Date: Fri Jan 13 21:40:24 2006
From: stan.bubrouski at gmail.com (Stan Bubrouski)
Subject: Steve Gibson smokes crack?

I wasn't agreeing it's a conspiracy; I was just saying they knew about
this being serious for a while and did nothing about it until it went
public, for whatever reason.

-sb

On 1/13/06, bkfsec <bkfsec@....lonestar.org> wrote:
> Stan Bubrouski wrote:
>
> >Ordinarily I'd argue, but it's hard to when we find out Microsoft knew
> >about the bug for a long time and made a conscious decision not to
> >patch it even though they knew it could lead to a system compromise.
> >
> >People commented on how Microsoft put out a patch quicker than they
> >usually would but this is NOT THE CASE.  According to Microsoft
> >itself, they knew about the bug months before it was reported in
> >December.  Don't give credit where it's not earned...
> >
> >
> >
> I'm going to try to walk the line here.  I loathe defending Microsoft,
> and I'm not defending them for their historical conduct, but I still
> can't see conspiracy theories being accurate yet.
>
> A few incidents ("NSA" backdoor) aside, Microsoft's history with
> security has been one of ineptness, not "maliciousness" per se.  This is
> their history going back to before they purchased IE, and something that
> became really evident when they first began rebuilding Mosaic.  The WMF
> bug is in line with their development methodology up until (and in some
> ways including) recently.  Microsoft's development mantra was, for a
> long time, ease of use at the expense of everything else.  When NT came
> out and Microsoft moved from producing OSes that were not network ready
> out of the box and toy-like GUI infrastructures, the impacts of that
> strategy were transposed onto administrators and users (now more
> vulnerable than ever) alike.
>
> Ease of use became Ease of administration, and that became Ease of
> development.  Netscape and Sun were threatening Microsoft's monopolistic
> paradigm with a new platform for application development that was easily
> cross-platform and as a result, IE had to become an even more robust
> method of distributing application and administration capabilities.
>
> We now see the fallout of that decision.  The web browser was never
> meant to be an application subsystem - it was meant to interpret text
> documents into more visual documents organized in a linked fashion.  It
> was never meant to run code on systems, but that's what it's become.
> The act of making that easier attracted every simpleton web developer
> who couldn't hack it anywhere else.  Administrators saw ActiveX as a way
> to remotely administrate PCs they couldn't get to in any other way.
> These were mistakes... big mistakes from a security standpoint.  But
> security was second to attracting new fresh bodies who could fill the
> seats and drone on endlessly about how awesome Microsoft was.
>
> And this pattern is what I see here -- ineptness in the interests of
> feature-creep.
>
> It's one thing to say that they sat on the knowledge that this was
> exploitable.  It's another thing entirely to claim that they knowingly
> made it for the point of exploiting PCs if ActiveX was disabled.
>
> Given their history and the hallmarks of this flaw, I have a hard time
> making that leap.
>
>              -bkfsec
