PHP coder needs Tor details

Tony Tony at
Tue Feb 13 19:12:01 UTC 2007

Microsoft Outlook is part of Microsoft Office - not part of Windows. Possibly you mean Outlook Express. 

Outlook has not let you run emailed executables directly since the release of Outlook 2002.

Outlook has NEVER executed attachments by default without user interaction. You presumably refer to exploits resulting from viewing HTML emails. Sure there were a few of these, but security was considerably tightened on this since Outlook 2002, IE6 and XP SP2. I cant remember the last exploit on Outlook - they are certainly very rare in recent years.

The zombies you refer to are largely caused by historical bugs in IE6 on Windows XP and by people executing files and activeX addons from websites that ask them to. Not from any interaction with Outlook. The problem is made worse by the large number of people that run pirate versions of Windows and that have never installed XP SP2 because they cant - due to an invalid license key. (These issues do not apply to Windows server 2003 in a default install.)

With the release of IE7 and with Windows Vista the bar for exploits is much higher. Despite a year of betas for hackers to prepare and 3 months since release we havnt seen a notable Vista exploit yet.

Seeing as you are comparing, I seem to remember seeing dozens of get root exploits related to the 'sendmail' email component on UNIX - without needing any end user interaction.

I don't know where you got the idea that Linux has a faster IP stack than Windows Server. Pretty much every benchmark I have ever seen and my own experience contradicts that suggestion. Probably you just don't know how to tune and set the TCP Window size on your server. The Windows Server 2003 IP stack certainly outperforms the Redhat and Suse Linux IP stacks on standard HP server hardware. Especially when you look at high end cards like 10 Gbit Ethernet using Windows Server's scalable networking pack.

If you have ongoing resource issues on Windows Server then I would question your competence as a system admin or suggest you are running crappy software that has handle or resource leaks. Pretty much all resources on Windows are self configuring and any that are not are easily adjusted.

I get 90+ day uptimes on my Windows server running TOR (not to mention Exchange, IIS, etc) at without any resource issues at all. A reboot is only out of choice when I need to update or patch something. Current uptime is 42 days - since a disk change. :-)

Windows XP might have its issues, but to suggest that when comparing Windows SERVER to Linux that Linux is more secure is simply not the case. As you say, Linux is 'not a particularly secure operating system'

Sure PHP is one of the problems I was referring to - it comes on the Linux CD does it not? Not to mention exploits in SSH, SSL, and the many other LAMP related issues there have been over the last year or two.

Nb - GoDaddy as a business converted over 4.5 million web domains from Linux to Windows for several obvious reasons - TCO, performance and scalability:

Our business is based on providing the best possible service at the lowest possible price. This strategy requires us to maximize all of our resources, particularly our technology assets," said Warren Adelman, president and COO. "It was clear from all of the testing we've conducted that Microsoft provides an efficient and scalable operating platform, while also providing the performance needed to handle our extraordinary growth."

-----Original Message-----
From: owner-or-talk at [mailto:owner-or-talk at] On Behalf Of Eugen Leitl
Sent: 13 February 2007 16:35
To: or-talk at
Subject: Re: Re: PHP coder needs Tor details

Okay, I'll chomp upon this troll bait, and descend into lame OS penile
metrology. Hit delete *now*.

On Tue, Feb 13, 2007 at 03:26:55PM -0000, Tony wrote:

> Windows hasn't rendered active content by default since XP SP2. 

I beg to disagree. Outlook pane preview or opening a Word document,
or clicking on an attachment is equivalent to external code execution. How 
do you think that malware makes it onto those 250 Mzombies I mentioned? 

Have you seen a Unix mail client where the default operation
on an attachment is execution? Try executing something random
you download off the web either in KDE or Gnome, it's rather pedagogical.   
Have you seen a FLOSS browser which comes with that great 
technology called ActiveX? God knows Firefox
has its issues, but IE it's not.

> It has never rendered it by default in Vista or Windows 2003.

All very widespread operating systems, Vista especially.
And Windows 2003 server default browser settings are pure joy.
Nothing works anymore, so users so love it.   
> Windows also no longer runs as administrator by default (I guess you havnt used Vista yet).

No, and I won't, unless I have to set up a VMware system for it at work.
I refuse to buy and run DRM-infested systems on principle. 

The necessity to install and run many userland things as
administrator is only indirectly Redmond's fault, but it
has become a part of the information ecology. It doesn't
matter that your OS wants you to be safe, but the applications
don't. You're stuck with that tar baby for a while.
> Its not just in theory. For instance IIS is now so improved that many 
> sites fed up with the constant hacking, exploits, defacements and 
> patching regime dependency compatibility issues that they experience 
> on Linux are migrating over to Windows server 2003. This has been a 

I don't know what they're experiencing on Linux (it's not a particularly
secure operating system, unless cared for properly, I'd rather like
to get away from it on the long run, OpenBSD being the most likely candidate), 
but I don't know what a web server has to do with the OS kernel. You're 
probably (I have to guess here) referring to PHP, which is a) not a web 
server, nor an operating system b) should be certainly considered a cracker 
facilitation tool.

Clearly Sturgeon's rule directly applies here. 

> consistent trend for some time now and Apache just dropped below 

Yes, I've stopped using Apache a long time ago. Strangely enough
my web server isn't even mentioned in the statistics. And it
is also pretty low on vulnerabilities count. Isn't diversity

> 60% market share for the first time since 2002 as a direct result 
> of cumulative migrations from Linux to Windows.

Yes, these numbers are really so meaningful, especially since
GoDaddy converted to MS and hence IIS for no obvious reasons, and it
made rather a spike on the pool. Also, again: Sturgeon's rule.
As you know, millions of flies can't ever possibly be wrong,
so let's all dine on excrement.
> As you say 'most installations are now secure by default'. Touché. 

I guess time will tell. I do not anticipate a decrease in the
number of Windows zombies anytime soon. But if it happens it 
will be certainly a pleasant surprise. 

As to tor, I just wouldn't run it on a non-server system.
(No, Windows 2003 Server is not a server OS -- I know, since
I have to support it).

Both the IP stack performance is awful, there are resource
exhaustion issues which require periodic reboots lest system
lockups occur, and you're not supposed it make it easier
for Mallory by running a router on a vulnerable system.

Eugen* Leitl <a href="">leitl</a>
ICBM: 48.07100, 11.36820  
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the tor-talk mailing list