Full Disclosure mailing list archives

RE: Microsoft prepares security assault on Linux

From: "Russ" <Russ.Cooper () rc on ca>
Date: Thu, 13 Nov 2003 02:49:11 -0500

Jason said;

I wrote an information security book last year under contract with 
Microsoft Press. The book was never published -- among other things it 
explains truthfully the poor security condition of Windows and offers 
detailed instructions and advice for defending against Microsoft's bad 
business practices and incorrect security decisions.


Because maybe a book isn't needed to describe what I describe in 3 pages, 10 points, keystroke by keystroke, button 
click by button click, documentation. Assuming the requisite files are on hand, it takes less than an hour to "harden" 
an IIS box against all of this years attacks, and the document was written 2 years ago.

Fine, my 3 pages doesn't help "to educate developers of Web applications so that fewer new vulnerabilities would have 
been created.", but at least mine got published to our customers...;-]

Microsoft suppresses awareness of vulnerabilities in order to profit.


Funny how they've always encouraged me with NTBugtraq, that would seem to be at odds with your perception of their 
position. Funny how I once tried to convince them to bury a vulnerability patch in a service pack rather than release a 
security bulletin, and there was no way they would have it.

The old adage, "You catch more flies with honey" seems to often be the opinion of publishers, one reason I've never 
written a book (no publisher wants to publish a book written the way I write...;-]) Since they're putting the money up, 
I have to assume they have good stats on the demographics of who will buy it and what the buyer expects. Its their 
audience, write it for yourself, publish it yourself (as you've done.) That they thought it wasn't going to be 
profitable (from a publishing perspective) doesn't necessarily mean Microsoft is trying to "suppress awareness of 
vulnerabilities", it could just mean they didn't think it would sell.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: clarification - reasons as to why commercial software *could* be better, (continued)
- - - Re: clarification - reasons as to why commercial software *could* be better Brent J. Nordquist (Nov 13)
    - Re: clarification - reasons as to why commercial software *could* be better vb (Nov 13)
    - Re: why commcerical software *could* be better David Maynor (Nov 12)
    - Re: why commcerical software *could* be better [WAS: Re: [Full-Disclosure] Microsoft prepares security assault on Linux] Georgi Guninski (Nov 12)
    - Re: why commcerical software *could* be better Gadi Evron (Nov 12)
    - Re: Microsoft prepares security assault on Linux Charles E. Hill (Nov 12)
    - Re: Microsoft prepares security assault on Linux vb (Nov 13)
    - Re: Microsoft prepares security assault on Linux Luis Bruno (Nov 13)
- Microsoft prepares security assault on Linux Chris (Nov 12)
- RE: Microsoft prepares security assault on Linux Jim Harrison (ISA) (Nov 12)
- RE: Microsoft prepares security assault on Linux Russ (Nov 13)
- Re: Microsoft prepares security assault on Linux Jason Coombs (Nov 13)
- Re: Microsoft prepares security assault on Linux Jason Coombs (Nov 13)
  - kievonline.org "were back" Maxime Ducharme (Nov 13)
    - AW: kievonline.org "were back" Michael Linke (Nov 13)
- RE: Microsoft prepares security assault on Linux Russ (Nov 13)
- RE: Microsoft prepares security assault on Linux Jim Harrison (ISA) (Nov 13)