lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: Microsoft Cries Wolf ( again )

> -----Original Message-----
> From: Kristian Hermansen [mailto:this_is_kris@...mail.com] 
> Sent: Tuesday, July 01, 2003 3:09 PM
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Microsoft Cries Wolf ( again )
> 
> 
> I agree.  It is not our problem.  The reason is this.  
> Microsoft would like to reduce costs.  Fixing bugs in 
> products costs money, and 0-day bugs need immediate fixes 
> which slow down MS total output ability.  They would like to 
> see everyone reporting to the vendor first because this saves 
> them money!!! In this respect, this also allows them to go on 
> writing sloppy code in order to save a few bucks on every 
> product, thus reducing their overhead.  I don't want sloppy 
> code.  Let the 0-days fly....maybe MS will start doing 
> extensive testing to their products before they release it 
> for sale to millions of customers.  I thought .NET was 
> supposed to fix all this  ;-P

That's too funny.  Microsoft ran a "buffer overflow finder" against the
codebase for XP, and the VP in charge announced publicly that they had
"eliminated buffer overflows in XP".  Within thirty days, eEye announced
the UPnP vulnerability in SSDP, which is the single most devastating
hole ever found in MS products.  (You can compromise an entire network
of XP machines with one attack, simultaneously.)

You don't fix code by extensive testing.  You fix it by teaching how to
write secure code to begin with *and* by ongoing, consistent audits done
before code is released.  (OpenBSD has been doing this for years, and
look at the results.)

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ