On Tue, 05 Jun 2001 11:55:01 +0300, Attila Feher <Attila.Feher at lmf.ericsson.se>
On a WinNT system of a company (for that I was doing some network
installation is part time job), it took me less than 24h.
No SPs applied...
I can't tell which SPs were applied and which ones not.
It was not even a program of a cracker page, I got it from the webpage of a
computer magazine. That was still some time ago, so maybe the SP was too new at
that time and they had no time to apply it. But I can't remember that such a
big security hole ever existed for any known UNIX system.
But I'm afraid I'm talking about apples here and you about pears. Let's define
what is meant by "OS".
For me an OS is just the basic system, all that is needed to get the system run
and no all that might be installed on a system.
So when I say UNIX is more secure than Windows, I mean UNIX itself, which is
the kernel, hardware driver, software drivers (like file systems) and the
programs that are absolutely necessary.
When installing a UNIX system that shall be secure, you should disable
everything during installation that can be disabled (including server software,
XServer, etc.). A XServer for example is such a big security hole, that you can
push a whole elephant through it and nobody would recognize it ^_^
And exactly that's the problem. Even when you disable everything possible
during Windows installation, you are still forced to install way too many
stuff. Can you install WinNT without GUI? Since every GUI might be a security
hole and every GUI wastes hardware resources (especially on servers that don't
even have a monitor).
I bet the standard settings of Win2000 installs DirectX as well and I was once
told (from a usually very reliable source) that DirectX is allowed to
circumvent many Win2000 security features to achieve higher speed.
Isn't the InternetExplorer integrated into Win2000's system? And certainly also
into WinXP. The InternetExplorer is full of security bugs and when it supports
something like VBS, goodbye system. No browser is integrated into UNIX systems,
every GUI is optional.
Only looking at those facts, it should be clear that Windows is less secure.
And you must be careful when speaking about UNIX security holes. One of the
biggest security holes of all times was (or maybe still is) SENDMAIL. It needs
root rights to run correctly and that is a danger. You can intentionally crash
it (e.g. provoking a stack overflow and that way executing own code) and such a
crash can result in a new shell with root rights. That was one of the easier
ways to get root rights and immediately everyone said:
"Look, UNIX isn't secure at all!"
But those people seem to overlook that SENDMAIL is a program, not part of the
kernel and not part of the UNIX OS. For this security hole are only programmers
of SENDMAIL responsible, not the UNIX programmers. Despite the fact that I've
seen alternatives to the standard SENDMAIL, I'm currently running a LINUX
system without any SENDMAIL application at all. (That way programs can't send
me notifications via mail, but I don't really care)
Looking at a full featured UNIX system, it's of course not more secure than a
Windows system. I'm only comparing two base systems where no third party
software is installed and there, UNIX *is* more secure than Windows.
There are VMSes on universities and don't think
people don't try to get into them :-)))
I don't know, but I think most people aren't interested into cracking an
university server. I personally only try to get root access for the fun of it
(I wouldn't even know what do with it).
BTW, looks like today is a "happy day" for you.
( Lot's of ":-)))")
Same with NT. I have seen NT setup taking few thousand steps to make
and which was solid as a rock.
See above, there are too many things you can't remove/exclude of a Windows
installation that provide security holes. You simply can't remove things that
are a permanent part of the system and when you compare Windows to UNIX under
this point of view, a LINUX system can be tiny enough to fit onto a single
floppy disc, a UNIX distribution might as well (when you have 2.88 MB
floppies)...how about WinNT?
So I guess now you understand my point of view and on what base I'm arguing
when claiming that UNIX is more secure than Windows.
So the primary decision is: is my target group UNIX or Windows or both.
If you get a UNIX version, you can also make it run on Linux.
And the main difference between UNIX and Windows are the APIs. But for whatever
you have an API call at UNIX, there's also an API call in Windows.
I personally like the system of "wrappers". You neither use UNIX or Windows
APIs directly. You create your own wrapper API, that in once case is wrapped
around the UNIX/Linux APIs and once around the Windows APIs.
That means you don't have to rewrite a single line of C++ code of your
application, you must create wrapper APIs for every system you like to support.
Yes and wanna bet that I can find someone who can crack such a terminal in less
than two hours. I bet if this terminal would run with Linux or maybe with
FreeBSD that wouldn't be that easy.
And? You have cracked the terminal.
No, I'm not good enough for that.
But in my subway station is a ticket machine that runs with Windows and I know
how to crash it, so it has to reboot (it's only Win9x and it's very easy to
crash). If I would be a hacker, I'd be able to make use of this fact and print
thousands of free tickets. Despite this machine accepts debit cards, so it must
be connected to some bank ... ^___^
Unfortunately I can only crash it, it will reboot, start an autostart
application and continue to work. Without keyboard I can't manipulate it
(there's only touch screen and a few buttons).
So you can start up the UNIX/VAX
terminal window and try to log in :-)))
I wouldn't be even able to crash it and if this application is running as
single task (with respawn option), what can you do?
Blue Screen cannot come from user SW.
You can produce a blue screen using DirectX for example.
Than you must have a real good luck. I use Solaris here and I know what
I am talking about :-))) Reboot is once per day on a test machine where
"badly behaving" SW can run.
Our Solaris machines are UltraSparcs, probably configured by a Sun employee.
I have no problem with the security manager, I have problem with the
Java VM code. It isn't "old enough" and mostly not open source to
convince a security-fanatic.
Windows as a whole ins't open source, nevertheless you trust in its security,
don't you? ^_-
Despite that, some parts are open source.
My post is about the fact that every user should be free to chouse his/her
favorite OS according to his her personal needs and nobody should be forced to
accept the flaws of a certain OS, just because some shit-head programmers left
him/her no other choice.
That is right. And I would say also that no shit-had programmer should
be forced to write cross platform code if he cannot.
Can not or doesn't want to?
The point is that small businesses will never be able to
do the first versions of their product to be fully portable. I am
talking about GUI stuff.
The GUI is actually the easiest part.
There's a GDI wrapper for XServer systems (providing full featured Windows GDI
support for XServer) and there are a XServer wrapper for Windows GDI. I would
rather be worried about processor specific optimizing done in assembler that
you can't port without rewriting them.
The only "good" point which I like in Win and _very_much_ miss in Unix is
the messaging opportunity. Unix has few signals, and that's it. Sad.
And that's good!
More message increase security holes and system compressibility.
:-)))) So Solaris 7 is apparently not UNIX. :-)) It does not crash
usually, simply stops working.
Solaris is not the prototype of UNIX, it's just the UNIX of Sun.
Can you still login via SSH when your Solaris 7 systems hangs?
Yep, Windows, it's registry,
Don't mention it's registry, it's hell.
Every application (including those provided with Windows) support 30% of hidden
features that you can only enable with registry tweaks. No matter what you do,
the registry keeps on growing bigger and bigger, it's full of unecessary
entries and not very well organized.
Despite that, I don't think it's a good idea to make a central registry for all
applications and users. Every user should have his/her own registry (and not
just a sub-tree) and only Windows should be allowed to use it (third party
software shall store their configuration somewhere else).
it's changing (screwed up) APIs,
Is there actually a list of all APIs that are included with Windows (or
multiple list for different versions), as well as an explanation what functions
are actually inside those APIs?
Nope. I did not. Let's say I design a very system specific thing, an
internet dialer for example. :-))) Let's not go into this. Everyone is
on his own to decide whether it is feasible to make 1st release cross
platform or not.
If you don't start with a cross-platform solution, it will get harder and
harder in the future to change that. An internet dialer is a very specific
piece of SW, that can't be cross-platform.
But office software, browsers, multimedia players, multimedia editors,
rendering software, programming IDEs, Usenet clients, e-mail clients, database
software, compilers, interpreters, file managers, picture editors, sound
editors, music composers, Internet clients, encryption software, compressors,
Max. size still working (talking about normal WS) Java
applet was around 70K. Then performance degraded so much, that is was
The Java2D demo of sun is larger than 70 KB and not useless.
And it's offering a lot more than you would need for a standard GUI.
(You'll need a browser with Java 1.3 support, maybe it will also run on 1.2.
So for most browsers you'll have to install a the Sun JRE)
To compare with native methods in speed, set to "0 ms" and turn of
"Anti-Aliasing" (as your native system doesn't support that).
Also the sound abilities are pretty impressive (the techno tune is very good).
Do you know their PostScript viewer?
For your GUI, look at the swing demo. Since Swing is 100% pure Java (it runs
without any native support), you can also load the Swing classes on Java
versions below 1.2
(don't forget to switch "skins" on the fly)
BTW I wanted to use Java, I have even installed it. But with my 64M
PII266 notebook it took 3 minutes to open a source file in the
Nah, I don't use Forte, I use JBuilder.
[ QT ]
Tried. They don't have an unlimited trial version for Win and I have no
way now to install a Linux at home. :-(((
Play around with it using Linux.
If you release commercial software, you certain can apply a full version.
Qt is great is what I have heard. I wanted to learn it, but no bonus.
If I get a 30 days trial I may have 2 days when I can really look at it
But Qt is the proof that it is possible to create a GUI for various of systems.
You don't have to use Qt, as your apps probably never use more than 10% of it's
functions anyway. And that means you might as well create your own
cross-platform wrapper API.
Yep. And I am also free to see 1 unhandled exception per minute
Well, of course you must handle those, that's part of being a Java programmer.
- at least with the Java apps I have tried to use. :-(((
I use plenty of Java software (because those are the only apps I can run at
university without any problems on any system) and here I never have this
problem. The only Java applet that permanently throws Exceptions is JavaICQ,
but even though it throws exceptions, it runs very well (IOW you may simply
ignore them). Considering that it's still BETA software (hasn't even reached
version 1.0), it's forgivable.
China, one billion people. Computer shops in China sell Linux 200 times more
often than Windows. The Chinese government plans to increase the usage of Linux
even more (they don't trust Micro$oft, open source rules, as they can make sure
there's no spyware inside). BTW downloaded distributions aren't counted here.
Why don't they trust MS? :-))) I cannot imagine...
Must have something to do with being a communistic country.
Windows NT is not limited to x86...
x86 and Alpha, but software must get recompiled to run on Alpha PCs.
About China - you should ask their government. They filter the Web
You can't really filter the web. You can try, but it will never be really
Anyway I could
trust Java more if it would be a standard language like C++ and Sun
would have less influence on it...
IBM is also writing JVMs and there machines are usually a lot better than the
ones of Sun.
Despite that Java is already a standard language. I'm studying computer science
and we don't learn C++, we only learn Java and all programming we perform is
done in Java.
We've been told: "we expect you to learn the basics of C++ programming yourself
and before you will leave this institution, we assume that you've seen more
than thousand lines of C++ source code, but we will not teach it or use it for
Hasn't crashed my PC a single time and I use it daily.
I currently develop exclusively in Java and my programming IDE is written
itself in Java. Everything always runs fine and I have no idea what you mean by
How much memory? 512Ms?
Currently 256 MB.
Just curious. What CPU? What speed?
AMD Athlon 1 GHz.
But I already were developing in Java on my old PC, Pentium2 350 MHz, 128 MB
RAM. And I can still run Java applications there, both under Windows and Linux,
with acceptable speed.
Take a lok at this page:
Java is not so far away of C++.
Take a look at the first picture and especially at "StrSort" and you'll see
that IBM's JVM is more than 17% faster than Intel's C++ compiled code.
The FpEmul of IBM's JVM is only ~15% slower than with native C++
Comparing IBM's JVM to the two of Sun, you'll see that IBM always wins.
I admit, often Java is slower than C++, but whether your keystroke will get
displayed after 10ms or 20ms within a text editor doesn't play any role, does
| Java is dangerously close to C performance.
| What used to be a dream propagated by Java advocates with blind faith,
| is now a reality. The biggest proof that the Java platform is great (and its
| performance issues have solutions) is to see how Microsoft is smartly
| following the lead, and telling people do do basically the same thing
| (only in a Windows-centric way). I suppose that a successful adoption
| (by Windows app developers) of the Common Language Runtime will
| mean that we won't need to explain to K&R-C dinosaurs that Java is not
| evil thanks to p-code, garbage collector, JIT compilers, safer language rules,
| objects, and so on.
- To quote from this page
He's speaking about C# here, right?
And keep in mind, C++ compilers are very old, while Java compilers are very
young (only 3 years), so there's still potential for improvements. Compare
current Java compilers with the first generation, more than ten times faster.
Think how fast a full featured Java optimizer might be in two years. In theory
a JVM could reach a speed level that isn't possible for C++ code, because a
static compiler will never be able to optimize code beyond a certain level (it
simply can't predict what will go on once the program is running), while a JVM
with dynamic compiler will be able to look at the program during runtime.
Also have an eye on the fact that also Java is so extremely young, there are
already more books about Java programming than about C++ programming. And as I
said before, universities prefer the usage of Java over C++. Mainly for two
Cross-platform development and the ability to have a running BETA program
before C++ programmers even have a concept.
Don't get me wrong, I don't say Java is better than C++, just different.
There's the right time and the right place for everything and low level,
highspeed or realtime applications will always depend on a language like C++,
but 90% of all user applications that current exist on the market could as well
be written in Java.
And I know that I repeat myself, but you can always use native code in Java if
you like. In that case you'll have to replace the native code for every
platform you are supporting, but those native code is maybe 5-10% of your
E.g. I've used a Java application that DIRECTLY accesses OpenGL (without
Java3D) and the speed was just like native C++ code . Never forget, there's
JavaQuake. That is not a real Java version of Quake. Just the game is in Java,
the sound, graphic and 3D engine is still in native code and there's no speed
difference to the 100% native version.
The advantage for programmers:
They only need to port the graphic, sound and 3D engine for all system they
want to support. The game behind the engine (which makes Quake what it is) will
run on every system, since it's Java.