You people are awesome!

0gb.us
Posts: 4
Joined: Fri Sep 06, 2013 5:22 am

You people are awesome!

Post by 0gb.us »

Microsoft is holding the world back in so many ways, and having a compatible replacement to Windows will be a big step toward alleviating that. And even better, you are using a free license, so others may learn from this project and both improve and adapt this software. I can't say I have the time or skills to help you pull this off, but I would like to thank you for taking the time and effort to build such a great thing.

I'll drop in every now and again to see how this progresses. Once it is out of alpha, maybe I can get my mother to install it. She always complains about viruses and slowness, but refuses to even try anything other than Windows due to compatibility issues. I might even use it myself, without all the Microsoft-induced security bugs and inefficiencies (though unlike her, I come from the UNIX-like world, so I might stick with other systems myself).

Seriously, you have no idea how excited I am to see that this project exists.

mrugiero
Posts: 482
Joined: Sun Feb 14, 2010 9:12 am

Re: You people are awesome!

Post by mrugiero »

Worth pointing out, viruses will probably keep working on ReactOS as well when full compatibility is obtained. What will not be compatible security-wise are backdoors, since they rely on flaws in the code. They will almost surely, by chance, be different on ReactOS and Windows.

0gb.us
Posts: 4
Joined: Fri Sep 06, 2013 5:22 am

Re: You people are awesome!

Post by 0gb.us »

mrugiero wrote:Worth pointing out, viruses will probably keep working on ReactOS as well when full compatibility is obtained. What will not be compatible security-wise are backdoors, since they rely on flaws in the code. They will almost surely, by chance, be different on ReactOS and Windows.
And viruses run on other systems too. The really damaging viruses need administrative access to wreak their havoc. But according to what I've read on this site, major security decision flaws (such as giving users administrative accounts by default) will not be done in ReactOS. This will create imperfect compatibility, at least with applications that stupidly assume that all users are administrators, but any well-written application will probably run without exposing the system to the most hazardous of viruses.

So yeah, there will still be some security issues to deal with, but there will be far less.

Not to mention all the speed enhancements that ReactOS will probably have. Running ReactOS in a virtual machine instead of Windows for Windows-only applications will stop Windows from eating all my system resources.

mrugiero
Posts: 482
Joined: Sun Feb 14, 2010 9:12 am

Re: You people are awesome!

Post by mrugiero »

0gb.us wrote: And viruses run on other systems too.
The comment was obviously about *Windows* viruses. On the other part, it's still quite the same as modern Windows versions. My point is: ReactOS is not targeted mostly to being the most secure OS, but to be free of charge and as in free speech (I think, I'm not 100% sure about that) and 100% compatible with Win32 applications. There will be some differences that will help security, as I pointed out: even though there will probably be security flaws, since that's code's nature, chance is they will be different than Windows' ones, and as long as ReactOS isn't quite competing in market share, anyone who writes exploits for them will target Windows.
0gb.us wrote:Not to mention all the speed enhancements that ReactOS will probably have. Running ReactOS in a virtual machine instead of Windows for Windows-only applications will stop Windows from eating all my system resources.
Well, for speed, there is optimization, and then there is lack of features. Both tend to make a system faster and leaner. In the end, ReactOS should be quite a bit like the targeted version of Windows as for resource usage, maybe optimized. Of course, with ReactOS you will be able to make leaner distributions, taking out features you believe basic usage doesn't require, as it is open source. Windows will always come only in the flavours MS produce.

0gb.us
Posts: 4
Joined: Fri Sep 06, 2013 5:22 am

Re: You people are awesome!

Post by 0gb.us »

Well, I won't argue with you about the viruses. To be honest, I don't know a whole lot about viruses. I can hope that ReactOS will fix this virus issue, but that won't make it true. As for the leaner system, many available open source UNIX and UNIX-like operating systems are just as featureful as Windows, but without most of the overhead. In other words, featureful and resource-intensive do not have to be the same thing. Microsoft simply is bad at creating efficient code. I believe that a non-Microsoft community, especially a free software community, can make something that runs way faster and with way less resource usage, even if every feature is implemented. Even Microsoft employees know that free software communities create faster, more efficient software.

http://www.zdnet.com/anonymous-msft-dev ... 000015236/

mrugiero
Posts: 482
Joined: Sun Feb 14, 2010 9:12 am

Re: You people are awesome!

Post by mrugiero »

0gb.us wrote:As for the leaner system, many available open source UNIX and UNIX-like operating systems are just as featureful as Windows, but without most of the overhead. In other words, featureful and resource-intensive do not have to be the same thing. Microsoft simply is bad at creating efficient code.
I'm aware of the UNIX-like systems, I run one. That's one of the reasons I talked about both optimizations and removing features. As for MS being bad at creating efficient code, I don't think so.

milon
Posts: 969
Joined: Sat Sep 05, 2009 9:26 pm

Re: You people are awesome!

Post by milon »

0gb.us wrote:Well, I won't argue with you about the viruses. To be honest, I don't know a whole lot about viruses. I can hope that ReactOS will fix this virus issue, but that won't make it true. As for the leaner system, many available open source UNIX and UNIX-like operating systems are just as featureful as Windows, but without most of the overhead. In other words, featureful and resource-intensive do not have to be the same thing. Microsoft simply is bad at creating efficient code. I believe that a non-Microsoft community, especially a free software community, can make something that runs way faster and with way less resource usage, even if every feature is implemented. Even Microsoft employees know that free software communities create faster, more efficient software.

http://www.zdnet.com/anonymous-msft-dev ... 000015236/
A virus (or malware or trojan, etc) is simply code that takes advantage of a system flaw/inconsistency in a malicious manner. There are, unfortunately, non-malicious programs that also take advantage of system flaws/inconsistencies to function normally. I am not a developer for ReactOS, so I (thankfully!) don't have to make the decision, but we'll have to decide whether or not to support the legitimate applications that are coded poorly. If we support them, we increase compatibility, but we also have more vulnerabilities than if we choose not to.

It's worth mentioning, by the way, that you don't have to perform a full install of ReactOS to test it and see how it works for you so far. You can test it by running it in a virtual machine. On Windows, you can install VirtualBox or another system emulator and load a copy of ReactOS into it. What you'll see is a normal application window, and the contents of that window will be the ReactOS desktop. It's a fun way to get to know the system without risking it being incompatible with your current setup. If you're interested in this, check out the Tutorials section, and ask for help if you need it.

0gb.us
Posts: 4
Joined: Fri Sep 06, 2013 5:22 am

Re: You people are awesome!

Post by 0gb.us »

milon wrote:
0gb.us wrote:Well, I won't argue with you about the viruses. To be honest, I don't know a whole lot about viruses. I can hope that ReactOS will fix this virus issue, but that won't make it true. As for the leaner system, many available open source UNIX and UNIX-like operating systems are just as featureful as Windows, but without most of the overhead. In other words, featureful and resource-intensive do not have to be the same thing. Microsoft simply is bad at creating efficient code. I believe that a non-Microsoft community, especially a free software community, can make something that runs way faster and with way less resource usage, even if every feature is implemented. Even Microsoft employees know that free software communities create faster, more efficient software.

http://www.zdnet.com/anonymous-msft-dev ... 000015236/
A virus (or malware or trojan, etc) is simply code that takes advantage of a system flaw/inconsistency in a malicious manner. There are, unfortunately, non-malicious programs that also take advantage of system flaws/inconsistencies to function normally. I am not a developer for ReactOS, so I (thankfully!) don't have to make the decision, but we'll have to decide whether or not to support the legitimate applications that are coded poorly. If we support them, we increase compatibility, but we also have more vulnerabilities than if we choose not to.

It's worth mentioning, by the way, that you don't have to perform a full install of ReactOS to test it and see how it works for you so far. You can test it by running it in a virtual machine. On Windows, you can install VirtualBox or another system emulator and load a copy of ReactOS into it. What you'll see is a normal application window, and the contents of that window will be the ReactOS desktop. It's a fun way to get to know the system without risking it being incompatible with your current setup. If you're interested in this, check out the Tutorials section, and ask for help if you need it.
Yeah, I downloaded the VirtualBox version yesterday, but have yet to install it quite yet.

I suppose you're right about poorly-coded "legitimate" applications. I hadn't considered those in my reasoning.

DOSGuy
Posts: 582
Joined: Wed Sep 14, 2011 5:55 pm
Contact:

Re: You people are awesome!

Post by DOSGuy »

milon wrote:A virus (or malware or trojan, etc) is simply code that takes advantage of a system flaw/inconsistency in a malicious manner. There are, unfortunately, non-malicious programs that also take advantage of system flaws/inconsistencies to function normally. I am not a developer for ReactOS, so I (thankfully!) don't have to make the decision, but we'll have to decide whether or not to support the legitimate applications that are coded poorly.
Not really, on either count. There are certainly viruses that exploit vulnerabilities that shouldn't exist in the OS, but many don't have to. A lot of malware makes changes to the registry to make itself your homepage, or to add itself to your startup routine. Very often, you actually agreed to this in the license agreement that you didn't read! The point is that a lot of malware doesn't exploit accidental vulnerabilities, but exploits intentional vulnerabilities like the existence of the registry. We'd all be a lot safer if programs couldn't edit the registry, but almost every Windows program edits the registry for legitimate purposes!

Likewise, it's not so much that we're concerned about losing compatibility with poorly coded programs that depend on Windows bugs and quirks. Those programs break on their own as soon as the next Service Pack comes out and changes the buggy/quirky behavior that they depended on. The issue is that malware messes with you by editing the registry or acquiring low-level access to your hardware, and there are lots of legitimate programs that do the same thing. For instance:
  • Uninstallers need access to your registry to find the crap that was left when some other program supposedly uninstalled itself
  • Registry cleaners need to delete orphaned registry entries that bloat your registry and harm your system performance
  • Partition managers require the ability to low-level format your hard drive
  • Antivirus software needs the ability to monitor system processes for suspicious activity
  • Memory dumping programs and hex editors need access to protected memory
  • Video drivers need low-level access to your graphics card
There are legitimate reasons to edit the registry and request privileged access to the CPU, RAM, hard drive and other hardware resources. They aren't taking advantage of a system flaw, they're taking advantage of system features. Those features happen to be exploitable for malicious purposes, but failing to implement them or denying access to them isn't the solution. As much as some people might disagree, the registry is not a bug!

The best solution seems to be to have the OS warn you when a program wants to do something that could harm you and ask if you want to allow it, which is why Microsoft created UAC. A ReactOS UAC would be a good idea.
Today entirely the maniac there is no excuse with the article. Get free DOS, Windows and OS/2 games at RGB Classic Games.

milon
Posts: 969
Joined: Sat Sep 05, 2009 9:26 pm

Re: You people are awesome!

Post by milon »

Excellent post, DOSGuy. Thanks for the correction. And I agree with you - ROS should have a UAC at some point. It doesn't block everything (anything an operating system can do can be used maliciously), but it goes a long way.

PurpleGurl
Posts: 1789
Joined: Fri Aug 07, 2009 5:11 am
Location: USA

Re: You people are awesome!

Post by PurpleGurl »

Just a few comments.

Yes, while ReactOS will likely run a lot of the same malware as Windows, it will likely not run it all. There are things like malicious scripts that pull in viruses. I noticed that Windows 98 was more likely to pull such things in than Windows XP. I can think of 2-3 reasons. Win9X has a different underlying architecture than NT/XP so there are nasties that just won't hook in and run since the exact vulnerabilities, undocumented features, etc., don't exist. But then there is another reason. The underlying .DLLs that IE uses are different and contain more features. If we compare IE 6.x across 98 and XP, IE 6.x is less vulnerable under XP since the system files it relies on are different. So in that case, with the popup blocking, better default security settings, etc., a lot of the scripts that pull in the nasties will not run. Now if you go trying to relax all the settings, then yes, you very well can get infected from browsing. Sometimes the ad companies inadvertently accept malicious scripts or popups from sites with malicious homepage code (or popups to sites that use malicious ad scripts inadvertently). So tighter script settings and integrated popup blocking help. XP was also more secure in that it used hardware buffer overrun protection when running on compatible CPUs, and it offered a firewall. Rather crude, but better than not being there. Windows 7 has a much more mature firewall which even handles outgoing traffic. Incoming helps keep stuff from getting into the computer in the first place, but outgoing helps mitigate the damage should the system already be compromised. It seems like Microsoft finally got a clue from the security experts. They used to say (paraphrased), "Why would you need an outgoing firewall since wouldn't all software running on your PC with network access be run with your permission?" But that is what malware does, runs without the user's permission, or at least permission obtained without informed consent.

We should use PAE mode (in the 32-bit version), even if we cap under 4Gb for compatibility reasons, just to get the NoEx instruction and do hardware buffer overrun protection. But doing so would come at a cost (half the TLB entries since it would double the size to get to use 36-bit addressing). I propose that we try to use the Windows 8 strategy for the overrun protection, but on an opt-in basis for any files that are not ours. The malware is more sophisticated and can figure out what is in memory at what location. Before that, everything would load in a fixed order, so if malware had knowledge of what is being loaded, it could infect the system at times where the malware would not be detected. It could profile your system and the DLLs to help get in before the hardware protection can feasibly be enabled. So one way around this newer type of attack is to shuffle the system files and drivers, since it is harder to hit a moving target. But that causes a new complication. If the files are written to not care where they are in memory, then that is no problem. But not all apps that can safely be moved around in memory report themselves as able to do such.

We don't have certain vulnerabilities now due to a lack of features. For instance, I don't think root kits are possible now. That requires NTFS.

Oh, an idea comes to mind, a registry firewall. Why not the ability to block suspicious registry changes? "Application X is trying to add itself to start automatically with your computer, should we allow this? This time? Always? Not this time? Never?"

Z98
Release Engineer
Posts: 3379
Joined: Tue May 02, 2006 8:16 pm
Contact:

Re: You people are awesome!

Post by Z98 »

Uh, Windows 9x suffered from a lot of issues because it had basically no security to begin with.

Dave3434
Posts: 323
Joined: Tue Jun 28, 2011 2:14 am

Re: You people are awesome!

Post by Dave3434 »

If we use PAE then older systems won't be able to run ReactOS.

PurpleGurl
Posts: 1789
Joined: Fri Aug 07, 2009 5:11 am
Location: USA

Re: You people are awesome!

Post by PurpleGurl »

Dave3434 wrote:If we use PAE then older systems won't be able to run ReactOS.
How old do you mean? Pentium 1, 486? But yes, even a Pentium 4/Celeron would have trouble. As I said before, the kernel should detect the hardware. That is what Windows does. It can run with PAE and the inherent security instructions on systems that support it, and run without it (and use perhaps just some crude software-based protection). The goal is to be Windows compatible, right? Windows knows which HAL code to load. And that would have to be the way to do it if we want the ability to migrate the OS to another machine. I mean, if the burden for the correct HAL code was on the installer, then someone might migrate to an incompatible machine and it would not run.

I have mixed feelings about running on very old hardware. It would mean that certain optimizations could not be done, since the support for older hardware would cripple the performance that newer stuff can provide. However, supporting old hardware would be a very "green" thing to do, and it would help children in lesser "developed" parts of the world. While sending our "junk" elsewhere sounds a bit patronizing, still, if you have an OS that can run modern software on older equipment, then you have greatly increased opportunity throughout the entire world. I actually grew up without a home computer, and yet today, people throw away good systems. I know of a computer store where I once lived that made its start selling refurbished XTs. Yes, 8088 processor running at 4.77 MHz, and they shipped them to Latin American countries.
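
The hardware-detection approach raised in the post above, sketched as an added example that is not part of any post in this thread and is not ReactOS code: a 32-bit kernel reads the CPUID feature bits for PAE and NX and picks a paging mode, falling back when they are absent. The function names and the `paging_mode` enum are hypothetical; the CPUID bit positions and the `<cpuid.h>` helpers are the standard GCC/Clang ones.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__i386__) || defined(__x86_64__)
#include <cpuid.h>                     /* GCC/Clang CPUID helpers */
#endif

#define CPUID1_EDX_PAE (1u << 6)       /* CPUID leaf 1, EDX bit 6: PAE */
#define CPUIDX_EDX_NX  (1u << 20)      /* CPUID leaf 0x80000001, EDX bit 20: NX */

/* Hypothetical policy names for this example. */
enum paging_mode { PAGING_LEGACY_32, PAGING_PAE_NO_NX, PAGING_PAE_NX };

/* Decide the paging mode of a 32-bit kernel from raw CPUID register values.
 * In 32-bit mode the no-execute bit lives in the 64-bit PAE page-table
 * entries, so without PAE there is no hardware NX regardless of other bits. */
enum paging_mode choose_paging_mode(uint32_t leaf1_edx, uint32_t max_ext_leaf,
                                    uint32_t ext1_edx)
{
    int pae = (leaf1_edx & CPUID1_EDX_PAE) != 0;
    /* Only trust the extended feature word if the CPU implements that leaf. */
    int nx = max_ext_leaf >= 0x80000001u && (ext1_edx & CPUIDX_EDX_NX) != 0;

    if (!pae)
        return PAGING_LEGACY_32;       /* old CPU: software mitigations only */
    return nx ? PAGING_PAE_NX : PAGING_PAE_NO_NX;
}

/* Read the three values from the running CPU. Returns 0 on success,
 * -1 when CPUID is unavailable (including non-x86 builds). */
int read_cpu_features(uint32_t *leaf1_edx, uint32_t *max_ext_leaf,
                      uint32_t *ext1_edx)
{
    *leaf1_edx = *max_ext_leaf = *ext1_edx = 0;
#if defined(__i386__) || defined(__x86_64__)
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return -1;
    *leaf1_edx = d;
    if (__get_cpuid(0x80000000u, &a, &b, &c, &d))
        *max_ext_leaf = a;             /* highest extended leaf supported */
    if (*max_ext_leaf >= 0x80000001u &&
        __get_cpuid(0x80000001u, &a, &b, &c, &d))
        *ext1_edx = d;
    return 0;
#else
    return -1;
#endif
}

int main(void)
{
    static const char *names[] = { "legacy 32-bit paging, no hardware NX",
                                   "PAE paging, no hardware NX",
                                   "PAE paging with hardware NX" };
    uint32_t l1, max_ext, e1;
    if (read_cpu_features(&l1, &max_ext, &e1) != 0) {
        puts("CPUID not available on this build/CPU");
        return 1;
    }
    printf("selected: %s\n", names[choose_paging_mode(l1, max_ext, e1)]);
    return 0;
}
```
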

Dave3434
Posts: 323
Joined: Tue Jun 28, 2011 2:14 am

Re: You people are awesome!

Post by Dave3434 »

Pentium 2 onward.
