Re: Gates: 'You don't need perfect code' for good security

["Geoincidents" <geoincidents () getinfo org>]

----- Original Message ----- 
From: "Matthew Murphy" <mattmurphy () kc rr com>


> Even though MS, by the time you factor in the large number of components
> they ship, has had many times fewer patch releases than competing Linux
> distributions?


Microsoft has been playing a game where they hide exploits then release
patches that address multiple vulnerabilities with a single patch. This is
why you see "less" patches. If you count vulns instead of "patches" you'll
see the game they are playing.

> 2. Sendmail v. Exchange


Why don't you try Exchange vs NTmail? How many exploits has NTmail had in
the last 5 years let alone this year (I was the guy publishing the ntmail
exploits so I've got some idea)? How many have been root level exploits
(zero). Sendmail is a hole, you pick the absolute worst unix mail server to
compare to exchange? Why not compare it to the best? (anything but sendmail)

> 3. Apache v. IIS


fair nough, no complaints with that comparison. You might also compare BIND
to Microsoft DNS, Microsoft's has a much much better security record.
(Stuwart Kwan product manager for W2K's dns knew security when he managed
that project)

> That would be the policy that all networks should use -- firewalling.

Firewalling is an excuse for not closing ports. The only time firewalling is
used where it's not an excuse is when you limit certain public IP addresses
so that they have access while the rest of the world doesn't.

> Funny
> that the same practices, even on an unpatched Windows XP system, would
have
> been sufficient at blocking the worm.  As long as port 135 the related
> NetBIOS services (137, 139, 445, 593, etc.) were blocked, this worm would
> not make it in.

If the ports are blocked, why are they open at all, what good are blocked
ports? Is there some reason everyone should have to run MORE software to
disable other software? Isn't that sort of like letting the worm run on a
computer but blocking it's outbound access instead of disinfecting the
machine?

> I am ignoring your "quality of software" argument, because it is simply
> moot.  There is little difference in quality of software,

I might agree on strict definition of quality, but default settings are also
part of the software and could easily be considered a "quality" issue. The
best security system in the world is useless if an anonymous user can
execute code because scripting is available to anyone who sends you an
email. DEFAULTS ARE CRITICAL.

Really simple change MS could do that would instantly make ALL their
software more secure (not secure but more secure than it is). Have it
install to random paths. So instead of everyone knowing right where the
directories are, each program would install to a random named directory like
/program files/program88475 where the number is random. Now things like
codered would have failed along with dozens of other exploits that rely on
knowing the path. So simple yet this thought has escaped MS thus far..

Geo. (I agree with most of your other points.)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html