Security? Right.



zamdrist@gmail.com
07-09-2005, 10:51 PM
http://www.microsoft.com/security/twc/vision_frame.mspx

Security Vision and Framework

"Microsoft is committed to enabling every customer to work,
communicate, and transact business more securely."
"Implementing threat modeling and other key security considerations in
design and development stages."
"Promoting more secure deployment and management of our software."

Now read:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/0926da81-f03a-4986-959d-827b6753c22f.mspx

Remote Limitations

"In addition to exposing your server to unauthorized users, Remote has
the following limitations..."

"Remote performs no security authorization. It permits anyone running
Remote.exe Client to connect to your remote server. Because of this,
the account under which the remote server was run is open to anyone who
connects."

Wow. What a joke.

andy smart
07-09-2005, 10:51 PM
zamdrist@gmail.com wrote:
> http://www.microsoft.com/security/twc/vision_frame.mspx
>
> Security Vision and Framework
>
> "Microsoft is committed to enabling every customer to work,
> communicate, and transact business more securely."
> "Implementing threat modeling and other key security considerations in
> design and development stages."
> "Promoting more secure deployment and management of our software."
>
> Now read:
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/0926da81-f03a-4986-959d-827b6753c22f.mspx
>
> Remote Limitations
>
> "In addition to exposing your server to unauthorized users, Remote has
> the following limitations..."
>
> "Remote performs no security authorization. It permits anyone running
> Remote.exe Client to connect to your remote server. Because of this,
> the account under which the remote server was run is open to anyone who
> connects."
>
> Wow. What a joke.
>

It's not your 'server' in the sense of the physical box though is it?
Sounds more like a remote virtual server started on the physical server
from this article:

http://pensieve.thinkingms.com/CommentView,guid,bcd86023-c8e0-4ef7-a2f5-60ddf47635cc.aspx

Sounds as though you'd need quite a bit of inside information from
somebody with administrator rights before you could misuse it though?

Imhotep
07-09-2005, 10:51 PM
zamdrist@gmail.com wrote:

> http://www.microsoft.com/security/twc/vision_frame.mspx
>
> Security Vision and Framework
>
> "Microsoft is committed to enabling every customer to work,
> communicate, and transact business more securely."
> "Implementing threat modeling and other key security considerations in
> design and development stages."
> "Promoting more secure deployment and management of our software."
>
> Now read:
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/0926da81-f03a-4986-959d-827b6753c22f.mspx
>
> Remote Limitations
>
> "In addition to exposing your server to unauthorized users, Remote has
> the following limitations..."
>
> "Remote performs no security authorization. It permits anyone running
> Remote.exe Client to connect to your remote server. Because of this,
> the account under which the remote server was run is open to anyone who
> connects."
>
> Wow. What a joke.


...but don't you know that Microsoft is taking security seriously????


;-)
-Im

zamdrist@gmail.com
07-09-2005, 10:51 PM
Imhotep wrote:

> ...but don't you know that Microsoft is taking security seriously????
>
>
> ;-)
> -Im

Precisely! It's not really a matter of how hard it would be.

Imhotep
07-09-2005, 10:51 PM
zamdrist@gmail.com wrote:

>
> Imhotep wrote:
>
>> ...but don't you know that Microsoft is taking security seriously????
>>
>>
>> ;-)
>> -Im
>
> Precisely! It's not really a matter of hard it would be.

I was being sarcastic... There are known security holes in IE that have not
been fixed for some time. It appears that MS does not take security
seriously...

http://it.slashdot.org/article.pl?sid=05/05/15/139208&from=rss

-Im

Imhotep
07-09-2005, 10:51 PM
andy smart wrote:

> zamdrist@gmail.com wrote:
>> http://www.microsoft.com/security/twc/vision_frame.mspx
>>
>> Security Vision and Framework
>>
>> "Microsoft is committed to enabling every customer to work,
>> communicate, and transact business more securely."
>> "Implementing threat modeling and other key security considerations in
>> design and development stages."
>> "Promoting more secure deployment and management of our software."
>>
>> Now read:
>>
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/0926da81-f03a-4986-959d-827b6753c22f.mspx
>>
>> Remote Limitations
>>
>> "In addition to exposing your server to unauthorized users, Remote has
>> the following limitations..."
>>
>> "Remote performs no security authorization. It permits anyone running
>> Remote.exe Client to connect to your remote server. Because of this,
>> the account under which the remote server was run is open to anyone who
>> connects."
>>
>> Wow. What a joke.
>>
>
> It's not your 'server' in the sense of the physical box though is it?
> Sounds more like a remote virtual server started on the physical server
> from this article:
>
> http://pensieve.thinkingms.com/CommentView,guid,bcd86023-c8e0-4ef7-a2f5-60ddf47635cc.aspx
>
> Sounds as though you'd need quite a bit of inside information from
> somebody with administrator rights before you could misuse it though?

Ah no. It sounds like *anyone* who connects *is* an administrator... I would
not recommend using this crapware...

-Im

andy smart
07-09-2005, 10:51 PM
Imhotep wrote:
> andy smart wrote:
>
>
>>zamdrist@gmail.com wrote:
>>
>>>http://www.microsoft.com/security/twc/vision_frame.mspx
>>>
>>>Security Vision and Framework
>>>
>>>"Microsoft is committed to enabling every customer to work,
>>>communicate, and transact business more securely."
>>>"Implementing threat modeling and other key security considerations in
>>>design and development stages."
>>>"Promoting more secure deployment and management of our software."
>>>
>>>Now read:
>>>
>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/0926da81-f03a-4986-959d-827b6753c22f.mspx
>>>Remote Limitations
>>>
>>>"In addition to exposing your server to unauthorized users, Remote has
>>>the following limitations..."
>>>
>>>"Remote performs no security authorization. It permits anyone running
>>>Remote.exe Client to connect to your remote server. Because of this,
>>>the account under which the remote server was run is open to anyone who
>>>connects."
>>>
>>>Wow. What a joke.
>>>
>>
>>It's not your 'server' in the sense of the physical box though is it?
>>Sounds more like a remote virtual server started on the physical server
>>from this article:
>> http://pensieve.thinkingms.com/CommentView,guid,bcd86023-c8e0-4ef7-a2f5-60ddf47635cc.aspx
>>Sounds as though you'd need quite a bit of inside information from
>>somebody with administrator rights before you could misuse it though?
>
>
> Ah no. It sounds like *anyone* who connects *is* an administrator... I would
> not recommend using this crapware...
>
> -Im

Yes, but only for that session which has already been created by a
system administrator running on the server - that's how I read it. This
is a tool which appears to have been part of the WinNT resource kit so I
have no idea who is still using it of course!

Mark Randall
07-09-2005, 10:51 PM
Ima,

Can I please remind you that you are on the Microsoft public newsgroups, and
while public... this does not mean you can make post after post with non-stop
complaining about the software, and insulting it.

This is a group for keeping up to date, and help - not for this
stereotypical anti-Microsoft bull that you keep coming out with. It is not
welcome here.

You are, of course, free to use them in such a way of helping as you are
clearly 'very knowledgeable', heh.. or you are free to leave.

--
- Mark Randall
http://zetech.swehli.com

"Imhotep" <NoSpam@nothanks.net> wrote in message
news:MzNie.14$jp.2@fed1read03...
> Ah no. It sounds like *anyone* who connects *is* an administrator... I would
> not recommend using this crapware...
>
> -Im

Imhotep
07-09-2005, 10:51 PM
Mark Randall wrote:

> Ima,
>
> Can I please remind you that you are on the Microsoft public newsgroups,
> and while public... this does not mean you can make post after post with
> non-stop complaining about the software, and insulting it.
>
> This is a group for keeping up to date, and help - not for this
> stereotypical anti-Microsoft bull that you keep coming out with. It is not
> welcome here.
>
> You are, of course, free to use them in such a way of helping as you are
> clearly 'very knowledgeable', heh.. or you are free to leave.
>

Since the posts I have posted here deal directly with Microsoft and security
I feel they are very relevant. Microsoft has fallen short of its promises
to all of us and I will not sugar it or anything. I am not anti anything. I
am pro security and secure computing no matter what the OS or applications
are. If you have a problem with that, or choose to use that lame excuse of
"anti Microsoft", that is your problem. Deal with it. Facts are facts and
they should not be swept under the rug just because you are a fanatically
pro Microsoft person. Now I will help anyone out where I can, but I will
not deny the facts, for anyone or for any company. Sorry. Try working for
the Bush regime if you want that kind of behavior...

-Im

Roger Abell
07-09-2005, 10:51 PM
That is pretty embarrassing, worse actually.
IIRC this Remote.exe is much like an earlier NT4 era MSDN
sample to illustrate client/server. No checks, if you know the
port and syntax . . .
I imagine someone thought, it is not much different from other
remote shell type binaries one can get to install on someone's
machine, that one must first have admin it install a service, etc.
basically too much old generation MS-think that they are still
working to infuse throughout the company.
But placing it in the ResKit as a remote admin tool, embarrassing.
It reminds me of a comment nearly a couple years back by an
MS sec strategist to the effect that the ResKit is misnamed and
should have been called the Windows cracker's toolkit.
Anyway, I am emailing off as this is IMO something that has
so far gone overlooked in the multiple waves of content purging
that have happened since the security initiative got manpower.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
<zamdrist@gmail.com> wrote in message
news:1116424362.039003.8290@o13g2000cwo.googlegroups.com...
> http://www.microsoft.com/security/twc/vision_frame.mspx
>
> Security Vision and Framework
>
> "Microsoft is committed to enabling every customer to work,
> communicate, and transact business more securely."
> "Implementing threat modeling and other key security considerations in
> design and development stages."
> "Promoting more secure deployment and management of our software."
>
> Now read:
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/0926da81-f03a-4986-959d-827b6753c22f.mspx
>
> Remote Limitations
>
> "In addition to exposing your server to unauthorized users, Remote has
> the following limitations..."
>
> "Remote performs no security authorization. It permits anyone running
> Remote.exe Client to connect to your remote server. Because of this,
> the account under which the remote server was run is open to anyone who
> connects."
>
> Wow. What a joke.
>

Roger Abell
07-09-2005, 10:51 PM
killer closing line . . .

--
Roger

zamdrist@gmail.com
07-09-2005, 10:51 PM
The obvious, easiest answer is to just not use the tool, and make sure
it isn't on your system. Nevertheless, I think we are in agreement it's
the disparaging messages sent about security that's most troublesome.

Microsoft may want to be serious about security, and I'm sure there are
a number of people at Microsoft very serious about Microsoft...but
overall, the message is not getting out.

Roger Abell wrote:
> That is pretty embarrassing, worse actually.
> IIRC this Remote.exe is much like an earlier NT4 era MSDN
> sample to illustrate client/server. No checks, if you know the
> port and syntax . . .
> I imagine someone thought, it is not much different from other
> remote shell type binaries one can get to install on someone's
> machine, that one must first have admin it install a service, etc.
> basically too much old generation MS-think that they are still
> working to infuse throughout the company.
> But placing it in the ResKit as a remote admin tool, embarrassing.
> It reminds me of a comment nearly a couple years back by an
> MS sec strategist to the effect that the ResKit is misnamed and
> should have been called the Windows cracker's toolkit.
> Anyway, I am emailing off as this is IMO something that has
> so far gone overlooked in the multiple waves of content purging
> that have happened since the security initiative got manpower.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> <zamdrist@gmail.com> wrote in message
> news:1116424362.039003.8290@o13g2000cwo.googlegroups.com...
> > http://www.microsoft.com/security/twc/vision_frame.mspx
> >
> > Security Vision and Framework
> >
> > "Microsoft is committed to enabling every customer to work,
> > communicate, and transact business more securely."
> > "Implementing threat modeling and other key security considerations in
> > design and development stages."
> > "Promoting more secure deployment and management of our software."
> >
> > Now read:
> >
> > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/0926da81-f03a-4986-959d-827b6753c22f.mspx
> >
> > Remote Limitations
> >
> > "In addition to exposing your server to unauthorized users, Remote has
> > the following limitations..."
> >
> > "Remote performs no security authorization. It permits anyone running
> > Remote.exe Client to connect to your remote server. Because of this,
> > the account under which the remote server was run is open to anyone who
> > connects."
> >
> > Wow. What a joke.
> >

zamdrist@gmail.com
07-09-2005, 10:51 PM
Yes actually, he can. It's called freedom of speech, this is a public
forum.

Your newsreader has a kill filter. Use it.

Mark Randall wrote:
> Ima,
>
> Can I please remind you that you are on the Microsoft public
> newsgroups, and while public... this does not mean you can make post
> after post with non-stop complaining about the software, and insulting it.
>
> This is a group for keeping up to date, and help - not for this
> stereotypical anti-Microsoft bull that you keep coming out with. It
> is not welcome here.
>
> You are, of course, free to use them in such a way of helping as you
> are clearly 'very knowledgeable', heh.. or you are free to leave.
>
> --
> - Mark Randall
> http://zetech.swehli.com
>
> "Imhotep" <NoSpam@nothanks.net> wrote in message
> news:MzNie.14$jp.2@fed1read03...
> > Ah no. It sounds like *anyone* who connects *is* an administrator...
> > I would not recommend using this crapware...
> >
> > -Im

Mark Randall
07-09-2005, 10:51 PM
No, it's called a corporate server, on which freedom of speech does not exist
should it harm the owner.

--
- Mark Randall
http://zetech.swehli.com

<zamdrist@gmail.com> wrote in message
news:1116526212.648354.131810@g43g2000cwa.googlegroups.com...
> Yes actually, he can. It's called freedom of speech, this is a public
> forum.
>
> Your newsreader has a kill filter. Use it.

Imhotep
07-09-2005, 10:51 PM
Mark Randall wrote:

> No, it's called a corporate server, on which freedom of speech does not
> exist should it harm the owner.
>

A free society has the right to question itself, its leaders and yes, the
companies as well. At what point did it change? I guess I missed that
memo...

So you are saying that people cannot tell the truth? People cannot ask for
more or better quality from the same company that made billions on us? What
is next? Maybe we should gather all the linux/gnu books out there pile them
up and burn them...


- Im

Imhotep
07-09-2005, 10:51 PM
Mark Randall wrote:

> No, it's called a corporate server, on which freedom of speech does not
> exist should it harm the owner.
>


By the way, Freedom of Speech is a constitutional right (US). It is not
negated because it is on a corporate server.

-Im

Mark Randall
07-09-2005, 10:51 PM
I think you find most of your American constitutional rights have prevailing
laws that override them in many situations.

--
- Mark Randall
http://zetech.swehli.com

"Imhotep" <NoSpam@nothanks.net> wrote in message
news:bA7je.27$gp.24@fed1read03...
> Mark Randall wrote:
>
>> No, it's called a corporate server, on which freedom of speech does not
>> exist should it harm the owner.
>>
>
>
> By the way, Freedom of Speech is a constitutional right (US). It is not
> negated because it is on a corporate server.
>
> -Im

Imhotep
07-09-2005, 10:51 PM
Mark Randall wrote:

> I think you find most of your American constitutional rights have
> prevailing laws that override them in many situations.
>


Not when it comes to newsgroups. Sure you are not a Bush aide or adviser?

-Im

Mark Randall
07-09-2005, 10:51 PM
Firstly, I am English and as such, like the rest of the world.. hate Bush...

Secondly, continually posting on how 'crap' a product is on a server
owned by the said company is classified as defacement, on this server there
are no rules other than those which are set by Microsoft and they have EVERY
right to insist that they are just used for the purpose of helping, and that
any activities that they feel harm their business, cease.

Ultimately, by posting to this newsgroup you are placing information on the
Microsoft NNTP servers, and their respective hard drives and they have EVERY
right to prohibit certain things. If you would like to go 'bitch' about them
consistently, please feel free to use one of many free posting forums
available online, instead of here which directly harms MS's business.

--
- Mark Randall
http://zetech.swehli.com

"Imhotep" <NoSpam@nothanks.net> wrote in message
news:U68je.30$gp.8@fed1read03...
> Mark Randall wrote:
>
>> I think you find most of your American constitutional rights have
>> prevailing laws that override them in many situations.
>>
>
>
> Not when it comes to newsgroups. Sure you are not a Bush aide or adviser?
>
> -Im

Imhotep
07-09-2005, 10:51 PM
Mark Randall wrote:

> Firstly, I am English and as such, like the rest of the world.. hate Bush...

Ah, OK maybe you are a Blair adviser...

> Secondly, continually posting on how 'crap' a product is on a server
> owned by the said company is classified as defacement,

Sorry, not when it can be backed by facts.

> on this server
> there are no rules other than those which are set by Microsoft and they
> have EVERY right to insist that they are just used for the purpose of
> helping, and that any activities that they feel harm their business,
> cease.

Who do you work for? Is this coming from Microsoft or your opinion?

> Ultimately, by posting to this newsgroup you are placing information on the
> Microsoft NNTP servers, and their respective hard drives and they have
> EVERY right to prohibit certain things. If you would like to go 'bitch'
> about them consistently, please feel free to use one of many free posting
> forums available online, instead of here which directly harms MS's
> business.

Before I reply to your statement let me tell you a couple of things. For a
long time I did contract IT security work. Some of the most dangerous
people I have met were the type of "IT Professionals" that would dump a
firewall in place and declare "we are safe" to their bosses. The reason
these people are so dangerous is because once the firewall was put in place
they never bothered to periodically check themselves or keep up to date on
security hacking/cracking techniques. They relied solely on announcements
from the vendors. At least if they were informed they would know that they
need to pay closer attention to their logs, etc. on their systems.

How many companies have been hacked/cracked lately? How many of the 100s of
thousands of people have lost their information because of this? How many
people will no doubt have to fight to fix their credit reports because some
company lost their data? People need to be informed right away when there
is a security hole, even when it has not been patched yet.

Hiding information from customers is a very dangerous act. I have seen an
alarming rate of companies not informing people right away about the
security holes in their software. They naively think that by not announcing
it they somehow are preventing others from using the technique, or at least
that is what they claim. Honestly, I think many companies worry more about
their market share than protecting their customers. Anyway, we are in the
age of information at light speeds. You cannot hide these things or the
information about them. As soon as hackers have found the hole they have
already started using the security hole.

Now, let's look at a couple of things. The OP had brought up the question
about remote.exe. A horrible application/binary that does not even
authenticate who the user is before granting admin rights. I replied that
this application is crapware and should not be used. Do you really think it
should?

On another post, it was found that IE has two critical security holes. It
has not been announced and it appears it will not be fixed for at least
another two weeks. I posted it here to inform people so, at least, they
know that there is a current, and active, security breach in IE. At least
they know they need to keep a closer eye on things. Maybe check their logs
every day. Maybe check for strange binaries on their systems. In short, look
closer and keep a closer eye on their systems.

I will not, nor will I ever, refrain from posting this type of information
from this or any other newsgroup. People need to be informed. Period. And
if you do in fact work for Microsoft, then it appears that you want to hide
critical security information from your customers. Maybe you care more
about your market share than the very customers that put you there? Shame on
you.

-Im

Roger Abell
07-09-2005, 10:51 PM
<zamdrist@gmail.com> wrote in message
news:1116525911.971697.216120@o13g2000cwo.googlegroups.com...
> The obvious, easiest answer is to just not use the tool, and make sure
> it isn't on your system. Nevertheless, I think we are in agreement it's
> the disparaging messages sent about security that's most troublesome.
>
> Microsoft may want to be serious about security, and I'm sure there are
> a number of people at Microsoft very serious about Microsoft...but
> overall, the message is not getting out.
>

There are also quite a number that are very serious about security.
It just takes a while to infuse it into so many tens of thousands that
touch each little corner of MS product (like the tech writers that
compile the reskit under MS Press guidance)

> Roger Abell wrote:
> > That is pretty embarrassing, worse actually.
> > IIRC this Remote.exe is much like an earlier NT4 era MSDN
> > sample to illustrate client/server. No checks, if you know the
> > port and syntax . . .
> > I imagine someone thought, it is not much different from other
> > remote shell type binaries one can get to install on someone's
> > machine, that one must first have admin it install a service, etc.
> > basically too much old generation MS-think that they are still
> > working to infuse throughout the company.
> > But placing it in the ResKit as a remote admin tool, embarrassing.
> > It reminds me of a comment nearly a couple years back by an
> > MS sec strategist to the effect that the ResKit is misnamed and
> > should have been called the Windows cracker's toolkit.
> > Anyway, I am emailing off as this is IMO something that has
> > so far gone overlooked in the multiple waves of content purging
> > that have happened since the security initiative got manpower.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > <zamdrist@gmail.com> wrote in message
> > news:1116424362.039003.8290@o13g2000cwo.googlegroups.com...
> > > http://www.microsoft.com/security/twc/vision_frame.mspx
> > >
> > > Security Vision and Framework
> > >
> > > "Microsoft is committed to enabling every customer to work,
> > > communicate, and transact business more securely."
> > > "Implementing threat modeling and other key security considerations in
> > > design and development stages."
> > > "Promoting more secure deployment and management of our software."
> > >
> > > Now read:
> > >
> > > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/0926da81-f03a-4986-959d-827b6753c22f.mspx
> > >
> > > Remote Limitations
> > >
> > > "In addition to exposing your server to unauthorized users, Remote has
> > > the following limitations..."
> > >
> > > "Remote performs no security authorization. It permits anyone running
> > > Remote.exe Client to connect to your remote server. Because of this,
> > > the account under which the remote server was run is open to anyone who
> > > connects."
> > >
> > > Wow. What a joke.
> > >
>

Imhotep
07-09-2005, 10:52 PM
Roger Abell wrote:

>
> <zamdrist@gmail.com> wrote in message
> news:1116525911.971697.216120@o13g2000cwo.googlegroups.com...
>> The obvious, easiest answer is to just not use the tool, and make sure
>> it isn't on your system. Nevertheless, I think we are in agreement it's
>> the disparaging messages sent about security that's most troublesome.
>>
>> Microsoft may want to be serious about security, and I'm sure there are
>> a number of people at Microsoft very serious about Microsoft...but
>> overall, the message is not getting out.
>>
>
> There are also quite a number that are very serious about security.
> It just takes a while to infuse it into so many tens of thousands that
> touch each little corner of MS product (like the tech writers that
> compile the reskit under MS Press guidance)
>

Have they not told us for 4 years, or more, now that they are "serious"
about security? Honestly, the only change in security I have seen is that
it is worse than it was 4 years ago....just being honest.

-Im

Roger Abell
07-09-2005, 10:52 PM
"Imhotep" <NoSpam@nothanks.net> wrote in message
news:fEdje.47$gp.43@fed1read03...
> Roger Abell wrote:
>
> >
> > <zamdrist@gmail.com> wrote in message
> > news:1116525911.971697.216120@o13g2000cwo.googlegroups.com...
> >> The obvious, easiest answer is to just not use the tool, and make sure
> >> it isn't on your system. Nevertheless, I think we are in agreement it's
> >> the disparaging messages sent about security that's most troublesome.
> >>
> >> Microsoft may want to be serious about security, and I'm sure there are
> >> a number of people at Microsoft very serious about Microsoft...but
> >> overall, the message is not getting out.
> >>
> >
> > There are also quite a number that are very serious about security.
> > It just takes a while to infuse it into so many tens of thousands that
> > touch each little corner of MS product (like the tech writers that
> > compile the reskit under MS Press guidance)
> >
>
> Have they not told us for 4 years, or more, now that they are "serious"
> about security? Honestly, the only change in security I have seen is that
> it is worse than it was 4 years ago....just being honest.
>


Then I am now surprised, as this indicates you must be walking
about (and researching MS products) with your eyes closed.
Four years ago things were in a dismal state, whereas low-hanging
fruit was quickly collected after MS caught on to this religion, and
there remains an ongoing process of incremental improvement.
If you cannot recognize that I am left needing to question some of
your otherwise intelligent and critically observant sounding comments.

--
Roger

Imhotep
07-09-2005, 10:52 PM
Roger Abell wrote:

> "Imhotep" <NoSpam@nothanks.net> wrote in message
> news:fEdje.47$gp.43@fed1read03...
>> Roger Abell wrote:
>>
>> >
>> > <zamdrist@gmail.com> wrote in message
>> > news:1116525911.971697.216120@o13g2000cwo.googlegroups.com...
>> >> The obvious, easiest answer is to just not use the tool, and make
>> >> sure it isn't on your system. Nevertheless, I think we are in
>> >> agreement it's the disparaging messages sent about security that's most
>> >> troublesome.
>> >>
>> >> Microsoft may want to be serious about security, and I'm sure there
>> >> are a number of people at Microsoft very serious about Microsoft...but
>> >> overall, the message is not getting out.
>> >>
>> >
>> > There are also quite a number that are very serious about security.
>> > It just takes a while to infuse it into so many tens of thousands that
>> > touch each little corner of MS product (like the tech writers that
>> > compile the reskit under MS Press guidance)
>> >
>>
>> Have they not told us for 4 years, or more, now that they are "serious"
>> about security? Honestly, the only change in security I have seen is that
>> it is worse than it was 4 years ago....just being honest.

> Then I am now surprised, as this indicates you must be walking
> about (and researching MS products) with your eyes closed.
>> > Four years ago things were in a dismal state, whereas low-hanging
> fruit was quickly collected after MS caught on to this religion, and
> there remains an ongoing process of incremental improvement.
> If you cannot recognize that I am left needing to question some of
> your otherwise intelligent and critically observant sounding comments.

Security as a whole has become more intense compared to 4 years ago. What we
are seeing is a change from the hacker/cracker who wrote his virus for a
"hobby" to the professional who is doing it for money. Don't get me wrong
there still are "hobbyist" hackers/crackers out there but do not be fooled,
the ones that do it for money are by far the most dangerous. Look at some
of the recent hacking/cracking. The new generation of virus writer and
crackers are intent on stealing identities, a highly regarded resource for
revenue.

Security as a whole has not stepped up enough to match the current
intensity of these "professional" crackers. Companies are still slow to the
"plate" to inform their users (as I pointed out before). They are slow to
educate their users. This is what I mean by saying it has become worse.

What I would like to see is this:
1) All companies upon hearing of a security hole in their software should
make the information public. They should recommend things to look out for
and the things to monitor.

2) When a company learns that they have a security problem, they should put
all of their resources into fixing it and make it the highest priority for
the company. In Microsoft's case hold back on the XBox and fix the damn hole.
This is taking security seriously.

3) I would also like to see an organized database, on-line, that lists all
the current security vulnerabilities for all software and OSes. What to
look out for and what to monitor. Now CERT has a nice web presence but,
they too, will not post information about unpatched security holes unless
it has become so widespread they simply cannot ignore it any longer. By
then it is way too late.

-Im

Roger Abell
07-09-2005, 10:52 PM
"Imhotep" <NoSpam@nothanks.net> wrote in message
news:wdsje.9112$gp.292@fed1read03...
> Roger Abell wrote:
>
> > "Imhotep" <NoSpam@nothanks.net> wrote in message
> > news:fEdje.47$gp.43@fed1read03...
> >> Roger Abell wrote:
> >>
> >> >
> >> > <zamdrist@gmail.com> wrote in message
> >> > news:1116525911.971697.216120@o13g2000cwo.googlegroups.com...
> >> >> The obvious, easiest answer is to just not use the tool, and make
> >> >> sure it isn't on your system. Nevertheless, I think we are in
> >> >> agreement it's the disparaging messages sent about security that's
> >> >> most troublesome.
> >> >>
> >> >> Microsoft may want to be serious about security, and I'm sure there
> >> >> are a number of people at Microsoft very serious about
> >> >> Microsoft...but overall, the message is not getting out.
> >> >>
> >> >
> >> > There are also quite a number that are very serious about security.
> >> > It just takes a while to infuse it into so many tens of thousands that
> >> > touch each little corner of MS product (like the tech writers that
> >> > compile the reskit under MS Press guidance)
> >> >
> >>
> >> Have they not told us for 4 years, or more, now that they are "serious"
> >> about security? Honestly, the only change in security I have seen is that
> >> it is worse than it was 4 years ago....just being honest.
>
> > Then I am now surprised, as this indicates you must be walking
> > about (and researching MS products) with your eyes closed.
> > Four years ago things were in a dismal state, whereas low-hanging
> > fruit was quickly collected after MS caught on to this religion, and
> > there remains an ongoing process of incremental improvement.
> > If you cannot recognize that I am left needing to question some of
> > your otherwise intelligent and critically observant sounding comments.
>
> Security as a whole has become more intense compared to 4 years ago. What we
> are seeing is a change from the hacker/cracker who wrote his virus for a
> "hobby" to the professional who is doing it for money. Don't get me wrong,
> there still are "hobbyist" hackers/crackers out there but do not be fooled,
> the ones that do it for money are by far the most dangerous. Look at some
> of the recent hacking/cracking. The new generation of virus writers and
> crackers are intent on stealing identities, a highly regarded resource for
> revenue.
>
> Security as a whole has not stepped up enough to match the current
> intensity of these "professional" crackers. Companies are still slow to the
> "plate" to inform their users (as I pointed out before). They are slow to
> educate their users. This is what I mean by saying it has become worse.
>
> What I would like to see is this:
> 1) All companies upon hearing of a security hole in their software should
> make the information public. They should recommend things to look out for
> and the things to monitor.
>
> 2) When a company learns that they have a security problem, they should put
> all of their resources into fixing it and make it the highest priority for
> the company. In Microsoft's case, hold back on the XBox and fix the damn hole.
> This is taking security seriously.
>
> 3) I would also like to see an organized database, on-line, that lists all
> the current security vulnerabilities for all software and OSes. What to
> look out for and what to monitor. Now CERT has a nice web presence but,
> they too, will not post information about unpatched security holes unless
> it has become so widespread they simply cannot ignore it any longer. By
> then it is way too late.
>
> -Im
>

You are attempting to reopen the responsible disclosure discussion, which
I will not enter into here. That would be better as a thread of its own than
buried down within this.

Your observations seem partly right and partly missing the point.

Yes, things are more sophisticated today, and more rapidly disseminated
throughout the crack community. And yes, the more significant threat is
from the for-profit motivated individuals/groups. However, what you are
advocating as to a database of things to monitor and symptoms to keep a
watch over would in fact serve to notify those groups not to go there.
(note: this comment is different from the responsible disclosure one in
that we are not speaking about the PoC and exploit code details). At
any rate, that segment here lumped (rightly or not) under this "for-profit"
label are not likely to be leaving a virus/worm trail and also are likely to
be making use of rootkit based techniques so that examination would be
difficult in running systems. The only approach I see that is clearly valid
is to reduce the time to patched systems; the other approaches all seem
to have pros and cons. As far as reducing the time to systems being
patched, while you may have issues with the time MS takes to release
a patch, I do hope that you clearly see that the security initiative has
brought out tools and automation techniques that have much reduced the time
from patch release to world-wide patched system coverage. (just compare the
average home user machine before Windows Update to presently).

Now, I am not saying you are wrong, or that we should give up on finding
responsible ways to share information in timely fashion, or that the problem
will ever go away for a connected system. However I do not see how the
things you have proposed in 1 and 3 would work to better the situation.

There are some fairly current archives of info on unpatched vulnerabilities,
and as you have likely noticed, it can be a rather full-time preoccupation
just keeping oneself informed of what is out there, even if one only uses the
unpaid, free info sources. I mean, Secunia for example, currently lists for
W2k3 Ent that 5 of the 47 advisories issued since its April 03 release
are currently unaddressed; while for Red Hat 4 Ent since its Feb 05 release
it shows 2 of 38 advisories are unaddressed (for the more mature ES 3 it
shows 1 of 178 since its mid-03 release is unaddressed). There are paid
services that will send you exploit and patch availability info that is tuned
to the set of vendor/products that are of interest.

As to item 2, you must understand MS as a cluster of businesses, not as
a company. In that form of organization shifting resources to, for example,
the unit owning IE from entertainment-oriented units is not likely to
happen.
