
Thread: Microsloths new security stance

  1. #11

    Lightbulb

    Vorlin, you the man. Microsoft is not a horrible product, although it's not the coup de grâce. The idea of Windows does not suck; it's the release timing. I believe if old Billy would wait a while and actually do some serious wind-tunnel-type tests on his products, they would be excellent. I have some problems with people debating Unix vs XP vs Mac OS vs NetWare. They all have weaknesses and strengths. Now as for firewalls, OK, I admit WatchGuard is not for a large business, but I know of several prominent clothing companies who have never been cracked and are using it. Check Point does not suck. It does have a lot of holes to be exploited, but Marcus Ranum stated a firewall is only as good as its admin. Most of the holes found are because Check Point can be severely scrutinized since it is very common, plus there are specific configurations to follow that admins just don't adhere to. Let me not go off on Check Point or PIX for that matter. If Microsoft waited to release XP an extra year, say 2003, I believe it would have been the best OS they have made. Do not misquote me: not the best OS in the world, just the best Microsoft has made, but I think that's a long way off. About firewalls: they are not the end-all solution. If they were, a lot of us would work at factories.



    PS: I enjoyed all of your input and I look forward to more comments.




    EviL
    Ee

  2. #12
    It seems that this "Bill Memo" was sent out at an interesting time. There is some talk that there may be a law (criminal or civil) that will hold a company responsible for any damages incurred from a security issue in their software. In other words, if a server running WIN NT / 2000 etc. becomes compromised, and it is proven that the breach was done using a security hole within the Microsoft program (OS, application etc.), then Microsoft would be liable and there would be penalties and fines.
    I don't remember the links that I saw this from, but it causes an interesting set of events. We know that Microsoft products have security issues. We know that it costs money to resolve these issues, both at the customer level and at Microsoft's level. Now the gov wants to step in and make it illegal to produce software that is not secure. The question that comes to mind is: Should the gov be deciding this issue?

    Just a question.

    Infiltrator

  3. #13
    A lot of breaches occur when someone sets up a server such as Windows 2000 Server with Check Point and does not apply the proper patches or hardening methods. We all need to consider that Microsoft came long after TCP/IP, which by default is insecure. I am not saying that Microsoft is not at fault ("They are"), but only partially; some of the blame is on lack of knowledge. I once met an MCSE who did not know what DNS was. He is the admin for a hospital. Comforting thought, isn't it? Imagine it now: his boss asks him to implement a security solution. Guess what he does? He buys Check Point or something like that, and if he is even smart enough to configure it properly, he leaves holes in the OS. I can see it now.


    EviL
    Ee

  4. #14

    Reply To EvIl

    EvIl, I agree. There are so many areas in computer science that it is impossible for any one person to be a master of all of them. However, when a company designs a program and does not do enough QC on their product, should they be liable? I say yes. I just don't think the Gov is the one to make the decision of security.
    One of the biggest exploits I have seen listed on Microsoft NT has been buffer overflows. This is an attack at the fundamental area of a program. This issue could be avoided with more QC from Microsoft.
    The problem as I see it is thus:
    A tech, engineer, computer scientist or other highly technically trained person has a certain mindset, which is, 'Do it right the first time'.
    A businessman, CEO, CFO, or generic bean counter generally has the mindset of, 'What is the bottom line? How much can we shave off the top?'

    When Microsoft develops a product (Gadget X), the marketing dept is spending tons of money to promote it and the business side of the house wants to get it out on the shelves as soon as possible to start getting a return on its investment. In other companies the product has to be of good quality or that company won't survive very long. Their customers will lose faith in them. With Microsoft, they are the King Of The Hill at this time so they can get away with much more. Since Microsoft is a business, the business rules seem to apply first. I think that if a better balance is found within Microsoft such that more QC is done on their products and reasonable ship dates are set, their products should be of a better quality. Of course, this will allow Microsoft to become even stronger in its position and I am not so sure that is a good idea, but that is for another post.


    Infiltrator

  5. #15
    Infiltrator hit it right on the head.

    That's all
    EviL
    Ee

  6. #16
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    One of the biggest exploits I have seen listed on Microsoft NT has been buffer overflows. This is an attack at the fundamental area of a program. This issue could be avoided with more QC from Microsoft.
    Buffer overflows are as common as people asking how to hack hotmail and could be prevented if MS actually hired decent programmers and/or the programmers they do have actually checked their ****. It takes NOTHING to put a few constraints on a program for length. That's all we're really talking about here, length of data being shoved in a variable or array. Why this is so hard for them to understand is beyond me, as any programmer knows this stuff right out of Programming 101 (or maybe 202 if the programming 101 is to teach them what all the keys on the keyboard mean). I might come off as hostile against programmers but as a unix administrator working with 8 - 10 NT admins who "program", I've seen them constantly forget the "basic fundamentals" with their scripts and worse yet, their CGI scripts that they put into "production" on the intranet. Twice to date, I've crashed their web server just by putting in invalid data and a huge length at that. You'd think some people would learn. All they do is get mad at me and they've stopped telling me when they add something (like adding a CGI script is really a big deal?). Maybe when they actually decide to write good code that has error checking in it, I won't be as pissy towards them.

    But who knows, it IS point-and-click after all. Maybe my expectations are too high.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
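
Added example, not part of any post in this thread: the length check post #16 describes, applied to a CGI query-string field copied into a fixed-size C buffer, with oversized input rejected instead of overflowing. The function name `get_field`, the `FIELD_MAX` limit and the sample inputs are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32   /* assumed per-field limit for this example */

/* Unchecked pattern the post complains about (shown only, never called):
 *     char user[FIELD_MAX];
 *     strcpy(user, value);    // writes past user[] when value is too long
 */

/* Copy the value of `name` from a query string such as "id=7&user=bob"
 * into out[outsz]. Returns 0 on success, -1 if the field is missing,
 * -2 if the value does not fit (rejected outright, never truncated). */
int get_field(const char *query, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = query;

    if (outsz == 0) return -2;
    out[0] = '\0';                       /* defined result on every path */

    while (*p) {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);

        if (seglen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = seglen - nlen - 1;
            if (vlen >= outsz)           /* keep room for the terminator */
                return -2;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        if (!end) break;
        p = end + 1;
    }
    return -1;
}

int main(void)
{
    char user[FIELD_MAX];
    char big[4096];                      /* constructed oversized request */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    memcpy(big, "user=", 5);

    printf("normal:    %d\n", get_field("id=7&user=bob", "user", user, sizeof user));
    printf("oversized: %d\n", get_field(big, "user", user, sizeof user));
    return 0;
}
```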

  7. #17
    Go Vorlin!

  8. #18
    Senior Member
    Join Date
    Oct 2001
    Posts
    638
    Originally posted by zion1459


    We don't need to... we've already got linux!
    but ur right... we shouldn't waste so much time on bitching about M$, we should use our time to do something creative and enjoy our interests.... but if "bitching about M$" is one's main interest then I find it quite alright for him/her to do it all he/she wants to... lmao ... we all (well, except Bill Gates) hate M$ and its unsecured, overgraphical, flawfull programs so let's fight the power and kick them the hell out of the 'puter market! revolution! yea!
    Yeah, Linux rocks. It just occurred to me that A LOT of energy was being devoted to complaining that could be used to do other really cool things =).
    OpenBSD - The proactively secure operating system.

  9. #19
    Senior Member
    Join Date
    Nov 2001
    Posts
    257
    Buffer overflows are as common as people asking how to hack hotmail and could be prevented if MS actually hired decent programmers and/or the programmers they do have actually checked their ****.
    It certainly could be their programming staff, but it could also be management imposing undesirable limitations on their code. Just a thought.
    -Shkuey
    Living life one line of error free code at a time.

  10. #20
    It is definitely the time constraints imposed on these poor programmers.
    Imagine how they must feel having to patch something they could have done with some QA, hmmm. Look at Enron: it's all about the bottom line. I don't knock the fact that Microsoft products cost money; I believe if an OS is costing me a grand it should at least work properly. Think about it: Windows 2000 has a C2 security rating, so does NetWare 5.0, but the C2 for Windows 2000 is with most of the networking services disabled; Novell's rating is in a networked environment. Why do you think most companies install Check Point on a Unix or Linux based system? They know it is easier to armour Unix and still use a Windows-based management GUI.

    Let us all thirst for more knowledge and not have inflated egos

    PEaCe Evil Elf
    Ee
