RE: [ISN] Microsoft developers feel Windows pain

From: InfoSec News (isnat_private)
Date: Sun Feb 10 2002 - 23:49:03 PST


    Forwarded from: Marc Maiffret <marcat_private>
    
    | -----Original Message-----
    | From: owner-isnat_private 
    | [mailto:owner-isnat_private] On Behalf Of InfoSec News
    | Sent: Thursday, February 07, 2002 10:50 PM
    | To: isnat_private
    | Subject: [ISN] Microsoft developers feel Windows pain 
    | 
    | http://news.com.com/2100-1001-832048.html
    <snip>
    | Microsoft's security-assurance group has become the software 
    | giant's taskmaster for the next month.
    <snip>
    | The goal is to make an everyday user's computer secure by 
    | default, he said. "Not everyone needs IIS (Microsoft's Web 
    | server) by default," he said. "Not everyone uses Index Server 
    | by default. So today, those features are turned off by default."
    
    This same speech was given for XP before it was released. However,
    Windows XP Home/Pro were actually running more SYSTEM-level services
    by default than any other MS OS ever. But... maybe this next time
    around they will really stick to their word.
    
    | Code modified by the new security initiative will be 
    | incorporated into Windows .Net Server when it ships, and into 
    | Windows XP via Service Pack 1, Howard said.
    
    So widely deployed Windows 2000 is not going to get any security
    loving? Only if the IT world drops win2k and goes to XP will they
    actually (hopefully) have an MS OS that has actually been made with
    security in mind?
     
    | Microsoft hopes the consistent mantra of "security, security, 
    | security" will push developers--both inside and outside the 
    | company--to build security into their products, eliminating 
    | the need to repeat the monthlong review.
    
    What is this idea of a month-long review? Are executives within MS
    seriously being misled to believe they can truly perform a _GOOD_
    security audit of XP and .NET within a month? This sounds great for
    the press (the idea that Microsoft is dropping everything), about as
    great as Oracle's off-the-wall Unbreakable campaign. Maybe if MS said
    they were going to drop everything for 6 months... then they'd
    actually show they were putting the needed time into it. A month will
    amount to nothing. Half of that month will be just getting the
    corporate political BS out of the way. So maybe you'll have two weeks
    in the end of real technical work being done beyond policies that
    amount to little or nothing.
    
    <snip>
    
    | "It's going to be difficult," said Mary Ann Davidson, chief 
    | security officer for database maker Oracle. "It is a good 
    | thing they are doing this, and it will be good for the 
    | industry. But directing corporate culture of any nature is 
    | like turning a battleship."
    
    Why would anyone interview Oracle to counterpoint Microsoft security?
    Oracle obviously has been shown to understand security a lot less than
    most software vendors.
    
    I will repeat myself again... The day that Microsoft, or any major
    software vendor, starts releasing security bulletins on flaws, that
    they researched, within their own software... That is the day these
    software vendors will show they are being proactive about security.
    Until then this is all still talk and large PR departments at work.
    No, service packs every 8 months with hidden fixes are not being
    proactive.
    
    Security is not a social problem, it's a technical one and it requires
    technical solutions. OpenBSD is a good example of a development team
    that does actively research vulnerabilities within their software and
    releases patches for those vulnerabilities. If only these billion
    dollar companies could take the time to learn something from the
    little guys they'd see security is not a hard thing to achieve.
    
    Signed,
    
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner 
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Mon Feb 11 2002 - 04:32:37 PST