RE: [Full-Disclosure] Microsoft prepares security assault on Linux

From: Jim Harrison (ISA) (
Date: 11/12/03

  • Next message: David Maynor: "Re: [Full-Disclosure] why commcerical software *could* be better"
    To: <>, <>
    Date: Wed, 12 Nov 2003 13:43:43 -0800

    Having followed your link to the "book written under contract", it's
    immediately clear why it was never published.

    I won't get into a debate about your assertions; just a reminder that
    how you choose to express yourself is at least as important as what you
    have to say.

    * Jim Harrison
    MCP(NT4/2K), A+, Network+
    Security Business Unit (ISA SE)

    "I used to hate writing assignments, but now I enjoy them.
    I realized that the purpose of writing is to inflate weak ideas,
    obscure poor reasoning, and inhibit clarity.
    With a little practice, writing can be an intimidating and
    impenetrable fog!"

    -----Original Message-----
    From: Jason Coombs []
    Sent: Wednesday, November 12, 2003 12:08
    Cc: 'Helmut Hauser';;;
    Subject: Re: [Full-Disclosure] Microsoft prepares security assault on

    I wrote an information security book last year under contract with
    Microsoft Press. The book was never published -- among other things it
    explains truthfully the poor security condition of Windows and offers
    detailed instructions and advice for defending against Microsoft's bad
    business practices and incorrect security decisions. URLs for the free
    electronic book are:


    (Raw Text/PNG Graphics --> safer!)

    The security awareness for Windows communicated by my book would have
    enabled people to avoid intrusions, infections, damage, and down time
    from MS Blaster, SQL Slammer/Sapphire, and many of this year's other
    threats. It would also have helped to educate developers of Web
    applications so that fewer new vulnerabilities would have been created.

    A few of the specific warnings provided by my book include:

    * FrontPage Server Extensions are badly flawed from a security
    perspective and should never be used.

    * Ports open by default (RPC/DCOM/SMB/Messenger/Workstation Service/etc)

    will be found to expose remote exploitable buffer overflow
    vulnerabilities and therefore must be protected and closed at all costs.

    * Don't use/rely on Microsoft Baseline Security Analyzer because it
    intentionally ignores known vulnerabilities in order to more often
    report a happy "you're all patched" message to the admin.

    * Internet Information Services cannot be trusted out of the box but
    instead must be carefully security hardened beyond anything that
    Microsoft normally recommends, and many IIS features must be disabled in

    order to achieve a trustworthy subset of Microsoft software.

    * ... more ...

    If Microsoft intends to launch a PR/advertising campaign against Linux,
    perhaps it would take a moment out of its busy schedule to explain why
    it won't publish a book that tells the truth and provides warnings in
    advance that the only way to safely operate a Windows computer is to
    subscribe to infosec mailing lists such as bugtraq and full-disclosure
    in order to remain constantly aware of the real-world condition and
    capabilities of attackers?

    Microsoft suppresses awareness of vulnerabilities in order to profit.

    The only way to achieve security in computing is through awareness.

    Therefore, Microsoft's profits cause additional insecurity. Go figure.


    Jason Coombs

    Full-Disclosure - We believe in it.

  • Next message: David Maynor: "Re: [Full-Disclosure] why commcerical software *could* be better"

    Relevant Pages