Full Disclosure mailing list archives
Re: FW: Security in a Connected World
From: Cesar <cesarc56 () yahoo com>
Date: Fri, 24 Jan 2003 09:24:00 -0800 (PST)
I agree. Microsoft has done some little effort in improving security in its top products Windows, Office, SQL Server, etc. But if you take a look at other Microsoft products in only 5 minutes you can find a lot of holes, believe me, try it. Why don't they improve security in non top products? Because they only care where the money is.

Cesar.

--- Georgi Guninski <guninski () guninski com> wrote:

For me this is pure marketing propaganda without any confirmation from reality. Just look at the number and severity of bugs - any change after this hype? From this I have the impression that if I buy newer windozes, they will be more secure, lol. IMHO billyg is a luser and his marketing rants should not be taken seriously.

Georgi Guninski
http://www.guninski.com

Richard M. Smith wrote:

FYI:

-----Original Message-----
From: Bill Gates [mailto:BillGates () chairman microsoft com]
Sent: Thursday, January 23, 2003 11:16 PM
To: rms () computerbytesman com
Subject: Security in a Connected World

Jan. 23, 2003

As we increasingly rely on the Internet to communicate and conduct business, a secure computing platform has never been more important. Along with the vast benefits of increased connectivity, new security risks have emerged on a scale that few in our industry fully anticipated.

As everyone who uses a computer knows, the confidentiality, integrity and availability of data and systems can be compromised in many ways, from hacker attacks to Internet-based worms. These security breaches carry significant costs. Although many companies do not detect or report attacks, the most recent computer crime and security survey performed by the Computer Security Institute and the Federal Bureau of Investigation totaled more than $455 million in quantified financial losses in the United States alone in 2001. Of those surveyed, 74 percent cited their Internet connection as a key point of attack.

As a leader in the computing industry, Microsoft has a responsibility to help its customers address these concerns, so they no longer have to choose between security and usability. This is a long-term effort.
As attacks on computer networks become more sophisticated, we must innovate in many areas - such as digital rights management, public key cryptology, multi-site authentication, and enhanced network and PC protection - to enable people to manage their information securely.

A year ago, I challenged Microsoft's 50,000 employees to build a Trustworthy Computing environment for customers so that computing is as reliable as the electricity that powers our homes and businesses today. To meet Microsoft's goal of creating products that combine the best of innovation and predictability, we are focusing on four specific areas: security, privacy, reliability and business integrity. Over the past year, we have made significant progress on all these fronts. In particular, I'd like to report on the advances we've made and the challenges we still face in the security area. As a subscriber to Executive Emails from Microsoft, I hope you will find this information helpful.

In order to realize the full potential of computers to advance e-commerce, enable new kinds of communication and enhance productivity, security will need to improve dramatically. Based on discussions with customers and our own internal reviews, it was clear that we needed to create a framework that would support the kind of innovation, state-of-the-art processes and cultural shifts necessary to make a fundamental advance in the security of our software products. In the past year we have created new product-design methodologies, coding practices, test procedures, security-incident handling and product-support processes that meet the objectives of this security framework:

SECURE BY DESIGN: In early 2002 we took the unprecedented step of stopping the development work of 8,500 Windows engineers while the company conducted 10 weeks of intensive security training and analyzed the Windows code base. Although engineers receive formal academic training on developing security features, there is very little training available on how to write secure code.
Every Windows engineer, plus several thousand engineers in other parts of the company, was given special training covering secure programming, testing techniques and threat modeling. The threat modeling process, rare in the software world, taught program managers, architects and testers to think like attackers. And indeed, fully one-half of all bugs identified during the Windows security push were found during threat analysis.

We have also made important breakthroughs in minimizing the amount of security-related code in products that is vulnerable to attack, and in our ability to test large pieces of code more efficiently. Because testing is both time-consuming and costly, it's important that defects are detected as early as possible in the development cycle. To optimize which tests are run at what points in the design cycle, Microsoft has developed a system that prioritizes the application's given set of tests, based on what changes have been made to the program. The system is able to operate on large programs built from millions of lines of source code, and produce results within a few minutes, when previously it took hours or days.

The scope of our security reviews represents an unprecedented level of effort for software manufacturers, and it's begun to pay off as vulnerabilities are eliminated through offerings like Windows XP Service Pack 1.
We also put Visual Studio .NET through an incredibly vigorous design review, threat modeling and security push, and in the coming months we will be releasing other major products that have gone through our Trustworthy Computing security review cycle: Windows Server 2003, the next versions of SQL and Exchange Servers, and Office 11.

Looking ahead, we are working on a new hardware/software architecture for the Windows PC platform (initially codenamed "Palladium"), which will significantly enhance the integrity, privacy and data security of computer systems by eliminating many "weak links." For example, today anyone can look into a graphics card's memory, which is obviously not good if the memory contains a user's banking transactions or other sensitive information. Part of the focus of this initiative is to provide "curtained" memory - pages of memory that are walled off from other applications and even the operating system to prevent surreptitious observation - as well as the ability to provide security along the path from keyboard to monitor. This technology will also attest to the reliability of data, and provide sealed storage, so
=== message truncated ===