October 17th, 2002, 11:29 AM
MS - Trustworthy Computing
Those of us who follow technology current events are aware of Microsoft's recent push to make security one of its top priorities. In an e-mail sent to employees last January, Microsoft chairman Bill Gates told employees to shift gears and put more resources into making products more secure, rather than adding features.
Gates said: "When we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box."
The change in software focus -- which the company has labeled "Trustworthy Computing" -- came shortly after Microsoft experienced a severe rash of security, reliability and privacy-related problems, which plagued its already-troubled reputation.
Considering this new shift to a security over functionality policy, I think it highly ironic that this appeared in my inbox from the BugTraq mailing list:
...after this person posted a working demonstration of a vulnerability in IE6. This vuln in IE6 enabled the web site to obtain your MSN Messenger contact list and the status of your email. He didn't discover this bug apparently, as his demo is an exploit of a pre-existing vulnerability.
Less then 10 hours After i Post This message on BugTraq
Hotmail Cancelled My Hotmail Account (my Primary email account).
Access Denied to Hotmail Account
Demonstration of Vulnerabilities
The purpose of cancelling his Hotmail account completely escapes me. It doesn't solve the bug, his demos are still up, and it really just shows what a childish organisation Microsoft is. If they sent him an email saying 'We are working on the vuln, nice demos, but do you mind taking them down while we fix the problem' then that would be understandable, as well as productive. It would show that Microsoft is willing to work with people, instead of doing something juvenile like this. If they want to truly implement 'trustworthy computing' they will need to build bridges with the 'hacking' (loathe to use that word) community.
Do you guys think this was a reasonable gesture on MS part?
October 17th, 2002, 11:46 AM
I agree totaly.
Removing his hotmail account (was it a free or a paid one??) is a realy nasty demonstration of microsofts pollicy of Security thrue obscurity.
This was totaly un called for, those kind of things make me on Microsoft.
Some companies I know even upgrade your account if you show them vulnerabilities in their services, but that has never been the Microsoft way, I guess...
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio
the best station for C64 Remixes !