lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: jmharr at microsoft.com (Jim Harrison (ISA))
Subject: Microsoft prepares security assault on Linux

Having followed your link to the "book written under contract", it's
immediately clear why it was never published.

I won't get into a debate about your assertions; just a reminder that
how you choose to express yourself is at least as important as what you
have to say.

* Jim Harrison 
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)

"I used to hate writing assignments, but now I enjoy them. 
I realized that the purpose of writing is to inflate weak ideas, 
obscure poor reasoning, and inhibit clarity. 
With a little practice, writing can be an intimidating and 
impenetrable fog!"
-Calvin

-----Original Message-----
From: Jason Coombs [mailto:jasonc@...ence.org] 
Sent: Wednesday, November 12, 2003 12:08
To: support@...cman.com
Cc: 'Helmut Hauser'; full-disclosure@...ts.netsys.com;
bugtraq@...urityfocus.com; isn@...rition.org
Subject: Re: [Full-Disclosure] Microsoft prepares security assault on
Linux

I wrote an information security book last year under contract with 
Microsoft Press. The book was never published -- among other things it 
explains truthfully the poor security condition of Windows and offers 
detailed instructions and advice for defending against Microsoft's bad 
business practices and incorrect security decisions. URLs for the free 
electronic book are:

(PDF)
http://www.forensics.org/IIS_Security_and_Programming_Countermeasures.pd
f

(Raw Text/PNG Graphics --> safer!)
http://www.forensics.org/jasonc/iisforensics.zip

The security awareness for Windows communicated by my book would have 
enabled people to avoid intrusions, infections, damage, and down time 
from MS Blaster, SQL Slammer/Sapphire, and many of this year's other 
threats. It would also have helped to educate developers of Web 
applications so that fewer new vulnerabilities would have been created.

A few of the specific warnings provided by my book include:

* FrontPage Server Extensions are badly flawed from a security 
perspective and should never be used.

* Ports open by default (RPC/DCOM/SMB/Messenger/Workstation Service/etc)

will be found to expose remote exploitable buffer overflow 
vulnerabilities and therefore must be protected and closed at all costs.

* Don't use/rely on Microsoft Baseline Security Analyzer because it 
intentionally ignores known vulnerabilities in order to more often 
report a happy "you're all patched" message to the admin.

* Internet Information Services cannot be trusted out of the box but 
instead must be carefully security hardened beyond anything that 
Microsoft normally recommends, and many IIS features must be disabled in

order to achieve a trustworthy subset of Microsoft software.

* ... more ...

If Microsoft intends to launch a PR/advertising campaign against Linux, 
perhaps it would take a moment out of its busy schedule to explain why 
it won't publish a book that tells the truth and provides warnings in 
advance that the only way to safely operate a Windows computer is to 
subscribe to infosec mailing lists such as bugtraq and full-disclosure 
in order to remain constantly aware of the real-world condition and 
capabilities of attackers?

Microsoft suppresses awareness of vulnerabilities in order to profit.

The only way to achieve security in computing is through awareness.

Therefore, Microsoft's profits cause additional insecurity. Go figure.

Sincerely,

Jason Coombs
jasonc@...ence.org




Powered by blists - more mailing lists