything but x86 died. They tried more than anyone to support x86 alternatives. Now that ARM is capable of more than a PocketPC, they are on ARM.
Windows CE which did run on other devices and architectures, doesn’t use the NT kernel.
CE had extremely different requirements. The OS and Apps had to run in 2MB of RAM. NT shipped on many different CPUs.
It really wasn’t. Turn off services you don’t use, don’t run as admin and it was fine. Yes people would get viruses from running executables but that’s because Windows viruses were distributed widely because of market share. Linux wasn’t inherently more secure.
gotta disagree. microsoft’s vaunted API/ABI compatability combined with often broken process isolation made it an absolute mess. security features that should have protected users and systems were routinely turned off to allow user space programs to function (DEP anyone?).
SP2/3 taught users one thing only - if a program breaks, start rolling back system hardening. I cannot think of one XP machine outside of some tightly regulated environments (and a limited smattering of people that 1. knew better and 2. put up with the pain) that did not run their users as a local administrative equiv. to “avoid issues”.
if user space is allowed to make kernel space that vulnerable, then the system is broken.
So you blame Microsoft for allowing users to disable security features but don’t blame Linux for allowing it also?
I am saying that I have far fewer privilege escalation issues/requirements on a typical linux distro - almost as if a reasonable security framework was in place early on and mature enough to matter to applications and users.
we can get into the various unix-ish SNAFUs like root X, but running systems with non-monolithic desktops/interfaces (I had deep core software and version choices) helped to blunt exposures in ways that were just not possible on XP.
we are talking about XP here, a chimeric release that only a DOS/Win combo beats for hackery. XP was basically the worst possible expression of the NT ethos and none of NTs underlaying security features were of practical value when faced with production demands of the OS and the inability of MS to manage a technology transition more responsibly.
now, if you ask me what I think of current windows… well, I still dont persnally use it, but for a multitude of reasons that are not “security absolutely blows”.
apologies for the wall-o-text, apparently I have freshly unearthed XP trauma to unload. :-/
so, hows your day going? got some good family / self time lined up for the weekend?
running systems with non-monolithic desktops/interfaces
That’s security through obscurity. It’s not that Linux has better security, only that its already tiny desktop market share around 2003 was even smaller because of different variations.
MS to manage a technology transition more responsibly.
That’s again blaming the Microsoft user for not understanding computers but not blaming the Linux user for running as root.
That’s security through obscurity. It’s not that Linux has better security, only that its already tiny desktop market share around 2003 was even smaller because of different variations.
no, its absolutely not. its choosing software components based on known security vulns or limiting exposure to a suite of suspected or established attack vectors. its absolutely not security through obscurity. these are fundamental choices made every day by engineers and sysadmins everywhere as part of the normal design, implementation and maintenance process. there is nothing “obscure” about selecting for certain attributes and against others. this is how its done.
perhaps you disagree with this.
That’s again blaming the Microsoft user for not understanding computers but not blaming the Linux user for running as root.
? its not the users job to understand OS security. to expect otherwise is unrealistic. also, virtually no “average” linux user, then or now, ran/runs as root. the “root X” issue related to related to requiring XWindows to run with and maintain root privs., not the user interacting with X running as root. it was much more common in the XP era to find XP users running as administrator than a “Linux user for running as root” because of deep, baked-in design choices made by microsoft for windows XP that were, at a fundamental level, incompatable with a secure system - microsofts poor response to their own tech debt broke everything “NT” about XP… which is exactly the point I am trying to make. I am not sure your statement has any actual relation to what I said.
virtually no “average” linux user, then or now, ran/runs as root.
That’s because Linux users already know about computers. In 2003, at the time of XP Linux distro did not disable root. Root was the default during install. You then had to create your own non privileged accounts. In some distros that meant using useradd.
because of deep, baked-in design choices made by microsoft for windows XP
To be fair, Linux was a security nightmare before 2000 too. Linux didn’t have ACL’s until 2002.
No one ran as administrator as default in a corporation, nor at home if you knew anything about computers. NT even suggested creating non privileged user accounts during setup.
It’s not like they didn’t try. When NT came out it was running on Mips, Alpha, PowerPC and Itanium. It wasn’t MS’s fault everything but x86 died. They tried more than anyone to support x86 alternatives. Now that ARM is capable of more than a PocketPC, they are on ARM.
CE had extremely different requirements. The OS and Apps had to run in 2MB of RAM. NT shipped on many different CPUs.
yes, but XP at any SP is an unfixable mess compared to virtually any OS in the past 20 years (Temple OS excluded?), ACLs or not
not suggesting that you intimated otherwise, but its important to remind myself just how bad every XP instance really was.
It really wasn’t. Turn off services you don’t use, don’t run as admin and it was fine. Yes people would get viruses from running executables but that’s because Windows viruses were distributed widely because of market share. Linux wasn’t inherently more secure.
gotta disagree. microsoft’s vaunted API/ABI compatability combined with often broken process isolation made it an absolute mess. security features that should have protected users and systems were routinely turned off to allow user space programs to function (DEP anyone?).
SP2/3 taught users one thing only - if a program breaks, start rolling back system hardening. I cannot think of one XP machine outside of some tightly regulated environments (and a limited smattering of people that 1. knew better and 2. put up with the pain) that did not run their users as a local administrative equiv. to “avoid issues”.
if user space is allowed to make kernel space that vulnerable, then the system is broken.
So you blame Microsoft for allowing users to disable security features but don’t blame Linux for allowing it also?
Ssh has had bugs that give root on Linux. Does that mean Linux is broken too?
https://www.schneier.com/blog/archives/2024/07/new-open-ssh-vulnerability.html
I am saying that I have far fewer privilege escalation issues/requirements on a typical linux distro - almost as if a reasonable security framework was in place early on and mature enough to matter to applications and users.
we can get into the various unix-ish SNAFUs like root X, but running systems with non-monolithic desktops/interfaces (I had deep core software and version choices) helped to blunt exposures in ways that were just not possible on XP.
we are talking about XP here, a chimeric release that only a DOS/Win combo beats for hackery. XP was basically the worst possible expression of the NT ethos and none of NTs underlaying security features were of practical value when faced with production demands of the OS and the inability of MS to manage a technology transition more responsibly.
now, if you ask me what I think of current windows… well, I still dont persnally use it, but for a multitude of reasons that are not “security absolutely blows”.
apologies for the wall-o-text, apparently I have freshly unearthed XP trauma to unload. :-/
so, hows your day going? got some good family / self time lined up for the weekend?
That’s security through obscurity. It’s not that Linux has better security, only that its already tiny desktop market share around 2003 was even smaller because of different variations.
That’s again blaming the Microsoft user for not understanding computers but not blaming the Linux user for running as root.
Where you tech support at a company?
no, its absolutely not. its choosing software components based on known security vulns or limiting exposure to a suite of suspected or established attack vectors. its absolutely not security through obscurity. these are fundamental choices made every day by engineers and sysadmins everywhere as part of the normal design, implementation and maintenance process. there is nothing “obscure” about selecting for certain attributes and against others. this is how its done.
perhaps you disagree with this.
? its not the users job to understand OS security. to expect otherwise is unrealistic. also, virtually no “average” linux user, then or now, ran/runs as root. the “root X” issue related to related to requiring XWindows to run with and maintain root privs., not the user interacting with X running as root. it was much more common in the XP era to find XP users running as administrator than a “Linux user
forrunning as root” because of deep, baked-in design choices made by microsoft for windows XP that were, at a fundamental level, incompatable with a secure system - microsofts poor response to their own tech debt broke everything “NT” about XP… which is exactly the point I am trying to make. I am not sure your statement has any actual relation to what I said.You don’t swap GUI’s on 1,000 corporate users every time a new exploit comes out. You don’t know which Window Manager or DE is more secure.
Besides the Window manager is rarely relevant to exploits the same as in Windows. DirtyCow, CVE-2024-1086, SSH, this entire list https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33 didn’t care which Window Manager you ran.
That’s because Linux users already know about computers. In 2003, at the time of XP Linux distro did not disable root. Root was the default during install. You then had to create your own non privileged accounts. In some distros that meant using useradd.
The exact design choices of Linux at the time.
You have a double standard.