RE: MBSA and MS's attempts at "security"

From: Adam Smith (eviladamsmith@yahoo.com)
Date: 04/10/02


Date: Wed, 10 Apr 2002 14:55:03 -0700 (PDT)
From: Adam Smith <eviladamsmith@yahoo.com>
To: focus-ms@securityfocus.com

Jack's response is completely non sequitur. If the
lock has design flaws then the person choosing the
lock is hardly to blame for said flaws. Currently,
whatever "Microsoft Solution" you pick you're going to
spend a significant amount of time patching it, etc.
Spouting bad Security 101 analogies is hardly useful -
I think everyone on this list should know that
different information assets need different levels of
protection. duh.

--- Jack Lyons <jack.lyons@martinagency.com> wrote:
> I agree with most of your statements, but try
> removing Microsoft and even IT
> related details.
>
> I have a lock in my door. The lock keeps the average
> shmuck from easily
> getting into my house. It isn't going to stop a
> locksmith/criminal from
> getting in if they know the lock and its
> vulnerabilities. Have you ever
> seen a locksmith get into a safe to which the
> combination had been
> forgotten? It took him about an hour...most of it
> was verifying that he had
> permission to open the safe.
>
> I am not going to use the same lock on my house as I
> would on my vault of
> gold. The worth of the material inside the vault
> should govern what type of
> lock you use.
>
> My $.02
>
> -----Original Message-----
> From: Damien Adams [mailto:dadams@scientech.com]
> Sent: Wednesday, April 10, 2002 1:16 PM
> To: H C; focus-ms@securityfocus.com
> Subject: RE: MBSA and MS's attempts at "security"
>
>
> ***---SNIP---***
> >
> >Rather than coming up with ways to further inundate MS
> >admins with information, MS should be focusing on more
> >pressing issues, such as:
> >
> >1. Some way of making patch and SP roll-outs more
> >painless.
> >
> ***---SNIP---***
>
> I sat in on Microsoft's HFNetChk WebCast yesterday
> and asked the webcast
> leaders if Microsoft planned on coming out with
> anything like HFNetChk Pro
> but without a cost for their current customers. My
> question was never
> directly answered and I don't know if anyone else's
> was either. The Q/A was
> more of one of the moderators taking all the
> questions that were put in and
> summarizing with his own question to another of the
> moderators. To answer a
> self posed question concerning a GUI interface for
> HFNetChk, attendees were
> pointed towards Shavlik's HFNetChk Pro. As for patch
> roll-out, attendees
> were told that Microsoft is working on new features
> for SMS. Microsoft
> Corporate Update Server was mentioned (which we were
> all told would be
> around May when they first mentioned it last
> year) and one of the moderators
> said to expect it around May until another one cut
> him off and wouldn't give
> even an approximate time frame.
>
> For Microsoft to suggest that users should pay for
> tools to fix problems in
> their software is insulting. Now that Microsoft is
> pushing security and is
> even going to venture into the security market will
> we have to pay for
> patches? The majority of the Microsoft security
> market right now exists
> because of holes in their software. For them to
> start selling additional
> software to protect you from their own mistakes is
> incredible. How does
> everyone else feel about this?
>
> Damien
