lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <NMEAJDJMDLJLOIOCIKJJMEHKECAA.exibar@thelair.com>
From: exibar at thelair.com (Exibar)
Subject: [spam] RE: Gates: 'You don't need perfect code' for good security

I only listed those as examples...  there are many more.

 Poor patch management is an issue yes, absolutely.  But why on earth would,
lets say SQL, first get installed with a blank SA password by default?  Ok,
it's changed now, but why was it ever?  Why on earth is a blank password
even allowed for Administrator?  Why are there still, what 30??, unpatched
IE vulnerabilities?

  Yes, at least Microsoft is finally starting to do something now.  But I
feel ONLY because Linux is starting to make a dent in their bottom line.
Before you say it, NO I am not a Linux junkie, I dont' even run it, and
Linux is just as insecure as Windows, but Linux is perceved to be
secure....at least more secure than Windows.

  Loveletter could not have been prevented by a patch.  Why is a 3rd party
application allowed access to the global address list in the first place?
   Funlove could not have been prevented by a patch, perhaps a firewall
could have segmented infectous areas, but not prevented it.
  Why are Active X components allowed to run as the user and not in a
sandbox such as Java?

  I don't pretend to have all the answers, but Microsoft is coming along
only recently to do just too little, too late IMHO.

  Exibar

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Beaty, Bryan
Sent: Friday, October 31, 2003 6:50 PM
To: full-disclosure@...ts.netsys.com
Subject: [spam] RE: [Full-Disclosure] Gates: 'You don't need perfect
code' for good security


Correct me if I am wrong but...

I believe every worm listed below could have been prevented had everyone
patched their systems.

I would like the security community to take more responsibility for
their own (in)actions. If you were hit by Blaster then you failed to
enforce a good patch management policy. Who's fault is that? Patch
management is boring and so we often ignore it. Hackers and worms simply
take advantage of our laziness. I guess blaster could be a form of
social engineering. "I know admins don't patch so I can write a worm and
kill the world."

There is no such thing as perfect code. If you want a completely secure
system you can buy them but they are unbelievably expensive. If you have
a business justification for something that secure then buy it.
Otherwise you have to live with what you can get from Linux, UNIX, or
even Microsoft.

Microsoft has at least come out with some very good patch management
systems lately (SUS) and they are free. Red Hat charges me a yearly fee
for their RHN.

I believe the #1 security threat today is poor patch management. Is that
Microsoft's fault?

--> I am off of my soap box now.

Bryan Beaty

-----Original Message-----
From: Exibar [mailto:exibar@...lair.com]
Sent: Friday, October 31, 2003 1:40 PM
To: Jeremiah Cornelius; full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Gates: 'You don't need perfect code' for
good security


What an idiot....

   Take the loveletter worm, when it was first released even if you had
a 100% up to date AntiVirus software program, you would still get hit
within
the first 8 hours.... slammer, blaster, etc all the same thing.    The
took
advantage of holes in the OPERATING SYSTEM!!!!

   Yes we have ways of updating our VirusSoftware that works very very
well, McAfee has E-Policy Orchstrator, which I swear by.

  I'm not going to go on, but if Windows was as secure as Bill Gates and
company says it is, why was blaster, slammer, codered etc even an issue?

   Exibar


----- Original Message -----
From: "Jeremiah Cornelius" <jeremiah@....net>
To: <full-disclosure@...ts.netsys.com>
Sent: Friday, October 31, 2003 1:32 PM
Subject: [Full-Disclosure] Gates: 'You don't need perfect code' for good
security


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> FLAME ON!
>
> http://www.itbusiness.ca/index.asp?theaction=61&sid=53897
>
> "But there are two other techniques: one is called firewalling and the
other
> is called keeping the software up to date. None of these problems
> (viruses and worms) happened to people who did either one of those
> things. If you
had
> your firewall set up the right way - and when I say firewall I include

> scanning e-mail and scanning file transfer -- you wouldn't have had a
> problem. But did we have the tools that made that easy and automatic
> and
that
> you could really audit that you had done it? No. Microsoft in
> particular
and
> the industry in general didn't have it."
>
> "The second is just the updating thing. Anybody who kept their
> software up
to
> date didn't run into any of those problems, because the fixes preceded

> the exploit. Now the times between when the vulnerability was
> published and
when
> somebody has exploited it, those have been going down, but in every
> case
at
> this stage we've had the fix out before the exploit. So next is making

> it easy to do the updating, not for general features but just for the
> very
few
> critical security things, and then reducing the size of those patches,

> and reducing the frequency of the patches, which gets you back to the
> code quality issues. We have to bring these things to bear, and the
> very
dramatic
> things that we can do in the short term have to do with the firewalls
> and
the
> updating infrastructure. "
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
>
> iD8DBQE/oqq3Ji2cv3XsiSARAlkdAJ0aGkBViYkoE193iZycTmQZohzwbQCg1KDA
> SjPLY1EEzamQCtIGKwJT1Vk=
> =mIsY
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ