Full Disclosure mailing list archives

RE: Gates: 'You don't need perfect code' for good security

From: "Beaty, Bryan" <Bryan.Beaty () vector com>
Date: Fri, 31 Oct 2003 17:50:03 -0600

Correct me if I am wrong but...

I believe every worm listed below could have been prevented had everyone
patched their systems. 

I would like the security community to take more responsibility for
their own (in)actions. If you were hit by Blaster then you failed to
enforce a good patch management policy. Who's fault is that? Patch
management is boring and so we often ignore it. Hackers and worms simply
take advantage of our laziness. I guess blaster could be a form of
social engineering. "I know admins don't patch so I can write a worm and
kill the world." 

There is no such thing as perfect code. If you want a completely secure
system you can buy them but they are unbelievably expensive. If you have
a business justification for something that secure then buy it.
Otherwise you have to live with what you can get from Linux, UNIX, or
even Microsoft. 

Microsoft has at least come out with some very good patch management
systems lately (SUS) and they are free. Red Hat charges me a yearly fee
for their RHN. 

I believe the #1 security threat today is poor patch management. Is that
Microsoft's fault?

--> I am off of my soap box now. 

Bryan Beaty

-----Original Message-----
From: Exibar [mailto:exibar () thelair com] 
Sent: Friday, October 31, 2003 1:40 PM
To: Jeremiah Cornelius; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Gates: 'You don't need perfect code' for
good security


What an idiot....

   Take the loveletter worm, when it was first released even if you had
a 100% up to date AntiVirus software program, you would still get hit
within
the first 8 hours.... slammer, blaster, etc all the same thing.    The
took
advantage of holes in the OPERATING SYSTEM!!!!

   Yes we have ways of updating our VirusSoftware that works very very
well, McAfee has E-Policy Orchstrator, which I swear by.

  I'm not going to go on, but if Windows was as secure as Bill Gates and
company says it is, why was blaster, slammer, codered etc even an issue?

   Exibar


----- Original Message ----- 
From: "Jeremiah Cornelius" <jeremiah () nur net>
To: <full-disclosure () lists netsys com>
Sent: Friday, October 31, 2003 1:32 PM
Subject: [Full-disclosure] Gates: 'You don't need perfect code' for good
security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FLAME ON!

http://www.itbusiness.ca/index.asp?theaction=61&sid=53897

"But there are two other techniques: one is called firewalling and the

other

is called keeping the software up to date. None of these problems 
(viruses and worms) happened to people who did either one of those 
things. If you

had

your firewall set up the right way - and when I say firewall I include

scanning e-mail and scanning file transfer -- you wouldn't have had a 
problem. But did we have the tools that made that easy and automatic 
and

that

you could really audit that you had done it? No. Microsoft in 
particular

and

the industry in general didn't have it."

"The second is just the updating thing. Anybody who kept their 
software up

to

date didn't run into any of those problems, because the fixes preceded

the exploit. Now the times between when the vulnerability was 
published and

when

somebody has exploited it, those have been going down, but in every 
case

at

this stage we've had the fix out before the exploit. So next is making

it easy to do the updating, not for general features but just for the 
very

few

critical security things, and then reducing the size of those patches,

and reducing the frequency of the patches, which gets you back to the 
code quality issues. We have to bring these things to bear, and the 
very

dramatic

things that we can do in the short term have to do with the firewalls 
and

the

updating infrastructure. "
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/oqq3Ji2cv3XsiSARAlkdAJ0aGkBViYkoE193iZycTmQZohzwbQCg1KDA
SjPLY1EEzamQCtIGKwJT1Vk=
=mIsY
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Gates: 'You don't need perfect code' for good security |reduced|minus|none| (Oct 31)
- <Possible follow-ups>
- RE: Gates: 'You don't need perfect code' for good security Beaty, Bryan (Oct 31)
  - RE: Gates: 'You don't need perfect code' for good security james (Oct 31)
  - RE: [spam] RE: Gates: 'You don't need perfect code' for good security Exibar (Nov 01)
    - udp port 2615 Trond Kringstad (Nov 01)
  - RE: Gates: 'You don't need perfect code' for good security Cedric Blancher (Nov 01)
  - Re: Gates: 'You don't need perfect code' for good security William Warren (Nov 02)
    - Re: Gates: 'You don't need perfect code' for good security Matthew Murphy (Nov 02)
    - Re: Gates: 'You don't need perfect code' for good security Geoincidents (Nov 02)
    - Re: Gates: 'You don't need perfect code' for good security Matthew Murphy (Nov 02)
    - Re: Gates: 'You don't need perfect code' for good security Geoincidents (Nov 02)
    - Re: Gates: 'You don't need perfect code' for good security George Capehart (Nov 03)

(Thread continues...)