Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

From: Geoincidents (geoincidents_at_getinfo.org)
Date: 11/02/03

    To: "Full Disclosure" <full-disclosure@lists.netsys.com>
    Date: Sun, 2 Nov 2003 14:05:36 -0500
    
    

    ----- Original Message -----
    From: "Matthew Murphy" <mattmurphy@kc.rr.com>

    > Even though MS, by the time you factor in the large number of components
    > they ship, has had many times fewer patch releases than competing Linux
    > distributions?

    Microsoft has been playing a game where they hide exploits then release
    patches that address multiple vulnerabilities with a single patch. This is
    why you see "less" patches. If you count vulns instead of "patches" you'll
    see the game they are playing.

    > 2. Sendmail v. Exchange

    Why don't you try Exchange vs NTmail? How many exploits has NTmail had in
    the last 5 years, let alone this year (I was the guy publishing the NTmail
    exploits so I've got some idea)? How many have been root level exploits
    (zero)? Sendmail is a hole; you pick the absolute worst unix mail server to
    compare to Exchange? Why not compare it to the best? (anything but sendmail)

    > 3. Apache v. IIS

    Fair enough, no complaints with that comparison. You might also compare BIND
    to Microsoft DNS; Microsoft's has a much, much better security record.
    (Stuwart Kwan, product manager for W2K's DNS, knew security when he managed
    that project.)

    > That would be the policy that all networks should use -- firewalling.

    Firewalling is an excuse for not closing ports. The only time firewalling is
    used where it's not an excuse is when you limit certain public IP addresses
    so that they have access while the rest of the world doesn't.

    > Funny
    > that the same practices, even on an unpatched Windows XP system, would have
    > been sufficient at blocking the worm. As long as port 135 the related
    > NetBIOS services (137, 139, 445, 593, etc.) were blocked, this worm would
    > not make it in.

    If the ports are blocked, why are they open at all? What good are blocked
    ports? Is there some reason everyone should have to run MORE software to
    disable other software? Isn't that sort of like letting the worm run on a
    computer but blocking its outbound access instead of disinfecting the
    machine?

    > I am ignoring your "quality of software" argument, because it is simply
    > moot. There is little difference in quality of software,

    I might agree on strict definition of quality, but default settings are also
    part of the software and could easily be considered a "quality" issue. The
    best security system in the world is useless if an anonymous user can
    execute code because scripting is available to anyone who sends you an
    email. DEFAULTS ARE CRITICAL.

    A really simple change MS could make that would instantly make ALL their
    software more secure (not secure, but more secure than it is): have it
    install to random paths. So instead of everyone knowing right where the
    directories are, each program would install to a randomly named directory like
    /program files/program88475 where the number is random. Now things like
    CodeRed would have failed along with dozens of other exploits that rely on
    knowing the path. So simple, yet this thought has escaped MS thus far.

    Geo. (I agree with most of your other points.)

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
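An added example, not part of the post or the thread, of the audit Geo's argument implies: given a listing of listening sockets and inbound firewall rules, it flags services that are merely masked by a block-from-anywhere rule (candidates to disable outright) while leaving alone ports that are allowed only from specific addresses, the legitimate use of firewalling the post describes. The line formats, the port/service list and the 192.0.2.0/24 exception are all constructed for this example and are not the output of any real tool.

```python
"""Audit listening services against inbound firewall rules (added example)."""
import re

# Constructed listing of listening sockets: "<proto>:<port> <service>".
LISTENING = """\
tcp:135 rpc-epmap
tcp:139 netbios-ssn
tcp:445 microsoft-ds
tcp:593 http-rpc-epmap
tcp:80 http
udp:137 netbios-ns
"""

# Constructed inbound rule set: "<block|allow> <proto>:<port> from <cidr|any>".
# 445 is blocked from the world but allowed from one constructed range, which is
# the "limit certain public IP addresses" case the post accepts as legitimate.
FIREWALL = """\
block tcp:135 from any
block tcp:139 from any
block tcp:445 from any
allow tcp:445 from 192.0.2.0/24
block tcp:593 from any
block udp:137 from any
allow tcp:80 from any
"""

RULE_RE = re.compile(r"^(block|allow)\s+(tcp|udp):(\d+)\s+from\s+(\S+)$")


def parse_listening(text):
    """Return {(proto, port): service} for each listening socket line."""
    sockets = {}
    for line in text.splitlines():
        endpoint, service = line.split()
        proto, port = endpoint.split(":")
        sockets[(proto, int(port))] = service
    return sockets


def parse_rules(text):
    """Return [(action, proto, port, source)] for each well-formed rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than guessed at
            action, proto, port, src = m.groups()
            rules.append((action, proto, int(port), src))
    return rules


def masked_services(listening, rules):
    """Listening sockets blocked from everywhere with no allow rule at all.

    These are the "blocked but open" ports: the service still runs and the
    firewall only hides it, so disabling the service is the stronger fix.
    A port that also has an allow from a specific source is deliberate
    access restriction, not masking, and is not reported."""
    blocked_any = {(p, n) for a, p, n, s in rules if a == "block" and s == "any"}
    allowed = {(p, n) for a, p, n, _ in rules if a == "allow"}
    return sorted((p, n, svc) for (p, n), svc in listening.items()
                  if (p, n) in blocked_any and (p, n) not in allowed)


def report():
    return masked_services(parse_listening(LISTENING), parse_rules(FIREWALL))
```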

