Re: [Full-Disclosure] FW: Security in a Connected World

From: Cesar (cesarc56@yahoo.com)
Date: 01/24/03

    From: Cesar <cesarc56@yahoo.com>
    To: full-disclosure@lists.netsys.com
    Date: Fri, 24 Jan 2003 09:24:00 -0800 (PST)
    

    I agree.

    Microsoft has made a little effort in improving
    security in its top products: Windows, Office, SQL
    Server, etc. But if you take a look at other Microsoft
    products, in only 5 minutes you can find a lot of
    holes, believe me, try it. Why don't they improve
    security in non-top products? Because they only care
    where the money is.

    Cesar.

    --- Georgi Guninski <guninski@guninski.com> wrote:
    > For me this is pure marketing propaganda without any
    > confirmation from reality.
    > Just look at the number and severity of bugs - any
    > change after this hype?
    > From this I have the impression that if I buy newer
    > windozes, they will be more secure, lol.
    > IMHO billyg is a luser and his marketing rants
    > should not be taken seriously.
    >
    > Georgi Guninski
    > http://www.guninski.com
    >
    > Richard M. Smith wrote:
    > > FYI:
    > >
    > > -----Original Message-----
    > > From: Bill Gates [mailto:BillGates@chairman.microsoft.com]
    > > Sent: Thursday, January 23, 2003 11:16 PM
    > > To: rms@computerbytesman.com
    > > Subject: Security in a Connected World
    > >
    > >
    > > Jan. 23, 2003
    > >
    > > As we increasingly rely on the Internet to communicate and conduct
    > > business, a secure computing platform has never been more important.
    > > Along with the vast benefits of increased connectivity, new security
    > > risks have emerged on a scale that few in our industry fully
    > > anticipated.
    > >
    > > As everyone who uses a computer knows, the confidentiality, integrity
    > > and availability of data and systems can be compromised in many ways,
    > > from hacker attacks to Internet-based worms. These security breaches
    > > carry significant costs. Although many companies do not detect or
    > > report attacks, the most recent computer crime and security survey
    > > performed by the Computer Security Institute and the Federal Bureau of
    > > Investigation totaled more than $455 million in quantified financial
    > > losses in the United States alone in 2001. Of those surveyed, 74
    > > percent cited their Internet connection as a key point of attack.
    > >
    > > As a leader in the computing industry, Microsoft has a responsibility
    > > to help its customers address these concerns, so they no longer have
    > > to choose between security and usability. This is a long-term effort.
    > > As attacks on computer networks become more sophisticated, we must
    > > innovate in many areas - such as digital rights management, public
    > > key cryptology, multi-site authentication, and enhanced network and
    > > PC protection - to enable people to manage their information securely.
    > >
    > > A year ago, I challenged Microsoft's 50,000 employees to build a
    > > Trustworthy Computing environment for customers so that computing is
    > > as reliable as the electricity that powers our homes and businesses
    > > today. To meet Microsoft's goal of creating products that combine the
    > > best of innovation and predictability, we are focusing on four
    > > specific areas: security, privacy, reliability and business integrity.
    > > Over the past year, we have made significant progress on all these
    > > fronts. In particular, I'd like to report on the advances we've made
    > > and the challenges we still face in the security area. As a subscriber
    > > to Executive Emails from Microsoft, I hope you will find this
    > > information helpful.
    > >
    > > In order to realize the full potential of computers to advance
    > > e-commerce, enable new kinds of communication and enhance
    > > productivity, security will need to improve dramatically. Based on
    > > discussions with customers and our own internal reviews, it was clear
    > > that we needed to create a framework that would support the kind of
    > > innovation, state-of-the-art processes and cultural shifts necessary
    > > to make a fundamental advance in the security of our software
    > > products. In the past year we have created new product-design
    > > methodologies, coding practices, test procedures, security-incident
    > > handling and product-support processes that meet the objectives of
    > > this security framework:
    > >
    > > SECURE BY DESIGN: In early 2002 we took the unprecedented step of
    > > stopping the development work of 8,500 Windows engineers while the
    > > company conducted 10 weeks of intensive security training and
    > > analyzed the Windows code base. Although engineers receive formal
    > > academic training on developing security features, there is very
    > > little training available on how to write secure code. Every Windows
    > > engineer, plus several thousand engineers in other parts of the
    > > company, was given special training covering secure programming,
    > > testing techniques and threat modeling. The threat modeling process,
    > > rare in the software world, taught program managers, architects and
    > > testers to think like attackers. And indeed, fully one-half of all
    > > bugs identified during the Windows security push were found during
    > > threat analysis.
    > >
    > > We have also made important breakthroughs in minimizing the amount of
    > > security-related code in products that is vulnerable to attack, and
    > > in our ability to test large pieces of code more efficiently. Because
    > > testing is both time-consuming and costly, it's important that defects
    > > are detected as early as possible in the development cycle. To
    > > optimize which tests are run at what points in the design cycle,
    > > Microsoft has developed a system that prioritizes the application's
    > > given set of tests, based on what changes have been made to the
    > > program. The system is able to operate on large programs built from
    > > millions of lines of source code, and produce results within a few
    > > minutes, when previously it took hours or days.
    > >
    > > The scope of our security reviews represents an unprecedented level
    > > of effort for software manufacturers, and it's begun to pay off as
    > > vulnerabilities are eliminated through offerings like Windows XP
    > > Service Pack 1. We also put Visual Studio .NET through an incredibly
    > > vigorous design review, threat modeling and security push, and in the
    > > coming months we will be releasing other major products that have
    > > gone through our Trustworthy Computing security review cycle: Windows
    > > Server 2003, the next versions of SQL and Exchange Servers, and
    > > Office 11.
    > >
    > > Looking ahead, we are working on a new hardware/software architecture
    > > for the Windows PC platform (initially codenamed "Palladium"), which
    > > will significantly enhance the integrity, privacy and data security
    > > of computer systems by eliminating many "weak links." For example,
    > > today anyone can look into a graphics card's memory, which is
    > > obviously not good if the memory contains a user's banking
    > > transactions or other sensitive information. Part of the focus of
    > > this initiative is to provide "curtained" memory - pages of memory
    > > that are walled off from other applications and even the operating
    > > system to prevent surreptitious observation - as well as the ability
    > > to provide security along the path from keyboard to monitor. This
    > > technology will also attest to the reliability of data, and provide
    > > sealed storage, so
    >
    === message truncated ===

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


