Re: IP: Microsoft Rallies Industry Against Bug Anarchy

[David Farber <dave () farber net>]

> Date: Tue, 16 Oct 2001 15:15:41 -0400 (EDT)
> From: elijah wright <elw () stderr org>
> To: farber () cis upenn edu
> Subject: Re: IP: Microsoft Rallies Industry Against Bug Anarchy
>
>
> Dear Dave,
>
> Microsoft has shown over a period of time that they don't take security
> seriously.  Why else would they have to *change* their policies about IIS
> default installations after a public outcry from administrators at
> corporations that were crippled by CodeRed and Nimda??  Those policies
> should have been in place *to begin with*, not added as an afterthought.
>
> Making things "easy" for undertrained, undereducated administrators at
> Internet endpoints should *not* be Microsoft's task.  Particularly when
> the relevant choice happens to be whether or not to install a default
> service.  If the local population at a site isn't capable of turning *on*
> a service, then they most likely don't have a use for it to begin with.
> But let the users decide, rather than forcing them to learn how to turn
> *off* nonessential services after a "base" installation.
>
> Letting an inattentive userbase shoot itself in the foot (as we've seen in
> recent times, as a direct result of often unmonitored, bug-prone IIS
> installations) is a really bad idea.  One that has economic, strategic,
> and political long-term consequences.
>
> Microsoft's attitudes toward 'nondisclosure' vs. 'full disclosure' issues
> indicate a lack of software professionalism and management skill on the
> part of decisionmakers further up the chain of command.  Perhaps Mr. Culp
> is not at fault - perhaps he simply hasn't educated his superiors as to
> the dangers of security policies like the one he has been advocating.
> And perhaps placing blame with the security manager of our favorite
> monopolistic entity is wrong.
>
> But I doubt it.
>
> To close:  Microsoft's rhetoric is flawed and fairly transparent.  For
> most software professionals, the obvious security theme is that Microsoft
> itself is one of the most guilty of failing to release, revise, and repair
> software vulnerabilities.
>
> Sorry if this is a little bit twitchy - written hastily while eating
> lunch.  Feel free to bounce it out to IPers.
>
> Best,
> elijah
>
>
> On Tue, 16 Oct 2001, David Farber wrote:
>
> > Date: Tue, 16 Oct 2001 14:56:20 -0400
> > From: David Farber <dave () farber net>
> > Reply-To: farber () cis upenn edu
> > To: ip-sub-1 () majordomo pobox com
> > Subject: IP: Microsoft Rallies Industry Against Bug Anarchy
> >
> >
> > >Date: Tue, 16 Oct 2001 14:48:36 -0400
> > >To: Dave  Farber <farber () cis upenn edu>
> > >From: Brian McWilliams <brian () pc-radio com>
> > >Subject: Microsoft Rallies Industry Against Bug Anarchy
> > >
> > >http://www.newsbytes.com/news/01/171173.html
> > >
> > >Pushed to the brink by recent Internet worm outbreaks, Microsoft hopes to
> > >rally the computer industry against those who improperly publish
> > >information about security vulnerabilities.
> > >
> > >In an editorial at Microsoft's site, Scott Culp, head of the company's
> > >Security Response Center, announced the initiative against what he called
> > >"information anarchy."
> > >
> > >According to Culp, the damage caused by worms such as Code Red and Nimda
> > >can be blamed in part on computer security professionals who discovered
> > >the software flaws exploited by the malicious, self-propagating programs.
> > >
> > >"The people who wrote (the worms) have been rightly condemned as
> > >criminals. But they needed help to devastate our networks ... It's high
> > >time the security community stopped providing blueprints for building
> > >these weapons," he said.
> > >
> > >[snip]
> > >
> >
> >
> > For archives see: http://lists.elistx.com/archives/interesting-people/
> >
>
> --
> "Let the beauty we love be what we do.
> There are hundreds of ways to kneel and kiss the ground."  --Rumi


For archives see: http://lists.elistx.com/archives/interesting-people/