Dailydave mailing list archives
Re: a war on all fronts is a war on none
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Thu, 1 Jul 2004 16:00:21 -0500
I remember reading that exact statement in Howard's latest book[1], which besides being a product of Microsoft Press, is actually a decent read. The value in the book is not so much the techniques it shows, but the commentary behind why those techniques are important and the subtle hints as to what applications were hosed because of it. The section on token management was especially insightful when taking a harder look at some of the network services in Windows 2000. Even if you despise everything coming from that company, the view from the other side is always interesting :)

1. http://www.microsoft.com/MSPress/books/5957.asp

On Thursday 01 July 2004 15:52, dave wrote:
> The following is a really good point, and one the Windows 2003 team fubared up.
>
> -dave
>
> http://blogs.msdn.com/michael_howard/archive/2004/06/27/167367.aspx
>
> Perhaps this one will be a little less controversial than my previous post!
>
> When I review threat models, I often target it on the mitigations, making sure they are good, solid and well thought out. One mitigation type that worries me is when a team mitigates a threat by asking the user/admin to make a trust decision. As a rule of thumb, this is not the best mitigation. Sometimes you must ask the user, I understand that, but fewer trust dialog boxes is often safer.
>
> Case in point is IE in XPSP2 - have you noticed a number of dialogs asking users to make security decisions have "gone away"? Rather the browser simply enforces a default security policy and tells you what it just did (in a bar above the HTML content.) For example blocking ActiveX controls, or blocking pop-ups and so on. If you want to change the policy then go ahead, but the default is not to prompt the user.
>
> Net net: We've found that constantly asking users to make trust decisions is generally not a good thing. Invariably, people will see the dialog, and to them it'll read, "Do you want to get your job done" and they'll hit 'yes' with little or no regard for the consequences. So now, we just enforce a default security policy. Simple, really.
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://www.immunitysec.com/mailman/listinfo/dailydave
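The design point Howard makes in the quoted post, enforce a default policy and report the decision rather than delegate it to a dialog, is easy to model. The following is an added example and not code from the post, from Microsoft or from either author: the class names, the content kinds, the sample policy and the sample traffic are all assumed or constructed. It runs the same requests through a "prompt the user" design and a "deny by default, allow by explicit override, notify afterwards" design, and shows why a habituated user makes the first one worthless as a mitigation.

```python
# Added example: a small model of the two mitigation styles contrasted in the post.
# Names, policy contents and sample requests are assumed/constructed, not taken from IE.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class Request:
    """One piece of active content the browser is asked to load."""
    origin: str   # site that served it (constructed values below)
    kind: str     # content class, e.g. "activex", "popup", "html"


@dataclass
class Policy:
    """Default decision per content kind plus explicit per-origin overrides.
    Anything covered by neither is blocked: deny by default."""
    defaults: Dict[str, Action]
    overrides: Dict[Tuple[str, str], Action] = field(default_factory=dict)

    def decide(self, req: Request) -> Action:
        key = (req.origin, req.kind)
        if key in self.overrides:
            return self.overrides[key]
        return self.defaults.get(req.kind, Action.BLOCK)


@dataclass
class Notice:
    """What the information bar shows: a decision already taken, not a question."""
    origin: str
    kind: str
    action: Action


class DefaultPolicyBrowser:
    """Enforce the policy first, then tell the user what was done."""
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.notices: List[Notice] = []

    def handle(self, req: Request) -> Action:
        action = self.policy.decide(req)
        if action is Action.BLOCK:
            self.notices.append(Notice(req.origin, req.kind, action))
        return action


class PromptingBrowser:
    """Delegate every trust decision to the user through a dialog."""
    def __init__(self, answer: Callable[[str], bool]) -> None:
        self.answer = answer
        self.prompts_shown = 0

    def handle(self, req: Request) -> Action:
        self.prompts_shown += 1
        question = f"Allow {req.kind} from {req.origin}?"
        return Action.ALLOW if self.answer(question) else Action.BLOCK


def habituated_user(question: str) -> bool:
    """The effect the post describes: the dialog reads 'Do you want to get your
    job done?' and the user clicks Yes regardless of what was asked."""
    return True


def run_session(browser, requests: List[Request]) -> List[Action]:
    return [browser.handle(r) for r in requests]


# Constructed sample traffic: one administratively trusted site, one unknown site.
SAMPLE_REQUESTS = [
    Request("intranet.example", "activex"),
    Request("unknown.example", "activex"),
    Request("unknown.example", "popup"),
    Request("unknown.example", "html"),
]

# Constructed policy: ActiveX and pop-ups blocked by default, plain HTML allowed,
# with a single explicit override for the intranet control.
SAMPLE_POLICY = Policy(
    defaults={"activex": Action.BLOCK, "popup": Action.BLOCK, "html": Action.ALLOW},
    overrides={("intranet.example", "activex"): Action.ALLOW},
)


def compare() -> dict:
    """Run the same traffic through both designs and summarise what each blocked."""
    enforcing = DefaultPolicyBrowser(SAMPLE_POLICY)
    prompting = PromptingBrowser(habituated_user)
    enforced = run_session(enforcing, SAMPLE_REQUESTS)
    prompted = run_session(prompting, SAMPLE_REQUESTS)
    return {
        "enforced_blocks": sum(a is Action.BLOCK for a in enforced),
        "enforced_notices": len(enforcing.notices),
        "prompted_blocks": sum(a is Action.BLOCK for a in prompted),
        "prompts_shown": prompting.prompts_shown,
    }


if __name__ == "__main__":
    print(compare())
```

The enforcing design blocks the two untrusted requests and records two notices without asking anything; the prompting design shows four dialogs and blocks nothing, because the decision was handed to a user who always answers yes. The override table is where the "if you want to change the policy then go ahead" step lives: trust is granted once, deliberately, in configuration, instead of once per page load under time pressure.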