Bruce Schneier and Adam Shostack, SecurityFocus 2002-01-24
A guide to judging Microsoft's security progress.
Results, not Resolutions
2002-01-24
Gary McGraw
Concrete suggestions (no matter how hard to implement in reality) are a good thing. Microsoft should take a long hard look at these suggestions and make use of them wherever possible.
When commenting on an early draft of this article, I was struck by an analogy to writing that I find helpful whe...
Results, Not Resolutions
2002-01-24
David Litchfield (2 replies)
Like most people I'd like to see more secure offerings from Microsoft but regardless of the "highest priority" status awarded to security I believe MS will continue to make functionality their main focus. For any software shop, large or small, producing usable, functional software has to be the mai...
Results, Not Resolutions
2002-01-24
davep (at) pitt (dot) edu [email concealed] (1 replies)
> Would you rather people used notepad to edit text files?
Yes...and why not? It works for Unix...I know I would rather edit some simple, keep-the-changes-I-made text files than have the "mystery settings" that keep coming back even after I change some settings! In addition, you can have f...
Results, Not Resolutions
2002-01-25
Nicholas Harring
You mention that text files work for UNIX. And so they do, being a devoted Linux user I fully agree. However, I cannot imagine a corporate IT department attempting to support an enterprise wide deployment of Windows and having to tweak config.sys files.
Without getting into the trite, tired argume...
Results, Not Resolutions
2002-01-25
Anonymous
I agree, for the most part. Microsoft has the burden of having to market its product to EVERYONE (not that they HAVE to, but it makes good business sense). I would suggest more of a segregation of Microsoft products; by ALL means implement the restrictions you want to implement
but don't force my gra...
Results, Not Resolutions
2002-01-24
Anonymous (1 replies)
Results, Not Resolutions
2002-01-24
Anonymous
>Way to go guys! I only hope Bill's reading this...
Oh, Microsoft is reading this all right. They are very good at keeping track of things said about them. And the authors could hardly be more distinguished on this topic.
I would guess that Microsoft would take this excellent, unsolicited a...
No SOAP? How do you do remote procedure calls over the web?
2002-01-25
Anonymous (6 replies)
It amazes me that everyone is so scared of SOAP and .NET... They weren't scared when Netscape was pushing IIOP and CORBA!!!!! Bruce really knows his stuff when it comes to crypto, but methinks he's getting a little out of his league....
No SOAP? How do you do remote procedure calls over the web?
2002-01-25
Anonymous
IIOP and CORBA are not tunneled over HTTP solely to bypass firewalls.
Those firewalls are there for a reason! Obviously, the firewall can't protect from actively malicious tunneling through HTTP, but widespread use of SOAP will open up whole new classes of security problems when every VB or Java...
No SOAP? How do you do remote procedure calls over the web?
2002-01-25
Anonymous
Well, I think the point was no SOAP-over-HTTP, not to have no SOAP at all. The deliberate overloading of a program-to-program communication protocol within web protocols will force network security engineers to proxy all web traffic so it can be examined by the firewall at the application layer. T...
No SOAP? How do you do remote procedure calls over the web?
2002-01-25
Anonymous
You can read Bruce Schneier's thoughts about why SOAP is a security problem at http://www.counterpane.com/crypto-gram-0006.html
A partial counter-argument given, for example, by Fredrik Lundh is that most of the security problems in SOAP also exist in CGI; i.e. it can also be used as a rem...
Your Homework!
2002-01-25
Anonymous
Figure out what the following mean.
1. IIOP & CORBA are not _specified_ to use port 80/443.
2. HTTP/HTTPS auth. sucks.
Deduce the difference between IIOP & CORBA and SOAP in the security aspect.
If you cannot, learn to think.
If you cannot understand your homework, find another job
(for the sak...
Well, to conclude: Use Java, M$
2002-01-25
Anonymous (1 replies)
Many, many problems and some points of the article are resolved when using Java.
Buffer overflows ? - Gone.
Dangling pointers ? - Gone.
Free access to host machine ? - Gone.
...
Well, to conclude: Use Java, M$
2002-01-25
Trithemius (1 replies)
Many of the points made in the article go well above matters of language vulnerabilities. Sure, Java has built-in insulation against buffer overruns. So does a properly designed C application. Nothing is free, including Java's safety and insulation.
The problem they're pointing out is much deepe...
Results, Not Resolutions
2002-01-25
Anonymous
There is only one reason for the Bill Gates security memo. It has to do with the current consent decree offered by the DOJ in the antitrust case against Microsoft. It forces Microsoft to provide APIs and format information to developers except where security would be compromised.
Claiming that th...
SOAP Recommendation is Silly
2002-01-25
Anonymous (1 replies)
I like Bruce, and I appreciate the recommendations here, but the terse sentence about eliminating SOAP (which they say can automatically "bypass firewalls") is silly. It can't "bypass" a firewall. The firewall must know how to evaluate a SOAP request, or your SOAP server must be highly secure. Or, b...
Almost right on the compensation
2002-01-25
Anonymous
Bill Says:
"Compensation plans of Microsoft product engineers, such as raises and bonuses, will also be tied to how secure their products are." -Associated Press article on Gates memo, 15 January 2002.
You can see he hasn't written software in over two decades. If he had, he'd know to tie it t...
Results, Not Resolutions
2002-01-25
Anonymous
I suspect that the M$ code base is such a can of worms that even they don't understand it enough to make it secure.
Many of the *NIX flavors were built from the ground up with security in mind, yet there are still security advisories being issued as obscure security holes are discovered. To try to ...
Results, Not Resolutions
2002-01-25
Chris
This article was dead on target. The reason why Microsoft has such a dominant market position really has very little to do with the technical merits of its products. It has a great deal more to do with Microsoft's marketing and business practices.
A prime example, the organization which I worked for p...
Regarding macros in documents...
2002-01-25
Anonymous
Regarding the 'macros should NOT be stored in documents'.
Surely this is a little strong. It should be possible to store macros in documents IMO, BUT the macros should be effectively sandboxed such that they can only (a) deal with the document containing the macro OR (b) create a new document, and...
SOAP Comment misunderstood it seems...
2002-01-25
Anonymous
They used it as an example of an IMPLEMENTATION problem. SOAP per se is not bad, I hear them say, just as they did not say scripts were bad. What they said very clearly, early on, was "separate control from data". SOAP is poorly implemented because it uses HTTP (a data channel) to send RPC (control in...
Things getting out of hand here?
2002-01-26
Toni Heinonen
I guess Mr. Schneier and the likes represent the old school of security. I just think he is going just a tad overkill on a lot of things here. Okay:
Neither LoveLetter nor Melissa exploited bugs in Outlook. They were attachment viruses, which could have been made as .exes or .bat files. The on...
Microkernel smog
2002-01-27
Grumpf
I'm quite sure they'll do it. They did it before with Internet technologies when they fell behind (too fast, to be honest).
But the "where do you want to go today" department must in fact stop and wait a bit. This time no one "wants to go anywhere" blindly.
The microkernel complexity added by the DCO...
If SOAP should go then so should CGI!
2002-01-28
TerryC
Asking for the elimination of SOAP is silly. SOAP is just a set of XML requests and responses carried through HTTP. I can set up an HTML form and ask a user to cut and paste an XML document into a text window and upload it via a submit button. I can form a response and return it as an XML document. ...
Inaccuracies and crazy talk
2002-01-28
Anonymous
STATEMENT:
Internet Explorer: IE should support a complete separation of data and control. Java and JavaScript should be modified so they cannot use external programs in arbitrary ways. ActiveX should eliminate all controls that are marked "safe for scripting."
RESPONSE:
"ActiveX" doesn't do an...
Results, Not Resolutions
2002-01-28
Anonymous
I agree completely with the article. I have another unpleasant pill to swallow, one that should be heeded by all, not merely the worst offender.
Quality assurance methods, long accepted as necessary in the manufacture of physical goods, are generally not used by major software suppliers. These ...
Microsoft's Recommended Development Process
2002-01-28
Anonymous
I have recently completed the Microsoft training program for 'Project Managing Software Projects'. My conclusion is that security is a non-issue in their methodology and is in fact downplayed.
It sounds like Microsoft needs to also revisit their recommended methodology for software developers.
...