Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

From: William Warren (hescominsoon_at_adelphia.net)
Date: 11/02/03

  • Next message: William Warren: "Re: [Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2"
    To: "Beaty, Bryan" <Bryan.Beaty@vector.com>, full-disclosure@lists.netsys.com
    Date: Sun, 02 Nov 2003 08:17:00 -0500
    
    

    Beaty, Bryan wrote:

    > Correct me if I am wrong but...
    >
    > I believe every worm listed below could have been prevented had everyone
    > patched their systems.
    The Blaster worm preceded the patch, so this argument is DOA.
    >
    > I would like the security community to take more responsibility for
    > their own (in)actions. If you were hit by Blaster then you failed to
    > enforce a good patch management policy. Who's fault is that? Patch
    > management is boring and so we often ignore it. Hackers and worms simply
    > take advantage of our laziness. I guess blaster could be a form of
    > social engineering. "I know admins don't patch so I can write a worm and
    > kill the world."
    See note above.
    >
    > There is no such thing as perfect code. If you want a completely secure
    > system you can buy them but they are unbelievably expensive. If you have
    > a business justification for something that secure then buy it.
    > Otherwise you have to live with what you can get from Linux, UNIX, or
    > even Microsoft.
    >
    > Microsoft has at least come out with some very good patch management
    > systems lately (SUS) and they are free. Red Hat charges me a yearly fee
    > for their RHN.
    You do not have to pay for RHN to get Red Hat patches. I ran RH9 for a bit
    on this notebook (had vid issues with all distros here) and was able to
    get all updates without subscribing to RHN. MS has no choice but to come
    out with free patching tools because of the huge number of patches for
    all MS products. I run Astaro Security Linux here at the house. Blaster
    and its ilk got killed at my then cable modem and never made it in. I
    have NetBIOS blocked incoming and outgoing, and all e-mail is scanned at
    the firewall with all executable attachments being blocked. However, it
    is funny that MS wants to make automated patch downloading mandatory when on
    every machine here the automatic Windows Update did not catch wind of
    new patches available on WU until sometimes 7 days after their release on
    WU. MS has a long way to go on their patching, both in terms of quality
    of software and patches and delivery.
    >
    > I believe the #1 security threat today is poor patch management. Is that
    > Microsoft's fault?
    >
    > --> I am off of my soap box now.
    The number one security threat today is exploits that target a weak
    security model, to a degree that exploits can be so easily 0-day released
    without anyone knowing. Also, even with all patches, right now IE (and
    therefore Windows) is still subject to remote download and installation
    of programs without user notification (this is widely known; just Google
    for it).
    >
    > Bryan Beaty
    >
    > -----Original Message-----
    > From: Exibar [mailto:exibar@thelair.com]
    > Sent: Friday, October 31, 2003 1:40 PM
    > To: Jeremiah Cornelius; full-disclosure@lists.netsys.com
    > Subject: Re: [Full-Disclosure] Gates: 'You don't need perfect code' for
    > good security
    >
    >
    > What an idiot....
    >
    > Take the loveletter worm, when it was first released even if you had
    > a 100% up to date AntiVirus software program, you would still get hit
    > within the first 8 hours.... slammer, blaster, etc all the same thing. They
    > took advantage of holes in the OPERATING SYSTEM!!!!
    >
    > Yes we have ways of updating our VirusSoftware that works very very
    > well, McAfee has E-Policy Orchestrator, which I swear by.
    >
    > I'm not going to go on, but if Windows was as secure as Bill Gates and
    > company says it is, why was blaster, slammer, codered etc even an issue?
    >
    > Exibar
    >
    >
    > ----- Original Message -----
    > From: "Jeremiah Cornelius" <jeremiah@nur.net>
    > To: <full-disclosure@lists.netsys.com>
    > Sent: Friday, October 31, 2003 1:32 PM
    > Subject: [Full-Disclosure] Gates: 'You don't need perfect code' for good
    > security
    >
    >
    >
    >>-----BEGIN PGP SIGNED MESSAGE-----
    >>Hash: SHA1
    >>
    >>FLAME ON!
    >>
    >>http://www.itbusiness.ca/index.asp?theaction=61&sid=53897
    >>
    >>"But there are two other techniques: one is called firewalling and the
    >>other is called keeping the software up to date. None of these problems
    >>(viruses and worms) happened to people who did either one of those
    >>things. If you had your firewall set up the right way - and when I say
    >>firewall I include scanning e-mail and scanning file transfer -- you
    >>wouldn't have had a problem. But did we have the tools that made that
    >>easy and automatic and that you could really audit that you had done
    >>it? No. Microsoft in particular and the industry in general didn't
    >>have it."
    >>
    >>"The second is just the updating thing. Anybody who kept their software
    >>up to date didn't run into any of those problems, because the fixes
    >>preceded the exploit. Now the times between when the vulnerability was
    >>published and when somebody has exploited it, those have been going
    >>down, but in every case at this stage we've had the fix out before the
    >>exploit. So next is making it easy to do the updating, not for general
    >>features but just for the very few critical security things, and then
    >>reducing the size of those patches, and reducing the frequency of the
    >>patches, which gets you back to the code quality issues. We have to
    >>bring these things to bear, and the very dramatic things that we can do
    >>in the short term have to do with the firewalls and the updating
    >>infrastructure. "
    >>-----BEGIN PGP SIGNATURE-----
    >>Version: GnuPG v1.2.3 (GNU/Linux)
    >>
    >>iD8DBQE/oqq3Ji2cv3XsiSARAlkdAJ0aGkBViYkoE193iZycTmQZohzwbQCg1KDA
    >>SjPLY1EEzamQCtIGKwJT1Vk=
    >>=mIsY
    >>-----END PGP SIGNATURE-----
    >>
    >>_______________________________________________
    >>Full-Disclosure - We believe in it.
    >>Charter: http://lists.netsys.com/full-disclosure-charter.html

    -- 
    May God Bless you and everything you touch.
    My "foundation" verse:
    Isaiah 54:17 No weapon that is formed against thee shall prosper; and 
    every tongue that shall rise against thee in judgment thou shalt 
    condemn. This is the heritage of the servants of the LORD, and their 
    righteousness is of me, saith the LORD.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
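The message above describes a gateway that scans e-mail and drops executable attachments, which is also the "firewall" Gates' quote has in mind. The following is an added example of that check, not code from this post or from Astaro; the block-list of extensions, the sample message and the `scan_message` / `blocked_by_name` / `looks_like_pe` names are all constructed for illustration. It goes one step past a pure extension filter by also rejecting payloads that carry a Windows "MZ" executable header under a harmless-looking filename, and it catches double extensions of the LoveLetter `.TXT.vbs` kind.

```python
"""Mail-gateway attachment filter: added example, not the post's own code.
Parses a raw RFC 822 message and reports attachments that policy would block.
The extension list and the sample message are constructed for illustration."""
import email
from email import policy
from email.message import EmailMessage

# Extensions treated as executable content (constructed policy list, not
# a vendor's default).
BLOCKED_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "wsf", "hta",
}


def blocked_by_name(filename: str) -> bool:
    """True if *any* extension in the name is on the block list, so that a
    double-extension name such as 'LOVE-LETTER-FOR-YOU.TXT.vbs' is caught."""
    parts = filename.lower().split(".")
    return any(p in BLOCKED_EXTENSIONS for p in parts[1:])


def looks_like_pe(data: bytes) -> bool:
    """True if the decoded payload starts with the 'MZ' DOS/PE header,
    i.e. it is a Windows executable whatever the filename claims."""
    return data[:2] == b"MZ"


def scan_message(raw: bytes) -> list:
    """Return one (filename, reason) tuple per attachment that would be
    blocked; an empty list means the message passes the filter."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                      # container, not content
        filename = part.get_filename()
        if not filename:
            continue                      # inline body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        if blocked_by_name(filename):
            findings.append((filename, "blocked extension"))
        elif looks_like_pe(payload):
            findings.append((filename, "executable content despite benign name"))
    return findings


def build_sample() -> bytes:
    """Constructed sample message: one harmless text attachment, one
    double-extension script, one PE file disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "admin@example.invalid"
    msg["Subject"] = "quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment("just text", filename="notes.txt")
    msg.add_attachment(b"WScript.Echo 1", maintype="application",
                       subtype="octet-stream", filename="REPORT.TXT.vbs")
    # 'MZ' header followed by padding stands in for a real executable.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"BLOCK {name}: {reason}")
```

Checking the decoded bytes as well as the declared name is the point: a name-only filter is exactly what a renamed executable slips past, while a content check still lets genuine `.txt` attachments through.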
    
