lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: geoincidents at getinfo.org (Geoincidents)
Subject: Re: Gates: 'You don't need perfect code' for good security

> I think the issue at hand is how Bill has simply given ideas for band aid
> patches and not ways to ultimate secure systems.  Fire walling and virus
> protection has its place in any environment.  But poorly designed software
> with bugs known and unknown should not be a part of a "secure" system.

You're partially right. Microsoft's biggest mistakes are in 2 places. But
it's not software design, it's default settings and really stupid feature
sets.

First, default settings, they have tended in the past to enable everything
instead of asking where you want to go then only enabling what you need to
get there. Recently I've seen good solid progress being made in this area, a
number of things are now installing OFF or at least have off switches that
are easy to find. I do believe they are on the right track although I'm not
sure they are going to get it right yet.

The second area is adding functions that have no business being there in the
first place. One current example of this is the new functionality they are
adding to office that will allow people who are working in office to
suddenly shoot off to amazon to do some shopping simply because they
mentioned some product in a document. I'll refer to these types of functions
as the "desktop salesman".  When this new office feature was first mentioned
here or on one of the other security lists the first comment I saw was
someone asking "doesn't this strike anyone as the type of feature that even
SOUNDS exploitable?".

Nobody needs this type of feature but Microsoft being the capitalist they
are know they can make money by charging for advertising space on everyone's
desktops.  Be it web beacons, IE popup windows, Media player exposing DVD
names to outside sites,  picture folders that offer professional printing
services, windowsupdate cataloging your hardware, this new Office feature,
etc. these types of things have no place in a secure desktop environment and
until MS stops selling out the users in favor of the desktop salesman
advertisers we can expect this insanity to continue.

I still see no sign of them relenting on this part of the insanity (with the
exception of email based web beacons, but that was driven by mass revolt).
Microsoft really needs to get back to serving the users and forgetting about
compromising our privacy and anonymity in favor of the marketing types. Only
then will they be able to create a secure desktop environment.

Geo.


Powered by blists - more mailing lists