Message-ID: <002001c35776$66ba2ae0$3f2ea8c0@LUFKIN.DPSOL.COM>
From: purdy at tecman.com (Curt Purdy)
Subject: DCOM RPC exploit (dcom.c)
I agree that Micro$oft must die, especially since they replaced the best OS
they ever made, W2K, with the insecure POS they call XP. If they spent
another few years on 2K, they could have made it almost as good as *NIX.
Regardless of how you feel about the .NET concept (personally I feel
distributed code is a security nightmare waiting to happen) 2003 server is
an improvement. You can actually run it more than 30 days without
rebooting! Unfortunately the first product of the "Trusted Computing
Initiative" is still a victim of the worst vuln in history...
As for Perl, I think you have unfairly diss'd the language. It is as
flexible and unstructured as my life and if you don't think it is powerful,
check out popfile http://popfile.sourceforge.net/, in my opinion the best
anti-spam program out there. Very intelligent, learns quickly, and is based
on Bayesian theory.
Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
cpurdy@...ol.com
936.637.7977 ext. 121
----------------------------------------
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Dan
Stromberg
Sent: Monday, July 28, 2003 10:47 AM
To: David R. Piegdon
Cc: Dan Stromberg; full-disclosure@...ts.netsys.com
Subject: [inbox] Re: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
On Sun, 2003-07-27 at 12:25, David R. Piegdon wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> IMHO it is TIME to sue corporations like microsoft for their stupidity
> - and their belief that people/customers are even more stupid.
> they sell their software and tell about their "great security-concepts",
> but they actually do nothing about it.
Actually, much as I absolutely despise microsoft (I'd be overjoyed for
weeks if they closed doors permanently), they -are- doing a lot about
security.
For the short term, they're sending (have sent?) all their programmers
to security training. This is but a band-aid, but it is considerably
better than nothing, and better than the opensource movement is likely
to emulate (fully), simply because the places where programmers learn
programming generally don't take this seriously.
For the long term, and more importantly, they're pushing a move to
interpreted languages, meaning .net. .net is evil. .net must die. But
.net makes a lot of sense which we should not fail to learn from.
I cannot emphasize enough that the opensource crowd (of which I am a
part) needs to learn from this. Stop writing software in crappy
languages like C if you want it to sit next to the network on a machine,
and possibly even if you're only running in the soft, chewy center.
Give up languages that make buffer overflows too damn easy. It's not
enough to say "the programmer should know better", because OBVIOUSLY
many do not. Use python. Use ML or a variant. Use lisp. If you have
to use that excuse for line noise called perl, go ahead. Anything that
doesn't put the programmer perilously close to buffer overflows! Turing
(which is designed from the beginning for safe systems programming) or
Modula-3, or Eiffel or Sather are good too, if you absolutely cannot
give up the speed of a compiled language. The latter three all have
respectable free implementations available for linux and others, as do
all of the interpreted languages mentioned. They make vastly more sense
than C.
Even if -you- know what you're doing as a developer, that -doesn't- mean
that every last maintainer that comes after you will.
So yes, microsoft reeks to the sky, but it's not true to say that
they're doing nothing about their security problems. Weak arguments
against microsoft posed as strong ones hurt opensource's credibility.
--
Dan Stromberg DCS/NACS/UCI <strombrg@....nac.uci.edu>
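As an added illustration of the point Dan makes about C and buffer overflows (this is example code written for this page, not code from either poster or from the thread), the following contrasts an unchecked fixed-buffer copy with a bounded one. The buffer size, function names and sample inputs are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed-size destination buffer, including the NUL */

/* Unchecked copy, the pattern the post warns about: nothing limits how
 * many bytes strcpy writes, so a caller-supplied string of NAME_LEN or
 * more bytes runs past the end of dst (undefined behaviour). Kept here
 * only as the "before" side of the comparison. */
static void copy_name_unchecked(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Bounded copy: scan at most NAME_LEN bytes of src, reject anything that
 * does not fit together with its terminator, and always leave dst as a
 * valid string. Returns true if the copy happened, false if rejected. */
static bool copy_name_checked(char dst[NAME_LEN], const char *src)
{
    size_t n = 0;
    while (n < NAME_LEN && src[n] != '\0')
        n++;
    if (n >= NAME_LEN) {      /* no room for n bytes plus the NUL */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);  /* n bytes plus the terminating NUL */
    return true;
}

int main(void)
{
    char buf[NAME_LEN];
    /* constructed sample inputs */
    const char *short_name = "alice";
    const char *long_name  = "a-name-that-is-much-too-long-for-the-buffer";

    copy_name_unchecked(buf, short_name);   /* only safe because it fits */
    printf("unchecked copy: \"%s\"\n", buf);

    printf("checked short: %s -> \"%s\"\n",
           copy_name_checked(buf, short_name) ? "accepted" : "rejected", buf);
    printf("checked long:  %s -> \"%s\"\n",
           copy_name_checked(buf, long_name) ? "accepted" : "rejected", buf);
    return 0;
}
```

The checked version makes the length decision explicit and returns it to the caller, which is exactly the step C leaves optional and the languages Dan lists enforce for you.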