Subject: Re: FW: RFP2K03: Contemplations on dvwssr.dll and how it affects life
From: Paul L Schmehl (pauls@UTDALLAS.EDU)
Date: Fri Apr 21 2000 - 11:39:27 CDT
- Next message: Todd Sabin: "Re: CMD.EXE overflow (CISADV000420)"
- Previous message: Steve: "FW: RFP2K03: Contemplations on dvwssr.dll and how it affects life"
- In reply to: Steve: "FW: RFP2K03: Contemplations on dvwssr.dll and how it affects life"
- Next in thread: eEye Digital Security: "Re: FW: RFP2K03: Contemplations on dvwssr.dll and how it affects life"
- Reply: Paul L Schmehl: "Re: FW: RFP2K03: Contemplations on dvwssr.dll and how it affects life"
- Reply: eEye Digital Security: "Re: FW: RFP2K03: Contemplations on dvwssr.dll and how it affects life"
- Reply: Greg Small: "Re: FW: RFP2K03: Contemplations on dvwssr.dll and how it affects life"
I can't believe I read the whole thing!
Based on rfp's analysis of events (and information I had knowledge of
previously), I believe the entire blame for this fiasco can be placed at
the feet of Steve Lipner, who, in his interview with Ted Bridis, is quoted
as saying, "[Lipner] acknowledged the online-security risk in an interview
Thursday and described such a backdoor password as 'absolutely against our
policy' and a firing offense for the as-yet-unidentified employees."
Obviously, this statement acknowledges "facts" which don't exist. There
never was a "backdoor password" in dvwssr.dll. Were I in Russ Cooper's
shoes, and Bridis called me to comment on a story that was "confirmed" by
Lipner, I would naturally assume it must be true, since an official MS
spokesman had confirmed it to the press. If it were not true, why on earth
would Microsoft admit to the charge?
At that point, all Russ is doing is providing expert opinion regarding the
risks associated with an already confirmed vulnerability. Russ could
perhaps be chastised for not confirming the story with Lipner himself, but
had he contacted Lipner for verification, why would Lipner have told him
anything different? He obviously had enough confidence in his "facts" to
release them to the press.
The sad fact is that the true story, YABO (yet another buffer overflow) in
an MS product, will get no press whatsoever, now that everyone has been
convinced the entire thing was a false alarm and "blown out of all
proportion" by the press.
Microsoft completely blew this one, and in the process, contributed to the
increased misunderstanding of the general public regarding the true risks
of poor software engineering and closed source code.
Paul L. Schmehl, pauls@utdallas.edu
Technical Support Services Manager
The University of Texas at Dallas