"Cost and effect" is usually a strength of MS..why not here?
The responsibility for Microsoft's products rests with Microsoft alone, and we take that responsibility very seriously. However, there has traditionally been an unwritten rule among security professionals that the discoverer of a security vulnerability has an obligation to give the vendor an opportunity to correct the vulnerability before publicly disclosing it. This serves everyone's best interests, by ensuring that customers receive comprehensive, high-quality patches for security vulnerabilities but are not exposed to malicious users while the patch is being developed. Once customers are protected, public discussion of the vulnerability is entirely in order, and helps the industry at large improve its products.

Many security professionals follow these practices, and Microsoft wants to single them out for special thanks. The acknowledgment section of our security bulletins is intended to do this. When you see a security professional acknowledged in a Microsoft Security Bulletin, it means that they reported the vulnerability to us confidentially, worked with us to develop the patch, and helped us disseminate information about it once the threat was eliminated. They minimized the threat to customers everywhere by ensuring that Microsoft could fix the problem before malicious users even knew it existed.



If MS had any brains, they would pay some piddling sum to people who find security holes and report them first to Microsoft. If anyone is in a position to profit from this, it's MS--they're already seen as a monolith, so getting a "thank you" becomes rapidly less meaningful. And it wouldn't cost them any more than they're paying their security department now anyway...

$50 each?
That's her, officer! That's the woman that programmed me for evil!
That's not "1 Microsoft Way"
MS doesn't pay for anything they don't absolutely have to, and do all they can to maximize income. Recall their infamous charity donations of software which they can claim as tax deductions...

They don't pay their beta testers, why should they (in their mind) pay people to find security flaws? As long as it doesn't (seem to) affect MS's bottom line (and it won't as long as they have a monopoly grip on the market), they will spend as little as possible on security issues. If they have to have a line item for "security bounties", then it'll impact their P&L statement, reduce their net earnings, and reduce their stock value. It's not going to happen, IMHO.

Of course, your logic is impeccable, but MS won't follow it.

My $0.02.

Cheers,
Scott.
Collusion
This works well for software which is controlled under a single individual. TeX has used this successfully (Don Knuth), and qmail (Donald J. Bernstein) (Hmm...maybe being named "Don" is also a requirement).

In a company the size of Microsoft, and in particular, with the various enmities Microsoft has managed to engender, you'd have to worry about collusion between programmers and bug reporters. E.g.: I'll seed n bugs if you kick back m% of the bounty....

There's also the issue of how costs are allocated internally among development and QA for bugs found or not found. It's a complex problem.
--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
What part of "gestalt" don't you understand?
Heh. Never thought about the collusion idea.
Guess my brain doesn't go on that trip often enough.

So where's your brain been lately? :P
That's her, officer! That's the woman that programmed me for evil!
The MS Security Conundrum
Windows 2000 provides a comprehensive list of features that provide a secure environment - from VPNs using PPTP or IPSec, to RADIUS servers for remote authentication, to Certificate Services for, well, anything you'd use a certificate for, a proper PKI (Public Key Infrastructure), Kerberos authentication (yeah yeah I know; we'll have THAT conversation later, OK), all with multiple levels of security, secure storage in the shape of encrypted file systems, etc, etc, yadda, yadda.

Make no bones about it, if you think Windows 2000 is insecure, then you don't know what you're talking about.

Then this same company produces the lump of swiss cheese that is VBA and Outlook.

Go figure.


Peter
Shill For Hire
[link|http://www.kuro5hin.org|There is no K5 Cabal]
Oh c'mon
Even Windows 95 is "secure" in the sense that you can't really penetrate it until/unless you have other stuff installed that allows for penetration. All the secure crap in the world doesn't help if you install SQLServer or IIS with defaults, or open an Email attachment.
Who knows how empty the sky is
In the place of a fallen tower.
Who knows how quiet it is in the home
Where a son has not returned.

-- Anna Akhmatova (1889-1966)
That's a strawman argument
MySQL can be insecure, as can Oracle, or Postgres, or DB/2...

IIS is pretty darn secure, if only you can be arsed to configure it properly. The precise same argument holds for Apache, too.

Security is *not* a product. It's a process. Until you get that through your head, pain and torment awaits and any and all systems you implement with whatever OS will be compromised, again and again.

And if you're seriously equating running SQL Server or IIS with "opening an email attachment" then I must question the basis on which you make such a statement.

My point was that Windows 2000 is a secure operating system but the applications group at MS seem hell bent on testing that to the limit.

And what alternative do YOU bring to the table? Business wants secure computing - and that means more than strong passwords.

So, waddya got?


Peter
Shill For Hire
[link|http://www.kuro5hin.org|There is no K5 Cabal]
What is the process that Microsoft encourages?
It is to have untrained monkeys spin the CD and punch through mazes of menus. While arranging for a tollbooth at every possible location. And arranging to make the PHBs think this is the right and only way to run the world.

Yes, security is a process. So is extracting maximum profit from the masses. They are not compatible processes.

Which one has Microsoft consistently chosen?

Cheers,
Ben
Thanks
I've never been called an untrained monkey before.

If that's what you think it takes to administrate Windows 2000...

Well. Let's just say it won't be possible for us to have a sensible conversation on the subject.


Peter
Shill For Hire
[link|http://www.kuro5hin.org|There is no K5 Cabal]
Not to mention Inthane, who's paid to do it.
Two for the price of one, Ben.

Actually, I know what you mean. I know a guy who's retired and a Microsoft stockholder. He uses MSN. He did not come from an IT background and PCs are just a hobby. He would not know what a proper software test was if it bit him in the ass. He thinks Microsoft is God's gift to civilization. He gets into all the Microsoft beta tests and is among "the counted testers" that Microsoft talks about.

For my mental health, I have taken steps to make sure not to run into this guy.
Alex

Whom the gods wish to destroy, they first make mad. -- Euripides
Toilet trained
Peter, some here (and I didn't say me) might be willing to say you've got more than middlin' experience. Since you wax poetic over the merits of both Win2K and VAX, and are known to run GNU/Linux, you've a range of experience likely unusual among NT admins.

Moreover, you don't prove anything one way or the other regards Ben's point. If any slack-jawed 14 year old can run a lawnmower, the fact that an airline pilot uses one to mow his lawn doesn't mean the equipment requires, or is designed to be run by, airline pilots.

Microsoft is known to have promulgated the myth of "Zero Administration" for quite some time. The fact that you're a nonzero admin doesn't negate this fact.

Frankly, GNU/Linux is headed down the same path of putting powerful tools in the hands of anyone, so arguing from a strict point of "it's the admin's fault" probably isn't going to be productive. The GNU/Linux camp does seem to be somewhat more grounded in a philosophy of technological indoctrination, though: you're supposed to know your tools, RTFM, and STFW.

There are also significantly different incentives to producing and distributing bug-free software, and updates and fixes to remedy other, in the free software world. Microsoft is notorious for charging for bugfixes and updates, at least in sufficient aggregates (Win98, Win2K).
--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
What part of "gestalt" don't you understand?
STFW: shut the effing window?
That's her, officer! That's the woman that programmed me for evil!
Search the effin' Web.
--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
What part of "gestalt" don't you understand?
That's not what he said.
He said "Encourages". And he's correct.

You're putting a selective filter on the Microsoft message.. You said "Well, of COURSE *that* message is idiotic, don't believe it".

And after the years of hearing Microsoft messages, I don't believe *any* of it.

Which is why I Don't Care about NT anymore. And yes, that's 2000 and XP. I'm not going to play the name games. I've been lied to far too many times.

You're selectively filtering for messages that you know to be true - using the other experience you have to set said filter.

But trust me. The Microsoft Monkeys aren't filtering (they don't know how), and they're taking Microsoft at their word - and that's *still* a problem. There's a lot of them, and you're selectively filtering that fact out, as well. Why, I don't know. :)

Addison
"Encourages" is key
Now you know, and should presume that I know, that to administer any complex system well takes competent people. Software isn't somehow special or different, it is just another example.

However Microsoft's marketing message is that its software is easy to learn, easy to administer, you just have to run an all-Microsoft shop and always keep up with the latest and greatest. This is not a marketing message that is consistent with encouraging organizations to develop good security procedures. It is, however, a message that makes Microsoft a lot of money.

Now before we leave this topic, please answer two questions. The first is, "What is your estimate of how many Microsoft organizations really need people like you, but don't have them and don't understand why they should?" The second is, "Do you really think that this number has anything to do with Microsoft's ongoing advertising about its products?"

Cheers,
Ben
Answers
"lots"

and

"Not a chance"


Peter
Shill For Hire
[link|http://www.kuro5hin.org|There is no K5 Cabal]
Definite disagreement on the second item
In what way?


Peter
Shill For Hire
[link|http://www.kuro5hin.org|There is no K5 Cabal]
Waddya got? OpenBSD.
But then, that's sort of the opposite extreme in terms of security over marketing.

But security isn't a product, is it? Therefore, I don't see how you can make that statement and say, "Windows 2000 is a secure OS" in the same post.

I'll believe it when I see the rate of security bulletins decline...many of which are more along the lines of basic services rather than apps. The last few posted to BUGTRAQ dealt with RPC, passwords, Task manager, TCP, SSL, and system file overwriting, for example (not to say there weren't more that had to do with apps--just that there are many that didn't).
That's her, officer! That's the woman that programmed me for evil!
Conundrum Humdrums.
Windows 2000 provides a comprehensive list of features...

And it still doesn't fix a lot of the prior problems.

Most notably - SMB networking. (I shouldn't have to elaborate more)

Oh, if you have a 100% Windows 2000 network, it's fixed? How nice.

Why haven't the fixes made it back to the prior clients, for people who can't/don't need to upgrade?

*THAT'S* part of the problem you're redefining the argument away from. (And having the above doesn't mean secure, as you do say in a later post).

It's also the thought process and history that Microsoft has shown - they'll hang people who aren't running "latest and greatest" out to dry, (and sometimes even then).

Addison
     "Cost and effect" is usually a strength of MS..why not here? - (tseliot) - (19)
         That's not "1 Microsoft Way" - (Another Scott)
         Collusion - (kmself) - (1)
             Heh. Never thought about the collusion idea. - (tseliot)
         The MS Security Conundrum - (pwhysall) - (15)
             Oh c'mon - (wharris2) - (13)
                 That's a strawman argument - (pwhysall) - (12)
                     What is the process that Microsoft encourages? - (ben_tilly) - (10)
                         Thanks - (pwhysall) - (9)
                             Not to mention Inthane, who's paid to do it. - (a6l6e6x)
                             Toilet trained - (kmself) - (2)
                                 STFW: shut the effing window? -NT - (tseliot) - (1)
                                     Search the effin' Web. -NT - (kmself)
                             That's not what he said. - (addison)
                             "Encourages" is key - (ben_tilly) - (3)
                                 Answers - (pwhysall) - (2)
                                     Definite disagreement on the second item -NT - (ben_tilly) - (1)
                                         In what way? -NT - (pwhysall)
                     Waddya got? OpenBSD. - (tseliot)
             Conundrum Humdrums. - (addison)