Re: [Full-Disclosure] FW: Security in a Connected World

From: Cesar (cesarc56@yahoo.com)
Date: 01/24/03

    From: Cesar <cesarc56@yahoo.com>
    To: full-disclosure@lists.netsys.com
    Date: Fri, 24 Jan 2003 09:24:00 -0800 (PST)
    

    I agree.

    Microsoft has made some small effort in improving
    security in its top products Windows, Office, SQL
    Server, etc. But if you take a look at other Microsoft
    products, in only 5 minutes you can find a lot of
    holes, believe me, try it. Why don't they improve
    security in non-top products? Because they only care
    where the money is.

    Cesar.

    --- Georgi Guninski <guninski@guninski.com> wrote:
    > For me this is pure marketing propaganda without any
    > confirmation from reality.
    > Just look at the number and severity of bugs - any
    > change after this hype?
    > From this I have the impression that if I buy newer
    > windozes, they will be more
    > secure, lol.
    > IMHO billyg is a luser and his marketing rants
    > should not be taken seriously.
    >
    > Georgi Guninski
    > http://www.guninski.com
    >
    > Richard M. Smith wrote:
    > > FYI:
    > >
    > > -----Original Message-----
    > > From: Bill Gates [mailto:BillGates@chairman.microsoft.com]
    > > Sent: Thursday, January 23, 2003 11:16 PM
    > > To: rms@computerbytesman.com
    > > Subject: Security in a Connected World
    > >
    > >
    > > Jan. 23, 2003
    > >
    > > As we increasingly rely on the Internet to communicate and conduct
    > > business, a secure computing platform has never been more important.
    > > Along with the vast benefits of increased connectivity, new security
    > > risks have emerged on a scale that few in our industry fully
    > > anticipated.
    > >
    > > As everyone who uses a computer knows, the confidentiality, integrity
    > > and availability of data and systems can be compromised in many ways,
    > > from hacker attacks to Internet-based worms. These security breaches
    > > carry significant costs. Although many companies do not detect or report
    > > attacks, the most recent computer crime and security survey performed by
    > > the Computer Security Institute and the Federal Bureau of Investigation
    > > totaled more than $455 million in quantified financial losses in the
    > > United States alone in 2001. Of those surveyed, 74 percent cited their
    > > Internet connection as a key point of attack.
    > >
    > > As a leader in the computing industry, Microsoft has a responsibility to
    > > help its customers address these concerns, so they no longer have to
    > > choose between security and usability. This is a long-term effort. As
    > > attacks on computer networks become more sophisticated, we must innovate
    > > in many areas - such as digital rights management, public key
    > > cryptology, multi-site authentication, and enhanced network and PC
    > > protection - to enable people to manage their information securely.
    > >
    > > A year ago, I challenged Microsoft's 50,000 employees to build a
    > > Trustworthy Computing environment for customers so that computing is as
    > > reliable as the electricity that powers our homes and businesses today.
    > > To meet Microsoft's goal of creating products that combine the best of
    > > innovation and predictability, we are focusing on four specific areas:
    > > security, privacy, reliability and business integrity. Over the past
    > > year, we have made significant progress on all these fronts. In
    > > particular, I'd like to report on the advances we've made and the
    > > challenges we still face in the security area. As a subscriber to
    > > Executive Emails from Microsoft, I hope you will find this information
    > > helpful.
    > >
    > > In order to realize the full potential of computers to advance
    > > e-commerce, enable new kinds of communication and enhance productivity,
    > > security will need to improve dramatically. Based on discussions with
    > > customers and our own internal reviews, it was clear that we needed to
    > > create a framework that would support the kind of innovation,
    > > state-of-the-art processes and cultural shifts necessary to make a
    > > fundamental advance in the security of our software products. In the
    > > past year we have created new product-design methodologies, coding
    > > practices, test procedures, security-incident handling and
    > > product-support processes that meet the objectives of this security
    > > framework:
    > >
    > > SECURE BY DESIGN: In early 2002 we took the unprecedented step of
    > > stopping the development work of 8,500 Windows engineers while the
    > > company conducted 10 weeks of intensive security training and analyzed
    > > the Windows code base. Although engineers receive formal academic
    > > training on developing security features, there is very little training
    > > available on how to write secure code. Every Windows engineer, plus
    > > several thousand engineers in other parts of the company, was given
    > > special training covering secure programming, testing techniques and
    > > threat modeling. The threat modeling process, rare in the software
    > > world, taught program managers, architects and testers to think like
    > > attackers. And indeed, fully one-half of all bugs identified during the
    > > Windows security push were found during threat analysis.
    > >
    > > We have also made important breakthroughs in minimizing the amount of
    > > security-related code in products that is vulnerable to attack, and in
    > > our ability to test large pieces of code more efficiently. Because
    > > testing is both time-consuming and costly, it's important that defects
    > > are detected as early as possible in the development cycle. To optimize
    > > which tests are run at what points in the design cycle, Microsoft has
    > > developed a system that prioritizes the application's given set of
    > > tests, based on what changes have been made to the program. The system
    > > is able to operate on large programs built from millions of lines of
    > > source code, and produce results within a few minutes, when previously
    > > it took hours or days.
    > >
    > > The scope of our security reviews represents an unprecedented level of
    > > effort for software manufacturers, and it's begun to pay off as
    > > vulnerabilities are eliminated through offerings like Windows XP Service
    > > Pack 1. We also put Visual Studio .NET through an incredibly vigorous
    > > design review, threat modeling and security push, and in the coming
    > > months we will be releasing other major products that have gone through
    > > our Trustworthy Computing security review cycle: Windows Server 2003,
    > > the next versions of SQL and Exchange Servers, and Office 11.
    > >
    > > Looking ahead, we are working on a new hardware/software architecture
    > > for the Windows PC platform (initially codenamed "Palladium"), which
    > > will significantly enhance the integrity, privacy and data security of
    > > computer systems by eliminating many "weak links." For example, today
    > > anyone can look into a graphics card's memory, which is obviously not
    > > good if the memory contains a user's banking transactions or other
    > > sensitive information. Part of the focus of this initiative is to
    > > provide "curtained" memory - pages of memory that are walled off from
    > > other applications and even the operating system to prevent
    > > surreptitious observation - as well as the ability to provide security
    > > along the path from keyboard to monitor. This technology will also
    > > attest to the reliability of data, and provide sealed storage, so
    >
    === message truncated ===

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html