Full Disclosure mailing list archives
Re: Re: Gates: 'You don't need perfect code' for good security
From: "Geoincidents" <geoincidents () getinfo org>
Date: Fri, 31 Oct 2003 21:03:42 -0500
> I think the issue at hand is how Bill has simply given ideas for band aid patches and not ways to ultimately secure systems. Firewalling and virus protection have their place in any environment. But poorly designed software with bugs known and unknown should not be a part of a "secure" system.
You're partially right. Microsoft's biggest mistakes are in 2 places. But it's not software design, it's default settings and really stupid feature sets.

First, default settings: they have tended in the past to enable everything instead of asking where you want to go and then only enabling what you need to get there. Recently I've seen good solid progress being made in this area; a number of things are now installing OFF or at least have off switches that are easy to find. I do believe they are on the right track, although I'm not sure they are going to get it right yet.

The second area is adding functions that have no business being there in the first place. One current example of this is the new functionality they are adding to Office that will allow people who are working in Office to suddenly shoot off to Amazon to do some shopping simply because they mentioned some product in a document. I'll refer to these types of functions as the "desktop salesman". When this new Office feature was first mentioned here or on one of the other security lists, the first comment I saw was someone asking "doesn't this strike anyone as the type of feature that even SOUNDS exploitable?". Nobody needs this type of feature, but Microsoft, being the capitalists they are, know they can make money by charging for advertising space on everyone's desktops.

Be it web beacons, IE popup windows, Media Player exposing DVD names to outside sites, picture folders that offer professional printing services, windowsupdate cataloging your hardware, this new Office feature, etc., these types of things have no place in a secure desktop environment, and until MS stops selling out the users in favor of the desktop salesman advertisers we can expect this insanity to continue. I still see no sign of them relenting on this part of the insanity (with the exception of email based web beacons, but that was driven by mass revolt).
Microsoft really needs to get back to serving the users and forgetting about compromising our privacy and anonymity in favor of the marketing types. Only then will they be able to create a secure desktop environment.

Geo.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html