Re: NT vs Unix on the Internet

From: Bennett Todd (betat_private)
Date: Wed May 06 1998 - 04:46:51 PDT

    > There would be lots more to say, of course.
    
    One thing I'd add is that the underlying attitude makes an enormous
    difference. Unix arrived on the scene as a brilliant job of
    _simplifying_ an OS; the thing that astonished everyone was how useful
    it was, for how little complexity there was[*]. That virtue has faded
    over the years; layers of cruft have been slathered on, and it may
    be time for a revolution. But still what complexity that is there is
    out and documented for people to scrutinize, analyze, comment on, and
    (increasingly) fix.
    
    Contrast this with NT: that is an OS designed by someone who didn't
    understand what Unix had contributed; he just wanted to do VMS again,
    and so he did. It's way way more complex, which is bad for security.
    Worse, in an attempt to keep out competition, the internals and as much
    as possible of the API are un- or ill-documented, so very few people can
    really look closely for bugs in the spec and the implementation.
    
    Good systems enjoy a distinctive security profile over time; during
    testing bugs are (naturally) being uncovered continuously; after public
    release, when the user community increases many times over, a few more
    may be found, then the rate of new bug discoveries plummets, except only
    small waves when scrutiny is brought to bear on previously unconsidered
    parts of the system (e.g. the recent flurry of low-level IP stack bugs,
    w/ DOS attacks on packet reassembly and so on).
    
    Poor systems also enjoy a distinctive security profile: the rate at
    which really painful and embarrassing new security holes are uncovered
    stays fairly stable over time. Think ``sendwhale'' here. NT is the
    sendmail of OSes. Only unlike sendmail it doesn't pay its freight by
    delivering wonderful new capabilities that raise the bar for any future
    replacement.
    
    -Bennett
    
    [*] Re simplicity, I _loved_ that classic paper where Ken basically
        sketched out ``what is a Unix'' in broad strokes, something like:
    
    	handle = open(name, mode)
    	read(handle, buffer, length);
    	write(handle, buffer, length);
    	lseek(handle, distance, origin);
    	close(handle);
    
    	pid = fork();
    	exec(filename, arguments);
    
        That's a Unix. Cool!
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:28 PDT