Thursday, October 18, 2001
Viruses are Your Fault says Microsoft
Code Red. Lion. Sadmind. Ramen. Nimda. In the past year these worms have torn through computer networks around the world, causing billions of dollars in damage. Three of them, Code Red, Nimda and the Sadmind/IIS worm, have one thing in common: they spread by exploiting Microsoft IIS web servers.
In yet another classic piece of FUD, Microsoft's Scott Culp, Manager of the Microsoft Security Response Center, blames the independent security community for Microsoft's security problems. He starts out by painting the independent security community as 'anarchists' and their disclosures as 'information anarchy'.
The first good nugget:
Supporters of information anarchy claim that publishing full details on exploiting vulnerabilities actually helps security, by giving system administrators information on how to protect their systems, demonstrating the need for them to take action, and bringing pressure on software vendors to address the vulnerabilities. These may be their intentions, but in practice information anarchy is antithetical to all three goals.
The most interesting thing here is that publishing exploit details is usually not the first thing that happens; it is the last resort, after the vendor has been told privately and has sat on the report, suffering from Not Invented Here syndrome. The usual refrain has been that these vulnerabilities were 'theoretical'. Until Microsoft gets bitchslapped by one of these worms, its stance has been reactive rather than proactive.
So to recap: information and knowledge are a bad thing unless delivered by the same vendors who released the vulnerable products in the first place. Independent review and exploration to help the entire community is a bad thing.
Yet when these worms tore through the user community, it was clear that few people had applied these fixes.
Fair enough. But when did these people change from perceptive, intelligent customers into blind users? When the check cleared? People buy software to increase productivity, not to spend their time fixing and repairing products that were sold to them as robust and secure.
Finally, information anarchy threatens to undo much of the progress made in recent years with regard to encouraging vendors to openly address security vulnerabilities. At the end of the day, a vendor's paramount responsibility is to its customers, not to a self-described security community. If openly addressing vulnerabilities inevitably leads to those vulnerabilities being exploited, vendors will have no choice but to find other ways to protect their customers.
The most telling refutation of this argument is that people with little or no programming experience are able to exploit vulnerabilities in products that are feature rich and security poor. The worms did not need the 'information anarchists' to write them a tutorial; they needed an unpatched server.
As for the threat of finding other ways of protecting customers: how exactly will you do that? Will you call me? Will you send me a letter? You haven't yet.
Vendors that do not openly discuss security concerns will find themselves on the bottom of the shopping list. Then they will drop off of it.
Extensible Stylesheet Language (XSL)
New Code for Us.
The web works because HTML is an open system.
The majority of what you see on your screen is written in HyperText Markup Language. This language has been carefully designed to extend what can be communicated from one computer to another. The specification comes from the W3C, the World Wide Web Consortium.
The W3C holds a special position in our little world. We have, in concert, without clubs, memberships, secret handshakes, or free mouse pads, agreed to treat the W3C Recommendations as the stone tablets of our universe of the web. We are here because these 'standards' are non-proprietary, openly published, and do not 'belong' to anybody. This gives us a baseline from which to begin our exploration and experimentation with what we can get to show up in a browser.
Copyright © 1997-2001 lemurzone design all rights reserved