Message-ID: <6.0.0.22.0.20040312140709.0249eae8@mail.buffnet.net>
From: wertzcj at buffnet.net (Charles J. Wertz)
Subject: Re: MS Security Response is a bunch of half-witted morons

MS is not alone. More and more web sites don't work without scripting and/or cookies. I guess cookies are a lesser evil. I'm constantly faced with the decision whether or not a particular content means enough to me that I'll turn on the script. In fact, I now run two browsers, Mozilla with scripting and Firebird without, because I found I'd sometimes forget to turn the scripting back off.

I wonder if anything can be done. It would probably take an organized movement that could convince businesses they were going to lose a lot of sales. I don't know what would convince MS. A LOT of bad press might do it, but then again, it might not. Too many people probably don't even understand the risk.

At 07:57 PM 3/11/2004, Nick FitzGerald wrote:
>Try to read Microsoft's latest security epistles:
>
> http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx
> http://www.microsoft.com/technet/security/bulletin/ms04-010.mspx
>
>with a browser that does not have JavaScript enabled...
>
>(And yes, they have retrofitted this "improvement" to _all_ previous
>security bulletins...)
>
>Earth to MSRP:
>
>1. Your job is to improve security.
>
>2. Two years ago Billy Boy charged the whole of the company to
>straighten up its act as regards security.
>
>3. MS Security Bulletins were "improved" about 24-30 months ago by a
>web design team that clearly does not have an ounce of security smarts
>among its entire membership. That "improvement" (_purely_ aesthetic,
>and highly debatable anyway) made the bulletins unreadable in IE unless
>you are prepared to trust MS and its web presence providers (I'm not
>for various reasons -- the company as a whole is just far too large and
>"attractive" a target; there have been some very bad whoops-es with
>Akamai and the Nimda virus; etc). Anyway, that "improvement" was the
>final straw that moved me to using Mozilla as my browser of choice, as
>it rendered that "improved" form of your pages fine, _and_ with
>scripting and the like disabled.
>
>4. Now the Security Bulletins have been "improved" even further,
>turning the detail expansion links into frelling javascript links.
>What in the blue blazes is between the ears of your web development
>folk? Have they forgotten that the venerable HREF tag can work without
>scripting, ActiveX and all manner of other popular but unnecessary cr*p
>that web designers can't seem to ignore? When it comes to security
>bulletins, f*ck art -- give me _readable content_.
>
>Sheeeesh!!!
>
>
>
>A few weeks back some online magazine editor was asking for clear,
>reasoned arguments that "Microsoft just doesn't get security".
>Arguments be damned -- if you have two security clues you only have to
>look at MS' own security web pages to _see_ that "Microsoft just
>doesn't get security".
>
>TCI is clearly a media and PR circus.
>
>(In case the magazine editor and his conspirator still do not get the
>point of the above, Microsoft has no business dictating _my_ or _anyone
>else's_ security policies. This is as fundamental an aspect of
>security as there is. Posting its security bulletins in a format that
>requires their readers to set their browsers to a configuration that is
>acknowledged to be _severely security lowering_, while maintaining that
>it is doing everything possible to improve the security of its
>products, is the height of hypocrisy and clearly makes a lie of its
>public proclamations that it is working to further improve security.)
>
>
>--
>Nick FitzGerald
>Computer Virus Consulting Ltd.
>Ph/FAX: +64 3 3529854