Re: Support the Sasser-author fund started

["Mike Roetto" <mroetto () cox net>]

I tend to give MS alot of credit, their patch availability tools are
best-of-class, IMO, and they have done so at considerable cost.

That said, a few glaring examples makes me question their general business
sense.  What are we up to , 3rd or 4th RPC patch now?  Even with large
enterprises, governments, and military looking at open-source in ever
increasing numbers,  MS doggedly hangs on to this dog API.

The fact that the RPC vulnerabilities stretch from NT4 to XP SP1 (8 years),
shows they haven't yet "gotten it", and overhauled this interface
line-by-line.  A secondary argument could be made about the various IIS
scripting problems.

If MS doesn't get their act together, and folks starting put Linux out en
masse on the desktop, well, our lives are going to be really interesting
then. :-)

-m




----- Original Message ----- 
From: "Shane C. Hage" <shage () optonline net>
To: "Georgi Guninski" <guninski () guninski com>; "Tobias Weisserth"
<tobias () weisserth de>; <full-disclosure () lists netsys com>
Sent: Saturday, May 15, 2004 7:31 PM
Subject: Re: [Full-disclosure] Support the Sasser-author fund started


> Why should Microsoft have more blame?
>
> In my opinion, I believe that software companies, especially Microsoft,
have
> taken all of the appropriate steps to provide security within their
> products.
>
> Imagine you own a home and installed a security system on all the doors
and
> windows.  You set the alarm and leave for a weekend.
>
> A thief comes up to your house, breaks a window, and slides through the
> opening.  The alarm does not go off because the thief found a
vulnerability
> in the security system.
>
> Do you blame the security company that installed your intrusion detection
> system?
>
> Software companies like Microsoft spend a lot of money developing their
> software.  In particular, Microsoft halted development on its products so
> that all of its developers could receive training in 'secure coding'
> techniques.  Above and beyond that, Microsoft and other software companies
> undergo 3rd-party security testing of their software before it is
released.
> Plus, most of the software is released to the public in the form of Betas
or
> Release Candidates months ahead of the release date.  If identifying
> security holes was that easy then why aren't there more vulnerabilities
> reported before the 'gold' release of products.
>
> I do expect that any computer user should have fundamental security
training
> before using it.  After all, the computer is a tool.  Nobody should
operate
> a microwave or chainsaw without reading the safety instructions.  The same
> care should be taken for computers.
>
> Thanks for taking the time to listen to my thoughts.
>
> Sincerely,
>
> -Shane
>
>
> ----- Original Message ----- 
> From: "Georgi Guninski" <guninski () guninski com>
> To: "Tobias Weisserth" <tobias () weisserth de>
> Sent: Friday, May 14, 2004 6:00 PM
> Subject: Re: [Full-disclosure] Support the Sasser-author fund started
>
>
> > On Fri, May 14, 2004 at 07:12:08PM +0200, Tobias Weisserth wrote:
> > > > My personal opinion is that more blame should be put on M$.
> > >
> > > The company is called Microsoft or MS in short. Why don't you use its
> > > proper name?
> >
> > are you sure it is MS and not M$ ????
> >
> > i was always taught it was M$.
> >
> > -- 
> > When I answered where I wanted to go today, they just hung up -- Unknown
> >
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html