Full Disclosure mailing list archives
Re: Microsoft Cries Wolf ( again )
From: "Kristian Hermansen" <this_is_kris () hotmail com>
Date: Tue, 1 Jul 2003 22:49:59 -0400
Yes, programmers should be trained to write better code...but it is more profitiable to allow sloppy code and a simple fix later (behind the scenes with vendor notification). This is MS point-of-view. This is why they want vendor notification, rather than public notification. Again, I say let the 0-days fly. Did you know that certain US government agencies have teams that their only job is to break software? This has been going on since the 1970's. It helps to produce secure code in mission critical applications that the military needs. I am not saying that MS needs to be SO drastic...but a small team for their MOST popular products would sure be wise to start with. Why not hire fucking intern teenagers from russia to "Crash Test" their development projects (facetious)? Would it be so difficult/expensive to hire some of the main companies that are breaking your software??? Kris Hermansen ----- Original Message ----- From: "Schmehl, Paul L" <pauls () utdallas edu> To: <full-disclosure () lists netsys com> Sent: Tuesday, July 01, 2003 6:58 PM Subject: RE: [Full-disclosure] Microsoft Cries Wolf ( again )
-----Original Message----- From: Kristian Hermansen [mailto:this_is_kris () hotmail com] Sent: Tuesday, July 01, 2003 3:09 PM To: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] Microsoft Cries Wolf ( again ) I agree. It is not our problem. The reason is this. Microsoft would like to reduce costs. Fixing bugs in products costs money, and 0-day bugs need immediate fixes which slow down MS total output ability. They would like to see everyone reporting to the vendor first because this saves them money!!! In this respect, this also allows them to go on writing sloppy code in order to save a few bucks on every product, thus reducing their overhead. I don't want sloppy code. Let the 0-days fly....maybe MS will start doing extensive testing to their products before they release it for sale to millions of customers. I thought .NET was supposed to fix all this ;-PThat's too funny. Microsoft ran a "buffer overflow finder" against the codebase for XP, and the VP in charge announced publicly that they had "eliminated buffer overflows in XP". Within thirty days, eEye announced the UPnP vulnerability in SSDP, which is the single most devastating hole ever found in MS products. (You can compromise an entire network of XP machines with one attack, simultaneously.) You don't fix code by extensive testing. You fix it by teaching how to write secure code to begin with *and* by ongoing, consistent audits done before code is released. (OpenBSD has been doing this for years, and look at the results.) Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Microsoft Cries Wolf ( again ), (continued)
- Re: Microsoft Cries Wolf ( again ) Brett Hutley (Jul 02)
- Re: Microsoft Cries Wolf ( again ) Peter van den Heuvel (Jul 01)
- Re: Microsoft Cries Wolf ( again ) mattmurphy () kc rr com (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Ron DuFresne (Jul 01)
- Re: Microsoft Cries Wolf ( again ) KF (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Ron DuFresne (Jul 01)
- Re: Microsoft Cries Wolf ( again ) dhtml (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Kristian Hermansen (Jul 01)
- Re: Microsoft Cries Wolf ( again ) KF (Jul 01)
- RE: Microsoft Cries Wolf ( again ) Schmehl, Paul L (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Shawn McMahon (Jul 02)
- Re: Microsoft Cries Wolf ( again ) Kristian Hermansen (Jul 06)
- Re: Microsoft Cries Wolf ( again ) gandalf94305 (Jul 06)
- Re: Microsoft Cries Wolf ( again ) mattmurphy () kc rr com (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Karl DeBisschop (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Geoincidents (Jul 02)
- Re: Microsoft Cries Wolf ( again ) Justin Shin (Jul 02)
- Vote with your dollars (Was: Re: Microsoft Cries Wolf ( again )) Peter Busser (Jul 02)
- Re: Microsoft Cries Wolf ( again ) andrewg (Jul 02)
- Re: Microsoft Cries Wolf ( again ) Karl DeBisschop (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Karl DeBisschop (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Ron DuFresne (Jul 03)
- Re: Microsoft Cries Wolf ( again ) Peter Busser (Jul 04)