Message-ID: <41900BD7.8040304@linuxbox.org>
Date: Tue, 09 Nov 2004 02:14:15 +0200
From: Gadi Evron <ge@...uxbox.org>
Cc: Michal Zalewski <lcamtuf@...ttot.org>,
Berend-Jan Wever <skylined@...p.tudelft.nl>,
full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Re: MSIE src&name property disclosure
Dave Aitel wrote:

> This is another reason why studies comparing Microsoft's security to
> Open Source security are always bizarre. They compare the entire set of
> Linux vulnerabilities to a tiny subset of the bugs Microsoft knows
> about, but pretends other people don't. WINS is a classic example.

Actually, I personally have nothing against MS. They succeeded where
many failed. Good for them!

Their bad attitude and bloody competitive nature can hardly be blamed in
the world they compete in... and their corporate culture... it's their
own problem.

So where do I blame them? I blame them in how they treat me:

- They have released vague and mind-boggling advisories (where do I
  start?).
- They don't advertise most of their security issues (remember DEFCON a
  couple of years back with the cDc and their "we already use that
  computer name?" issue? MS refused to give credit because "they were
  already aware of the issue").
- They hide security patches inside other patches (so much so that the best
  way to find Windows vulnerabilities is to do reversing on their
  patches).
- They pre-patch products and for that reason hold on to patches until such
  products are out (XP SP2).
- They insist on dealing with trouble by either ignoring it or killing
  it by applying a band-aid (I'll give only one example: WinNuke and
  closing the port).

And don't even get me started on "viruses" (all the way back through
macro viruses and beyond).

I don't envy, hate or mock Microsoft. I actually appreciate what they
have accomplished. I have a serious issue with their way of doing
business with non-competition - the way they treat me as a security
professional.

All the above is, naturally, only my personal opinion. I may have some
of the details not 100% accurate, but I stand by the spirit of the words.

I tried to start a good-natured FACTUAL discussion on the subject in
the past - but all the kiddies always jump up and yell. In this case,
even some of my best friends meet the yelling criteria.

Oh... and any idea why MS keeps adding caches on caches on caches to
solve problems? It drives me crazy.

Which reminds me of a similar discussion on a list I own a while back.
Someone asked why IE keeps checking a certain Windows game - it was
driving him crazy. So the Managing Director of a big
disassembler/debugger company offered to make it a "surprise discount"
on the order forms if someone wrote the name of the game there.

It was hilarious. :o)

That's the best you will see out of me on religion. I decide to comment
on such issues about twice a year.

Gadi Evron.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html