Message-ID: <OF0FD2F7C6.62780F79-ON85256E55.007395D2-85256E55.007435FA@goodyear.com>
Date: Fri, 12 Mar 2004 16:09:21 -0500
From: jim_walsh@...dyear.com
To: nick@...us-l.demon.co.uk
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com,
   NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM, jim_walsh@...dyear.com
Subject: Re: MS Security Response is a bunch of half-witted morons


Your points are well taken and understandable.  But if you are supporting 
a M$ operating system enough to need to read the SB's, then wouldn't your 
IE be up to date to read them?  Even if you would just use IE to read M$'s 
site?  To sit and scream about web design decisions in this mailing group 
seems a little childish.  And if one was to argue that "Anyone needs to 
read these articles, not just people that support M$ OS's", well to 
that...most people that have a M$ OS as an end user have auto update 
turned on and don't even think twice about it...if they update at all.

Jim Walsh
Operating Systems Administrator
Server Operations and Support Center
330.796.0771

Contains confidential and/or proprietary information.
May not be copied or disseminated without express consent of
The Goodyear Tire & Rubber Company
Nick FitzGerald <nick@...us-l.demon.co.uk> 
03/11/2004 07:57 PM
Please respond to
nick@...us-l.demon.co.uk


To
bugtraq@...urityfocus.com, NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM, 
full-disclosure@...ts.netsys.com
cc

Subject
MS Security Response is a bunch of half-witted morons
Try to read Microsoft's latest security epistles:

   http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx
   http://www.microsoft.com/technet/security/bulletin/ms04-010.mspx

with a browser that does not have JavaScript enabled...

(And yes, they have retrofitted this "improvement" to _all_ previous 
security bulletins...)

Earth to MSRP:

1.  Your job is to improve security.

2.  Two years ago Billy Boy charged the whole of the company to 
straighten up its act as regards security.

3.  MS Security Bulletins were "improved" about 24-30 months ago by a 
web design team that clearly does not have an ounce of security smarts 
among its entire membership.  That "improvement" (_purely_ aesthetic, 
and highly debatable anyway) made the bulletins unreadable in IE unless 
you are prepared to trust MS and its web presence providers (I'm not 
for various reasons -- the company as a whole is just far too large and 
"attractive" a target; there have been some very bad whoops-es with 
Akamai and the Nimda virus; etc).  Anyway, that "improvement" was the 
final straw that moved me to using Mozilla as my browser of choice, as 
it rendered that "improved" form of your pages fine, _and_ with 
scripting and the like disabled.

4.  Now the Security Bulletins have been "improved" even further, 
turning the detail expansion links into frelling javascript links. 
What in the blue blazes is between the ears of your web development 
folk?  Have they forgotten that the venerable HREF tag can work without 
scripting, ActiveX and all manner of other popular but unnecessary cr*p 
that web designers can't seem to ignore?  When it comes to security 
bulletins, f*ck art -- give me _readable content_.

Sheeeesh!!!
A few weeks back some online magazine editor was asking for clear, 
reasoned arguments that "Microsoft just doesn't get security". 
Arguments be damned -- if you have two security clues you only have to 
look at MS' own security web pages to _see_ that "Microsoft just 
doesn't get security".

TCI is clearly a media and PR circus.

(In case the magazine editor and his conspirator still do not get the 
point of the above, Microsoft has no business dictating _my_ or _anyone 
else's_ security policies.  This is as fundamental an aspect of 
security as there is.  Posting its security bulletins in a format that 
requires their readers to set their browsers to a configuration that is 
acknowledged to be _severely security lowering_, while maintaining that 
it is doing everything possible to improve the security of its 
products, is the height of hypocrisy and clearly makes a lie of its 
public proclamations that it is working to further improve security.)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html