lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: guninski at guninski.com (Georgi Guninski)
Subject: FW: Security in a Connected World

For me this is pure marketing propaganda without any confirmation from reality.
Just look at the number and severity of bugs - any change after this hype?
 From this I have the impression that if I buy newer windozes, they will be more 
secure, lol.
IMHO billyg is a luser and his marketing rants should not be taken seriously.

Georgi Guninski
http://www.guninski.com

Richard M. Smith wrote:
> FYI:
> 
> -----Original Message-----
> From: Bill Gates [mailto:BillGates@...irman.microsoft.com] 
> Sent: Thursday, January 23, 2003 11:16 PM
> To: rms@...puterbytesman.com
> Subject: Security in a Connected World
> 
> 
> Jan. 23, 2003
> 
> As we increasingly rely on the Internet to communicate and conduct
> business, a secure computing platform has never been more important.
> Along with the vast benefits of increased connectivity, new security
> risks have emerged on a scale that few in our industry fully
> anticipated.
> 
> As everyone who uses a computer knows, the confidentiality, integrity
> and availability of data and systems can be compromised in many ways,
> from hacker attacks to Internet-based worms. These security breaches
> carry significant costs. Although many companies do not detect or report
> attacks, the most recent computer crime and security survey performed by
> the Computer Security Institute and the Federal Bureau of Investigation
> totaled more than $455 million in quantified financial losses in the
> United States alone in 2001. Of those surveyed, 74 percent cited their
> Internet connection as a key point of attack.
> 
> As a leader in the computing industry, Microsoft has a responsibility to
> help its customers address these concerns, so they no longer have to
> choose between security and usability. This is a long-term effort. As
> attacks on computer networks become more sophisticated, we must innovate
> in many areas - such as digital rights management, public key
> cryptology, multi-site authentication, and enhanced network and PC
> protection - to enable people to manage their information securely.
> 
> A year ago, I challenged Microsoft's 50,000 employees to build a
> Trustworthy Computing environment for customers so that computing is as
> reliable as the electricity that powers our homes and businesses today.
> To meet Microsoft's goal of creating products that combine the best of
> innovation and predictability, we are focusing on four specific areas:
> security, privacy, reliability and business integrity. Over the past
> year, we have made significant progress on all these fronts. In
> particular, I'd like to report on the advances we've made and the
> challenges we still face in the security area. As a subscriber to
> Executive Emails from Microsoft, I hope you will find this information
> helpful.
> 
> In order to realize the full potential of computers to advance
> e-commerce, enable new kinds of communication and enhance productivity,
> security will need to improve dramatically. Based on discussions with
> customers and our own internal reviews, it was clear that we needed to
> create a framework that would support the kind of innovation,
> state-of-the-art processes and cultural shifts necessary to make a
> fundamental advance in the security of our software products. In the
> past year we have created new product-design methodologies, coding
> practices, test procedures, security-incident handling and
> product-support processes that meet the objectives of this security
> framework:
> 
> SECURE BY DESIGN: In early 2002 we took the unprecedented step of
> stopping the development work of 8,500 Windows engineers while the
> company conducted 10 weeks of intensive security training and analyzed
> the Windows code base. Although engineers receive formal academic
> training on developing security features, there is very little training
> available on how to write secure code. Every Windows engineer, plus
> several thousand engineers in other parts of the company, was given
> special training covering secure programming, testing techniques and
> threat modeling. The threat modeling process, rare in the software
> world, taught program managers, architects and testers to think like
> attackers. And indeed, fully one-half of all bugs identified during the
> Windows security push were found during threat analysis.
> 
> We have also made important breakthroughs in minimizing the amount of
> security-related code in products that is vulnerable to attack, and in
> our ability to test large pieces of code more efficiently. Because
> testing is both time-consuming and costly, it's important that defects
> are detected as early as possible in the development cycle. To optimize
> which tests are run at what points in the design cycle, Microsoft has
> developed a system that prioritizes the application's given set of
> tests, based on what changes have been made to the program. The system
> is able to operate on large programs built from millions of lines of
> source code, and produce results within a few minutes, when previously
> it took hours or days.
> 
> The scope of our security reviews represents an unprecedented level of
> effort for software manufacturers, and it's begun to pay off as
> vulnerabilities are eliminated through offerings like Windows XP Service
> Pack 1. We also put Visual Studio .NET through an incredibly vigorous
> design review, threat modeling and security push, and in the coming
> months we will be releasing other major products that have gone through
> our Trustworthy Computing security review cycle: Windows Server 2003,
> the next versions of SQL and Exchange Servers, and Office 11.
> 
> Looking ahead, we are working on a new hardware/software architecture
> for the Windows PC platform (initially codenamed "Palladium"), which
> will significantly enhance the integrity, privacy and data security of
> computer systems by eliminating many "weak links." For example, today
> anyone can look into a graphics card's memory, which is obviously not
> good if the memory contains a user's banking transactions or other
> sensitive information. Part of the focus of this initiative is to
> provide "curtained" memory - pages of memory that are walled off from
> other applications and even the operating system to prevent
> surreptitious observation - as well as the ability to provide security
> along the path from keyboard to monitor. This technology will also
> attest to the reliability of data, and provide sealed storage, so
> valuable information can only be accessed by trusted software
> components.
> 
> SECURE BY DEFAULT: In the past, a product feature was typically enabled
> by default if there was any possibility that a customer might want to
> use it. Today, we are closely examining when to pre-configure products
> as "locked down," meaning that the most secure options are the default
> settings. For example, in the forthcoming Windows Server 2003, services
> such as Content Indexing Service, Messenger and NetDDE will be turned
> off by default. In Office XP, macros are turned off by default. VBScript
> is turned off by default in Office XP SP1. And Internet Explorer frame
> display is disabled in the "restricted sites" zone, which reduces the
> opportunity for the frames mechanism in HTML email to be used as an
> attack vector.
> 
> SECURE IN DEPLOYMENT: To help customers deploy and maintain our products
> securely, we have updated and significantly expanded our security tools
> in the past year. Consumers and small businesses can stay up to date on
> security patches by using the automatic update feature of Windows
> Update. Last year, we introduced Software Update Services (SUS) and the
> Systems Management Server 2.0 SUS Feature Pack to improve patch
> management for larger enterprises. We released Microsoft Baseline
> Security Analyzer, which scans for missing security updates, analyzes
> configurations for poor or weak security settings, and advises users how
> to fix the issues found. We have also introduced prescriptive documents
> for Windows 2000 and Exchange to help ensure that customers can
> configure and deploy these products more securely. In addition, we are
> working with a number of major customers to implement smart cards as a
> way of minimizing the weak link associated with passwords. Microsoft
> itself now requires smart cards for remote access by employees, and over
> time we expect that most businesses will go to smart card ID systems.
> 
> COMMUNICATIONS: To keep customers better informed about security issues,
> we made several important changes over the past year. Feedback from
> customers indicated that our security bulletins, though useful to IT
> professionals, were too detailed for the typical consumer. Customers
> also told us they wanted more differentiation on security fixes, so they
> could quickly decide which ones to prioritize. In response, Microsoft
> worked with industry professionals to develop a new security bulletin
> severity rating system, and introduced consumer bulletins. We are also
> developing an email notification system that will enable customers to
> subscribe to the particular security bulletins they want.
> 
> WHAT'S NEXT
> 
> In the past decade, computers and networks have become an integral part
> of business processes and everyday life. In the Digital Decade we're now
> embarking on, billions of intelligent devices will be connected to the
> Internet. This fundamental change will bring great opportunities as well
> as new, constantly evolving security challenges.
> 
> While we've accomplished a lot in the past year, there is still more to
> do - at Microsoft and across our industry. We invested more than $200
> million in 2002 improving Windows security, and significantly more on
> our security work with other products. In the coming year, we will
> continue to work with customers, government officials and industry
> partners to deliver more secure products, and to share our findings and
> knowledge about security. In the meantime, there are three things
> customers can do to help: 1) stay up to date on patches, 2) use
> anti-virus software and keep it up to date with the latest signatures,
> and 3) use firewalls.
> 
> There's much more I'd like to share with you about our security
> initiatives. If you would like to dig deeper, information and links are
> available at
> http://www.microsoft.com/mscorp/execmail/2003/01-23security2.asp to help
> you make your computer systems more secure.
> 
> Bill Gates
> 
> 
> To cancel your subscription to future executive emails, please reply to
> this email with the word UNSUBSCRIBE in the subject line. For
> information about Microsoft's privacy policies, please go to:
> http://www.microsoft.com/info/privacy.htm
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ