Full Disclosure mailing list archives
Re: MS Security Response is a bunch of half-witted morons
From: jim_walsh () goodyear com
Date: Fri, 12 Mar 2004 16:09:21 -0500
Your points are well taken and understandable. But if you are supporting a M$ operating system enough to need to read the SB's, then wouldn't your IE be up to date to read them? Even if you would just use IE to read M$'s site? To sit and scream about web design decisions in this mailing group seems a little childish. And if one was to argue that "Anyone needs to read these articles not just people that support M$ OS's", well to that...most people that have a M$ OS as an end user have auto update turned on and don't even think twice about it...if they update at all.

Jim Walsh
Operating Systems Administrator
Server Operations and Support Center
330.796.0771

Contains confidential and/or proprietary information. May not be copied or disseminated without express consent of The Goodyear Tire & Rubber Company

Nick FitzGerald <nick () virus-l demon co uk>
03/11/2004 07:57 PM
Please respond to nick () virus-l demon co uk

To: bugtraq () securityfocus com, NTBUGTRAQ () LISTSERV NTBUGTRAQ COM, full-disclosure () lists netsys com
cc:
Subject: MS Security Response is a bunch of half-witted morons

Try to read Microsoft's latest security epistles:

http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-010.mspx

with a browser that does not have JavaScript enabled...

(And yes, they have retrofitted this "improvement" to _all_ previous security bulletins...)

Earth to MSRP:

1. Your job is to improve security.

2. Two years ago Billy Boy charged the whole of the company to straighten up its act as regards security.

3. MS Security Bulletins were "improved" about 24-30 months ago by a web design team that clearly does not have an ounce of security smarts among its entire membership. That "improvement" (_purely_ aesthetic, and highly debatable anyway) made the bulletins unreadable in IE unless you are prepared to trust MS and its web presence providers (I'm not for various reasons -- the company as a whole is just far too large and "attractive" a target; there have been some very bad whoops-es with Akamai and the Nimda virus; etc). Anyway, that "improvement" was the final straw that moved me to using Mozilla as my browser of choice, as it rendered that "improved" form of your pages fine, _and_ with scripting and the like disabled.

4. Now the Security Bulletins have been "improved" even further, turning the detail expansion links into frelling javascript links. What in the blue blazes is between the ears of your web development folk? Have they forgotten that the venerable HREF tag can work without scripting, ActiveX and all manner of other popular but unnecessary cr*p that web designers can't seem to ignore? When it comes to security bulletins, f*ck art -- give me _readable content_.

Sheeeesh!!!

A few weeks back some online magazine editor was asking for clear, reasoned arguments that "Microsoft just doesn't get security". Arguments be damned -- if you have two security clues you only have to look at MS' own security web pages to _see_ that "Microsoft just doesn't get security". TCI is clearly a media and PR circus.

(In case the magazine editor and his conspirator still do not get the point of the above, Microsoft has no business dictating _my_ or _anyone else's_ security policies. This is as fundamental an aspect of security as there is. Posting its security bulletins in a format that requires their readers to set their browsers to a configuration that is acknowledged to be _severely security lowering_, while maintaining that it is doing everything possible to improve the security of its products, is the height of hypocrisy and clearly makes a lie of its public proclamations that it is working to further improve security.)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html