Re: What I would like the MS IIS Lockdown tool todo
From: Thor@HammerofGod.comDate: 08/29/01
- Previous message: H C: "Re: Audit Tools"
- In reply to: akomolafe: "Re: What I would like the MS IIS Lockdown tool todo"
- Next in thread: Thor@HammerofGod.com: "Re: What I would like the MS IIS Lockdown tool todo"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Thor@HammerofGod.com To: deji@prontomail.com Message-ID: <056e01c130c0$dcb68dd0$af05a8c0@anchorsign.com> Subject: Re: What I would like the MS IIS Lockdown tool todo Date: Wed, 29 Aug 2001 12:28:42 -0700
>Thor, usually you are good, on-the-point, and well-respected (at least, by
>me).
Thanks for the ego boost! I'll elaborate a bit...
>
> That is my beef. Hope you understand.
>
> Deji
I absolutely understand, and agree! We get on a slipper slope here;
Hopefully I can accurately explain what I think the general issue is:
(Please note that this is from my observation and discussions with different
parties involved - it may be completely wrong.)
MS Dev and MS Security are two different entities. Though security issues
are taken into account during development, I don't think it is an integral
part of it. I think it is something that is considered after the
functionality goals are met... Sometimes, this means that the Security guys
don't even get to see stuff until after that fact. This makes it very
difficult (from a security perspective) because of the exact reasons you
state... Things must then be 'fixed' after the fact, and it is very
difficult to do sometimes. I think the security issues that exist now and
the general perception of MS products (in regard to security) attest to
that.
If I were to draw an analogy, I would probably state it like this: Honda
makes cars. People buy cars so that they can drive around. People buy new
cars because they want new cool things, gadgets, bells and whistles, so
Honda starts putting more stuff like that into the car.
People want to go fast,
and want to blast the stereo while going fast, so Honda makes all that
possible. This is great, and sells cars. However, the security guys at
Honda say, "Um, this car can go really fast... What happens if the driver
slams the car into reverse while going 100mph? And putting the shifter in
the middle like this means that the passenger can do it without the driver's
consent! And these locks suck... Any lockpicker worth his salt can get in
15 seconds. We should put safe-guards on the transmission, or put in a
control that only the driver can set, and get better locks.. " Honda
developers would probably say, "Oh, then they just need to drive slowly.
Besides, all the cars are already made and out there, so it is too late.
And stolen cars are part of the risk of owning one. Why don't you make some
fix for that so that the people who really care about it can apply the fix."
Of course, the only fix may be a big steel guard you have to put around the
shifter, which frustrates the people who indeed care about the issue and
really isn't a good way to do it anyway- it might also cause security issues
of its own. At the same time, the majority of people are out there drinking
and driving, indicating that they don't really give a damn in the first
place, making the road a dangerous place for the rest of us. {exhale}.
Some people would say the manufacturing is flawed. Some would say the
security people don't have enough power or don't have good solutions. Some
would say the driver is stupid for driving fast, and should always wear a
seatbelt anyway. Others say "take the bus." Personally, I don't think
anything will change until security becomes an integral, mandatory, baseline
component in the development of the products: provide secure functions- not
security solutions for insecure functions after the fact.
I know the analogy is not perfect (and I always get flamed in some way for
my analogies anyway...) but it does illustrate what I believe part of the
problem is...
That is why I say that this tool, like other security tools, is a good step
in the right direction, and that it does not exist solely for marketing and
that it does indeed make a difference to many people out there. I think we
should support its development in a positive way, and give MS incentive to
make it better. The same with HFNetCheck - the same with MPSA.
Some people say "too little too late," but that does not solve anything,
does it? It does not make our security problems go away. Commitment and
Action makes them go away.
(OK... That's about enough... I feel like I am running for office... Sorry
for the long response.)
Thanks, Deji...
AD
- Previous message: H C: "Re: Audit Tools"
- In reply to: akomolafe: "Re: What I would like the MS IIS Lockdown tool todo"
- Next in thread: Thor@HammerofGod.com: "Re: What I would like the MS IIS Lockdown tool todo"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
