Message-ID: <405322F0.26421.31B39FC6@localhost>
Date: Sat, 13 Mar 2004 15:04:16 +1300
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com,
NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM
Subject: Re: MS Security Response is a bunch of half-witted morons
jim_walsh@...dyear.com to me:
Nothing personal against Jim in particular here -- I've received a
couple of direct Email responses that suggest a few others may also
have had trouble grasping the _irony_ I was pointing out...
That dealt with, I'll now address the peripheral security issues Jim
mentioned in his response...
> Your points are well taken and understandable. But if you are supporting
> a M$ operating system enough to need to read the SB's, then wouldn't your
> IE be up to date to read them? ...
First, you are assuming that "needing to read the security bulletins"
is something that may be limited to Windows users. I'm sure many
die-hard *nix security folk read the MS security bulletins with as much
interest as the security admin for a 150,000 seat Windows shop...
Second, you are assuming that if I were responsible for the security of
a large number of Windows machines I would actually use IE. Sorry, but
I am something of a "security expert" and I only use IE very sparingly
(e.g. when I absolutely _must_ access some of the MSDN material I
occasionally need _AND_ that is not available from the monthly DVD drop
of the same, and even then I am very careful).
> ... Even if you would just use IE to read M$'s
> site? ...
You missed my comments about the significance of the size and
desirability of MS as a target, didn't you?
And the comments about MS' highly lax attitude to shoddy content
distribution processes at third-party sites it has been known to use
from time to time.
I forgot to mention MS' extremely slack attitudes about the
responsibility of CAs and its continued use of one after a very public
complete f*ck-up where MS' preferred CA, despite having special
additional processes that few customers other than MS "enjoy", wrongly
issued code-signing certs in Microsoft's name to a non-Microsoft
affiliated party.
I factor those, and other historical indications into my risk
calculations and that is part of why I certainly strongly prefer to
_NOT_ use any MS client software when interacting with any "official"
MS network presence. MS may not like that, but that's the reality of
the world we live in. MS _should_ recognize that if it truly is
planning on being seen as a serious "security player", but in reality
it continues to show incredibly little real concern for this, short of
a few early media-blitz stories about how it delayed Server 2003 so it
could turn off all the cr*p that should never have shipped enabled in
the first place and to take the time to teach its programmers how to
spell "buffer overflow".
> ... To sit and scream about web design decisions in this mailing group
> seems a little childish. ...
You're welcome to your opinion but to date your opinion, and those
similar to it, are outweighed more than 10-to-1 in the responses I've
had.
Also, "getting security" is one of those core attribute things -- you
either get it or you don't. The fact that such fundamental security
edicts as "thou shalt not force users to enable 'dangerous' browser
functionality just to read about securing their computers" has NOT been
laid thick, hard and often on the web designers is yet further evidence
that "Microsoft just doesn't get security". Plenty of clever folk who
work at MS do "get security" (and undoubtedly many of them do so more
than I like to think I do) but they either don't care enough, or don't
wield enough influence, to actually have impact where it matters.
> ... And if one was to argue that "Anyone needs to
> read these articles not just people that support M$ OS's", well to
> that...most people that have a M$ OS as an end user have auto update
> turned on and don't even think twice about it...if they update at all.
So?
I _know_ there are hordes and hordes of security ignorant folk out
there (just look at the number of witless, technically uninteresting
viruses that show up in our Email every day), and while I care (at some
level) about them and wish they could be helped, my primary concern
here is the security of my own computer systems. MS has _NO_ right to
dictate my security policies for these machines and while I am content
(well, not really, but I know it won't change any time soon) to browse
the wider web with my oddly extreme (by naive user standards) security
settings, it is unconscionable for a major OS vendor that is trying to
"clean up its security act" to take a stand such as this. The fact
that this even happened is, yet again, prima facie evidence that
"Microsoft just doesn't get security".
You're welcome to not agree with me, but you won't convince me that you
are not necessarily wrong _in this case_.
> Contains confidential and/or proprietary information.
Wow!
Really?
What bits precisely?
No, seriously, I need to know so I can avoid ever using that
information in anything I may say, write or produce in future. After
all, you went to the trouble of warning me, therefore it would probably
be negligent of me to not ascertain precisely what it is that I should
be careful to not infringe against in the future...
> May not be copied or disseminated without express consent of
> The Goodyear Tire & Rubber Company
Sh*te -- I just did and without express consent from your employer.
And so did the admins of these mailing lists. Do you really think The
Goodyear Tire & Rubber Company will mind?
Hmmmm -- thinking about it a bit harder, did _YOU_ have the _express_
consent of The Goodyear Tire & Rubber Company to post some of its
"confidential and/or proprietary information" to all these folk? Seems
an odd thing to do with what you're claiming is ostensibly legally
privileged and limited information, even if you _did_ have express
consent to do it...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html