Date: Fri, 12 Mar 2004 14:12:56 -0500
From: "Charles J. Wertz" <wertzcj@...fnet.net>
To: nick@...us-l.demon.co.uk, bugtraq@...urityfocus.com,
   NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM, full-disclosure@...ts.netsys.com
Subject: Re: MS Security Response is a bunch of half-witted morons


MS is not alone. More and more web sites don't work without scripting 
and/or cookies. I guess cookies are a lesser evil. I'm constantly faced 
with the decision whether or not a particular content means enough to me 
that I'll turn on the script. In fact, I now run two browsers, Mozilla with 
scripting and Firebird without, because I found I'd sometimes forget to 
turn the scripting back off. I wonder if anything can be done. It would 
probably take an organized movement that could convince businesses they 
were going to lose a lot of sales. I don't know what would convince MS. A 
LOT of bad press might do it, but then again, it might not. Too many people 
probably don't even understand the risk.

At 07:57 PM 3/11/2004, Nick FitzGerald wrote:
>Try to read Microsoft's latest security epistles:
>
>    http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx
>    http://www.microsoft.com/technet/security/bulletin/ms04-010.mspx
>
>with a browser that does not have JavaScript enabled...
>
>(And yes, they have retrofitted this "improvement" to _all_ previous
>security bulletins...)
>
>Earth to MSRP:
>
>1.  Your job is to improve security.
>
>2.  Two years ago Billy Boy charged the whole of the company to
>straighten up its act as regards security.
>
>3.  MS Security Bulletins were "improved" about 24-30 months ago by a
>web design team that clearly does not have an ounce of security smarts
>among its entire membership.  That "improvement" (_purely_ aesthetic,
>and highly debatable anyway) made the bulletins unreadable in IE unless
>you are prepared to trust MS and its web presence providers (I'm not
>for various reasons -- the company as a whole is just far too large and
>"attractive" a target; there have been some very bad whoops-es with
>Akamai and the Nimda virus; etc).  Anyway, that "improvement" was the
>final straw that moved me to using Mozilla as my browser of choice, as
>it rendered that "improved" form of your pages fine, _and_ with
>scripting and the like disabled.
>
>4.  Now the Security Bulletins have been "improved" even further,
>turning the detail expansion links into frelling javascript links.
>What in the blue blazes is between the ears of your web development
>folk?  Have they forgotten that the venerable HREF tag can work without
>scripting, ActiveX and all manner of other popular but unnecessary cr*p
>that web designers can't seem to ignore?  When it comes to security
>bulletins, f*ck art -- give me _readable content_.
>
>Sheeeesh!!!
>
>
>
>A few weeks back some online magazine editor was asking for clear,
>reasoned arguments that "Microsoft just doesn't get security".
>Arguments be damned -- if you have two security clues you only have to
>look at MS' own security web pages to _see_ that "Microsoft just
>doesn't get security".
>
>TCI is clearly a media and PR circus.
>
>(In case the magazine editor and his conspirator still do not get the
>point of the above, Microsoft has no business dictating _my_ or _anyone
>else's_ security policies.  This is as fundamental an aspect of
>security as there is.  Posting its security bulletins in a format that
>requires their readers to set their browsers to a configuration that is
>acknowledged to be _severely security lowering_, while maintaining that
>it is doing everything possible to improve the security of its
>products, is the height of hypocrisy and clearly makes a lie of its
>public proclamations that it is working to further improve security.)
>
>
>--
>Nick FitzGerald
>Computer Virus Consulting Ltd.
>Ph/FAX: +64 3 3529854


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

