Re: [Full-Disclosure] Microsoft Cries Wolf ( again )
From: Ron DuFresne (dufresne_at_winternet.com)
To: Peter Busser <email@example.com>
Date: Sun, 13 Jul 2003 00:30:59 -0500 (CDT)
On Fri, 4 Jul 2003, Peter Busser wrote:
> > My impression is that until the
> > vendors step up to the plate with a better commitment to responsible
> > release of products, they will find that the research community continues
> > to eye them with focused suspicion and outright cynical spite.
> Well, why should vendors do that? In fact, if you look at Microsoft's profit,
> I would say it is rewarded for not doing this. Vendors simply supply the kind
> of products people want. Apparently people love insecure programs. So that is
> what they get.
> The only way to change that is either vote with your dollars and euros or to
> take the vendor to court and demand compensation for the damages caused by
> badly designed or buggy software. Neither really happens, so what incentive is
> there for companies to change?
But, then just the week following my posting, Dell comes out stating they
are stepping up to the call and committing to locking down the major OS
shipped on their boxes:
Subject: SANS NewsBites Vol. 5 Num. 27
Dell's announcement this morning that it has begun delivering a new
hardened configuration of Windows 2000 is a defining moment in the
ongoing quest to make security less expensive and more effective. Dell
has proven that vendors can take the initial security configuration load
off of users and that there are standards that vendors can use (from
the Center for Internet Security -www.cisecurity.org) if they want to
deliver safer systems. Users no longer have to settle for wide-open,
unsafe configurations. It may soon be perceived as unwise to order a
system configured unsafely when vendors are delivering safe
configurations. If you want to buy systems from other vendors, it is
now acceptable to require in your specifications that they deliver those
systems configured safely. You'll find the Dell announcement at end of
--The Dell Announcement
DELL OFFERS MORE SECURE DESKTOP AND NOTEBOOK COMPUTERS
ROUND ROCK, Texas, July 9, 2003-Dell is helping customers better protect
their information assets from unauthorized access, control or damage by
giving them the option of a more secure or "hardened" configuration.
The new security service, in which Dell activates more than 50 security
settings on Microsoft Windows 2000, helps customers better secure their
systems without adding time nor complexity to their system
This service, available on desktops and notebooks, helps public and
private organizations meet a security benchmark established by the
Center for Internet Security (CIS), whose mission is to help
organizations around the world effectively manage risks related to
information security. CIS is made up of leading companies, universities,
auditing organizations and government agencies.
"Dell is taking a leadership position in providing secure systems to
its customers," said Clint Kreitner, president of CIS. "We hope other
vendors will follow Dell's lead." Dell intends to develop a similar
offering for Windows XP after the benchmark is released by CIS later
"Protecting data from dangers such as hackers and computer viruses is
a challenge for today's organizations," said Tom Buchsbaum, sales vice
president of Dell's federal sector. "Dell is committed to providing our
customers with technology products that provide a high level of
security, and our work with CIS builds on that commitment."
For more information on Dell's security-enabled hardware and security
services, visit www.dell.com/security.
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Full-Disclosure - We believe in it.