Full Disclosure mailing list archives
RE: Microsoft prepares security assault on Linux
From: "Jim Harrison \(ISA\)" <jmharr () microsoft com>
Date: Wed, 12 Nov 2003 13:43:43 -0800
Having followed your link to the "book written under contract", it's immediately clear why it was never published. I won't get into a debate about your assertions; just a reminder that how you choose to express yourself is at least as important as what you have to say. * Jim Harrison MCP(NT4/2K), A+, Network+ Security Business Unit (ISA SE) "I used to hate writing assignments, but now I enjoy them. I realized that the purpose of writing is to inflate weak ideas, obscure poor reasoning, and inhibit clarity. With a little practice, writing can be an intimidating and impenetrable fog!" -Calvin -----Original Message----- From: Jason Coombs [mailto:jasonc () science org] Sent: Wednesday, November 12, 2003 12:08 To: support () mmicman com Cc: 'Helmut Hauser'; full-disclosure () lists netsys com; bugtraq () securityfocus com; isn () attrition org Subject: Re: [Full-disclosure] Microsoft prepares security assault on Linux I wrote an information security book last year under contract with Microsoft Press. The book was never published -- among other things it explains truthfully the poor security condition of Windows and offers detailed instructions and advice for defending against Microsoft's bad business practices and incorrect security decisions. URLs for the free electronic book are: (PDF) http://www.forensics.org/IIS_Security_and_Programming_Countermeasures.pd f (Raw Text/PNG Graphics --> safer!) http://www.forensics.org/jasonc/iisforensics.zip The security awareness for Windows communicated by my book would have enabled people to avoid intrusions, infections, damage, and down time from MS Blaster, SQL Slammer/Sapphire, and many of this year's other threats. It would also have helped to educate developers of Web applications so that fewer new vulnerabilities would have been created. A few of the specific warnings provided by my book include: * FrontPage Server Extensions are badly flawed from a security perspective and should never be used. * Ports open by default (RPC/DCOM/SMB/Messenger/Workstation Service/etc) will be found to expose remote exploitable buffer overflow vulnerabilities and therefore must be protected and closed at all costs. * Don't use/rely on Microsoft Baseline Security Analyzer because it intentionally ignores known vulnerabilities in order to more often report a happy "you're all patched" message to the admin. * Internet Information Services cannot be trusted out of the box but instead must be carefully security hardened beyond anything that Microsoft normally recommends, and many IIS features must be disabled in order to achieve a trustworthy subset of Microsoft software. * ... more ... If Microsoft intends to launch a PR/advertising campaign against Linux, perhaps it would take a moment out of its busy schedule to explain why it won't publish a book that tells the truth and provides warnings in advance that the only way to safely operate a Windows computer is to subscribe to infosec mailing lists such as bugtraq and full-disclosure in order to remain constantly aware of the real-world condition and capabilities of attackers? Microsoft suppresses awareness of vulnerabilities in order to profit. The only way to achieve security in computing is through awareness. Therefore, Microsoft's profits cause additional insecurity. Go figure. Sincerely, Jason Coombs jasonc () science org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- clarification - reasons as to why commercial software *could* be better, (continued)
- clarification - reasons as to why commercial software *could* be better Gadi Evron (Nov 12)
- Re: clarification - reasons as to why commercial software *could* be better Brent J. Nordquist (Nov 13)
- Re: clarification - reasons as to why commercial software *could* be better vb (Nov 13)
- Re: why commcerical software *could* be better David Maynor (Nov 12)
- Re: why commcerical software *could* be better [WAS: Re: [Full-Disclosure] Microsoft prepares security assault on Linux] Georgi Guninski (Nov 12)
- Re: why commcerical software *could* be better Gadi Evron (Nov 12)
- Re: Microsoft prepares security assault on Linux Charles E. Hill (Nov 12)
- Re: Microsoft prepares security assault on Linux vb (Nov 13)
- Re: Microsoft prepares security assault on Linux Luis Bruno (Nov 13)
- kievonline.org "were back" Maxime Ducharme (Nov 13)
- AW: kievonline.org "were back" Michael Linke (Nov 13)