Message-ID: <405322F0.26421.31B39FC6@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Re: MS Security Response is a bunch of half-witted morons

jim_walsh@...dyear.com to me:

Nothing personal against Jim in particular here -- I've received a couple of direct Email responses that suggest a few others may also have had trouble grasping the _irony_ I was pointing out... That dealt with, I'll now address the peripheral security issues Jim mentioned in his response...

> Your points are well taken and understandable. But if you are supporting
> a M$ operating system enough to need to read the SB's, then wouldn't your
> IE be up to date to read them? ...

First, you are assuming that "needing to read the security bulletins" is something that may be limited to Windows users. I'm sure many die-hard *nix security folk read the MS security bulletins with as much interest as the security admin for a 150,000 seat Windows shop...

Second, you are assuming that if I were responsible for the security of a large number of Windows machines I would actually use IE. Sorry, but I am something of a "security expert" and I only use IE very sparingly (e.g. when I absolutely _must_ access some of the MSDN material I occasionally need _AND_ that is not available from the monthly DVD drop of the same, and even then I am very careful).

> ... Even if you would just use IE to read M$'s
> site? ...

You missed my comments about the significance of the size and desirability of MS as a target, didn't you? And the comments about MS' highly lax attitude to shoddy content distribution processes at third-party sites it has been known to use from time to time.

I forgot to mention MS' extremely slack attitudes about the responsibility of CAs and its continued use of one after a very public complete f*ck-up where MS' preferred CA, despite having special additional processes that few customers other than MS "enjoy", wrongly issued code-signing certs in Microsoft's name to a non-Microsoft affiliated party.

I factor those, and other historical indications, into my risk calculations and that is part of why I certainly strongly prefer to _NOT_ use any MS client software when interacting with any "official" MS network presence. MS may not like that, but that's the reality of the world we live in. MS _should_ recognize that if it truly is planning on being seen as a serious "security player", but in reality it continues to show incredibly little real concern for this, short of a few early media-blitz stories about how it delayed Server 2003 so it could turn off all the cr*p that should never have shipped enabled in the first place and to take the time to teach its programmers how to spell "buffer overflow".

> ... To sit and scream about web design decisions in this mailing group
> seems a little childish. ...

You're welcome to your opinion but to date your opinion, and those similar to it, are outweighed more than 10-to-1 in the responses I've had.

Also, "getting security" is one of those core attribute things -- you either get it or you don't. The fact that such fundamental security edicts as "thou shalt not force users to enable 'dangerous' browser functionality just to read about securing their computers" has NOT been laid thick, hard and often on the web designers is yet further evidence that "Microsoft just doesn't get security". Plenty of clever folk who work at MS do "get security" (and undoubtedly many of them do so more than I like to think I do) but they either don't care enough, or don't wield enough influence, to actually have impact where it matters.

> ... And if one was to argue that "Anyone needs to
> read these articles not just people that support M$ OS's", well to
> that...most people that have a M$ OS as an end user have auto update
> turned on and don't even think twice about it...if they update at all.

So? I _know_ there are hordes and hordes of security ignorant folk out there (just look at the number of witless, technically uninteresting viruses that show up in our Email every day), and while I care (at some level) about them and wish they could be helped, my primary concern here is the security of my own computer systems. MS has _NO_ right to dictate my security policies for these machines and while I am content (well, not really, but I know it won't change any time soon) to browse the wider web with my oddly extreme (by naive user standards) security settings, it is unconscionable for a major OS vendor that is trying to "clean up its security act" to take a stand such as this. The fact that this even happened is, yet again, prima facie evidence that "Microsoft just doesn't get security".

You're welcome to not agree with me, but you won't convince me that you are not necessarily wrong _in this case_.

> Contains confidential and/or proprietary information.

Wow! Really? What bits precisely?

No, seriously, I need to know so I can avoid ever using that information in anything I may say, write or produce in future. After all, you went to the trouble of warning me, therefore it would probably be negligent of me to not ascertain precisely what it is that I should be careful to not infringe against in the future...

> May not be copied or disseminated without express consent of
> The Goodyear Tire & Rubber Company

Sh*te -- I just did and without express consent from your employer. And so did the admins of these mailing lists. Do you really think The Goodyear Tire & Rubber Company will mind?

Hmmmm -- thinking about it a bit harder, did _YOU_ have the _express_ consent of The Goodyear Tire & Rubber Company to post some of its "confidential and/or proprietary information" to all these folk? Seems an odd thing to do with what you're claiming is ostensibly legally privileged and limited information, even if you _did_ have express consent to do it...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854