Metasploit mailing list archives
Microsoft BlueHat Security Conference
From: tomb at byrneit.net (Tomas L. Byrnes)
Date: Mon, 20 Jun 2005 20:25:51 -0700
I think this is an oversimplification. When MS made the browser the shell, with IE 4, everyone and their brother screamed that this was a guaranteed security hole. It doesn't take a genius to see that Browser=Shell and everyone runs as local admin is a wide open door for problems. MS didn't do that for the sake of features, they did it as a shortcut to dominating the browser market, since they couldn't get a functioning independent browser out fast enough, and tying the browser tightly to the OS meant that everyone would have to use IE at least some of the time, and that it would be faster and could do things that an application based browser couldn't (ActiveX, another security disaster, designed to kill Java). The result has been the plethora windows security flaws. I think it is a bit disingenuous to buy, and then sell, MS spin on their security problems hook-line-and-sinker. A lot of the problems have nothing to do with the developers, or the way they develop the code, but are a direct result of business decisions that have caused the creation of monolithic code with root-level access. Windows security problems are architectural, not implementation. A lack of compartmentalization, object and component oriented architecture, and the total absence of inheritance, precedence, and processes being bounded to the least privilege, and in no case being able to elevate privilege beyond that of the parent (since there is no parent, this doesn't exist), is the root cause of the vulnerabilities, IMO. MS should follow Apple's lead, use BSD as the underlying OS, and make $ off apps and interfaces.
-----Original Message----- From: H D Moore [mailto:hdm at metasploit.com] Sent: Monday, June 20, 2005 1:52 PM To: framework at metasploit.com Subject: Re: [framework] Microsoft BlueHat Security Conference That wouldn't be fair, we met some sharp people at Microsoft, both in the development and security groups. On the development side, the problem seems to be one of perspective and not technical competence. They write software to make things work, we write software to break their things, and its difficult to write software and constantly review it for security flaws at the same time. A design decision that seems obviously insecure to someone like myself could be an innovation in user convenience to a developer. What we brought to the conference was the idea that the people attacking their software aren't just some grungy kids living in their parent's basement, but people who take their work as seriously as those writing the code in the first place. -HD On Monday 20 June 2005 15:39, Tech wrote:The gist I get from the articles is that the hacker side of the conference decided that the guys from Microsoft are reallynice guys,just not the sharpest knife in the drawer? -----Original Message----- From: H D Moore [mailto:hdm at metasploit.com] Sent: Monday, June 20, 2005 4:05 AM To: framework at metasploit.com Subject: [framework] Microsoft BlueHat Security Conference A few people have asked about the materials for theMicrosoft BlueHatsecurity conference. These are now online, along with some links to the original articles. http://metasploit.com/confs/ http://news.com.com/Microsoft+meets+the+hackers/2009-1002_3-5
747813.htm
l http://www.bit-tech.net/news/2005/06/17/microsoft_blue_hat_ha
cker_confe
r ence/ http://www.toptechnews.com/story.xhtml?story_id=36563 -HD
Current thread:
- Microsoft BlueHat Security Conference H D Moore (Jun 20)
- <Possible follow-ups>
- Microsoft BlueHat Security Conference Tech (Jun 20)
- Microsoft BlueHat Security Conference H D Moore (Jun 20)
- Balasan: Re: [framework] Microsoft BlueHat Security Conference Sugiowono Tjhin (Jun 20)
- Microsoft BlueHat Security Conference H D Moore (Jun 20)
- Microsoft BlueHat Security Conference Tomas L. Byrnes (Jun 20)
- Microsoft BlueHat Security Conference mmiller at hick.org (Jun 20)