Full Disclosure mailing list archives
Re: Gates: 'You don't need perfect code' for good security
From: William Warren <hescominsoon () adelphia net>
Date: Sun, 02 Nov 2003 08:17:00 -0500
Beaty, Bryan wrote:
> Correct me if I am wrong but... I believe every worm listed below could have been prevented had everyone patched their systems.

The Blaster worm preceded the patch, so this argument is DOA.

> I would like the security community to take more responsibility for their own (in)actions. If you were hit by Blaster then you failed to enforce a good patch management policy. Whose fault is that? Patch management is boring and so we often ignore it. Hackers and worms simply take advantage of our laziness. I guess Blaster could be a form of social engineering. "I know admins don't patch so I can write a worm and kill the world."

Note above.

> There is no such thing as perfect code. If you want a completely secure system you can buy them, but they are unbelievably expensive. If you have a business justification for something that secure then buy it. Otherwise you have to live with what you can get from Linux, UNIX, or even Microsoft. Microsoft has at least come out with some very good patch management systems lately (SUS) and they are free. Red Hat charges me a yearly fee for their RHN.

You do not have to pay for RHN to get Red Hat patches. I ran RH9 for a bit on this notebook (had vid issues with all distros here) and was able to get all updates without subbing to RHN. MS has no choice but to come out with free patching tools because of the huge amount of patches for all MS products. I run Astaro Security Linux here at the house; Blaster and its ilk got killed at my then cable modem and never made it in. I have NetBIOS blocked incoming and outgoing, and all e-mail is scanned at the firewall with all executable attachments being blocked. However, it is funny MS wants to make automated patch downloading mandatory when on every machine here the automatic Windows Update did not catch wind of new patches available on WU for sometimes after 7 days of the release on WU. MS has a long way to go on their patching, both in terms of quality of software and patches, and delivery.

> I believe the #1 security threat today is poor patch management. Is that Microsoft's fault? I am off of my soap box now.

The number one security threat today is exploits that target a weak security model to a degree that exploits can be so easily 0-day released without anyone knowing. Also, even with all patches right now IE (and therefore Windows) is still subject to remote download and installation of programs without user notification (this is widely known, just Google for it).
Bryan Beaty

-----Original Message-----
From: Exibar [mailto:exibar () thelair com]
Sent: Friday, October 31, 2003 1:40 PM
To: Jeremiah Cornelius; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Gates: 'You don't need perfect code' for good security

What an idiot.... Take the LoveLetter worm: when it was first released, even if you had a 100% up to date AntiVirus software program, you would still get hit within the first 8 hours.... Slammer, Blaster, etc., all the same thing. They took advantage of holes in the OPERATING SYSTEM!!!! Yes, we have ways of updating our virus software that work very very well; McAfee has ePolicy Orchestrator, which I swear by. I'm not going to go on, but if Windows was as secure as Bill Gates and company say it is, why were Blaster, Slammer, Code Red etc. even an issue?

Exibar

----- Original Message -----
From: "Jeremiah Cornelius" <jeremiah () nur net>
To: <full-disclosure () lists netsys com>
Sent: Friday, October 31, 2003 1:32 PM
Subject: [Full-disclosure] Gates: 'You don't need perfect code' for good security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FLAME ON!

http://www.itbusiness.ca/index.asp?theaction=61&sid=53897

"But there are two other techniques: one is called firewalling and the other is called keeping the software up to date. None of these problems (viruses and worms) happened to people who did either one of those things. If you had your firewall set up the right way - and when I say firewall I include scanning e-mail and scanning file transfer -- you wouldn't have had a problem. But did we have the tools that made that easy and automatic and that you could really audit that you had done it? No. Microsoft in particular and the industry in general didn't have it."

"The second is just the updating thing. Anybody who kept their software up to date didn't run into any of those problems, because the fixes preceded the exploit. Now the times between when the vulnerability was published and when somebody has exploited it, those have been going down, but in every case at this stage we've had the fix out before the exploit. So next is making it easy to do the updating, not for general features but just for the very few critical security things, and then reducing the size of those patches, and reducing the frequency of the patches, which gets you back to the code quality issues. We have to bring these things to bear, and the very dramatic things that we can do in the short term have to do with the firewalls and the updating infrastructure."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/oqq3Ji2cv3XsiSARAlkdAJ0aGkBViYkoE193iZycTmQZohzwbQCg1KDA
SjPLY1EEzamQCtIGKwJT1Vk=
=mIsY
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
--
May God Bless you and everything you touch.
My "foundation" verse: Isaiah 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.
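The reply above describes the firewall side of Gates's "firewalling" technique in practice: NetBIOS blocked both inbound and outbound, so Blaster died at the cable modem. The following is an added example, not code from the thread, from Astaro, or from any product named here. It shows what the dropped-packet log of such a firewall looks like when a worm is sweeping for targets, and how to pick the sweeping hosts out of it. It assumes iptables-style LOG lines (the sample lines are constructed for this example, with documentation-range addresses), an assumed LAN prefix of 192.168.1.0/24, and the well-known fact that Blaster spread over TCP 135 (the RPC endpoint mapper) while the wider NetBIOS/SMB ports 137-139 and 445 carried its relatives.

```python
"""Pick worm-style port sweeps out of firewall DROP logs.

Added example for the Full-Disclosure thread above; not the thread's or any
vendor's code. Log lines below are constructed, addresses are documentation
ranges, and the LAN prefix is an assumption.
"""
import ipaddress
import re
from collections import defaultdict

# Ports a Blaster-era worm hammers: TCP 135 (RPC endpoint mapper, the service
# Blaster exploited) plus NetBIOS/SMB 137-139 and 445.
WORM_PORTS = {135, 137, 138, 139, 445}

# Field layout follows iptables LOG output (SRC= DST= ... PROTO= SPT= DPT=).
LOG_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r".*?PROTO=(?P<proto>TCP|UDP)\s+SPT=\d+\s+DPT=(?P<dpt>\d+)"
)


def parse_log(lines):
    """Yield (src, dst, proto, dport) for every line that carries firewall fields."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def find_scanners(lines, min_targets=3):
    """Map each source to the distinct hosts it probed on WORM_PORTS, keeping
    only sources that touched at least min_targets hosts.

    A worm sweeps address space looking for one vulnerable service, so the
    tell is one source hitting the same port on many destinations (a
    horizontal scan), not one destination seeing many ports.
    """
    targets = defaultdict(set)
    for src, dst, _proto, dpt in parse_log(lines):
        if dpt in WORM_PORTS:
            targets[src].add(dst)
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}


def classify(scanners, lan="192.168.1.0/24"):
    """Split scanners into outside hosts probing in and LAN hosts probing out.

    Dropping NetBIOS/RPC outbound as well as inbound is what makes the second
    list visible: a LAN host sweeping TCP 135 is already infected.
    The LAN prefix is an assumption for this example.
    """
    net = ipaddress.ip_network(lan)
    inbound, outbound = [], []
    for src in sorted(scanners):
        (outbound if ipaddress.ip_address(src) in net else inbound).append(src)
    return {"inbound": inbound, "outbound": outbound}


def _drop(src, dst, proto, dpt, iface="eth0"):
    """Build one constructed iptables-style DROP log line (sample data, not a real log)."""
    return (f"Nov  2 08:01:12 fw kernel: DROP IN={iface} OUT= "
            f"SRC={src} DST={dst} LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4242 DF "
            f"PROTO={proto} SPT=4321 DPT={dpt} WINDOW=16384 RES=0x00 SYN URGP=0")


# Constructed sample log: what a perimeter box that drops NetBIOS/RPC both ways
# would record during a sweep.
SAMPLE_LOG = [
    # outside host sweeping TCP 135/445 across the exposed range
    _drop("203.0.113.7", "198.51.100.2", "TCP", 135),
    _drop("203.0.113.7", "198.51.100.3", "TCP", 135),
    _drop("203.0.113.7", "198.51.100.4", "TCP", 135),
    _drop("203.0.113.7", "198.51.100.5", "TCP", 445),
    # LAN host sweeping TCP 135 outbound: an already-infected machine
    _drop("192.168.1.20", "10.0.0.1", "TCP", 135, iface="eth1"),
    _drop("192.168.1.20", "10.0.0.2", "TCP", 135, iface="eth1"),
    _drop("192.168.1.20", "10.0.0.3", "TCP", 135, iface="eth1"),
    # single NetBIOS hits from single hosts: noise, below the threshold
    _drop("198.51.100.9", "198.51.100.2", "TCP", 139),
    _drop("203.0.113.8", "198.51.100.2", "UDP", 137),
    # crawler touching several hosts on 80: many targets, but not a worm port
    _drop("203.0.113.50", "198.51.100.2", "TCP", 80),
    _drop("203.0.113.50", "198.51.100.3", "TCP", 80),
    _drop("203.0.113.50", "198.51.100.4", "TCP", 80),
    # unrelated syslog line the parser must ignore
    "Nov  2 08:02:00 fw sshd[812]: Accepted publickey for admin from 192.168.1.5",
]

if __name__ == "__main__":
    hits = find_scanners(SAMPLE_LOG)
    for direction, hosts in classify(hits).items():
        for host in hosts:
            print(f"{direction}: {host} probed {len(hits[host])} hosts on NetBIOS/RPC ports")
```

Run against a real `/var/log/messages` by replacing `SAMPLE_LOG` with the file's lines; the threshold of three distinct targets is deliberately low so a sweep shows up within seconds, and the outbound list is the one worth paging on, since it names a machine on your own side of the firewall that the patch policy missed.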
Current thread:
- Re: Gates: 'You don't need perfect code' for good security (Oct 31)
- <Possible follow-ups>
- RE: Gates: 'You don't need perfect code' for good security Beaty, Bryan (Oct 31)
- RE: Gates: 'You don't need perfect code' for good security james (Oct 31)
- RE: [spam] RE: Gates: 'You don't need perfect code' for good security Exibar (Nov 01)
- udp port 2615 Trond Kringstad (Nov 01)
- RE: Gates: 'You don't need perfect code' for good security Cedric Blancher (Nov 01)
- Re: Gates: 'You don't need perfect code' for good security William Warren (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security Matthew Murphy (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security Geoincidents (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security Matthew Murphy (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security Geoincidents (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security George Capehart (Nov 03)
- Re: Gates: 'You don't need perfect code' for good security Geoincidents (Nov 03)
- Re: Gates: 'You don't need perfect code' for good security George Capehart (Nov 03)
- Re: Gates: 'You don't need perfect code' for good security Geoincidents (Nov 04)
- Re: Gates: 'You don't need perfect code' for good security Valdis . Kletnieks (Nov 04)
- Re: Gates: 'You don't need perfect code' for good security Dave Howe (Nov 04)