[fw-wiz] Re: @Stake CTO fired for Microsoft comments

From: Roger Marquis (marquis_at_roble.com)
Date: 09/29/03

To: firewall-wizards@honor.icsalabs.com
Date: Mon, 29 Sep 2003 10:57:44 -0700 (PDT)

  • Next message: James Fields: "Re: [fw-wiz] RE: Router Internet Monitoring"


    On 26/09/03 19:12 -0400, Claussen, Ken wrote:
    > with the Operating system itself (there have been numerous Root level
    > compromises of other operating systems) and more to do with the skill of
    > the administrator.

    This is factually incorrect. MS Windows 2003 et al. are insecure
    in both default and hardened configurations. The vulnerabilities
    exist due to several well-known design decisions:

     * leveraging of Windows' large and insecure legacy code base.

     * a dearth of code reviews relative to other OS.

     * lack of memory protection.

     * full-privilege processes, which could run in user-mode but don't
     in order to avoid context switching and its performance penalty.

     * proprietary hooks embedded throughout the OS to preserve MS'
     advantage over third party developers.

     * Perhaps most important are the business decisions which MS has
     made for many years, deemphasizing security for features and
     time-to-market. The most recent example of this is SOAP, _designed_
     to bypass firewalls and already being exploited.

    > Let's tone down the rhetoric and get back to discussing security.
    > I have seen people

    Problem is neither Dan Geer nor Bruce Schneier has published
    anything resembling rhetoric. Neither did Brett Glass
    (<http://www.thetwowayweb.com/stories/storyReader$56>), or NPR, which
    carries MS ads and, as a result, has never aired a story critical
    of the company.

    Much of the news Joe Public sees today is similarly toned down.
    While this may benefit advertisers, it ultimately dumbs down the
    system to the point where it is vulnerable (to spam, viruses, worms,
    etc.). Historical examples of what this can lead to include AMC,
    asbestos manufacturers, big tobacco, ...

    This sort of group-think and self-deception is examined in Daniel
    Goleman's "Vital Lies, Simple Truths - The Psychology of Self-Deception".
    Recommended reading for anyone in the business of information
    security.

    -- 
    Roger Marquis
    Roble Systems Consulting
    http://www.roble.com/
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    