[thelist] FYI - Plug this MS Application Hole

bruce bedouglas at earthlink.net
Thu Sep 4 05:36:49 CDT 2003


Ken,

I understand, and applaud that msoft is doing better in the area of
security. And my fault if I didn't give them kudos for being a little
better. But it's still horrendous. Hell, I still have, almost every couple of
weeks, a security email to possibly patch something!

And this still does not remove or address the past damage that has been
caused by their work. For my $0.02 worth, if you're going to give someone a
tool that can be used to wreak havoc, then you need to be held accountable. I
don't have an issue with not blaming msoft if someone maliciously uses their
apps. But there is plenty of evidence that suggests that msoft just didn't
really give a damn.

As an analogy: if GM were to sell defective cars, it doesn't matter that
they started doing a better job, they need to recall the cars that were
defective, and even then they'd probably get sued for the damage caused!!

A reason that you still have major issues is that people know that people
aren't going to always patch their apps, and that if a virus is written for
that hole/issue, there will be a number of systems that are susceptible.

Regards,

-Bruce


-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Ken Schaefer
Sent: Wednesday, September 03, 2003 9:59 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] FYI - Plug this MS Application Hole


Bruce,

Over the next couple of years you will start to see major changes in the way
that Microsoft ships products. A lot of products will be a lot more secure,
there will be a lot more published at release time showing how to secure a
product, and the default options will be such that hardly anything will work
unless you explicitly turn it on.

Additionally, the actual underlying language used to program a lot of MS
products will change from what's currently being used, to managed .Net
languages, avoiding a lot of the problems that we have at the moment.

None of this is going to happen instantaneously - there's a lot of legacy
code, and a lot of legacy apps built on top of that legacy code. But things
will happen. Having recently attended TechEd, it has been pleasantly
surprising to see the amount of work that has been done. If you use SQL
Server, and have a look at the post-SP3 Books Online, you will see that a
vast number of changes have been made - all the code samples have been
reviewed, all the permissions on sprocs have been changed. If you look
at Windows 2003, the number of remote exploits in the past 4.5 months has
been 2 (well, 1 until yesterday).

If you look at the number of whitepapers, and prescriptive architecture
solutions that MS is now putting out (both for its own internal developers,
and for external users) you will see a vast improvement in what's available.
Not only in the quality, but also the timeliness of release. For example,
ASP.Net developers can access Building Secure ASP.Net applications, for
free:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

Check out the rest of the Patterns and Practices site here:
http://www.microsoft.com/resources/practices/

I honestly believe that Microsoft now thinks that it's important that its
products be more secure. Not necessarily because security is good. But
because customers are starting to demand it.

Cheers
Ken


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "bruce" <bedouglas at earthlink.net>
Subject: RE: [thelist] FYI - Plug this MS Application Hole


: Actually...
:
: I tend to believe it will end if/when a serious class action suit hits
: msoft for their lousy attempts at security. I've had to spend God only knows
: how many hours over the past 3-4 years dealing with my systems and
: patching/protecting/etc.... Not because I had very many issues, but
: because others didn't bother to secure their systems, and why would they!
:
: I'd be willing to bet that there has probably been more than $4-5 Billion
: spent dealing with msoft security issues, by people like me who spend 5-10
: hours here/there trying to deal with the security issues caused by msoft.
: The hours add up when you're talking rates of ~$50.00/hr... which is
: considerably less than I would normally get from my regular 8-5...
:
: If msoft had bothered to write a little/lot better code, as well as ship
: the IIS/FTP/etc. servers in a seriously tied down/closed state as the
: default... a good deal of pain could have been avoided. And while the
: msoft license might say I have no recourse to them regarding my own box, I'm
: willing to bet a serious class action directed towards them for actions
: from other boxes would have a serious impact!!
:
: I'm also willing to bet that it would get past the 1st initial court
: hearings...
:
: peace...
:
: -Bruce
:
:
: -----Original Message-----
: From: thelist-bounces at lists.evolt.org
: [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Ken Schaefer
: Sent: Wednesday, September 03, 2003 7:36 PM
: To: thelist at lists.evolt.org
: Subject: Re: [thelist] FYI - Plug this MS Application Hole
:
:
: It will never end: http://www.securityfocus.com/archive/1
: It doesn't matter what you run - it'll have bugs in it.
:
: Cheers
: Ken
