Re: Microsoft finally acknowledges the security drumbeats

From: Ken Ashe (kashe@rahul.net)
Date: 02/11/02

In article <lkC98.36798$GJ2.1000552650@newssvr12.news.prodigy.com>,
alun@texis.com says...
>
>In article <tex98.18755$TI3.178889@typhoon.sonic.net>, Roger Marquis
><not-for-mail@roble.com> wrote:
>>It does, however, further illustrate microsoft's approach to security.
>>By granting themselves remote root-access to your system and
>>write-access to your hard drive, at any time and for any reason (that
>>they can remotely justify), they've created yet another fundamental
>>security vulnerability.
>
>It seems to me, from your quote, that this is language in a licence agreement,
>not a technical description of functioning program elements. Microsoft have
>previously claimed many rights and abilities in their licence agreements that
>are not enacted in the software.
>
>Since we're all familiar with attempts to produce automated updates being a
>security issue, perhaps you could simply wait until such time as the automated
>updates are a reality, rather than a lawyer's wet-dream, in order to sound the
>clarion call to arms?
>

        So you're of the opinion that we should wait for this to become a fait
accompli rather than object strenuously and early, thereby giving MS an
opportunity to point out that it's been policy for some time without objection?

        For another example of MS FUD-mongering (for once, not directed at
competitors) see
<http://www.infoworld.com/articles/op/xml/01/10/01/011001opfoster.xml> which
describes their policy of presenting different forms of EULAs for the same
product in different places and admitting, upon questioning, that "I agree that
we could certainly make that clearer, and I think we will. But there is nothing
in FrontPage or its EULA that limits free speech."

        Then consider the third-last paragraph which reads, "When Microsoft
included a term prohibiting disclosure of benchmarks without its permission in
the SQL Server license, it's pretty certain the intent was not to prevent
people from publishing benchmarks comparing Windows 2000 performance to Windows
NT. But that's exactly how it was used to block an independent lab from
releasing results of an OS comparison that used SQL Server as part of the test
bed (see The Gripe Line
<http://www.infoworld.com/articles/op/xml/01/04/16/010416opfoster.xml> ). If
SQL Server's license could be applied in that situation, the FrontPage EULA
could be used to limit free speech at least as easily."

        Based on the overreaching described in the above situations, I think
any grant of wait-until-we-see-how-it-plays-out is simply playing into MS's
hands.
