Interesting People mailing list archives
IP: microsoft dependence RE: Microsoft Breaks Netscape Rule In New Security Flaw
From: David Farber <dave () farber net>
Date: Mon, 07 Jan 2002 14:12:30 -0500
From: "Tom Weber" <webert () bellatlantic net>
To: <farber () cis upenn edu>
Subject: microsoft dependence RE: Microsoft Breaks Netscape Rule In New Security Flaw

Dave --

The hits just keep on coming, it seems. Fyi, here's my column from today's Journal on getting serious about security in 2002, and the need to reduce dependence on Microsoft given these security problems.

Best,
Tom

E-WORLD
By Thomas E. Weber
Time to Get Serious: A Checklist of Ways To Secure the Internet
01/07/2002
The Wall Street Journal
(Copyright (c) 2002, Dow Jones & Company, Inc.)

HERE'S A CHALLENGE to everyone in the technology world: make computer networks more secure and more reliable in 2002. Think of it as homeland security, cyberstyle.

At work and at home, computer users are tired of enduring one glaring vulnerability after another. The cycle of bugs, viruses, security patches and inconvenience seems endless -- and all too familiar.

As if we needed a reminder, last week came word of yet another colossal security hole. AOL's ubiquitous Instant Messenger chat software turns out to have a glitch that could let hackers invade our PCs over the Internet. A few weeks earlier we learned that Microsoft's shiny new Windows XP operating system is similarly wide open to attack.

In both cases, there doesn't appear to have been any harm done. AOL and Microsoft moved to fix the problems, and there were no reports of attacks exploiting the newly discovered weaknesses. But the incidents underscored once again how vulnerable our computers are.

Here are some ideas about tightening up online security in 2002:

BREAK THE MICROSOFT HABIT: How many times has my computer been threatened by a virus because holes in Microsoft Outlook made it easy for these malicious programs to spread? I've lost count. Microsoft has patched and updated the software, but we're still plagued with viruses that shut down corporate mail servers and cost businesses money.
The vulnerabilities in Outlook don't need to be patched; they simply shouldn't be there in the first place. Normally, market forces would punish makers of shoddy products. But Microsoft's dominance impedes those forces.

One answer is for corporate customers to use their clout to demand better quality. Consumers can help, too, by refusing to buy software upgrades unless the new versions are demonstrably more secure.

Another answer is to nurture and use alternatives whenever possible. Apple's OS X and Linux both provide reasonable alternatives to Microsoft's Windows for many applications. They both have security problems of their own, but increasing the diversity of systems online would strengthen the Net's immune system, a priority after the September terror attacks.

Yet what are we faced with, as Microsoft seeks to end private antitrust suits against it? A potential settlement that could encourage the greater spread of Microsoft's software via a giveaway program to underprivileged schools. That isn't just ironic -- it could be bad for national security.

FIREWALLS FOR EVERYONE: If you've got a computer that's connected to the Internet, I can't imagine any reason why you wouldn't want a firewall on it. It's easy to get a decent firewall program that will thwart intruders' attempts to hack into your system. In fact, you can even download one free (ZoneAlarm, available at www.zonelabs.com).

Good firewalls protect everyone. Many hackers aren't actually interested in the contents of an individual computer. Instead, with the help of automated software, they're probing hundreds of computers at a time to find those susceptible to attack. A hacker who finds enough compromised PCs can assemble a secret army of computers that can then be used to shut down giant Web sites.

That means firewalls, along with antivirus systems, are practically a public-health issue for the Internet. They should come installed on every new computer sold and be provided with every Internet account.
We don't want unprotected computers on the Net any more than we want cars on the road without brake lights.

DON'T SHIELD SHODDY PRODUCTS: Liability is another way of deterring the spread of defective goods and services, but just try suing a software company. Even if a hacker steals your files or a virus destroys months of work, in most cases software users have little recourse. Take a look at the "shrink-wrap" license included with most off-the-shelf programs and you'll find that, if you're lucky, you may get a refund if something goes wrong.

An obscure law known as the Uniform Computer Information Transactions Act, or Ucita, intended for adoption by state legislatures throughout the U.S., could further weaken users' rights by strengthening those licenses. Passed in Maryland and Virginia, Ucita is now being tinkered with to address a variety of concerns. Whenever legislators consider this topic, they need to question whether software users' rights are being protected.

USE REGULATION, OR THREATEN TO: In the post-9/11 era, it's clear that governments have an interest in information security. Lawmakers and regulators should use 2002 to find innovative ways to encourage safer systems without stifling innovation.

Among the ideas that have been floating around are tax credits for spending on security products. John Pescatore, a security expert at Gartner Research, has a better idea: tax breaks for security training for software developers, and research and development credits for creation of secure software.

In addition to those carrots, a bit of the stick might prove useful. When faced with the prospect of government intervention, the technology industry has a way of finding solutions to head off new regulations. A few congressional hearings on major software blunders might accomplish a lot.
---

> -----Original Message-----
> From: David Farber [mailto:dave () farber net]
> Sent: Monday, January 07, 2002 1:59 PM
> To: ip-sub-1 () majordomo pobox com
> Subject: IP: Microsoft Breaks Netscape Rule In New Security Flaw
>
>
> >Date: Mon, 07 Jan 2002 12:55:02 -0500
> >To: farber () cis upenn edu
> >From: Brian McWilliams <brian () pc-radio com>
> >Subject: Microsoft Breaks Netscape Rule In New Security Flaw
> >
> >Hi Dave,
> >
> >FYI ...
> >
> >http://www.newsbytes.com/news/02/173439.html
> >
> >Microsoft Breaks Netscape Rule In New Security Flaw
> >REDMOND, WASHINGTON, U.S.A.,
> >07 Jan 2002, 11:39 AM CST
> >
> > The failure of Microsoft [NASDAQ:MSFT] to abide by a well-known browser
> > security rule has resulted in a "severe" flaw in the company's Internet
> > Explorer browser, according to security experts.
> >
> >The security bug, which affects all current versions of Internet Explorer
> >for Windows, including IE 5.5 and IE 6, provides attackers with a grab-bag
> >of techniques for stealing other users' browser cookies, reading some
> >files on their hard disks, and "spoofing" the content of legitimate sites,
> >according to ThePull, an independent security researcher who discovered
> >the vulnerability.
> >
> >An advisory describing the flaw, along with hyperlinks to demonstration
> >exploits, was posted by ThePull on SecurityFocus' Bugtraq mailing list and
> >mailed to Microsoft on Dec. 19.
> >
> >Microsoft officials were not immediately available for comment.
> >
> >In its own description of the vulnerability, SecurityFocus, a security
> >information and consulting firm, said Microsoft violated a basic security
> >rule known as the "same origin policy." The rule was outlined four years
> >ago in a JavaScript security guide authored by Netscape Communications.
> >
> >According to the 1997 Netscape guide, which was cited in a 2000 advisory
> >from the Computer Emergency Response Team (CERT), JavaScript code
> >executing in the context of one Web site should not be able to access the
> >properties of another.
> >
> >[snip]
> >
> > For archives see: http://www.interesting-people.org/archives/interesting-people/
For archives see: http://www.interesting-people.org/archives/interesting-people/