lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.43.0406290939570.7252-100000@tundra.winternet.com>
Date: Tue, 29 Jun 2004 09:59:21 -0500 (CDT)
From: Ron DuFresne <dufresne@...ternet.com>
To: Nancy Kramer <nekramer@...dtheater.net>
Cc: "Burnes, James" <james.burnes@....com>, <1@...ware.com>,
   <bugtraq@...urityfocus.com>, <NTBugtraq@...tserv.ntbugtraq.com>,
   <full-disclosure@...ts.netsys.com>
Subject: RE: Microsoft and Security


On Mon, 28 Jun 2004, Nancy Kramer wrote:

> There are lots of sites written only for IE or clones of IE like
> Opera.  Some large sites are written only for late model IEs.  Many are
> from large companies.  Big business thinks MS is the state of the art and
> the only way to go for business.  You have a choice do it their way or
> don't get the benefits of their web site.  They play to the user who has
> AOL, uses only IE and Outlook with all the defaults on because if MS does
> it it must be right and they really have no interest in changing things or
> knowing about them.  People believe they are protected by big companies
> like MS.  They are fools but then like a friend of mine always says
> "business people are stupid".


nancy, some of this has to do with lazy webdesigners[1].  I recall a time
not too far back whence sites were setup for users that used GUI versions of
browsers, and those that used text based browsers, a cliet could browse
the site from the best perspecitive of the SW they were using.  This even
became more prevalent for a short period when things like 'frames' and
such came into the html lingo.  And there were even some sites back then
that had a 'ie view' as well as a 'netscape view', some still offereing a
thrid 'text only view'.  Course, this gets to be time comsuming and
tedious for the person laying out all that markup code and crafting all
those cgi's and java/perl/php/activeX gunk, let alone trying to tailor
dynamic pages such that they know how to play with the client browser in
use.  EI plays well with the M$ fav good ole security issue in it self,
front page, which produces markup code with a slant towards IE specifics.

Of course, security companiees, though advocating that active c0ntent not
be enabled in client vrowsers for the reasons we see over and over in the
security related lists have also long since given up the ghost.  A person
can fall asleep at the wheel trying to count on the fingers of one hand
the number of 'security specific' or 'security related sites' that do not
engage in actve content themselves.  Thus most  of the warnings and
recomendations to turn off the abilities of a browser to parse the more
potentially dangers dynamic aspects of html, fall on deaf ears all the wat
around, from end users on up.  The bigger flaw here I see is that which
hits when the industry itself pushes content in denial of the realities
they posture.


Thanks,

Ron DuFresne


[1] lazy is perhaps over strong here, and puts perhaps too much blame on
those tasked as content maintainers, who are actually often driven from a
corporate expense model, and often not making the core design decisions on
their own.  Only minor offences meant in the 'lazy' designation.  Of
course, then agian how many sites still maintain content for text based
broswers these days in addition to all the glitzy dynamic content they put
up for exploit?



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ