Forwarded from: Russell Coker <russell@private> Cc: scarlet_pruitt@private On Wed, 25 Feb 2004 21:10, InfoSec News <isn@private> wrote: > http://www.infoworld.com/article/04/02/24/HNunderattack_1.html > > By Scarlet Pruitt > IDG News Service > February 24, 2004 > > Windows 95 was written without a single security feature, he said, > as it was designed to be totally open to let users connect to other > systems. Furthermore, the security kernel of the Windows NT server > software was written before the Internet, and the Windows Server > 2003 software was written before buffer overflows became a frequent > target of recent attacks, he said. The Internet existed long before Windows NT. Below are URLs for the start of Windows NT development and the early days of the Internet. http://www.microsoft.com/presspass/features/1998/winntfs.asp http://www.isoc.org/internet/history/brief.shtml I expect that some of the first NT programmers weren't even born when the ARPANET was first designed! Buffer overflows have been around long before Windows Server 2003. Below is a URL for an explanation of buffer overflows. It documents the first wide-spread buffer-overflow based attack as occurring in 1989, being mostly forgotten until 1995, and then becoming more widely known. http://en.wikipedia.org/wiki/Buffer_overflow Another of the earliest well-known buffer overflows was the "ping of death", which was able to kill almost every machine on the Internet apart from OS/2 and Macintosh systems. Microsoft should recall this one well as there were two variants, the first MS patch only fixed one of them so there was a second round of DoS attacks on NT machines. http://www.insecure.org/sploits/ping-o-death.html The risks of buffer overflows were well known to NT users long before the development of Windows Server 2003! > "Almost all the attacks on our software are legacy attacks and the > points of the system that can talk to older versions of our > software," Aucsmith said. "If you want more secure software, > upgrade," he added. MS has had a long history of introducing new features that permit new methods of attack. Previewing messages that have executable content in Outlook. ActiveX in IE. > "These tools are so good I'm afraid we'll see more zero-day > attacks," Aucsmith said. Of course we will! Until people realise that writing secure software is necessary the number of attacks will increase. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -=- Forwarded from: Mark Hahn <MHahn@private> At 05:10 AM 2/25/2004, InfoSec News wrote: > Security Architect and Chief Technology Officer of Microsoft's > Security Business Unit David Aucsmith [speaking at the at the > e-Crime Congress in London on Tuesday, Feb 24,2004] ... stressed > that many of the current security issues could not have been > foreseen. > > Windows 95 was written without a single security feature, he said, > as it was designed to be totally open to let users connect to other > systems. Furthermore, the security kernel of the Windows NT server > software was written before the Internet, and the Windows Server > 2003 software was written before buffer overflows became a frequent > target of recent attacks, he said. What a piece of total dreck! What a complete re-write of history!!! When Windows 95 was written there were many flavors of UNIX software (BSD, SunOS, early Linux, etc.) all of which were more secure than Windows XP is today, with full featured Internet tools (web browsers and servers, email clients and servers, FTP clients and servers, etc...) . The Microsoft operating system product line has been dragged kicking and screaming into all the major "innovations" that are touted as features of the NT-OS based product line: Multi-tasking, networking, disk file sharing, security, etc. These were all well developed in competing products prior to their introduction in a Microsoft operating system. I find it offensive that he claims these issues could not be foreseen at the time this software was written. The only people who did not foresee this were the boys in Redmond. (I guess I should have waited for Microsoft to release version 2.0 of history before I started using it, eh?) -MpH -------- Mark P. Hahn, CISSP MHahn@private Chief Technical Officer 609 716 9320 TCB Technologies, Inc. Princeton Junction, New Jersey, USA -=- Forwarded from: security curmudgeon <jericho@private> I think you got the URL wrong. Shouldn't this be some tabloid, not Infoworld? Surely this was meant as pure humor? : http://www.infoworld.com/article/04/02/24/HNunderattack_1.html : : By Scarlet Pruitt : IDG News Service : February 24, 2004 : : LONDON -- Businesses worldwide face increasing threats from cyber : criminals attempting extortion and fraud because the software running : their systems makes them vulnerable, Microsoft Corp.'s top security : architect told attendees at the e-Crime Congress in London Tuesday. : : Even while still walking to the podium, Security Architect and Chief : Technology Officer of Microsoft's Security Business Unit David Aucsmith : readily admitted that he is considered a "target" for complaints against : his company's software, but he also stressed that many of the current : security issues could not have been foreseen. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Feb 26 2004 - 02:16:16 PST