Message-ID: <405322F0.26421.31B39FC6@localhost>
Date: Sat, 13 Mar 2004 15:04:16 +1300
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com,
   NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM
Subject: Re: MS Security Response is a bunch of half-witted morons


jim_walsh@...dyear.com to me:

Nothing personal against Jim in particular here -- I've received a 
couple of direct Email responses that suggest a few others may also 
have had trouble grasping the _irony_ I was pointing out...

That dealt with, I'll now address the peripheral security issues Jim 
mentioned in his response...

> Your points are well taken and understandable.  But if you are supporting 
> a M$ operating system enough to need to read the SB's, then wouldn't your 
> IE be up to date to read them?  ...

First, you are assuming that "needing to read the security bulletins" 
is something that may be limited to Windows users.  I'm sure many die-
hard *nix security folk read the MS security bulletins with as much 
interest as the security admin for a 150,000 seat Windows shop...

Second, you are assuming that if I were responsible for the security of 
a large number of Windows machines I would actually use IE.  Sorry, but 
I am something of a "security expert" and I only use IE very sparingly 
(e.g. when I absolutely _must_ access some of the MSDN material I 
occasionally need _AND_ that is not available from the monthly DVD drop 
of the same, and even then I am very careful).

> ...  Even if you would just use IE to read M$'s 
> site?  ...

You missed my comments about the significance of the size and 
desirability of MS as a target, didn't you?

And the comments about MS' highly lax attitude to shoddy content 
distribution processes at third-party sites it has been known to use 
from time to time.

I forgot to mention MS' extremely slack attitudes about the 
responsibility of CAs and its continued use of one after a very public 
complete f*ck-up where MS' preferred CA, despite having special 
additional processes that few customers other than MS "enjoy", wrongly 
issued code-signing certs in Microsoft's name to a non-Microsoft 
affiliated party.

I factor those, and other historical indications into my risk 
calculations and that is part of why I certainly strongly prefer to 
_NOT_ use any MS client software when interacting with any "official" 
MS network presence.  MS may not like that, but that's the reality of 
the world we live in.  MS _should_ recognize that if it truly is 
planning on being seen as a serious "security player", but in reality 
it continues to show incredibly little real concern for this, short of 
a few early media-blitz stories about how it delayed Server 2003 so it 
could turn off all the cr*p that should never have shipped enabled in 
the first place and to take the time to teach its programmers how to 
spell "buffer overflow".

> ...  To sit and scream about web design decisions in this mailing group 
> seems a little childish.  ...

You're welcome to your opinion but to date your opinion, and those 
similar to it, are outweighed more than 10-to-1 in the responses I've 
had.

Also, "getting security" is one of those core attribute things -- you 
either get it or you don't.  The fact that such fundamental security 
edicts as "thou shalt not force users to enable 'dangerous' browser 
functionality just to read about securing their computers" has NOT been 
laid thick, hard and often on the web designers is yet further evidence 
that "Microsoft just doesn't get security".  Plenty of clever folk who 
work at MS do "get security" (and undoubtedly many of them do so more 
than I like to think I do) but they either don't care enough, or don't 
wield enough influence, to actually have impact where it matters.

> ...  And if one was to argue that "Anyone needs to 
> read these articles not just people that support M$ OS's", well to 
> that...most people that have a M$ OS as an end user have auto update 
> turned on and don't even think twice about it...if they update at all.

So?

I _know_ there are hordes and hordes of security ignorant folk out 
there (just look at the number of witless, technically uninteresting 
viruses that show up in our Email every day), and while I care (at some 
level) about them and wish they could be helped, my primary concern 
here is the security of my own computer systems.  MS has _NO_ right to 
dictate my security policies for these machines and while I am content 
(well, not really, but I know it won't change any time soon) to browse 
the wider web with my oddly extreme (by naive user standards) security 
settings, it is unconscionable for a major OS vendor that is trying to 
"clean up its security act" to take a stand such as this.  The fact 
that this even happened is, yet again, prima facie evidence that 
"Microsoft just doesn't get security".

You're welcome to not agree with me, but you won't convince me that you 
are not necessarily wrong _in this case_.

> Contains confidential and/or proprietary information.

Wow!

Really?

What bits precisely?

No, seriously, I need to know so I can avoid ever using that 
information in anything I may say, write or produce in future.  After 
all, you went to the trouble of warning me, therefore it would probably 
be negligent of me to not ascertain precisely what it is that I should 
be careful to not infringe against in the future...

> May not be copied or disseminated without express consent of
> The Goodyear Tire & Rubber Company

Sh*te -- I just did and without express consent from your employer.

And so did the admins of these mailing lists.  Do you really think The 
Goodyear Tire & Rubber Company will mind?

Hmmmm -- thinking about it a bit harder, did _YOU_ have the _express_ 
consent of The Goodyear Tire & Rubber Company to post some of its 
"confidential and/or proprietary information" to all these folk?  Seems 
an odd thing to do with what you're claiming is ostensibly legally 
privileged and limited information, even if you _did_ have express 
consent to do it...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
