RE: [ISN] Experts: Microsoft security gets an 'F'

From: InfoSec News (isnat_private)
Date: Mon Feb 10 2003 - 00:37:32 PST


    Forwarded from: "Hoodye, Morris" <Morris.Hoodyeat_private>
    
    As far as the NonStop enterprise division of HP goes, I would like to
    chime in, since the question was asked... Our systems are used to run
    90% of the stock exchanges worldwide. The stock exchanges have chosen
    our platform because of its reliability. One key part of reliability
    is that our enterprise operating system (NonStop Kernel) does not allow
    user processes to escalate their privilege levels.
    
    The architecture is a true secure message-based operating system that
    has a 25+ year history. I have implemented the NonStop Himalaya
    Platform in some of the most secure and vital parts of our critical
    infrastructure, where the system has NOT been compromised.
    
    When we make changes to the operating system we review each line of
    code change for reliability and security issues. Our customers expect
    nothing less, so we go through great efforts to ensure the reliable
    operation of the customers' environment... Our customers consider
    downtime unacceptable, and we understand this... It is not uncommon for
    customers to have 5+ years of constant uptime.
    
    Our systems can be upgraded while running the customers' application,
    so I think customers would give us an A.
    
    Get the complete picture at:
    http://nonstop.compaq.com/view.asp?PAGE=HimalayaServers
    
       
    
    -----Original Message-----
    From: InfoSec News [mailto:isnat_private]
    Sent: Tuesday, February 04, 2003 23:16
    To: isnat_private
    Subject: RE: [ISN] Experts: Microsoft security gets an 'F'
    
    
    Forwarded from: Pete Lindstrom <petelindat_private>
    
    This whole "grading Microsoft" discussion is completely ludicrous. If
    Microsoft gets an 'F,' then who got the A's, B's, C's, and D's? If
    upwards of 100,000 sites were infected with Slammer, does that mean
    that everyone who was infected gets an 'F' too? Or does Microsoft get
    their grade because it was their software? Who gets the 'F' for
    Slapper?
    
    Can we legitimately grade Microsoft's Trustworthy Computing
    initiative, designed to create more secure software, by assessing
    their own internal practices? Can we grade it if there is nothing to
    compare to? How is IBM doing? SAP? Oracle? Siebel? Novell? Computer
    Associates? Sun? HP? PeopleSoft? How about the custom stuff from
    Accenture? EDS? CSC?
    
    Do we really know the difference between what equals "secure" and what
    equals "luck" in the security space? Is there anyone out there who has
    a foolproof method for determining an appropriate level of security
    that is guaranteed to eliminate risk?
    
    You can't blame obesity on McDonald's for serving quarter pounders and
    you can't blame insecurity on Microsoft for serving buggy software
    that the whole world decided to buy because of the functionality and
    backward compatibility - both qualities that create complexity and its
    sister, insecurity. And let's not forget that a large number of our
    security problems are due to poor configuration and not buggy software
    (e.g. SQL Spida attacked null passwords).
    
    There is no doubt that from a security perspective, our existing model
    has been unsuccessful due to its reactive nature and the built-in
    latencies involved. But I talk to companies every day with better
    solutions (check out www.spiresecurity.com/IntrusionPrevention.htm for
    some ideas).
    
    It is far too easy to blame Microsoft (give them an 'F') for the
    world's security woes. But you get a completely different perspective
    when you take a look around at all the potential alternatives and
    existing poor security practices in place.
    
    There, I said it. Please flame me at bill.gatesat_private (just
    kidding).
    
    Regards,
    
    Pete
    
    Pete Lindstrom, CISSP
    Research Director
    Spire Security, LLC
    P.O. Box 152
    Malvern, PA 19355
    phone: 610-644-9064
    fax: 610-644-8212
    www.spiresecurity.com
    Briefing Requests: 
    http://www.spiresecurity.com/briefingrequest.asp?p=briefingrequest
    
    
    [...]
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Mon Feb 10 2003 - 03:28:39 PST