IP: microsoft dependence RE: Microsoft Breaks Netscape Rule In New Security Flaw

[David Farber <dave () farber net>]

> From: "Tom Weber" <webert () bellatlantic net>
> To: <farber () cis upenn edu>
> Subject: microsoft dependence RE: Microsoft Breaks Netscape Rule In New 
> Security Flaw
>
>
> Dave -- The hits just keep on coming, it seems. Fyi, here's my column from
> today's Journal on getting serious about security in 2002, and the need to
> reduce dependence on Microsoft given these security problems.
>
> Best,
> Tom
>
>
> E-WORLD By Thomas E. Weber
> Time to Get Serious:
> A Checklist of Ways
> To Secure the Internet
> 01/07/2002
> The Wall Street Journal
> (Copyright (c) 2002, Dow Jones & Company, Inc.)
>
> HERE'S A CHALLENGE to everyone in the technology world: make computer
> networks more secure and more reliable in 2002.
>
> Think of it as homeland security, cyberstyle. At work and at home, computer
> users are tired of enduring one glaring vulnerability after another. The
> cycle of bugs, viruses, security patches and inconvenience seems endless --
> and all too familiar.
>
>
> As if we needed a reminder, last week came word of yet another colossal
> security hole. AOL's ubiquitous Instant Messenger chat software turns out to
> have a glitch that could let hackers invade our PCs over the Internet. A few
> weeks earlier we learned that Microsoft's shiny new Windows XP operating
> system is similarly wide open to attack.
>
> In both cases, there doesn't appear to have been any harm done. AOL and
> Microsoft moved to fix the problems, and there were no reports of attacks
> exploiting the newly discovered weaknesses. But the incidents underscored
> once again how vulnerable our computers are.
>
> Here are some ideas about tightening up online security in 2002:
>
>
> BREAK THE MICROSOFT HABIT: How many times has my computer been threatented
> by a virus because holes in Microsoft Outlook made it easy for these
> malicious programs to spread? I've lost count. Microsoft has patched and
> updated the software, but we're still plagued with viruses that shut down
> corporate mail servers and cost businesses money. The vulnerabilities in
> Outlook don't need to be patched; they simply shouldn't be there in the
> first place.
>
> Normally, market forces would punish makers of shoddy products. But
> Microsoft's dominance impedes those forces. One answer is for corporate
> customers to use their clout to demand better quality. Consumers can help,
> too, by refusing to buy software upgrades unless the new versions are
> demonstrably more secure.
>
> Another answer is to nurture and use alternatives whenever possible. Apple's
> OS X and Linux both provide reasonable alternatives to Microsoft's Windows
> for many applications. They both have security problems of their own, but
> increasing the diversity of systems online would strengthen the Net's immune
> system, a priority after the September terror attacks.
>
> Yet what are we faced with, as Microsoft seeks to end private antitrust
> suits against it? A potential settlement that could encourage the greater
> spread of Microsoft's software via a giveaway program to underprivileged
> schools. That isn't just ironic -- it could be bad for national security.
>
>
> FIREWALLS FOR EVERYONE: If you've got a computer that's connected to the
> Internet, I can't imagine any reason why you wouldn't want a firewall on it.
> It's easy to get a decent firewall program that will thwart intruders'
> attempts to hack into your system. In fact, you can even download one free
> (ZoneAlarm, available at www.zonelabs.com).
>
> Good firewalls protect everyone. Many hackers aren't actually interested in
> the contents of an individual computer. Instead, with the help of automated
> software, they're probing hundreds of computers at a time to find those
> susceptible to attack. A hacker who finds enough compromised PCs can
> assemble a secret army of computers that can then be used to shut down giant
> Web sites.
>
> That means firewalls, along with antivirus systems, are practically a
> public-health issue for the Internet. They should come installed on every
> new computer sold and be provided with every Internet account. We don't want
> unprotected computers on the Net any more than we want cars on the road
> without brake lights.
>
>
> DON'T SHIELD SHODDY PRODUCTS: Liability is another way of deterring the
> spread of defective goods and services, but just try suing a software
> company. Even if a hacker steals your files or a virus destroys months of
> work, in most cases software users have little recourse. Take a look at the
> "shrink-wrap" license included with most off-the-shelf programs and you'll
> find that, if you're lucky, you may get a refund if something goes wrong.
>
> An obscure law known as the Uniform Computer Information Transactions Act,
> or Ucita, intended for adoption by state legislatures throughout the U.S.,
> could further weaken users' rights by strengthening those licenses. Passed
> in Maryland and Virginia, Ucita is now being tinkered with to address a
> variety of concerns. Whenever legislators consider this topic, they need to
> question whether software users' rights are being protected.
>
>
> USE REGULATION, OR THREATEN TO: In the post-9/11 era, it's clear that
> governments have an interest in information security. Lawmakers and
> regulators should use 2002 to find innovative ways to encourage safer
> systems without stifling innovation.
>
> Among the ideas that have been floating around are tax credits for spending
> on security products. John Pescatore, a security expert at Gartner Research,
> has a better idea: tax breaks for security training for software developers,
> and research and development credits for creation of secure software.
>
> In addition to those carrots, a bit of the stick might prove useful. When
> faced with the prospect of government intervention, the technology industry
> has a way of finding solutions to head off new regulations. A few
> congressional hearings on major software blunders might accomplish a lot.
>
> ---
>
>
> > -----Original Message-----
> > From: David Farber [mailto:dave () farber net]
> > Sent: Monday, January 07, 2002 1:59 PM
> > To: ip-sub-1 () majordomo pobox com
> > Subject: IP: Microsoft Breaks Netscape Rule In New Security Flaw
> >
> >
> >
> > >Date: Mon, 07 Jan 2002 12:55:02 -0500
> > >To: farber () cis upenn edu
> > >From: Brian McWilliams <brian () pc-radio com>
> > >Subject: Microsoft Breaks Netscape Rule In New Security Flaw
> > >
> > >Hi Dave,
> > >
> > >FYI ...
> > >
> > >http://www.newsbytes.com/news/02/173439.html
> > >
> > >Microsoft Breaks Netscape Rule In New Security Flaw
> > >REDMOND, WASHINGTON, U.S.A.,
> > >07 Jan 2002, 11:39 AM CST
> > >
> > >  The failure of Microsoft [NASDAQ:MSFT] to abide by a
> > well-known browser
> > > security rule has resulted in a "severe" flaw in the company's Internet
> > > Explorer browser, according to security experts.
> > >
> > >The security bug, which affects all current versions of Internet
> > Explorer
> > >for Windows, including IE 5.5 and IE 6, provides attackers with
> > a grab-bag
> > >of techniques for stealing other users' browser cookies, reading some
> > >files on their hard disks, and "spoofing" the content of
> > legitimate sites,
> > >according to ThePull, an independent security researcher who discovered
> > >the vulnerability.
> > >
> > >An advisory describing the flaw, along with hyperlinks to demonstration
> > >exploits, was posted by ThePull on SecurityFocus' Bugtraq
> > mailing list and
> > >mailed to Microsoft on Dec. 19.
> > >
> > >Microsoft officials were not immediately available for comment.
> > >
> > >In its own description of the vulnerability, SecurityFocus, a security
> > >information and consulting firm, said Microsoft violated a basic
> > security
> > >rule known as the "same origin policy." The rule was outlined four years
> > >ago in a JavaScript security guide authored by Netscape Communications.
> > >
> > >According to the 1997 Netscape guide, which was cited in a 2000 advisory
> > >from the Computer Emergency Response Team (CERT), JavaScript code
> > >executing in the context of one Web site should not be able to
> > access the
> > >properties of another.
> > >
> > >[snip]
> > >
> >
> > For archives see:
> > http://www.interesting-people.org/archives/interesting-people/

For archives see:
http://www.interesting-people.org/archives/interesting-people/