[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <41900BD7.8040304@linuxbox.org>
From: ge at linuxbox.org (Gadi Evron)
Subject: MSIE src&name property disclosure
Dave Aitel wrote:
> This is another reason why studies comparing Microsoft's security to
Open Source security are always bizzare. They compare the entire set of
Linux vulnerabilities to a tiny subset of the bugs Microsoft knows
about, but pretends other people don't. WINS is a classic example.
Actually, I personally have nothing against MS. They succeeded where
many failed. Good for them!
Their bad attitude and bloody competitive nature can hardly be blamed in
the world they compete in... and their corporate culture.. it's their
own problem.
So where do I blame them? I blame them in how they treat me;
- They have released vague and mind-boggling advisories (where do I
start?).
- They don't advertise most of their security issues (remember defcon a
couple of years back with the CoDC and their "we already use that
computer name?" issue? MS refused to give credit because "they were
already aware of the issue").
- They hide security patches inside other patches (so much that the best
way to find Windows vulnerabilities is to do reversing on their
patches).
- They pre-patch products and for that reason hold on patches until such
products are out (XP SP2).
- They insist on dealing with trouble by either ignoring it or killing
it by applying a band-aid (I'll give only one example: winnuke and
closing the port).
And don't even get me started on "viruses" (all the way back through
macro viruses and beyond).
I don't envy, hate or mock Microsoft. I actually appreciate what they
have accomplished. I have a serious issue with their way of doing
business with non-competition - the way they treat me as a security
professional.
All the above, is naturally, only my personal opinion. I may have some
of the details not 100% accurate, but I stand by the spirit of the words.
I tried and start a good-natured FACTUAL discussion on the subject in
the past - but all the kiddies always jump up and yell. In this case,
even some of my best friends enter the yelling criteria.
Oh.. and any idea why MS keeps adding caches on caches on caches to
solve problems? It turns me crazy.
Which reminds me of a similar discussion on a list I own a bit back.
Someone asked why IE keeps checking a certain Windows game - it was
turning him crazy. So the Managing Director of a big
disassembler/debugger company offered to make it a "surprise discount"
on the order forms if someone wrote the name of the game there.
It was hilarious. :o)
That's the best you will see out of me on religion. I decide to comment
on such issues about twice a year.
Gadi Evron.
Powered by blists - more mailing lists