Full Disclosure mailing list archives
Re: Gates: 'You don't need perfect code' for good security
From: "Geoincidents" <geoincidents () getinfo org>
Date: Sun, 2 Nov 2003 14:05:36 -0500
----- Original Message ----- From: "Matthew Murphy" <mattmurphy () kc rr com>
> Even though MS, by the time you factor in the large number of components they ship, has had many times fewer patch releases than competing Linux distributions?
Microsoft has been playing a game where they hide exploits then release patches that address multiple vulnerabilities with a single patch. This is why you see "less" patches. If you count vulns instead of "patches" you'll see the game they are playing.
> 2. Sendmail v. Exchange
Why don't you try Exchange vs NTmail? How many exploits has NTmail had in the last 5 years, let alone this year (I was the guy publishing the NTmail exploits so I've got some idea)? How many have been root level exploits (zero)? Sendmail is a hole; you pick the absolute worst Unix mail server to compare to Exchange? Why not compare it to the best? (anything but sendmail)
> 3. Apache v. IIS
Fair enough, no complaints with that comparison. You might also compare BIND to Microsoft DNS; Microsoft's has a much, much better security record. (Stuart Kwan, product manager for W2K's DNS, knew security when he managed that project.)
> That would be the policy that all networks should use -- firewalling.
Firewalling is an excuse for not closing ports. The only time firewalling is used where it's not an excuse is when you limit certain public IP addresses so that they have access while the rest of the world doesn't.
> Funny that the same practices, even on an unpatched Windows XP system, would have been sufficient at blocking the worm. As long as port 135 and the related NetBIOS services (137, 139, 445, 593, etc.) were blocked, this worm would not make it in.
If the ports are blocked, why are they open at all? What good are blocked ports? Is there some reason everyone should have to run MORE software to disable other software? Isn't that sort of like letting the worm run on a computer but blocking its outbound access instead of disinfecting the machine?
> I am ignoring your "quality of software" argument, because it is simply moot. There is little difference in quality of software,
I might agree on a strict definition of quality, but default settings are also part of the software and could easily be considered a "quality" issue. The best security system in the world is useless if an anonymous user can execute code because scripting is available to anyone who sends you an email. DEFAULTS ARE CRITICAL.

A really simple change MS could make that would instantly make ALL their software more secure (not secure, but more secure than it is): have it install to random paths. So instead of everyone knowing right where the directories are, each program would install to a randomly named directory like /program files/program88475, where the number is random. Now things like Code Red would have failed, along with dozens of other exploits that rely on knowing the path. So simple, yet this thought has escaped MS thus far.

Geo.

(I agree with most of your other points.)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
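The post's "blocked vs. closed" distinction is something you can observe from the outside: a port with no listener answers a SYN with a RST (connection refused), while a port a firewall is silently dropping never answers at all (timeout). The following probe is an added example, not code from the original post or from anyone in this thread; it classifies a TCP port as open, closed or filtered, and audits the RPC/NetBIOS/SMB ports named above against the author's preference (service not running beats "blocked by a firewall"). The host, the port list, the one-second timeout and the `demo()` loopback harness are all assumptions made for illustration; the probe needs no third-party libraries.

```python
import errno
import socket

# Constructed port list: the RPC/NetBIOS/SMB ports named in the thread.
THREAD_PORTS = {
    135: "msrpc (DCOM endpoint mapper)",
    137: "netbios-ns",
    139: "netbios-ssn",
    445: "microsoft-ds (SMB)",
    593: "http-rpc-epmap",
}


def probe_tcp(host, port, timeout=1.0):
    """Classify one TCP port as seen from this machine.

    open       -> three-way handshake completed: something is listening
    closed     -> RST came back (ECONNREFUSED): nothing is bound, no firewall drop
    filtered   -> no answer inside `timeout`: a firewall is silently dropping SYNs
    unreachable-> some other network error (no route, host down, ...)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:  # TimeoutError on 3.10+; alias still works
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "closed"
        return "unreachable"
    finally:
        s.close()


def verdict(state):
    """Map a probe result onto the thread's argument about blocked vs. closed ports."""
    return {
        "open": "exposed: service listening and reachable",
        "filtered": "relying on the firewall: service may still be bound behind it",
        "closed": "service off: nothing to block (preferred)",
        "unreachable": "host not reachable: no conclusion about the port",
    }[state]


def audit(host, ports=THREAD_PORTS, timeout=1.0):
    """Probe each port and return (port, name, state, verdict) tuples."""
    return [(p, name, st, verdict(st))
            for p, name in sorted(ports.items())
            for st in [probe_tcp(host, p, timeout)]]


def _free_port():
    # Ask the kernel for an unused loopback port, then release it.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Offline self-check on loopback: one listening port, one unbound port.

    'filtered' cannot be produced locally (the kernel always answers), so the
    demo exercises only the open/closed branches. Returns {label: state}.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)  # handshake completes in-kernel; no accept() needed
    open_port = listener.getsockname()[1]
    closed_port = _free_port()
    try:
        return {
            "listening": probe_tcp("127.0.0.1", open_port),
            "not-listening": probe_tcp("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label:14} {state:9} {verdict(state)}")
    # Against a real host (assumed name) you would run, e.g.:
    # for row in audit("192.0.2.10"): print(row)
```

Run it against a host from outside the firewall: a row reading `filtered` is exactly the situation the post objects to, a listener that is only unreachable because something upstream is dropping packets; `closed` means the service is not bound at all, so there is nothing for a worm to reach if the firewall rule is ever removed.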
Current thread:
- Re: Gates: 'You don't need perfect code' for good security (Oct 31)
- <Possible follow-ups>
- RE: Gates: 'You don't need perfect code' for good security Beaty, Bryan (Oct 31)
- RE: Gates: 'You don't need perfect code' for good security james (Oct 31)
- RE: [spam] RE: Gates: 'You don't need perfect code' for good security Exibar (Nov 01)
- udp port 2615 Trond Kringstad (Nov 01)
- RE: Gates: 'You don't need perfect code' for good security Cedric Blancher (Nov 01)
- Re: Gates: 'You don't need perfect code' for good security William Warren (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security Matthew Murphy (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security Geoincidents (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security Matthew Murphy (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security Geoincidents (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security George Capehart (Nov 03)
- Re: Gates: 'You don't need perfect code' for good security Geoincidents (Nov 03)
- Re: Gates: 'You don't need perfect code' for good security George Capehart (Nov 03)
- Re: Gates: 'You don't need perfect code' for good security Geoincidents (Nov 04)
- Re: Gates: 'You don't need perfect code' for good security Valdis . Kletnieks (Nov 04)
- Re: Gates: 'You don't need perfect code' for good security Dave Howe (Nov 04)
- Re: Gates: 'You don't need perfect code' for good security George Capehart (Nov 04)
- Re: Gates: 'You don't need perfect code' for good security Nick FitzGerald (Nov 02)