Re: Open Response To Microsoft Security - RE: It's Time to End Information Anarchy

From: Pavel Kankovsky (peakat_private)
Date: Sat Oct 20 2001 - 12:40:47 PDT


On Wed, 17 Oct 2001, Steve wrote:

> Worms and viruses have been created long before "security research" was
> fashionable.  Code Red, Nimda and a few of the more recent worms were
> made possible not by the research that discovered the vulnerability they
> exploited but by the lack of awareness and training by system
> administrators who did not patch their systems.

Never forget the developers and vendors who release vulnerable software
and ship it to the clueless masses (and they know very well the vast
majority of their target audience is clueless). They are the people who
made all those disasters *possible*!

Arguments about bugs and vulnerabilities being inevitable in ``all
non-trivial software'' are bogus. The principle of least privilege has
been known for decades. So has the concept of the TCB, the concept
of mandatory access control, and a large number of other ideas invented
to reduce the impact of bugs, or even to make (some of) them completely
irrelevant from a security point of view.

But how many software systems exploiting these ideas do you know and use?
A few...if any at all. On the other hand, a certain vendor put the whole
webserver plus millions of lines of other junk within its OS's security
perimeter and added an ability to run arbitrary code embedded in data
files to every user application in their portfolio (often with the full
privileges of the poor user running the application).


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
    