Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Henry Sieff (hsiefforthodon.com)
Date: Fri Apr 12 2002 - 13:43:04 CDT
[MODERATOR: if this post doesn't make it through, I will understand
why. I think the thread has pretty much run its course. But, far be it
for me not to jump on the pile]
> -----Original Message-----
> From: Steve McAlexander [mailto:invictussbcglobal.net]
> Sent: Friday, April 12, 2002 11:33 AM
> To: Ogle Ron (Rennes); 'Bourque Daniel'; focus-mssecurityfocus.com
> Subject: Re: MBSA and MS's attempts at "security"
> From the past history of MS and their workarounds and patches for
> security problems they create i cannot see how what they are
> doing will in
> the end make us all more secure and make for better software design.
FWIW, MS doesn't intentionally create security problems. What they
don't do (and what almost no other commercial vendor or OS writers do)
is build security in from the ground up. Ya want that, then get
yerself a copy of OpenBSD (http://www.openbsd.com/) or (if you want to
go heavy) a trusted OS
(http://rr.sans.org/securitybasics/trusted_OS.php). Unless you use
something like that, welcome to patchland.
> I guess we are all so heavily sedated or well conditioned to
> just accept
> this crap from them. Best Practices would dictate that MS
> start off first
> with properly designed and secured OS'es before selling and
> marketing them.
> MS makes the unsafe equalivent of the Ford Pinto that has the
> fatal fuel
> tank flaw where it can burst into flames....
For starters, its not a question of "accepting crap". MS products
often come with flaws, that is true. More often than not, best
practices published by MS will tell you not to enable services you
don't use. Hence, I didn't have certain notorious ISAPI extensions
enabled on my web servers. As a consequence, CodeRed was more of an
annoyance (I had to tweak my IDS so it wouldn't log attempts anymore)
then a threat to me.
You shouldn't deploy ANY OS in production without first going over it
with a fine tooth comb and stripping out things you don't need, pure
If, by design, you are talking about OS's which are built from the
ground up with security in mind, see above. They are out there, but
always keep in mind the security vs. functionality paradigm (which is
an over-simplification, but I wonder how happy everyone complaining
about MS's security would be when they discovered they couldn't launch
ftp sessions from their locked down box because their OS wouldn'e let
them would be).
> GOD help us all though if Congress legislates supervised
> design by them....
> if that happen i'm going to find something else to do and
> throw away my
> computer and cell phone. Congress tells the automotive
> company today how to
> build cars and that alone caost that industry a fortune and
> if it happens
> within IT.......FORGET ABOUT IT!
Congress isn't going to do it. Not in a million years. Why? Because it
IS possible to adequately secure MS products (despite what certain
Gartner group analysts might say.) The pinto was impossible to secure.
I can guarrantee you that the overwhelming majority of compromised
boxes last year were compromised via holes that were at least 2 months
old, holes for which patches already existed.
And the answer isn't automatically patching your systems for you. To
some extent, making it easier to identify missing patches and
installing new patches will help. But the single most important thing
is for admins to stay educated. Read ALL of
http://www.microsoft.com/security. Everything. Follow the best
practices checklists which MS provides, religiously.
> We need to get off of our asses and just face it MS will
> continue to do what
> best for them like the govt behaves or we can take matters
> into our own
> hands and create better software and send Bill Gates home
People are already doing that: linux, FreeBSD, OpenBSD, etc. But Bill
G. isn't going to go home, and have you looked at the name of the
mailing list you are on lately? This ain't comp.os.linux.advocacy,
after all (where your comments would meet with almost universal
praise, but where they might ask you to write some of the kernel,
But Windows (in some form or another) is here to stay. Is MS perfect?
Hell, no. Far from it, and I don't really buy their new "security"
focus, but I am not so foolish as to think that somebody is going to
beat them into becoming perfect overnight. The best me, you, or any
other security-minded user or admin can do is to continue to educate
ourselves about the problems out there and how to protect against
them. Most of the time, vulnerabilities are mitigated if you follow
best practices. And, the next time a your regional sales rep calls you
about upgrading to the latest version of their OS, say: "Boy, I want
to, but you know, in my experience its best to wait until SP3 so you
guys can work out some of the issues." ;).
Anyways, my $.02.
-- Henry Sieff