Full Disclosure mailing list archives
Re: DCOM RPC exploit (dcom.c)
From: "Curt Purdy" <purdy () tecman com>
Date: Thu, 31 Jul 2003 10:14:12 -0500
I agree that Micro$oft must die, especially since they replaced the best OS they ever made, W2K, with the insecure POS they call XP. If they spent another few years on 2K, they could have made it almost as good as *NIX. Regardless of how you feel about the .NET concept (personally I feel distributed code is a security nightmare waiting to happen), 2003 Server is an improvement. You can actually run it more than 30 days without rebooting! Unfortunately the first product of the "Trusted Computing Initiative" is still a victim of the worst vuln in history...

As for Perl, I think you have unfairly diss'd the language. It is as flexible and unstructured as my life, and if you don't think it is powerful, check out POPFile http://popfile.sourceforge.net/, in my opinion the best anti-spam program out there. Very intelligent, learns quickly, and is based on Bayesian theory.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
cpurdy () dpsol com
936.637.7977 ext. 121
----------------------------------------
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Dan Stromberg
Sent: Monday, July 28, 2003 10:47 AM
To: David R. Piegdon
Cc: Dan Stromberg; full-disclosure () lists netsys com
Subject: [inbox] Re: Re: [Full-disclosure] DCOM RPC exploit (dcom.c)

On Sun, 2003-07-27 at 12:25, David R. Piegdon wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IMHO it is TIME to sue corporations like microsoft for their stupidity - and their belief that people/customers are even more stupid. They sell their software and tell about their "great security concepts", but they actually do nothing about it.
Actually, much as I absolutely despise microsoft (I'd be overjoyed for weeks if they closed doors permanently), they -are- doing a lot about security.

For the short term, they're sending (have sent?) all their programmers to security training. This is but a band-aid, but it is considerably better than nothing, and better than the open-source movement is likely to emulate (fully), simply because the places where programmers learn programming generally don't take this seriously.

For the long term, and more importantly, they're pushing a move to interpreted languages, meaning .net. .net is evil. .net must die. But .net makes a lot of sense which we should not fail to learn from.

I cannot emphasize enough that the open-source crowd (of which I am a part) needs to learn from this. Stop writing software in crappy languages like C if you want it to sit next to the network on a machine, and possibly even if you're only running in the soft, chewy center. Give up languages that make buffer overflows too damn easy. It's not enough to say "the programmer should know better", because OBVIOUSLY many do not.

Use python. Use ML or a variant. Use lisp. If you have to use that excuse for line noise called perl, go ahead. Anything that doesn't put the programmer perilously close to buffer overflows! Turing (which is designed from the beginning for safe systems programming) or Modula-3, or Eiffel or Sather are good too, if you absolutely cannot give up the speed of a compiled language. The latter three all have respectable free implementations available for linux and others, as do all of the interpreted languages mentioned. They make vastly more sense than C. Even if -you- know what you're doing as a developer, that -doesn't- mean that every last maintainer that comes after you will.

So yes, microsoft reeks to the sky, but it's not true to say that they're doing nothing about their security problems. Weak arguments against microsoft posed as strong ones hurt open source's credibility.
--
Dan Stromberg DCS/NACS/UCI <strombrg () dcs nac uci edu>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
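The point Dan makes above, that C leaves the bounds check entirely to the programmer, is easiest to see on the shape of code that sits "next to the network": a length-prefixed field copied into a fixed buffer. The following is an added example written for this archive page; it is not code from any of the posters, and it is not the DCOM RPC exploit or the RpcSS code the thread is about. The wire layout (a 16-bit big-endian length followed by that many bytes), the `NAME_MAX` size and the function names are all made up for the illustration. The first parser bounds the copy by the sender's length field, which is the pattern behind most network-facing stack overflows; the second bounds it by the destination and rejects anything that does not fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Destination size for the parsed name, including the terminating NUL.
 * (Constructed for this example.) */
#define NAME_MAX 32

/* Wire layout assumed here (made up for the example, not DCE/RPC):
 *   [len_hi][len_lo][len bytes of name]
 */

/* Vulnerable: the copy is bounded by the sender's length field, not by
 * the destination. A length of 500 stays inside the packet, passes the
 * only check, and overwrites everything after 'out' on the stack. */
int parse_name_unchecked(const uint8_t *pkt, size_t pkt_len, char out[NAME_MAX])
{
    if (pkt_len < 2)
        return -1;
    size_t n = ((size_t)pkt[0] << 8) | pkt[1];
    if (n > pkt_len - 2)
        return -1;              /* field runs past the packet */
    memcpy(out, pkt + 2, n);    /* no check against NAME_MAX */
    out[n] = '\0';
    return (int)n;
}

/* Hardened: the same parser with the copy bounded by the destination.
 * Rejects the field instead of truncating it, so callers cannot act on
 * a silently mangled name. */
int parse_name_checked(const uint8_t *pkt, size_t pkt_len, char out[NAME_MAX])
{
    if (pkt_len < 2)
        return -1;
    size_t n = ((size_t)pkt[0] << 8) | pkt[1];
    if (n > pkt_len - 2)
        return -1;              /* field runs past the packet */
    if (n >= NAME_MAX)
        return -2;              /* would not fit together with its NUL */
    memcpy(out, pkt + 2, n);
    out[n] = '\0';
    return (int)n;
}

/* Build a packet carrying a name made of name_len copies of 'fill'
 * (constructed test input). Returns the packet length, or 0 if it
 * does not fit in 'cap'. */
size_t build_packet(uint8_t *pkt, size_t cap, size_t name_len, char fill)
{
    if (name_len > 0xFFFF || cap < 2 + name_len)
        return 0;
    pkt[0] = (uint8_t)(name_len >> 8);
    pkt[1] = (uint8_t)(name_len & 0xFF);
    memset(pkt + 2, (unsigned char)fill, name_len);
    return 2 + name_len;
}

int main(void)
{
    uint8_t pkt[1024];
    char name[NAME_MAX];

    /* Benign 5-byte name: both parsers accept it and agree. */
    size_t len = build_packet(pkt, sizeof pkt, 5, 'A');
    int c = parse_name_checked(pkt, len, name);
    int u = parse_name_unchecked(pkt, len, name);
    printf("benign:    checked=%d unchecked=%d name=%s\n", c, u, name);

    /* 500-byte name: the checked parser refuses it. The unchecked one
     * would memcpy 500 bytes into a 32-byte stack buffer; it is
     * deliberately not called on this input. */
    len = build_packet(pkt, sizeof pkt, 500, 'A');
    printf("overlong:  checked=%d\n", parse_name_checked(pkt, len, name));

    /* Length field claims more bytes than the packet actually carries. */
    printf("truncated: checked=%d\n", parse_name_checked(pkt, 100, name));
    return 0;
}
```

The only difference between the two functions is one comparison against the destination size, and nothing in the language forces it to be there; that is the whole of Dan's argument. Note also that the check must be `n >= NAME_MAX`, not `n > NAME_MAX`, because the terminating NUL needs its own byte.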
Current thread:
- Re: DCOM RPC exploit (dcom.c), (continued)
- Re: DCOM RPC exploit (dcom.c) tcpdumb (Jul 27)
- Re: DCOM RPC exploit (dcom.c) El Guille (Jul 27)
- Re: DCOM RPC exploit (dcom.c) tcpdumb (Jul 27)
- Re: Re: DCOM RPC exploit (dcom.c) Jennifer Bradley (Jul 27)
- Re: Re: DCOM RPC exploit (dcom.c) Jennifer Bradley (Jul 27)
- Re: Re: DCOM RPC exploit (dcom.c) David R. Piegdon (Jul 27)
- Re: Re: DCOM RPC exploit (dcom.c) CHeeKY (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Justin Shin (Jul 27)
- Re: DCOM RPC exploit (dcom.c) tcpdumb (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 27)
- Re: Re: DCOM RPC exploit (dcom.c) David R. Piegdon (Jul 27)
- Re: Re: DCOM RPC exploit (dcom.c) Dan Stromberg (Jul 28)
- Re: DCOM RPC exploit (dcom.c) Curt Purdy (Jul 31)
- RE: DCOM RPC exploit (dcom.c) Ron DuFresne (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Robert Wesley McGrew (Jul 28)
- RE: DCOM RPC exploit (dcom.c) gml (Jul 28)
- Re: DCOM RPC exploit (dcom.c) Valdis . Kletnieks (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Marc Maiffret (Jul 28)