Re: FW: Security in a Connected World

[Cesar <cesarc56 () yahoo com>]

I agree.

Microsoft has done some little effort in improving
security in its top products Windows, Office, SQL
Server, etc. But if you take a look at other Microsoft
products in only 5 minutes you can find a lot of
holes, believe me, try it. Why they don't improve
security in non top products? Because they only care
were the money is.


Cesar.

--- Georgi Guninski <guninski () guninski com> wrote:
> For me this is pure marketing propaganda without any
> confirmation from reality.
> Just look at the number and severity of bugs - any
> change after this hype?
>  From this I have the impression that if I buy newer
> windozes, they will be more 
> secure, lol.
> IMHO billyg is a luser and his marketing rants
> should not be taken seriously.
>
> Georgi Guninski
> http://www.guninski.com
>
> Richard M. Smith wrote:
> > FYI:
> >
> > -----Original Message-----
> > From: Bill Gates
> [mailto:BillGates () chairman microsoft com] 
> > Sent: Thursday, January 23, 2003 11:16 PM
> > To: rms () computerbytesman com
> > Subject: Security in a Connected World
> >
> >
> > Jan. 23, 2003
> >
> > As we increasingly rely on the Internet to
> communicate and conduct
> > business, a secure computing platform has never
> been more important.
> > Along with the vast benefits of increased
> connectivity, new security
> > risks have emerged on a scale that few in our
> industry fully
> > anticipated.
> >
> > As everyone who uses a computer knows, the
> confidentiality, integrity
> > and availability of data and systems can be
> compromised in many ways,
> > from hacker attacks to Internet-based worms. These
> security breaches
> > carry significant costs. Although many companies
> do not detect or report
> > attacks, the most recent computer crime and
> security survey performed by
> > the Computer Security Institute and the Federal
> Bureau of Investigation
> > totaled more than $455 million in quantified
> financial losses in the
> > United States alone in 2001. Of those surveyed, 74
> percent cited their
> > Internet connection as a key point of attack.
> >
> > As a leader in the computing industry, Microsoft
> has a responsibility to
> > help its customers address these concerns, so they
> no longer have to
> > choose between security and usability. This is a
> long-term effort. As
> > attacks on computer networks become more
> sophisticated, we must innovate
> > in many areas - such as digital rights management,
> public key
> > cryptology, multi-site authentication, and
> enhanced network and PC
> > protection - to enable people to manage their
> information securely.
> > A year ago, I challenged Microsoft's 50,000
> employees to build a
> > Trustworthy Computing environment for customers so
> that computing is as
> > reliable as the electricity that powers our homes
> and businesses today.
> > To meet Microsoft's goal of creating products that
> combine the best of
> > innovation and predictability, we are focusing on
> four specific areas:
> > security, privacy, reliability and business
> integrity. Over the past
> > year, we have made significant progress on all
> these fronts. In
> > particular, I'd like to report on the advances
> we've made and the
> > challenges we still face in the security area. As
> a subscriber to
> > Executive Emails from Microsoft, I hope you will
> find this information
> > helpful.
> >
> > In order to realize the full potential of
> computers to advance
> > e-commerce, enable new kinds of communication and
> enhance productivity,
> > security will need to improve dramatically. Based
> on discussions with
> > customers and our own internal reviews, it was
> clear that we needed to
> > create a framework that would support the kind of
> innovation,
> > state-of-the-art processes and cultural shifts
> necessary to make a
> > fundamental advance in the security of our
> software products. In the
> > past year we have created new product-design
> methodologies, coding
> > practices, test procedures, security-incident
> handling and
> > product-support processes that meet the objectives
> of this security
> > framework:
> >
> > SECURE BY DESIGN: In early 2002 we took the
> unprecedented step of
> > stopping the development work of 8,500 Windows
> engineers while the
> > company conducted 10 weeks of intensive security
> training and analyzed
> > the Windows code base. Although engineers receive
> formal academic
> > training on developing security features, there is
> very little training
> > available on how to write secure code. Every
> Windows engineer, plus
> > several thousand engineers in other parts of the
> company, was given
> > special training covering secure programming,
> testing techniques and
> > threat modeling. The threat modeling process, rare
> in the software
> > world, taught program managers, architects and
> testers to think like
> > attackers. And indeed, fully one-half of all bugs
> identified during the
> > Windows security push were found during threat
> analysis.
> > We have also made important breakthroughs in
> minimizing the amount of
> > security-related code in products that is
> vulnerable to attack, and in
> > our ability to test large pieces of code more
> efficiently. Because
> > testing is both time-consuming and costly, it's
> important that defects
> > are detected as early as possible in the
> development cycle. To optimize
> > which tests are run at what points in the design
> cycle, Microsoft has
> > developed a system that prioritizes the
> application's given set of
> > tests, based on what changes have been made to the
> program. The system
> > is able to operate on large programs built from
> millions of lines of
> > source code, and produce results within a few
> minutes, when previously
> > it took hours or days.
> >
> > The scope of our security reviews represents an
> unprecedented level of
> > effort for software manufacturers, and it's begun
> to pay off as
> > vulnerabilities are eliminated through offerings
> like Windows XP Service
> > Pack 1. We also put Visual Studio .NET through an
> incredibly vigorous
> > design review, threat modeling and security push,
> and in the coming
> > months we will be releasing other major products
> that have gone through
> > our Trustworthy Computing security review cycle:
> Windows Server 2003,
> > the next versions of SQL and Exchange Servers, and
> Office 11.
> > Looking ahead, we are working on a new
> hardware/software architecture
> > for the Windows PC platform (initially codenamed
> "Palladium"), which
> > will significantly enhance the integrity, privacy
> and data security of
> > computer systems by eliminating many "weak links."
> For example, today
> > anyone can look into a graphics card's memory,
> which is obviously not
> > good if the memory contains a user's banking
> transactions or other
> > sensitive information. Part of the focus of this
> initiative is to
> > provide "curtained" memory - pages of memory that
> are walled off from
> > other applications and even the operating system
> to prevent
> > surreptitious observation - as well as the ability
> to provide security
> > along the path from keyboard to monitor. This
> technology will also
> > attest to the reliability of data, and provide
> sealed storage, so
=== message truncated ===


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html