Vulnerability Development mailing list archives

Re: Open Response To Microsoft Security - RE: It's Time to End Information Anarchy


From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
Date: Sat, 20 Oct 2001 21:40:47 +0200 (MET DST)

On Wed, 17 Oct 2001, Steve wrote:

> Worms and viruses have been created long before "security research" was
> fashionable.  Code Red, Nimda and a few of the more recent worms were
> made possible not by the research that discovered the vulnerability they
> exploited but by the lack of awareness and training by system
> administrators who did not patch their systems.

Never forget the developers and vendors who release vulnerable software
and ship it to the clueless masses (and they know very well the vast
majority of their target audience is clueless). They are the people who
made all those disasters *possible*!

Arguments about bugs and vulnerabilities being inevitable in ``all
non-trivial software'' are bogus. The principle of least privilege has
been known for decades. So has been the concept of TCB or the concept
of mandatory access control or a large number of other ideas invented
to reduce the impact of bugs, or even to make (some of) them completely
irrelevant from a security point of view.

But how many software systems exploiting these ideas do you know and use?
A few...if any at all. On the other hand, a certain vendor put the whole
webserver plus millions of lines of other junk within its OS's security
perimeter and added an ability to run arbitrary code embedded in data
files to every user application in their portfolio (often with full
privileges of a poor user running the application).


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

