Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

From: Ron DuFresne (dufresne_at_winternet.com)
Date: 07/13/03

    To: Peter Busser <peter@trusteddebian.org>
    Date: Sun, 13 Jul 2003 00:30:59 -0500 (CDT)
    
    

    On Fri, 4 Jul 2003, Peter Busser wrote:

    > Hi!
    >
    > > My impression is that until the
    > > vendors step up to the plate with a better commitment to responsible
    > > release of products, they will find that the research community continues
    > > to eye them with focused suspicion and outright cynical spite.
    >
    > Well, why should vendors do that? In fact, if you look at Microsoft's profit,
    > I would say it is rewarded for not doing this. Vendors simply supply the kind
    > of products people want. Apparently people love insecure programs. So that is
    > what they get.
    >
    > The only way to change that is either vote with your dollars and euros or to
    > take the vendor to court and demand compensation for the damages caused by
    > badly designed or buggy software. Neither really happens, so what incentive is
    > there for companies to change?
    >

    But, then just the week following my posting, Dell comes out stating they
    are stepping up to the call and committing to locking down the major OS
    shipped on their boxes:

    <quote>
    Subject: SANS NewsBites Vol. 5 Num. 27

    Dell's announcement this morning that it has begun delivering a new
    hardened configuration of Windows 2000 is a defining moment in the
    ongoing quest to make security less expensive and more effective. Dell
    has proven that vendors can take the initial security configuration load
    off of users and that there are standards that vendors can use (from
    the Center for Internet Security - www.cisecurity.org) if they want to
    deliver safer systems. Users no longer have to settle for wide-open,
    unsafe configurations. It may soon be perceived as unwise to order a
    system configured unsafely when vendors are delivering safe
    configurations. If you want to buy systems from other vendors, it is
    now acceptable to require in your specifications that they deliver those
    systems configured safely. You'll find the Dell announcement at end of
    this issue.

                                         Alan

    ...

     --The Dell Announcement

    DELL OFFERS MORE SECURE DESKTOP AND NOTEBOOK COMPUTERS

    ROUND ROCK, Texas, July 9, 2003-Dell is helping customers better protect
    their information assets from unauthorized access, control or damage by
    giving them the option of a more secure or "hardened" configuration.

    The new security service, in which Dell activates more than 50 security
    settings on Microsoft Windows 2000, helps customers better secure their
    systems without adding time or complexity to their system
    installations.

    This service, available on desktops and notebooks, helps public and
    private organizations meet a security benchmark established by the
    Center for Internet Security (CIS), whose mission is to help
    organizations around the world effectively manage risks related to
    information security. CIS is made up of leading companies, universities,
    auditing organizations and government agencies.

    "Dell is taking a leadership position in providing secure systems to
    its customers," said Clint Kreitner, president of CIS. "We hope other
    vendors will follow Dell's lead." Dell intends to develop a similar
    offering for Windows XP after the benchmark is released by CIS later
    this year.

    "Protecting data from dangers such as hackers and computer viruses is
    a challenge for today's organizations," said Tom Buchsbaum, sales vice
    president of Dell's federal sector. "Dell is committed to providing our
    customers with technology products that provide a high level of
    security, and our work with CIS builds on that commitment."

    For more information on Dell's security-enabled hardware and security
    services, visit www.dell.com/security.

    </quote>

    Thanks,

    Ron DuFresne
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    "Cutting the space budget really restores my faith in humanity. It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation." -- Johnny Hart
            ***testing, only testing, and damn good at it too!***

    OK, so you're a Ph.D. Just don't touch anything.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


