Interesting People mailing list archives
Re: IP: Microsoft Rallies Industry Against Bug Anarchy
From: David Farber <dave () farber net>
Date: Wed, 17 Oct 2001 07:23:29 -0400
Date: Tue, 16 Oct 2001 15:15:41 -0400 (EDT)
From: elijah wright <elw () stderr org>
To: farber () cis upenn edu
Subject: Re: IP: Microsoft Rallies Industry Against Bug Anarchy

Dear Dave,

Microsoft has shown over a period of time that they don't take security seriously. Why else would they have to *change* their policies about IIS default installations after a public outcry from administrators at corporations that were crippled by CodeRed and Nimda?? Those policies should have been in place *to begin with*, not added as an afterthought.

Making things "easy" for undertrained, undereducated administrators at Internet endpoints should *not* be Microsoft's task. Particularly when the relevant choice happens to be whether or not to install a default service. If the local population at a site isn't capable of turning *on* a service, then they most likely don't have a use for it to begin with. But let the users decide, rather than forcing them to learn how to turn *off* nonessential services after a "base" installation.

Letting an inattentive userbase shoot itself in the foot (as we've seen in recent times, as a direct result of often unmonitored, bug-prone IIS installations) is a really bad idea. One that has economic, strategic, and political long-term consequences.

Microsoft's attitudes toward 'nondisclosure' vs. 'full disclosure' issues indicate a lack of software professionalism and management skill on the part of decision-makers further up the chain of command. Perhaps Mr. Culp is not at fault - perhaps he simply hasn't educated his superiors as to the dangers of security policies like the one he has been advocating. And perhaps placing blame with the security manager of our favorite monopolistic entity is wrong. But I doubt it.

To close: Microsoft's rhetoric is flawed and fairly transparent. For most software professionals, the obvious security theme is that Microsoft itself is one of the most guilty of failing to release, revise, and repair software vulnerabilities.

Sorry if this is a little bit twitchy - written hastily while eating lunch. Feel free to bounce it out to IPers.

Best,
elijah

On Tue, 16 Oct 2001, David Farber wrote:

> Date: Tue, 16 Oct 2001 14:56:20 -0400
> From: David Farber <dave () farber net>
> Reply-To: farber () cis upenn edu
> To: ip-sub-1 () majordomo pobox com
> Subject: IP: Microsoft Rallies Industry Against Bug Anarchy
>
> >Date: Tue, 16 Oct 2001 14:48:36 -0400
> >To: Dave Farber <farber () cis upenn edu>
> >From: Brian McWilliams <brian () pc-radio com>
> >Subject: Microsoft Rallies Industry Against Bug Anarchy
> >
> >http://www.newsbytes.com/news/01/171173.html
> >
> >Pushed to the brink by recent Internet worm outbreaks, Microsoft hopes to
> >rally the computer industry against those who improperly publish
> >information about security vulnerabilities.
> >
> >In an editorial at Microsoft's site, Scott Culp, head of the company's
> >Security Response Center, announced the initiative against what he called
> >"information anarchy."
> >
> >According to Culp, the damage caused by worms such as Code Red and Nimda
> >can be blamed in part on computer security professionals who discovered
> >the software flaws exploited by the malicious, self-propagating programs.
> >
> >"The people who wrote (the worms) have been rightly condemned as
> >criminals. But they needed help to devastate our networks ... It's high
> >time the security community stopped providing blueprints for building
> >these weapons," he said.
> >
> >[snip]
>
> For archives see: http://lists.elistx.com/archives/interesting-people/
> -- "Let the beauty we love be what we do. There are hundreds of ways to kneel and kiss the ground." --Rumi
For archives see: http://lists.elistx.com/archives/interesting-people/