Forwarded from: Marc Maiffret <marcat_private>

| -----Original Message-----
| From: owner-isnat_private [mailto:owner-isnat_private] On Behalf Of InfoSec News
| Sent: Thursday, February 07, 2002 10:50 PM
| To: isnat_private
| Subject: [ISN] Microsoft developers feel Windows pain
|
| http://news.com.com/2100-1001-832048.html

<snip>

| Microsoft's security-assurance group has become the software
| giant's taskmaster for the next month.

<snip>

| The goal is to make an everyday user's computer secure by
| default, he said. "Not everyone needs IIS (Microsoft's Web
| server) by default," he said. "Not everyone uses Index Server
| by default. So today, those features are turned off by default."

This same speech was given for XP before it was released. However, Windows XP Home/Pro were actually running more SYSTEM-level services by default than any other MS OS ever. But... Maybe this next time around they will really stick to their word.

| Code modified by the new security initiative will be
| incorporated into Windows .Net Server when it ships, and into
| Windows XP via Service Pack 1, Howard said.

So widely deployed Windows 2000 is not going to get any security loving? Only if the IT world drops Win2k and goes to XP will they actually (hopefully) have an MS OS that has actually been made with security in mind?

| Microsoft hopes the consistent mantra of "security, security,
| security" will push developers--both inside and outside the
| company--to build security into their products, eliminating
| the need to repeat the monthlong review.

What is this idea of a month-long review? Are executives within MS seriously being misled to believe they can truly perform a _GOOD_ security audit of XP and .NET within a month? This sounds great for the press (the idea that Microsoft is dropping everything), about as great as Oracle's off-the-wall "unbreakable" campaign. Maybe if MS said they were going to drop everything for 6 months... Then they'd actually show they were putting the needed time into it. A month will amount to nothing. Half of that month will be just getting the corporate political BS out of the way. So maybe you'll have two weeks in the end of real technical work being done beyond policies that amount to little or nothing.

<snip>

| "It's going to be difficult," said Mary Ann Davidson, chief
| security officer for database maker Oracle. "It is a good
| thing they are doing this, and it will be good for the
| industry. But directing corporate culture of any nature is
| like turning a battleship."

Why would anyone interview Oracle to counterpoint Microsoft security? Oracle obviously has been shown to understand security a lot less than most software vendors.

I will repeat myself again... The day that Microsoft, or any major software vendor, starts releasing security bulletins on flaws that they researched within their own software... That is the day these software vendors will show they are being proactive about security. Until then this is all still talk and large PR departments at work. No, service packs every 8 months with hidden fixes are not being proactive. Security is not a social problem; it's a technical one, and it requires technical solutions.

OpenBSD is a good example of a development team that does actively research vulnerabilities within their software and releases patches for those vulnerabilities. If only these billion-dollar companies could take the time to learn something from the little guys, they'd see security is not a hard thing to achieve.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Feb 11 2002 - 04:32:37 PST