lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200407091521.i69FLZvB007951@turing-police.cc.vt.edu>
Date: Fri, 09 Jul 2004 11:21:35 -0400
From: Valdis.Kletnieks@...edu
To: Alun Jones <alun@...is.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Microsoft and Security

On Mon, 05 Jul 2004 16:10:36 PDT, Alun Jones <alun@...is.com>  said:

> Microsoft employs people who care about producing good software.  We're all
> indoctrinated from day one that our software is used by everyone - our
> parents, our neighbours, our children...  It's perhaps a unique situation
> compared to producers of the other OSs, where the users are usually limited
> to particular sections of the community.

Yes, parts of Microsoft *are* trying to do better, but there's a limit to
what any single programmer can achieve without some serious buy-in from
high-level project leaders.

Unfortunately, there's obviously a disconnect at *some* level, because they
keep shipping software that's broken in very fundemental and recognized ways
(the concept of "zoned", ActiveX, and other such stuff we've known for *YEARS*
is a bad security idea).  There's just too much lock-in to the concept that
since your software is used by everyone, it has to have all sorts of bells
and whistles to make life easier for everyone...

... including black hats.

Be honest now - how many times in their career has the average Microsoft
programmer been indoctrinated with "Be Featureful!", and how many times have
they heard "Be security-minded paranoids!"?  Remember to count double/triple
scores for what they heard the first 6-9 months they were there and
absorbed the culture.

Proof that Microsoft still needs to re-educate some high-level people: the
fact that there was *any* thought given to making SP2 only install on
"legal" copies and locking out pirated copies.  The number of people running
pirated copies that actually will buy legit ones just to install SP2 is quite
likely tiny - but the number of people running pirated ones that would end
up remaining insecure is much larger.  This one *should* have been a no-brainer:

"We screwed up, our software sucked security-wise, and to make up for it,
we're giving out a freebie update for *everybody* and swallowing the profits
from the 23 people who would otherwise go legit just to install SP2".

> I really don't think you'll find much truck with the idea that Microsoft
> employees are happy to leave their mother's home machine, or those of the
> general public, open to infection.

Much would be explained by the thesis that the person(s) causing the
disconnect mentioned above don't have mothers... ;)


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ