Metasploit mailing list archives

Microsoft BlueHat Security Conference


From: tomb at byrneit.net (Tomas L. Byrnes)
Date: Mon, 20 Jun 2005 20:25:51 -0700

 
I think this is an oversimplification. When MS made the browser the
shell, with IE 4, everyone and their brother screamed that this was a
guaranteed security hole. It doesn't take a genius to see that
Browser=Shell and everyone runs as local admin is a wide open door for
problems.

MS didn't do that for the sake of features, they did it as a shortcut to
dominating the browser market, since they couldn't get a functioning
independent browser out fast enough, and tying the browser tightly to
the OS meant that everyone would have to use IE at least some of the
time, and that it would be faster and could do things that an
application based browser couldn't (ActiveX, another security disaster,
designed to kill Java). The result has been the plethora of Windows
security flaws.

I think it is a bit disingenuous to buy, and then sell, MS spin on their
security problems hook-line-and-sinker. A lot of the problems have
nothing to do with the developers, or the way they develop the code, but
are a direct result of business decisions that have caused the creation
of monolithic code with root-level access.

Windows security problems are architectural, not implementation. A lack
of compartmentalization, object and component oriented architecture, and
the total absence of inheritance, precedence, and processes being
bounded to the least privilege, and in no case being able to elevate
privilege beyond that of the parent (since there is no parent, this
doesn't exist), is the root cause of the vulnerabilities, IMO. 

MS should follow Apple's lead, use BSD as the underlying OS, and make $
off apps and interfaces.


-----Original Message-----
From: H D Moore [mailto:hdm at metasploit.com] 
Sent: Monday, June 20, 2005 1:52 PM
To: framework at metasploit.com
Subject: Re: [framework] Microsoft BlueHat Security Conference

That wouldn't be fair, we met some sharp people at Microsoft, 
both in the development and security groups. On the 
development side, the problem seems to be one of perspective 
and not technical competence. They write software to make 
things work, we write software to break their things, and it's 
difficult to write software and constantly review it for 
security flaws at the same time. A design decision that seems 
obviously insecure to someone like myself could be an 
innovation in user convenience to a developer. What we 
brought to the conference was the idea that the people 
attacking their software aren't just some grungy kids living 
in their parent's basement, but people who take their work as 
seriously as those writing the code in the first place.

-HD

On Monday 20 June 2005 15:39, Tech wrote:
The gist I get from the articles is that the hacker side of the 
conference decided that the guys from Microsoft are really nice guys, 
just not the sharpest knife in the drawer?



-----Original Message-----
From: H D Moore [mailto:hdm at metasploit.com]
Sent: Monday, June 20, 2005 4:05 AM
To: framework at metasploit.com
Subject: [framework] Microsoft BlueHat Security Conference

A few people have asked about the materials for the Microsoft BlueHat 
security conference. These are now online, along with some links to 
the original articles.

http://metasploit.com/confs/


http://news.com.com/Microsoft+meets+the+hackers/2009-1002_3-5747813.html

http://www.bit-tech.net/news/2005/06/17/microsoft_blue_hat_hacker_conference/

http://www.toptechnews.com/story.xhtml?story_id=36563

-HD



